Supplemental Document : BIG-IP 12.1.5 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 12.1.5

BIG-IP APM

  • 12.1.5

BIG-IP Analytics

  • 12.1.5

BIG-IP Link Controller

  • 12.1.5

BIG-IP LTM

  • 12.1.5

BIG-IP AFM

  • 12.1.5

BIG-IP PEM

  • 12.1.5

BIG-IP DNS

  • 12.1.5

BIG-IP ASM

  • 12.1.5
Updated Date: 06/22/2020

BIG-IP Release Information

Version: 12.1.5
Build: 6.0

Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.3 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release
Cumulative fixes from BIG-IP v12.1.1 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release
Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release
Known Issues in BIG-IP v12.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
771873-2 CVE-2019-6642 K40378764 TMSH Hardening
757023-5 CVE-2018-5743 K74009656 BIND vulnerability CVE-2018-5743
737574-3 CVE-2019-6621 K20541896 iControl REST input sanitization
737565-3 CVE-2019-6620 K20445457 iControl REST input sanitization
715923-3 CVE-2018-15317 K43625118 When processing TLS traffic TMM may terminate connections unexpectedly
794413-5 CVE-2019-6471 K10092301 BIND vulnerability CVE-2019-6471
745257-4 CVE-2018-14634 K20934447 Linux kernel vulnerability: CVE-2018-14634
702469-4 CVE-2019-6633 K73522927 Appliance mode hardening in scp
796469-1 CVE-2019-6649 K05123525 ConfigSync Hardening
797885-5 CVE-2019-6649 K05123525 ConfigSync Hardening
799589-5 CVE-2019-6649 K05123525 ConfigSync Hardening
799617-5 CVE-2019-6649 K05123525 ConfigSync Hardening
807477-4 CVE-2019-6650 K04280042 ConfigSync Hardening
810557-5 CVE-2019-6649 K05123525 ASM ConfigSync Hardening


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
707509-3 1-Blocking   Initial vCMP guest creations can fail if certain hotfixes are used
769809-1 2-Critical   vCMP guests 'INOPERATIVE' after upgrade
762453-4 2-Critical   Hardware cryptography acceleration may fail
757455-4 2-Critical   Excessive resource consumption when processing REST requests
750586-3 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
748205-2 2-Critical   SSD bay identification incorrect for RAID drive replacement
744331-1 2-Critical   OpenSSH hardening
743790-4 2-Critical   BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus
734539-2 2-Critical   The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads
726487-1 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
710277-2 2-Critical   IKEv2 further child_sa validity checks
693996-3 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
685458-5 2-Critical K44738140 merged fails merging a table when a table row has incomplete keys defined.
671741-4 2-Critical   LCD on iSeries devices can lock at red 'loading' screen.
653152-1 2-Critical   Support RSASSA-PSS-SIGN in F5 crypto APIs.
788301-2 3-Major K58243048 SNMPv3 Hardening
777261-1 3-Major   When SNMP cannot locate a file it logs messages repeatedly
758527-5 3-Major   BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode
758119-3 3-Major K58243048 qkview may contain sensitive information
747592-4 3-Major   PHP vulnerability CVE-2018-17082
746266-4 3-Major   Vcmp guest vlan mac mismatch across blades.
745405 3-Major   Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover
743803-5 3-Major   IKEv2 potential double free of object when async request queueing fails
739971-3 3-Major   Linux kernel vulnerability: CVE-2018-5391
738445-1 3-Major   IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup
737437-1 3-Major   IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages
663924-2 3-Major   Qkview archives includes Kerberos keytab files
641753-2 3-Major   Syncookies activated on a genuine connection gets reset almost 30-50% of the time
599543-3 3-Major   Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile
575919-3 3-Major   Running concurrent TMSH instances can result in error in access to history file
523797-2 3-Major   Upgrade: file path failure for process name attribute in snmp.
726317-3 4-Minor   Improved debugging output for mcpd
692165-2 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
662372-1 4-Minor K41250179 Uploading a new device certificate file via the GUI might not update the device certificate
631334-4 4-Minor   TMSH does not preserve \? for config save/load operations
520877-1 4-Minor   Alerts sent by the lcdwarn utility are not shown in tmsh
479471-1 4-Minor K00342205 CPU statistics reported by the tmstat command may spike or go negative


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
759968-1 1-Blocking   Distinct vCMP guests are able to cluster with each other.
757391-1 2-Critical   Datagroup iRule command class can lead to memory corruption
756450-3 2-Critical   Traffic using route entry that's more specific than existing blackhole route can cause core
752930 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
740963-3 2-Critical   VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart
738046-3 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
726393-5 2-Critical   DHCPRELAY6 can lead to a tmm crash
724214-2 2-Critical   TMM core when using Multipath TCP
671714-2 2-Critical   Empty persistence cookie name inserted from policy can cause TMM to crash
667779-2 2-Critical   iRule commands may cause the TMM to crash in very rare situations.
474797-7 2-Critical   Nitrox crypto hardware may attempt soft reset while currently resetting
760550-2 3-Major   Retransmitted TCP packet has FIN bit set
759480-1 3-Major   HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash
758872-1 3-Major   TMM memory leak
758631-1 3-Major   ec_point_formats extension might be included in the server hello even if not specified in the client hello
756538-2 3-Major   Failure to open data channel for active FTP connections mirrored across an HA pair.
756270-1 3-Major   SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle
749414-1 3-Major   Invalid monitor rule instance identifier error
749294-1 3-Major   TMM cores when query session index is out of boundary
742237-1 3-Major   CPU spikes appear wider than actual in graphs
740959-1 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
739963-1 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
727292-2 3-Major   SSL in proxy shutdown case does not deliver server TCP FIN
726232-1 3-Major   iRule drop/discard may crash tmm
720219-1 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
715467-3 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
702450-4 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
699598-4 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
688629-3 3-Major K52334096 Deleting data-group in use by iRule does not trigger validation error
617382-1 3-Major   Csyncd memory leak on multi-bladed systems
599567 3-Major   APM assumes SNAT automap, does not use SNAT pool
576311-1 3-Major K41335027 HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present
511324-12 3-Major K23159242 HTTP::disable does not work after the first request/response.
504522-2 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
747585-1 4-Minor   TCP Analytics supports ANY protocol number
624168-2 4-Minor   DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission


Performance Fixes

ID Number Severity Solution Article(s) Description
735832-2 2-Critical   RAM Cache traffic fails on B2150


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
750213-1 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
744937-4 3-Major K00724442 Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
723790-4 2-Critical   Idle asm_config_server handlers consumes a lot of memory
773553-5 3-Major   ASM JSON parser false positive.
761231-5 3-Major   Bot Defense Search Engines getting blocked after configuring DNS correctly
760878-1 3-Major   Incorrect enforcement of explicit global parameters
727107-1 3-Major   Request Logs are not stored locally due to shmem pipe blockage
721399-3 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
695878-5 3-Major   Signature enforcement issue on specific requests
685164-3 3-Major   In partitions with default route domain != 0 request log is not showing requests
660327-2 3-Major   Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
653017-2 3-Major   Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
605649-3 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
758336-2 4-Minor   Incorrect recommendation in Online Help of Proactive Bot Defense


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
774301-1 3-Major   Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList
766577-5 3-Major   APMD fails to send response to client and it already closed connection.
758018-2 3-Major   APD/APMD may consume excessive resources
755507-1 3-Major   [App Tunnel] 'URI sanitization' error


Service Provider Fixes

ID Number Severity Solution Article(s) Description
758065-3 3-Major   TMM may consume excessive resources while processing FIX traffic


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
709670-5 3-Major   iRule triggered from RADIUS occasionally fails to create subscribers.


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
757088 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
754257 3-Major   URL lookup queries not working


Device Management Fixes

ID Number Severity Solution Article(s) Description
658417-1 2-Critical   REST: Failure to authenticate/renew user who is using expired password



Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
757025-4 CVE-2018-5744 K00040234 BIND Update
754944-4 CVE-2019-6626 K00432398 AVR reporting UI does not follow best practices
754345-4 CVE-2019-6625 K79902360 WebUI does not follow best security practices
753776-3 CVE-2019-6624 K07127032 TMM may consume excessive resources when processing UDP traffic
749879 CVE-2019-6611 K47527163 Possible interruption while processing VPN traffic
748502-4 CVE-2019-6623 K72335002 TMM may crash when processing iSession traffic
744035-3 CVE-2018-15332 K12130880 APM Client Vulnerability: CVE-2018-15332
739970-3 CVE-2018-5390 K95343321 Linux kernel vulnerability: CVE-2018-5390
739947-3 CVE-2019-6610 K42465020 TMM may crash while processing APM traffic
757027-4 CVE-2019-6465 K01713115 BIND Update
753796-3 CVE-2019-6640 K40443301 SNMP does not follow best security practices
750460-4 CVE-2019-6639 K61002104 Subscriber management configuration GUI
750187-4 CVE-2019-6637 K29149494 ASM REST may consume excessive resources
745713-2 CVE-2019-6619 K94563344 TMM may crash when processing HTTP/2 traffic
745371-3 CVE-2019-6636 K68151373 AFM GUI does not follow best security practices
745165-4 CVE-2019-6617 K38941195 Users without Advanced Shell Access are not allowed SFTP access
742226-3 CVE-2019-6635 K11330536 TMSH platform_check utility does not follow best security practices
737910-1 CVE-2019-6609 K18535734 Security hardening on the following platforms
710857-4 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage
703835-4 CVE-2019-6616 K82814400 When using SCP into BIG-IP systems, you must specify the target filename
702472-4 CVE-2019-6615 K87659521 Appliance Mode Security Hardening
673842-3 CVE-2019-6632 K01413496 vCMP does not follow best security practices


Functional Change Fixes

ID Number Severity Solution Article(s) Description
666505-2 2-Critical   Gossip between VIPRION blades
745387-4 3-Major   Resource-admin user roles can no longer get bash access
698376-4 3-Major   Non-admin users have limited bash commands and can only write to certain directories
667257-2 3-Major   CPU Usage Reaches 100% With High FastL4 Traffic
607410-1 3-Major K81239824 In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible
600811-2 3-Major   CATEGORY::lookup command change in behavior


TMOS Fixes

ID Number Severity Solution Article(s) Description
752835-1 2-Critical   Mitigate mcpd out of memory error with auto-sync enabled.
757026-4 3-Major   BIND Update
756153-1 3-Major   Add diskmonitor support for MySQL /var/lib/mysql
749153 3-Major   Cannot create LTM policy from GUI using iControl
735565-3 3-Major   BGP neighbor peer-group config element not persisting
726409-3 3-Major   Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077
723794-4 3-Major   PTI (Meltdown) mitigation should be disabled on AMD-based platforms
722682-1 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load
720819-1 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720269-3 3-Major   TACACS audit logging may append garbage characters to the end of log strings
720110-4 3-Major   0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.
716166-3 3-Major   Dynamic routing not added when conflicting self IPs exist
714986-1 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714903-1 3-Major   Errors in chmand
714654-3 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
709544-4 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
707740-3 3-Major   Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination
693388-1 3-Major   Log additional HSB registers when device becomes unresponsive
678488-3 3-Major K59332320 BGP default-originate not announced to peers if several are peering over different VLANs
639619-3 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
582792-7 3-Major   iRules are not updated in transactions through TMSH or iControl
581921-2 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
671044-3 4-Minor K78612407 FIPS certificate creation can cause failover to standby system
668964-2 4-Minor K81873940 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
619706-1 4-Minor   tmsh appears to allow password change for internal lcd admin user
436116-1 4-Minor   The tcpdump utility may fail to capture packets


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
754103-3 2-Critical   iRulesLX NodeJS daemon does not follow best security practices
753912-1 2-Critical K44385170 UDP flows may not be swept
747968-4 2-Critical   DNS64 stats not increasing when requests go through DNS cache resolver
744269-3 2-Critical   dynconfd restarts if FQDN template node deleted while IP address change in progress
741919-1 2-Critical   HTTP response may be dropped following a 100 continue message.
738945-1 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
727206-4 2-Critical   Memory corruption when using SSL Forward Proxy on certain platforms
718210-3 2-Critical   Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused
747131-1 3-Major   ARP table may not be updated properly by some TMMs
746922-3 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
744536 3-Major   HTTP/2 may garble large headers
742078-1 3-Major   Incoming SYNs are dropped and the connection does not time out.
739638-1 3-Major   BGP failed to connect with neighbor when pool route is used
738523-3 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
721621-2 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
720799-3 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
717896-1 3-Major   Monitor instances deleted in peer unit after sync
717100-4 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716716-3 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
710564-3 3-Major   DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0
710355-1 3-Major   High CPU when using HTTP::collect for large chunked payloads
705112-1 3-Major   DHCP server flows are not re-established after expiration
685519-3 3-Major   Mirrored connections ignore the handshake timeout
651889-2 3-Major   persist record may be inconsistent after a virtual hit rate limit
625166-1 3-Major   Suspended iRules cannot complete on aborted flows
588720-1 3-Major K44907534 Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.
273104-2 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
751586-1 4-Minor   http2 virtual does not honour translate-address disabled
684319-2 4-Minor   iRule execution logging
664618-3 4-Minor   Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
658382-1 5-Cosmetic   Large numbers of ERR_UNKNOWN appearing in the logs


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756774-3 2-Critical   Aborted DNS queries to a cache may cause a TMM crash
756094-1 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log
739846-4 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
749508-4 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
748902-8 3-Major   Incorrect handling of memory allocations while processing DNSSEC queries
746877-4 3-Major   Omitted check for success of memory allocation for DNSSEC resource record
744707-1 3-Major   Crash related to DNSSEC key rollover
723288-3 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
721895-1 3-Major   Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)
748177-4 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
726412-1 4-Minor   Virtual server drop down missing objects on pool creation


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
691945-2 3-Major   Security Policy Configuration Changes When Disabling Learning
690215-1 3-Major   Missing requests in request log
641307-2 3-Major   Response Page contents are corrupted by XML policy import for non-UTF-8 policies
641083-2 3-Major   Policy Builder Persistence is not saved while config events are received
754365-2 4-Minor   Updated flags for countries that changed their flags since 2010
583402-1 4-Minor   ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
747192-3 2-Critical   Small memory leak while creating Access Policy items
714716-3 2-Critical K10248311 Apmd logs password for acp messages when in debug mode
660913-1 2-Critical   For ActiveSync client type, browscap info provided is incorrect.
597674-1 2-Critical   TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.
758764-5 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
747725-1 3-Major   Kerberos Auth agent may override settings that manually made to krb5.conf
746768-2 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
745654-1 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
722969-1 3-Major   Access Policy import with 'reuse' enabled instead rewrites shared objects
672818-2 3-Major   When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
656784-2 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
674367-1 3-Major K20983428 SDD v3 symmetric deduplication may stop working indefinitely


Service Provider Fixes

ID Number Severity Solution Article(s) Description
701680-1 3-Major   MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-4 1-Blocking K52868493 LibSSH Vulnerability: CVE-2018-10933
686376-1 3-Major   Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
624314-1 3-Major   AVR reports incorrect 'actions' in ACL reports


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-1 3-Major   PEM content insertion in a compressed response may truncate some data


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744959-2 3-Major   SNMP OID for sysLsnPoolStatTotal not incremented in stats
708830-1 3-Major   Inbound or hairpin connections may get stuck consuming memory.



Cumulative fixes from BIG-IP v12.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
738119-3 CVE-2019-6589 K23566124 SIP routing UI does not follow best practices
714181-3 CVE-2019-6603 K14632915 TMM may crash while processing TCP traffic
671498-3 CVE-2017-3143 K02230327 BIND zone contents may be manipulated
745358-4 CVE-2019-6607 K14812883 ASM GUI does not follow best practices
737442-1 CVE-2019-6591 K32840424 Error in APM Hosted Content when set to public access
716900-1 CVE-2019-6594 K91026261 TMM core when using MPTCP
699452-3 CVE-2019-6597 K29280193 Web UI does not follow current best coding practices
658557-2 CVE-2019-6606 K35209601 The snmpd daemon may leak memory when processing requests.
643554-12 CVE-2017-3731 CVE-2017-3732 CVE-2016-7055 K37526132 K44512851 K43570545 OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
603658-1 CVE-2019-6601 K25359902 AAM security hardening
530775-4 CVE-2019-6600 K23734425 Login page may generate unexpected HTML output
701785-3 CVE-2017-18017 K18352029 Linux kernel vulnerability: CVE-2017-18017


Functional Change Fixes

ID Number Severity Solution Article(s) Description
734527-4 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
600385-1 3-Major K43295141 BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout
597899-1 3-Major   Disabling all pool members may not be reflected in Virtual Server status


TMOS Fixes

ID Number Severity Solution Article(s) Description
741423-1 2-Critical   Secondary blade goes offline when provisioning ASM/FPS on already established config-sync
738887-2 2-Critical   The snmpd daemon may leak memory when processing requests.
724680-3 2-Critical   OpenSSL Vulnerability: CVE-2018-0732
723722-3 2-Critical   MCPD crashes if several thousand files are created between config syncs.
723298-3 2-Critical   BIND upgrade to version 9.11.4
700386-1 2-Critical   mcpd may dump core on startup
697424 2-Critical   iControl-REST crashes on /example for firewall address-lists
691589 2-Critical   When using LDAP client auth, tamd may become stuck
689437-2 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
638091-4 2-Critical   Config sync after changing named pool members can cause mcpd on secondary blades to restart
594366-1 2-Critical K21271097 Occasional crash of icrd_child when BIG-IP restarts
748187-1 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
720713-3 3-Major   TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail
720651-3 3-Major   Running Guest Changed to Provisioned Never Stops
720461-3 3-Major   qkview prompts for password on chassis
711249-2 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
707391-4 3-Major   BGP may keep announcing routes after disabling route health injection
706354-1 3-Major   OPT-0045 optic unable to link
706104-2 3-Major   Dynamically advertised route may flap
705037-3 3-Major   System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704449-4 3-Major   Orphaned tmsh processes might eventually lead to an out-of-memory condition
700827-2 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
700757-2 3-Major   vcmpd may crash when it is exiting
693884-3 3-Major   ospfd core on secondary blade during network unstability
692189-3 3-Major   errdefsd fails to generate a core file on request.
689002-1 3-Major   Stackoverflow when JSON is deeply nested
676705-2 3-Major   do not run agetty on VE without serial port
673974-1 3-Major K63225596 agetty auto detects parity on console port incorrectly
671447-2 3-Major   ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
666884-2 3-Major K27056204 Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform
653888-2 3-Major   BGP advertisement-interval attribute ignored in peer group configuration
652877-3 3-Major   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
642923-2 3-Major   MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
639575-5 3-Major   Using libtar with files larger than 2 GB will create an unusable tarball
628402-4 3-Major   Operator users receive 'can't get object count from mcpd' error in response to certain commands
613509-1 3-Major K49101035 platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve
610449-2 3-Major   restarting mcpd on guest makes block-device-images disappear
602566-5 3-Major   sod daemon may crash during start-up
598289-4 3-Major   TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
598085-2 3-Major   Expected telemetry is not transmitted by sFlow on the standby-mode unit.
563905-2 3-Major   Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.
491560-1 3-Major   Using proxy for IP intelligence updates
737389 4-Minor   kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed
674145-3 4-Minor   chmand error log message missing data
608348-4 4-Minor   Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
744117-6 2-Critical K18263026 The HTTP URI is not always parsed correctly
740490-2 2-Critical   Configuration changes involving HTTP2 or SPDY may leak memory
739927-1 2-Critical   Bigd crashes after a specific combination of logging operations
737758-1 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
727044-1 2-Critical   TMM may crash while processing compressed data
726239-3 2-Critical   interruption of traffic handling as sod daemon restarts TMM
724868-2 2-Critical   dynconfd memory usage increases over time
663178-1 2-Critical   tmm may crash sometimes usng VPN
606035-1 2-Critical   csyncd crash
738521-2 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
714559-1 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
710028-4 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
708068-3 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
706102-3 3-Major   SMTP monitor does not handle all multi-line banner use cases
701678-1 3-Major   Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
695925-3 3-Major   tmm crash when showing connections for a CMP disabled virtual server
693910-2 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582-3 3-Major   Monitor node log not rotated for certain monitor types
680264 3-Major   HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
674591-2 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
672312-2 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
666595-2 3-Major   Monitor node log fd leak by bigd instances not actively monitoring node
662816-2 3-Major K61902543 Monitor node log fd leak for certain monitor types
653930-2 3-Major K69713140 Monitor with description containing backslash may fail to load.
613618-1 3-Major   The TMM crashes in the websso plugin.
611482-4 3-Major K71450348 Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .
610138-2 3-Major K23284054 STARTTLS in SMTPS filter does not properly restrict I/O buffering
605147-1 3-Major   No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.
598707-4 3-Major   Path MTU does not work in self-IP flows
586621-7 3-Major K36008344 SQL monitors 'count' config value does not work as expected.
628016-2 4-Minor   MP_JOIN always fails if MPTCP never receives payload data
618884-1 4-Minor   Behavior when using VLAN-Group and STP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
750488 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750484 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750472 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
750457 3-Major   Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records
749774-2 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-2 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records
737332-2 3-Major   It is possible for DNSX to serve partial zone information for a short period of time
723792-3 3-Major   GTM regex handling of some escape characters renders it invalid


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
741108 2-Critical   tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses
744347-1 3-Major   Protocol Security logging profiles cause slow ASM upgrade and apply policy
739945-1 3-Major   JavaScript challenge on POST with 307 breaks application
738789-3 3-Major   ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog
738647-1 3-Major   Add the login detection criteria of 'status code is not X'
737998 3-Major   Brute Force end attack condition isn't satisfied for successful logins only
698757-1 3-Major K58143082 Standby system saves config and changes status after sync from peer
664714-1 3-Major   Client-side challenge is changing POST parameter value under some circumstances
642185-1 3-Major   Add support for IBM AppScan scanner schema changes
613728-1 3-Major   Import/Activate Security policy with 'Replace policy associated with virtual server' option fails
569195-1 3-Major K41874435 A Set-Cookie for an existing ASM cookie without value change
542817-1 3-Major K11619228 Specific numbers that are not credit card numbers are being masked as such
653895 4-Minor   Admin user cannot edit policy


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
616161-1 2-Critical   BD process crash and restarts
737597 3-Major   AVR DoS Attack report misses virtual server name in a specific config


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
740777-2 2-Critical   Secondary blades mcp daemon restart when subroutine properties are configured
672221 2-Critical   TMM cores if the certificate configured to validate message signature does not exist.
631060-1 2-Critical   BIG-IP may incorrectly reject serverside connection when REQLOG is configured.
745574-4 3-Major   URL is not removed from custom category when deleted
739744-2 3-Major   Import of Policy using Pool with members is failing
726592-2 3-Major   Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop
628712-1 3-Major K53129098 Advanced customization doesn't work for Profiles in non-common partition with . (period) with name


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
706642-3 2-Critical   wamd may leak memory during configuration changes and cluster events
603746-1 4-Minor   DCDB security hardening


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
724532-1 2-Critical   SIG SEGV during IP intelligence category match in TMM
710755-2 2-Critical   Crash when cached route information becomes stale and the system accesses the information from it.
699454-3 4-Minor   Web UI does not follow current best coding practices
627454 4-Minor   Trimming leading whitespaces at logging profile creation


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
744516-2 2-Critical   TMM panics after a large number of LSN remote picks
734446-3 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
669645-1 2-Critical   tmm crashes after LSN pool member change
663531-1 2-Critical   TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
746868 2-Critical   memory leakage when "apply to base domain" is enabled



Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
739094-4 CVE-2018-5546 K54431371 APM Client Vulnerability: CVE-2018-5546
737441-1 CVE-2018-5546 K54431371 Disallow hard links to svpn log files
726089-3 CVE-2018-15312 K44462254 Modifications to AVR metrics page
724339-2 CVE-2018-15314 K04524282 Unexpected TMUI output in AFM
724335-2 CVE-2018-15313 K21042153 Unexpected TMUI output in AFM
722677-3 CVE-2019-6604 K26455071 High-Speed Bridge may lock up
722387-2 CVE-2019-6596 K97241515 TMM may crash when processing APM DTLS traffic
722091-2 CVE-2018-15319 K64208870 TMM may crash while processing HTTP traffic
717742-3 CVE-2018-2798, CVE-2018-2811, CVE-2018-2795, CVE-2018-2790, CVE-2018-2783, CVE-2018-2825, CVE-2018-2826, CVE-2018-2796, CVE-2018-2799, CVE-2018-2815, CVE-2018-2800, CVE-2018-2814, CVE-2018-2797, CVE-2018-2794 K44923228 Oracle Java SE vulnerability CVE-2018-2783
707990-3 CVE-2018-15315 K41704442 Unexpected TMUI output in SSL Certificate Instance page
704184-3 CVE-2018-5529 K52171282 APM MAC Client create files with owner only read write permissions
701253-3 CVE-2018-15318 K16248201 TMM core when using MPTCP
721924-3 2018-17539 K17264695 bgpd may crash processing extended ASNs
719554-3 CVE-2018-8897 K17403481 Linux Kernel Vulnerability: CVE-2018-8897
674486-5 CVE-2017-9233 K03244804 Expat Vulnerability: CVE-2017-9233
661828-1 CVE-2019-6590 K55101404 TMM may consume excessive resources when processing SSL traffic


Functional Change Fixes

ID Number Severity Solution Article(s) Description
715750-3 3-Major   The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
652671-4 3-Major K31326690 Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.


TMOS Fixes

ID Number Severity Solution Article(s) Description
716391-3 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
690793-2 2-Critical K25263287 TMM may crash and dump core due to improper connflow tracking
688148-1 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
613476-2 2-Critical   IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion
704247-3 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
686124-3 3-Major K83576240 IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
678380-3 3-Major K26023811 Deleting an IKEv1 peer in current use could SEGV on race conditions.
671712 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
670528-1 3-Major K20251354 Warnings during vCMP host upgrade.
620746-1 3-Major   MCPD crash
580602-1 3-Major   Configuration containing LTM nodes with IPv6 link-local addresses fail to load.
551925-3 3-Major   Misdirected UDP traffic with hardware acceleration
464650-4 3-Major   Failure of mcpd with invalid authentication context.
689211-2 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
678254-2 4-Minor   Error logged when restarting Tomcat


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
716213-3 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
697259-1 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656-3 2-Critical K05186205 Routing changes may cause TMM to restart
666401-2 2-Critical K03294104 Memory might become corrupted when a Standby device transitions to Active during failover
659709-1 2-Critical   Mirroring persistence records may cause a TMM memory leak
641869-1 2-Critical K62744980 Assertion "vmem_hashlist_remove not found" failed.
635191-1 2-Critical   Under rare circumstances TMM may crash
618106-1 2-Critical K74714343 bigd core due to memory leak, especially with FQDN nodes
615097-1 2-Critical   Incorrect use of HTTP::collect leads to TMM core.
513310-1 2-Critical   TMM might core when a profile is changed.
722363-1 3-Major   Client fails to connect to server when using PVA offload at Established
720293-1 3-Major   HTTP2 IPv4 to IPv6 fails
713690-1 3-Major   IPv6 cache route metrics are locked
712664-4 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
711981-3 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
700696-2 3-Major   SSID does not cache fragmented Client Certificates correctly via iRule
694697-3 3-Major K62065305 clusterd logs heartbeat check messages at log level info
693308-3 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691224-1 3-Major K59327001 Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled
671725-1 3-Major K19920320 Connection leak on standby unit
632968-2 3-Major   supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails
600812-1 3-Major   IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.
578971-3 3-Major   When mcpd is restarted on a blade, cluster members may be temporarily marked as failed
572234-2 3-Major   When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
716922-4 4-Minor   Reduction in PUSH flags when Nagle Enabled
622148-5 4-Minor   flow generated icmp error message need to consider which side of the proxy they are
602708-2 4-Minor K84837413 Traffic may not passthrough CoS by default


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
718885-1 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
726255-3 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
719644-1 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions
715448-1 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
710246-3 3-Major   DNS-Express was not sending out NOTIFY messages on VE
636790-3 3-Major   Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
739798 2-Critical   Massive number of log messages being generated and written to the bd.log.
734622 2-Critical K83093212 Policy change with newly enforced signatures causes sig collection failure in other policies
721741-2 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
716788-3 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
685230-1 2-Critical   memory leak on a specific server scenario
666221-2 2-Critical K47152503 tmm may crash from DoSL7
617391-1 2-Critical K53345828 Custom ASM Search Engines causing sync, offline, and upgrade issues
721752-1 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
713282-3 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
701856-2 3-Major   Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart
701039 3-Major   Requests do not appear in local logging due to rare file descriptor exhaustion
676223-2 3-Major   Internal parameter in order not to sign allowed cookies
650070-2 3-Major K23041827 iRule that uses ASM violation details may cause the system to reset the request
648639-3 3-Major K92201230 TS cookie name contains NULL or other raw byte
646800-2 3-Major   A part of the request is not sent to ICAP server in a specific case
644725-4 3-Major K01914292 Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
614730-1 3-Major   Session opening log shows incorrect number of challenged responses.
564324-2 3-Major   ASM scripts can break applications
463314-2 4-Minor   Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
685741 3-Major   DoS Overview is very slow to load data, to the point of timeout
649177-2 3-Major K54018808 Testing for connection to SMTP Server always returns "OK"


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
722013-3 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
631286-1 2-Critical   TMM Memory leak caused by APM URI cache entries
546489-1 2-Critical   VMware View USB redirection stops working after client reconnect
739144-1 3-Major   Domain logoff scripts runs after VPN connection is closed
738397-2 3-Major   SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
726895-1 3-Major K02205915 VPE cannot modify subroutine settings
713655-3 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
703793-1 3-Major   tmm restarts when using ACCESS::perflow get' in certain events
702873-3 3-Major   Windows Logon Integration feature may cause Windows logon screen freeze
631626 3-Major   Unable to delete an access profile which contains a route domain agent
631048-1 3-Major   Portal Access [PeopleSoft] 'My Preferences' page does not have content
596166-1 3-Major   Cannot create email using Address Book
565347-2 3-Major   Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction
721375 4-Minor   Export then import of config with RSA server in it might fail


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
603755-1 2-Critical   dwbld core dump when Auto Blacklisting is configured, in a rare scenario
698806-2 3-Major   Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
738669-3 3-Major   Login validation may fail for a large request with early server response
716318-4 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
726303 3-Major   Unlock 10 million custom db entry limit



Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
716992-3 CVE-2018-5539 K75432956 The ASM bd process may crash
710244-1 CVE-2018-5536 K27391542 Memory Leak of access policy execution objects
709972-4 CVE-2017-12613 K52319810 CVE-2017-12613: APR Vulnerability
709688-5 CVE-2017-3144
CVE-2018-5732
CVE-2018-5733
K08306700 dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733
693744-3 CVE-2018-5531 K64721111 CVE-2018-5531: vCMP vulnerability
710827-4 CVE-2019-6598 K44603900 TMUI dashboard daemon stability issue
710705-3 CVE-2018-7320, CVE-2018-7321, CVE-2018-7322, CVE-2018-7423, CVE-2018-7324, CVE-2018-7325, CVE-2018-7326, CVE-2018-7327, CVE-2018-7428, CVE-2018-7329, CVE-2018-7330, CVE-2018-7331, CVE-2018-7332, CVE-2018-7333, CVE-2018-7334, CVE-2018-7335, CVE-2018-7336, CVE-2018-7337, CVE-2018-7417, CVE-2018-7418, CVE-2018-7419, CVE-2018-7420, CVE-2018-7421 K34035645 Multiple Wireshark vulnerabilities
710314-2 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
710148-4 CVE-2017-1000111
CVE-2017-1000112
K60250153 CVE-2017-1000111 & CVE-2017-1000112
705476-4 CVE-2018-15322 K28003839 Appliance Mode does not follow design best practices
703940-3 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
698813-3 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
677088-4 CVE-2018-15321 K01067037 BIG-IP tmsh vulnerability CVE-2018-15321
672124-3 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
714879-1 CVE-2018-15326 K34652116 APM CRLDP Auth passes all certs
708653-3 CVE-2018-15311 K07550539 TMM may crash while processing TCP traffic
673165 CVE-2017-7895 K15004519 CVE-2017-7895: Linux Kernel Vulnerability


Functional Change Fixes

ID Number Severity Solution Article(s) Description
671999-2 3-Major   Re-extract the the thales software everytime the installation script is run
643034-1 3-Major K52510343 Turn off TCP Proxy ICMP forwarding by default
620445-4 3-Major   New SIP::persist keyword to set the timeout without changing key
613023-4 3-Major   Update SIP::Persist to support resetting timeout value.
441079-2 3-Major K55242686 BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved
693007-3 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC


TMOS Fixes

ID Number Severity Solution Article(s) Description
700315-3 1-Blocking K26130444 Ctrl+C does not terminate TShark
636774-1 1-Blocking   Potential TMM crash credits to BWC token distribution logic
723130-3 2-Critical K13996 Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
707003-2 2-Critical   Unexpected syntax error in TMSH AVR
706423-2 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
696113-1 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
692158-2 2-Critical   iCall and CLI script memory leak when saving configuration
690819-3 2-Critical   Using an iRule module after a 'session lookup' may result in crash
671314-4 2-Critical K37093335 BIG-IP system cores when sending SIP SCTP traffic
665362-4 2-Critical   MCPD might crash if the AOM restarts
663197-3 2-Critical   Security hardening of files to prevent sensitive configuration from being stored in qkview.
626861-2 2-Critical K31220138 Ensure unique IKEv2 sequence numbers
599223-1 2-Critical   Prevent static destructors in tmipsecd daemon
581851-2 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
559980-1 2-Critical   Change console baud rate requires reboot to take effect
508113-3 2-Critical   tmsh load sys config base merge file <filename> fails
720880 3-Major   Attempts to license/re-license the BIG-IP system fail.
720756 3-Major   SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS
720104 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
714848 3-Major   OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled
710602 3-Major   iCRD commands requiring 'root' user access fixed
707445 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
704336-3 3-Major   Updating 3rd party device cert not copied correctly to trusted certificate store
704282-3 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
701900 3-Major K55938217 DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.
698947-1 3-Major   BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.
694740-1 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
693106-2 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
692179-3 3-Major   Potential high memory usage from errdefsd.
687905 3-Major K72040312 OneConnect profile causes CMP redirected connections on the HA standby
687534-3 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
686926-3 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
684391-1 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
680838-3 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-3 3-Major K44117473 ECP does not work for PFS in IKEv2 child SAs
678925-4 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
677928-2 3-Major   A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
676897-1 3-Major K25082113 IPsec keeps failing to reconnect
676092-1 3-Major   IPsec keeps failing to reconnect
675718-1 3-Major   IPsec keeps failing to reconnect
669268 3-Major   Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
667223 3-Major   The merge option for the tmsh load sys config command removes existing nested objects
666035-1 3-Major   Obscuring secrets in files collected by qkview
621314-6 3-Major K55358710 SCTP virtual server with mirroring may cause excessive memory use on standby device
617865-1 3-Major   Missing health monitor information for FQDN members
605270-5 3-Major   On some platforms the SYN-Cookie status report is not accurate
588929-2 3-Major   SCTP emits 'address conflict detected' log messages during failover
588794-2 3-Major   Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771-2 3-Major   SCTP needs traffic-group validation for server-side client alternate addresses
586938-1 3-Major K57360106 Standby device will respond to the ARP of the SCTP multihoming alternate address
586031-1 3-Major K40453207 Configuration with LTM policy may fail to load
525580-1 3-Major K51013874 tmsh load sys config merge file filename.scf base command does not work as expected
685475-3 4-Minor K93145012 Unexpected error when applying hotfix
680856-3 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
679135-3 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678388-3 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times
658298-3 4-Minor   SMB monitor marks node down when file not specified
624484-2 4-Minor K09023677 Timestamps not available in bash history on non-login interactive shells
573031-1 4-Minor   qkview may not collect certain configuration files in their entirety
720391-1 5-Cosmetic   BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'
713491-1 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianess
651826-2 5-Cosmetic   SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
718071-3 2-Critical   HTTP2 with ASM policy not passing traffic
709334-2 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114-3 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447-2 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707207-2 2-Critical   iRuleLx returning undefined value may cause TMM restart
703914-1 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
686685-1 2-Critical   LTM Policy internal compilation error
683631-1 2-Critical   TMM crashes during stress test
678722-2 2-Critical   In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources
676721-2 2-Critical K33325265 Missing check for NULL condition causes tmm crash.
674004-1 2-Critical K34448924 tmm may crash when after deleting pool member in traffic
670804-2 2-Critical K03163260 Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP
656898-2 2-Critical   'oops' 'bad transition' messages occur
613524-3 2-Critical   TMM crash when call HTTP::respond twice in LB_FAILED
598110-1 2-Critical   pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.
586587-1 2-Critical   RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.
571651-3 2-Critical   Reset Nitrox3 crypto accelerator queue if it becomes stuck.
440620-2 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
713951-3 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-4 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
712475-1 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712464-1 3-Major   Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
712437-1 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
711281-3 3-Major   nitrox_diag may run out of space on /shared
707951 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
704381-3 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
703580 3-Major   TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.
702151-2 3-Major   HTTP/2 can garble large headers
700889-2 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700061-3 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
700057-3 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
698916-3 3-Major   TMM crash with HTTP/2 under specific condition
698379-3 3-Major K61238215 HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
693838 3-Major   Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors
691806-3 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
688553-1 3-Major   SASP GWM monitor may not mark member UP as expected
685615-5 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
681757-1 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
678872-2 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
677525-3 3-Major   Translucent VLAN group may use unexpected source MAC address
676914-1 3-Major   The SSL Session Cache can grow indefinitely if the traffic group is changed.
676828-2 3-Major K09012436 Host IPv6 traffic is generated even when ipv6.enabled is false
676355-2 3-Major   DTLS retransmission does not comply with RFC in certain resumed SSL session
675212-3 3-Major   The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication
673052-2 3-Major   On i-Series platforms, HTTP/2 is limited to 10 streams
671337-1 3-Major   NetHSM DNSSEC key creation can attempt to change the SELinux label on a file
668196-2 3-Major   Connection limit continues to be enforced with least-connections and pool member flap, member remains down
668006-1 3-Major K12015701 Suspended 'after' command leads to assertion if there are multiple pending events
667707-2 3-Major   LTM policy associations with virtual servers are not ConfigSynced correctly
659519-1 3-Major K42400554 Non-default header-table-size setting on HTTP2 profiles may cause issues
657883-2 3-Major K34442339 tmm cache resolver should not cache response with TTL=0
657626-2 3-Major   User with role 'Manager' cannot delete/publish LTM policy.
651541-2 3-Major K83955631 Changes to the HTTP profile do not trigger validation for virtual servers using that profile
636289-2 3-Major   Fixed a memory issue while handling TCP::congestion iRule
633691-4 3-Major   HTTP transaction may not finish gracefully due to TCP connection is closed by RST
624846-1 3-Major   TCP Fast Open does not work for Responses < 1 MSS
604838-1 3-Major   TCP Analytics reports incorrectly reports entities as "Aggregated"
595281-1 3-Major   TCP Analytics reports huge goodput numbers
570277-1 3-Major K16044231 SafeNet client not able to establish session to all HSMs on all blades.
367226-4 3-Major   Outgoing RIP advertisements may have incorrect source port
251162-3 3-Major K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
248914-4 3-Major K00612197 ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
713533-3 4-Minor   list self-ip with queries does not work
708249-4 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
700433-2 4-Minor K10870739 Memory leak when attaching an LTM policy to a virtual server
685467-2 4-Minor K12933087 Certain header manipulations in HTTP profile may result in losing connection.
678801-2 4-Minor   WS::enabled returned empty string
677958-2 4-Minor   WS::frame prepend and WS::frame append do not insert string in the right place.
645729-1 4-Minor   SSL connection is not mirrored if ssl session cache is cleared and resume attempted
639970-3 4-Minor   GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error
627764-2 4-Minor   Prevent sending a 2nd RST for a TCP connection
627695-2 4-Minor   [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational
621379-2 4-Minor   TCP Lossfilter not enforced after iRule changes TCP settings
618024-2 4-Minor   software switched platforms accept traffic on lacp trunks even when the trunk is down
604272-1 4-Minor   SMTPS profile connections_current stat does not reflect actual connection count.
523814-3 4-Minor   When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
522302-2 4-Minor   TCP Receive Window error messages are inconsistent on UI
495242-3 4-Minor   mcpd log messages: Failed to unpublish LOIPC object


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
713066-3 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
707310-1 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
706128-1 3-Major   DNSSEC Signed Zone Transfers Can Leak Memory
705503-1 3-Major   Context leaked from iRule DNS lookup
680069-3 3-Major K81834254 zxfrd core during transfer while network failure and DNS server removed from DNS zone config
675539-1 3-Major   Inter-system communications targeted at a Management IP address might not work in some cases.
672491-2 3-Major K10990182 net resolver uses internal IP as source if matching wildcard forwarding virtual server
660263-4 3-Major   DNS transparent cache message and RR set activity counters not incrementing
653775-3 3-Major K05397641 Ampersand (&) in GTM synchronization group name causes synchronization failure.
643813-2 3-Major   ZoneRunner does not properly process $ORIGIN directives
637227-4 3-Major K60414305 DNS Validating Resolver produces inconsistent results with DNS64 configurations.
629421-1 3-Major   Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.
609527-2 3-Major   DNS cache local zone not properly copying recursion desired (RD) flag in response
602300-1 3-Major   Zone Runner entries cannot be modified when sys DNS starts with IPv6 address
669262-2 4-Minor   [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
638170-1 4-Minor K36455356 Pagination broken or missing while viewing pool statistics for GTM wideip
605537-5 4-Minor K03997964 Error when resetting statistics on GSLB Pool Members


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
639767-2 2-Critical   Policy with Session Awareness Statuses may fail to export
606983-3 2-Critical   ASM errors during policy import
580862-1 2-Critical   Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes
712362-1 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
710327-3 3-Major   Remote logger message is truncated at NULL character.
707888 3-Major   Some ASM operations delayed due to scheduled ASU update
707147-2 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706845-1 3-Major   False positive illegal multipart violation
704143-2 3-Major   BD memory leak
700726-1 3-Major   Search engine list was updated, and fixing case of multiple entries
691897-1 3-Major   Names of the modified cookies do not appear in the event log
687759-2 3-Major   bd crash
686765-1 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
683241-3 3-Major K70517410 Improve CSRF token handling
674527-1 3-Major   TCL error in ltm log when server closes connection while ASM irules are running
666112-1 3-Major K53708490 TMM 'DoS Layer 7' memory leak during config load
663396-1 3-Major   URL Method override is enforced incorrectly after upgrade
654996-1 3-Major K50345236 Closed connections remains in memory
665470-1 4-Minor   Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised
700812-2 5-Cosmetic   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
716747-4 2-Critical   TMM my crash while processing APM or SWG traffic
715250-2 2-Critical   TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED
681850-1 2-Critical   APMD process may fail to initialize on start either after upgrade or after adding certain configurations
671373-2 2-Critical   urldb core seen
632798-2 2-Critical K30710317 Double-free may occur if Access initialization fails
720695-2 3-Major   Export then import of APM access Profile/Policy with advanced customization is failing
720030-3 3-Major   Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
718208-1 3-Major   Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO
715207-2 3-Major   coapi errors while modifying per-request policy in VPE
714542-1 3-Major   'Always Connected Mode' text is missing in EdgeClient tray
712924 3-Major   In VPE SecurID servers list are not being displayed in SecurID authentication dialogue
712857-1 3-Major   SWG-Explicit rejects large POST bodies during policy evaluation
706374-2 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704524-2 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
684937-6 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
683113-6 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
658664-3 3-Major K21390304 VPN connection drops when 'prohibit routing table change' is enabled
609793-1 3-Major   HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.
602429-1 3-Major   DNS suffix is not restored after disconnecting Network Access
543344-3 3-Major   ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event
516736-1 3-Major   URLs with backslashes in the path may not be handled correctly in Portal Access


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-5 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
698338-2 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
685708-3 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
669739-1 2-Critical K71963740 Potential core when using MRF SIP with SCTP
659173-1 2-Critical K76352741 Diameter Message Length Limit Changed from 1024 to 4096 Bytes
700571-2 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
696049-3 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
688942-3 3-Major   ICAP: Chunk parser performs poorly with very large chunk
679114-2 3-Major   Persistence record expires early if an error is returned for a BYE command
674747-2 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
673814-4 3-Major K37822302 Custom bidirectional persistence entries are not updated to the session timeout
642298-3 3-Major   Unable to create a bidirectional custom persistence record in MRF SIP
640384-3 3-Major   New iRule options for MR::message route command
620759-4 3-Major   Persist timeout value gets truncated when added to the branch parameter.
632658-4 4-Minor   Enable SIP::persist command to operate during SIP_RESPONSE event
617690-4 4-Minor   enable SIP::respond iRule command to operate during MR_FAILED event


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
677473-1 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules
663770-2 3-Major K04025134 AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
699531-3 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
696294-3 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
715090 3-Major   PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers
711570-1 3-Major   PEM iRule subscriber policy name query using subscriber ID, may not return applied policies
711093-2 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-1 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
697718-3 3-Major   Increase PEM HSL reporting buffer size to 4K.
648802-3 3-Major   Required custom AVPs are not included in an RAA when reporting an error.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
667662-1 3-Major K06579313 Autolasthop does not work for PPTP-GRE traffic.


Device Management Fixes

ID Number Severity Solution Article(s) Description
625114-2 2-Critical K08062851 Internal sync-change conflict after update to local users table



Cumulative fixes from BIG-IP v12.1.3.5 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
708956 1-Blocking K51206433 During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
696732 2-Critical K54431534 tmm may crash in a compression provider
697616 3-Major   Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests
692239-1 3-Major K31554905 AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
689730-2 3-Major   Software installations from v13.1.0 might fail
674455-7 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
680388-2 4-Minor   f5optics should not show function name in non-debug log messages
653759-2 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
701538-1 2-Critical   SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured
662078-1 2-Critical   Occasionally connections are dropped in response to timing errors
694778-2 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
686631-1 3-Major   Deselect a compression provider at the end of a job and reselect a provider for a new job
679494-2 3-Major   Change the default compression strategy to speed
632824-1 3-Major K00722715 SSL TPS limit can be reached if the system clock is adjusted
495443-10 3-Major K16621 ECDH negotiation failures logged as critical errors.
679496-1 4-Minor   Add 'comp_req' to the output of 'tmctl compress'



Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
695901-2 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
693312-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
688516-2 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
704580-3 CVE-2018-5549 K05018525 apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
701359-2 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
688009-5 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
671497-4 CVE-2017-3142 K59448931 TSIG authentication bypass in AXFR requests
615269-1 CVE-2016-2183 K13167034 CVE-2016-2183: AFM SSH Proxy Vulnerability
603758-1 CVE-2018-5540 K82038789 Big3D security hardening


Functional Change Fixes

ID Number Severity Solution Article(s) Description
680850-1 3-Major K48342409 Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
570570-5 3-Major   Default crypto failure action is now 'go-offline-downlinks'.


TMOS Fixes

ID Number Severity Solution Article(s) Description
711547 1-Blocking   Update cipher support for Common Criteria compliance
708054-3 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706305-2 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
703761-1 2-Critical   Disable DSA keys for public-key and host-based authentication in Common Criteria mode
677937-1 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
673484-1 2-Critical K85405312 IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
664549-2 2-Critical K55105132 TMM restart while processing rewrite filter
599423-1 2-Critical K24584925 merged cores and restarts
583111-1 2-Critical   BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured
701626-1 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
686029-1 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
664737-2 3-Major   Do not reboot on ctrl-alt-del
655005-1 3-Major K23355841 "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
646890-1 3-Major K12068427 IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
635703-1 3-Major K14508857 Interface description may cause some interface level commands to be removed
614486-1 3-Major   BGP community lower bytes of zero is not allowed to be set in route-map
612721-4 3-Major   FIPS: .exp keys cannot be imported when the local source directory contains .key file
609967-2 3-Major K55424912 qkview missing some HugePage memory data
586412-2 3-Major   BGP peer-group members address-family configuration not saved to configuration
583108-1 3-Major   Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.
581101-1 3-Major   non-admin user running list cmd: can't get object count
557155-8 3-Major K33044393 BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
421797-3 3-Major   ePVA continues to accelerate IP Forwarding VS traffic even in Standby
651413-2 4-Minor K34042229 tmsh list ltm node does not return an error when node does not exist
598437-1 4-Minor   SNMP process monitoring is incorrect for tmm and bigd


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
706631 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
705611-1 2-Critical   The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666-2 2-Critical   memory corruption can occur when using certain certificates
701202-1 2-Critical K35023432 SSL memory corruption
700862-2 2-Critical K15130240 tmm SIGFPE 'valid node'
700393-2 2-Critical K53464344 Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
685254-1 2-Critical K14013100 RAM Cache Exceeding Watchdog Timeout in Header Field Search
678416-2 2-Critical   Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
676028-2 2-Critical K09689143 SSL forward proxy bypass may fail to release memory used for ssl_hs instances
673951-4 2-Critical K56466330 Memory leak when using HTTP2 profile
670814-2 2-Critical   Wrong SE Linux label breaks nethsm DNSSEC keys
665185-1 2-Critical K20994524 SSL handshake reference is not dropped if forward proxy certificate lookup failed
657463-2 2-Critical   SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.
648320-3 2-Critical K38159538 Downloading via APM tunnels could experience performance downgrade.
647757-2 2-Critical K96395052 RATE-SHAPER:Fred not properly initialized may halt traffic
613088-3 2-Critical   pkcs11d thread has session initialization problem.
452283-2 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
705794-1 3-Major   Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
690042-3 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689449-3 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
687205-3 3-Major   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686972-1 3-Major   The change of APM log settings will reset the SSL session cache.
686395 3-Major   With DTLS version1, when client hello uses version1.2, handshake shall proceed
683697-3 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
677962-3 3-Major   Invalid use of SETTINGS_MAX_FRAME_SIZE
677457 3-Major K13036194 HTTP/2 Gateway appends semicolon when a request has one or more cookies
677400-3 3-Major K82502883 pimd daemon may exit on failover
673399-1 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
665652-2 3-Major K41193475 Multicast traffic not forwarded to members of VLAN group
664528-1 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
663551-1 3-Major K14942957 SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
662911-2 3-Major K93119070 SASP monitor uses same UID for all vCMP guests in a chassis or appliance
654368-7 3-Major K15732489 ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654086-3 3-Major   Incorrect handling of HTTP2 data frames larger than minimal frame size
653976-2 3-Major K00610259 SSL handshake fails if server certificate contains multiple CommonNames
651901-2 3-Major   Removed unnecessary ASSERTs in MPTCP code
640369-2 3-Major   TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
633333-3 3-Major   During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
619844-2 3-Major   Packet leak if reject command is used in FLOW_INIT rule
611691-5 3-Major   Packet payload ignored when DSS option contains DATA_FIN
608991-7 3-Major   BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed
605480-4 3-Major   BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection
604880-4 3-Major   tmm assert "valid pcb" in tcp.c
604549-7 3-Major   MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data
592731-1 3-Major K34220124 Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.
653746-2 4-Minor K83324551 Unable to display detailed CPU graphs if the number of CPU is too large
569814-2 4-Minor K30240351 iRule "nexthop IP_ADDR" rejected by validator


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
710424-3 2-Critical K00874337 Possible SIGSEGV in GTMD when GTM persistence is enabled.
699135-2 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip
691287-3 2-Critical   tmm crashes on iRule with GTM pool command
682335-3 2-Critical   TMM can establish multiple connections to the same gtmd
699339-1 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808-3 3-Major   Disabling a single pool member removes all GTM persistence records
687128-3 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
679149-2 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
663310-3 3-Major   named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files
619158-1 3-Major   iRule DNS request with trailing dot times out with empty response
595293-4 3-Major   Deleting GTM links could cause gtm_add to fail on new devices.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221-1 1-Blocking   APMD may generate core file or appears locked up after APM configuration changed
702278-3 2-Critical   Potential XSS security exposure on APM logon page.
678715-1 2-Critical   Large volume of query result update to SessionDB fails and locks down ApmD
712315-1 3-Major   LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
710211 3-Major   Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.
702490-4 3-Major   Windows Credential Reuse feature may not work
702487-1 3-Major   AD/LDAP admins with spaces in names are not supported
700780-4 3-Major   F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses
699267-1 3-Major   LDAP Query may fail to resolve nested groups
681415-1 3-Major   Copying of profile with advanced customization or images might fail
675775-2 3-Major   TMM crashes inside dynamic ACL building session db callback
672250-1 3-Major   SessionDB update from ApmD with large volume fails
671149-3 3-Major   Captive portal login page is not rendered until it is refreshed
669459-2 3-Major   Efect of bad connection handle between APMD and memcachd
639283-4 3-Major   Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
569542-1 3-Major   After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade
667237-3 4-Minor   Edge Client logs the routing and IP tables repeatedly


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
673463-2 2-Critical K68275280 SDD v3 symmetric deduplication may start performing poorly after a failover event
685693 3-Major   APM AppTunnels memory leak


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
702738 3-Major K32181540 Tmm might crash activating new blob when changing firewall rules
528499-3 4-Minor   AFM address lists are not sorted while trying to create a new rule.



Cumulative fixes from BIG-IP v12.1.3.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
706086-1 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
704490 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
704483 CVE-2017-5753
CVE-2017-9074
CVE-2017-7542
CVE-2017-11176
K91229003 CVE-2017-5753 (Spectre Variant 1)


Functional Change Fixes

ID Number Severity Solution Article(s) Description
467709-1 4-Minor   FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226-2 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
704804-2 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-2 3-Major   NAS-IP-Address is sent with the bytes in reverse order
703869-1 3-Major   Waagent updated to 2.2.21
701249-2 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
699147 3-Major   Hourly billed cloud images are now pre-licensed
687098 3-Major   IPv6 RADIUS servers not supported for remote authentication
674288-2 3-Major K62223225 FQDN nodes - monitor attribute doesn't reliably show in GUI
649465-1 3-Major   SELinux warning messages regarding nsm daemon


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
695117 2-Critical K30081842 bigd cores and sends corrupted MCP messages with many FQDN nodes
668883 2-Critical   FQDN pool member status may become out-of-sync when enabled/disabled through GUI
707675 3-Major   FQDN nodes or pool members flap when DNS response received
701609 3-Major   Static member of pool with FQDN members may revert to user-disabled after being re-enabled
685344-2 3-Major   Monitor 'min 1 of' not working as expected with FQDN nodes/members
673075-1 3-Major   Reduced Issues for Monitors configured with FQDN
671228-1 3-Major   Multiple FQDN ephemeral nodes may be created with autopopulate disabled
667560-3 3-Major K69205908 FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed
573602-1 3-Major   FQDN pool members not shown by tmsh show ltm monitor
573302-1 3-Major   FQDN pool member remains in disabled state after removing monitor
571095-1 3-Major   Monitor probing to pool member stops after FQDN pool member with same IP address is deleted
699262-2 5-Cosmetic   FQDN pool member status remains in 'checking' state after full config sync



Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
700556-2 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
698080-1 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
691504-3 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
686305-2 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
677193-2 CVE-2017-6154 K38243073 ASM BD Daemon Crash.
674189 CVE-2016-0718 K52320548 iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0
673078-1 CVE-2017-6150 K62712037 TMM may crash when processing FastL4 traffic
670822-3 CVE-2017-6148 K55225440 TMM may crash when processing SOCKS data
668501-2 CVE-2017-6151 K07369970 HTTP2 does not handle some URIs correctly
630446-1 CVE-2016-0718 K52320548 Expat vulnerability CVE-2016-0718
621233-1 CVE-2018-5509 K49440608 FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm
699455-3 CVE-2018-5523 K50254952 SAML export does not follow best practices
699346-2 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
694274-2 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625-2 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
688011-5 CVE-2018-5520 K02043709 Dig utility does not apply best practices
676457-3 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
671638-4 CVE-2018-5500 K33211839 TMM crash when load-balancing mptcp traffic
670405-4 CVE-2017-1000366 K20486351 K20486351: glibc vulnerability CVE-2017-1000366:
662850-2 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
662663-6 CVE-2018-5507 K52521791 Decryption failure Nitrox platforms in vCMP mode
652848-2 CVE-2018-5501 K44200194 TCP DNS profile may impact performance
643375-1 CVE-2018-5508 K10329515 TMM may crash when processing compressed data
631204-1 CVE-2018-5521 K23124150 GeoIP lookups incorrectly parse IP addresses
617273-7 CVE-2016-5300 K70938105 Expat XML library vulnerability CVE-2016-5300
593139-9 CVE-2014-9761 K31211252 glibc vulnerability CVE-2014-9761
572272-5 CVE-2018-5506 K65355492 BIG-IP - Anonymous Certificate ID Enumeration
673607-2 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667-4 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
605579-8 CVE-2012-6702 K65460334 iControl-SOAP expat client library is subjected to entropy attack
578983-4 CVE-2015-8778 K51079478 glibc: Integer overflow in hcreate and hcreate_r
684033-1 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)


Functional Change Fixes

ID Number Severity Solution Article(s) Description
686389-3 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
685020-1 3-Major   Enhancement to SessionDB provides timeout
653772-2 3-Major   fastL4 fails to evict flows from the ePVA
639505-3 3-Major   BGP may not send all configured aggregate routes
587107-3 3-Major   Allow iQuery to negotiate up to version TLS1.2


TMOS Fixes

ID Number Severity Solution Article(s) Description
667148-1 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
689577-1 2-Critical K45800333 ospf6d may crash when processing specific LSAs
678833 2-Critical   IPv6 prefix SPDAG causes packet drop
676203-1 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.
667405-2 2-Critical K61251939 Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404-2 2-Critical K77576404 Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
651362 2-Critical   eventd crashes during boot
631700-1 2-Critical K72453283 sod may kill bcm56xxd under heavy load
617733-1 2-Critical   Error message: subscriber id response; Subscription not found
580753-1 2-Critical K82583534 eventd might core on transition to secondary.
563661-2 2-Critical   Datastor may crash
694696-3 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
687658-2 3-Major   Monitor operations in transaction will cause it to stay unchecked
687353-3 3-Major K35595105 Qkview truncates tmstat snapshot files
682213-3 3-Major K31623549 TLS v1.2 support in IP reputation daemon
679480-1 3-Major   User able to create node when an ephemeral with the same IP already exists
674320-2 3-Major K11357182 Syncing a large number of folders can prevent the configuration getting saved on the peer systems
672815-2 3-Major   Incorrect disaggregation on VIPRION B4200 blades
671082-1 3-Major K85168072 snmpd constantly restarting
669888-2 3-Major   No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669462-1 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669415-1 3-Major   Flow eviction for hardware-accelerated flow might fail
664894-1 3-Major K11070206 PEM sessions lost when new blade is inserted in chassis
664057-2 3-Major   Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017-3 3-Major   OCSP may reject valid responses
652968-2 3-Major K88825548 IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
645723-2 3-Major K74371937 Dynamic routing update can delete admin ip route from the kernel
632366-1 3-Major   Prevent a spurious Broadcom switch driver failure.
631316 3-Major K62532020 Unable to load config with client-SSL profile error
626990-1 3-Major K64915164 restjavad logs flooded with messages from ChildWrapper
624362-1 3-Major   VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file
623803-2 3-Major K12921801 General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'
610122-1 3-Major   Hotfix installation fails: can't create /service/snmpd/run
598724-1 3-Major   Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
586887-2 3-Major K25883308 SCTP tmm crash with virtual server destination.
579760-3 3-Major K55703840 HSL::send may fail to resume after log server pool member goes down/up
471237-2 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.
699281 4-Minor   Version format of hypervisor bundle matches Version format of ISO
669255-2 4-Minor K20100613 An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
660239-3 4-Minor   When accessing the dashboard, invalid HTTP headers may be present
655085-2 4-Minor   While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors
613275-2 4-Minor K62581339 SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
601168-1 4-Minor   Incorrect virtual server CPU utilization may be observed.
509980-1 4-Minor   Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
692970-3 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
687603-1 2-Critical K36243347 tmsh query for dns records may cause tmm to crash
686228-3 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
682682-3 2-Critical   tmm asserts on a virtual server-to-virtual server connection
681175-1 2-Critical K32153360 TMM may crash during routing updates
676982-2 2-Critical K21958352 Active connection count increases over time, long after connections expire
674576-4 2-Critical   Outage may occur with VIP-VIP configurations
665924-1 2-Critical K24847056 The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665732-2 2-Critical K45001711 FastHTTP may crash when receiving a fragmented IP packet
664461-3 2-Critical K16804728 Replacing HTTP payload can cause tmm restart
658989-2 2-Critical   Memory leak when connection terminates in iRule process
639039-4 2-Critical K33754014 Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
614702-1 2-Critical K24172560 Race condition when using SSL Orchestrator can cause TMM to core
704073-3 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
698000-1 3-Major K04473510 Connections may stop passing traffic after a route update
689089-3 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
686307-1 3-Major K10665315 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065-1 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
685955 3-Major   TMM hud_message_ctx leak
685110-3 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683683-1 3-Major   ASN1::encode returns wrong binary data
682104-1 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
680755-1 3-Major K27015502 max-request enforcement no longer works outside of OneConnect
673621-2 3-Major   Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.
670816-2 3-Major K44519487 HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
669974-1 3-Major K90395411 Encoding binary data using ASN1::encode may truncate result
668522-1 3-Major   bigd might try to read from a file descriptor that is not ready for read
668419-1 3-Major K53322151 ClientHello sent in multiple packets results in TCP connection close
666315 3-Major   Global SNAT sets TTL to 255 instead of decrementing
666160-1 3-Major K63132146 L7 Policy reconfiguration causes a slow memory leak
665022-1 3-Major   Rateshaper stalls when TSO packet length exceeds max ceiling.
664769-1 3-Major   TMM may restart when using SOCKS profile and an iRule
663821-3 3-Major K41344010 SNAT Stats may not include port FTP traffic
661881-2 3-Major K00030614 Memory and performance issues when using certain ASN.1 decoding formats in iRules
659648-2 3-Major   LTM Policy rule name migration doesn't properly handle whitespace
657795-1 3-Major K51498984 Possible performance impact on some SSL connections
655432-7 3-Major K85522235 SSL renegotiation failed intermittently with AES-GCM cipher
651681-4 3-Major   Orphaned bigd instances may exist (within multi-process bigd)
651135-4 3-Major K41685444 LTM Policy error when rule names contain slash (/) character
645220-2 3-Major   bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs
645197-3 3-Major   Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change
640565-1 3-Major K11564859 Incorrect packet size sent to clone pool member
636149-3 3-Major   Multiple monitor response codes to single monitor probe failure
628721-1 3-Major   In rare conditions, DNS cache resolver outbound TCP connections fail to expire.
627926-1 3-Major K21211001 Retrieving a server-side SSL session ID in iRules does not work
584865-1 3-Major   Primary slot mismatch after primary cluster member leaves and then rejoins the cluster
582487-2 3-Major K22210514 'merged.method' set to 'slow_merge,' does not update system stats
574526-1 3-Major K55542554 HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
573366-4 3-Major   parking command used in the nesting script of clientside and serverside command can cause tmm core
692095-3 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
625892-2 4-Minor   Nagle Algorithm Not Fully Enforced with TSO
530877-7 4-Minor K13887095 TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
692941-3 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
678861-3 2-Critical   DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other
580537-1 2-Critical   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
562921-4 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
700527-1 3-Major   cmp-hash change can cause repeated iRule DNS-lookup hang
691498-1 3-Major   Connection failure during iRule DNS lookup can crash TMM
690166-3 3-Major   ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
671326-2 3-Major K81052338 DNS Cache debug logging might cause tmm to crash.
667469-1 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
665347-2 3-Major K17060443 GTM listener object cannot be created via tmsh while in non-Common partition
636853-2 3-Major K19401488 Under some conditions, a change in the order of GTM topology records does not take effect.
621374-1 3-Major   "abbrev" argument in "whereis" iRule returns nothing
487144-2 3-Major   tmm intermittently reports that it cannot find FIPS key


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
701327-1 2-Critical   failed configuration deletion may cause unwanted bd exit
699720-3 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
691670-3 2-Critical   Rare BD crash in a specific scenario
684312-2 2-Critical K54140729 During Apply Policy action, bd agent crashes, causing the machine to go Offline
681109-2 2-Critical K46212485 BD crash in a specific scenario
679603-2 2-Critical K15460886 bd core upon request, when profile has sensitive element configured.
678462-2 2-Critical   after chassis failover: asmlogd CPU 100% on secondary
678228-1 2-Critical K27568142 Repeated Errors in ASM Sync
672301-2 2-Critical   ASM crashes when using a logout object configuration in ASM policy
664708-2 2-Critical   TMM memory leak when DoS profile is attached to VS
662281-2 2-Critical   Inconsistencies in Automatic sync ASM Device Group
637252-1 2-Critical K73107660 Rest worker becomes unreliable after processing a call that generated an error
633070-1 2-Critical   Sync Inconsistencies when using Autosync ASM Group between Chassis devices
631609-1 2-Critical   ASM Centralized Management Infrastructure Sync issues
614441-4 2-Critical K04950182 False Positive for illegal method (GET)
611154-1 2-Critical   BD crash
599221-1 2-Critical   ASM Policy cannot be created in non-default partition via the Import Policy Task
576123-3 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
702946-2 3-Major   Added option to reset staging period for signatures
701841-1 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
700564-2 3-Major   JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700330 3-Major   AJAX blocking page isn't shown when a webpage uses jQuery framework.
700143-1 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
698919-1 3-Major   Anti virus false positive detection on long XML uploads
697303-3 3-Major   BD crash
696265-3 3-Major K60985582 BD crash
694922-4 3-Major   ASM Auto-Sync Device Group Does Not Sync
691477-1 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
685743-3 3-Major   When changing internal parameter 'request_buffer_size' in large request violations might not be reported
685207-2 3-Major   DoS client side challenge does not encode the Referer header.
683508-3 3-Major K00152663 WebSockets: umu memory leak of binary frames when remote logger is configured
682612 3-Major   Event Correlation is disabled on vCMP even though all the prerequisites are met.
679384-1 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678293-1 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
676416-2 3-Major   BD restart when switching FTP profiles
675232-3 3-Major   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674494-1 3-Major K77993010 BD memory leak on specific configuration and specific traffic
671675-1 3-Major   Centralized Management Infrastructure: asm_config_server restart on device group change
668184-1 3-Major   Huge values are shown in the AVR statistics for ASM violations
668181-2 3-Major   Policy automatic learning mode changes to manual after failover
667922 3-Major K44692860 Alternative unicode encoding in JSON objects not being parsed correctly
666986-2 3-Major K50320144 Filter by Support ID is not working in Request Log
663535-1 3-Major   Sending ASM cookies with "secure" attribute even without client-ssl profile
654925-1 3-Major K25952033 Memory Leak in ASM Sync Listener Process
654873-2 3-Major   ASM Auto-Sync Device Group
619516-1 3-Major   Inconsistencies in Automatic sync ASM Device Group
605982-1 3-Major   Policy settings change during export/import
434821-1 3-Major   Remote logging of staged signatures and staged sets
694073-1 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
655159-1 4-Minor K84550544 Wrong XML profile name Request Log details for XML violation
625602-3 4-Minor   ASM Auto-Sync Device Group Does Not Sync


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
658343-2 3-Major K33043439 AVR tcp-analytics: per-host RTT average may show incorrect values
648242 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports
582029-4 3-Major   AVR might report incorrect statistics when used together with other modules.
682105 4-Minor   Adding widget in Analytics Overview can cause measures list to empty out on Page change
649161-1 4-Minor K42340304 AVR caching mechanism not working properly


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
693739-3 2-Critical   VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled
660711-1 2-Critical K05265457 MCPd might crash when user trying to import a access policy
649234-3 2-Critical K64131101 TMM crash from a possible memory corruption.
639929-2 2-Critical   Session variable replace with value containing these characters ' " & < > = may case tmm crash
632178-1 2-Critical   LDAP Query agent creates only two session variables when required attributes list is empty
703984-2 3-Major   Machine Cert agent improperly matches hostname with CN and SAN
703429-1 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
700783-3 3-Major   Machine certificate check does not check against all FQDN hostnames
692307-1 3-Major   User with 'operator' role may not be able to view some session variables
689826-2 3-Major K95422068 Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)
686282-1 3-Major   APMD intermittently crash when processing access policies
684325-3 3-Major   APMD Memory leak when applying a specific access profile
683389-1 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
682500-1 3-Major   VDI Profile and Storefront Portal Access resource do not work together
680112-1 3-Major K18131781 SWG-Explicit rejects large POST bodies during policy evaluation
678851-1 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
676690-3 3-Major   Windows Edge Client sometimes crashes when user signs out from Windows
675866-1 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675399-3 3-Major K14304639 Network Access does not work when empty variables are assigned for WINS and DNS
674593-1 3-Major   APM configuration snapshot takes a long time to create
674410-3 3-Major K59281892 AD auth failures due to invalid Kerberos tickets
673748-1 3-Major K19534801 ng_export, ng_import might leave security.configpassword in invalid state
672868-1 3-Major   Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly
672040-3 3-Major   Access Policy Causing Duplicate iRule Event Execution
671597-1 3-Major   Import, export, copy and delete is taking too long on 1000 entries policy
670910-2 3-Major   Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
669510-2 3-Major   When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.
669154-1 3-Major K25342114 Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
668623-5 3-Major K85991425 macOS Edge client fails to detect correct system language for regions other than USA
668503-3 3-Major   Edge Client fails to reconnect to virtual server after disabling Network Adapter
668129-1 3-Major   BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.
666689-1 3-Major   Occasional "profile not found" errors following activate access policy
666058-2 3-Major K86091857 XenApp 6.5 published icons are not displayed on APM Webtop
665416-3 3-Major K02016491 Old versions of APM configuration snapshots need to be reaped more aggressively if not used
665330-1 3-Major   MSIE 11 should avoid compatibility mode
664507-3 3-Major   When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
663127-1 3-Major   Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
655364-1 3-Major   Portal access rewriting window.opener causes JS exception
655146-2 3-Major   APM Profile access stats are not updated correctly
654508-2 3-Major   SharePoint MS-OFBA browser window displays Javascript errors
654046-1 3-Major K22121533 BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
653771-2 3-Major   tmm crash after per-request policy error
653324-3 3-Major K87979026 On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
651910-2 3-Major   Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later
649613-3 3-Major   Multiple UDP/TCP packets packed into one DTLS Record
632646-4 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629921-4 3-Major   [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.
621682-1 3-Major   Portal Access: problem with specific JavaScript code
616104-2 3-Major   VMware View connections to pool hit matching BIG-IP virtuals
613373-2 3-Major   Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page
610582-2 3-Major   Device Guard prevents Edge Client connections
601420-3 3-Major   Possible SAML authentication loop with IE and multi-domain SSO.
596083-1 3-Major   Error running custom APM Reports with "session creation time" on Viprion Platform
590992-3 3-Major   If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working
578413-1 3-Major   Missing reference to customization-group from connectivity profile if created via portal access wizard
575444-1 3-Major   Wininfo agent incorrectly reports OS version on Windows 10 in some cases
563135-3 3-Major   SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt
466068-1 3-Major   Allow setting of the AAA Radius server timeout value larger than 60 seconds
447565-5 3-Major K33692321 Renewing machine-account password does not update the serviceId for associated ntlm-auth.
691017-1 4-Minor   Preventing ng_export hangs
684414-1 4-Minor   Retrieving too many groups is causing out of memory errors in TMUI and VPE
673717-1 4-Minor   VPE loading times can be very long
671627-1 4-Minor K06424790 HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.
667304-1 4-Minor K68108551 Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
561892-2 4-Minor K08121752 Kerberos cache is not cleared when Administrator password is changed in AAA AD Server


Service Provider Fixes

ID Number Severity Solution Article(s) Description
662844 2-Critical K87735013 TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.
643785-3 2-Critical   diadb crashes if it cannot find pool name
699431 3-Major   Possible memory leak in MRF under low memory


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
456376-4 1-Blocking K53153545 BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
671052-3 2-Critical K50324413 AFM NAT security RST the traffic with (FW NAT) dst_trans failed
644822-2 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
564058-1 2-Critical K91467162 AutoDoS daemon aborts intermittently after it's being up for several days
620543-1 3-Major   Security Address Lists and Port Lists can't change Description field


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
696383-2 2-Critical   PEM Diameter incomplete flow crashes when sweeped
694717-3 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-3 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-2 3-Major   PEM Diameter incomplete flow crashes when TCL resumed
695968-3 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319-3 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318-3 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
684333-3 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820-2 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
678714-3 3-Major   After HA failover, subscriber data has stale session ID information
660187-3 3-Major   TMM core after intra-chassis failover for some instances of subscriber creation
642068-1 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
638594-3 3-Major   TMM crash when handling unknown Gx messages.
627616-3 3-Major   CCR-U missing upon VALIDITY TIMER expiry when quota is zero
624231-5 3-Major   No flow control when using content-insertion with compression
680729-3 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.
678822-3 4-Minor   Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
663333-1 2-Critical   TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high
615432-1 2-Critical   Multiple TFTP data transfers cannot be initiated in a single session
663974-2 3-Major   TMM crash when using LSN inbound connections


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
692123-2 3-Major   GET parameter is grayed out if MobileSafe is not licensed
667892-2 3-Major   FPS: BLFN inheritance won't take effect until GUI refresh



Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
681710-4 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash
673595-2 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
648786-5 CVE-2017-6169 K31404801 TMM crashes when categorizing long URLs


Functional Change Fixes

ID Number Severity Solution Article(s) Description
673129 3-Major K41458656 New feature: revoke license


TMOS Fixes

ID Number Severity Solution Article(s) Description
682837 1-Blocking   Compression watchdog period too brief.
675921 1-Blocking   Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
696468 2-Critical   Active compression requests can become starved from too many queued requests.
667173 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
665656-1 2-Critical   BWC with iSession may memory leak
663366-3 2-Critical   SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
621386-1 2-Critical K91988084 restjavad spawns too many icrd_child instances
683114-1 3-Major   Need support for 4th element version in Update Check
679959-1 3-Major   Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000
672988-2 3-Major K03433341 MCP memory leak when performing incremental ConfigSync
669288-3 3-Major K76152943 Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
668352-2 3-Major   High Speed Logging unbalance in log distribution for multiple pool destination.
668048-1 3-Major K02551403 TMM memory leak when manually enabling/disabling pool member used as HSL destination
663063-2 3-Major   Disabling pool member used in busy HSL TCP destination can result service disruption.
659057-1 3-Major   BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD
658636-2 3-Major K51355172 When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
652691-1 3-Major   Installation fails if only .iso.384.sig (new format signature file) is present
652689-2 3-Major K14243280 Displaying 100G interfaces
642952 3-Major   platform_check doesn't run PCI check on i11800
640636-3 3-Major   F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638881-1 3-Major   Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances
628739-1 3-Major   BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD
628735-1 3-Major   Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles
604547-1 3-Major K21551422 Unix daemon configuration may lost or not be updated upon reboot
674515 4-Minor   New revoke license feature for VE only implemented
663580-1 4-Minor K31981624 logrotate does not automatically run when /var/log reaches 90% usage
644723-1 4-Minor   cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
507206-1 4-Minor   Multicast Out stats always zero for management interface.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
689080 2-Critical   Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value
463097-3 3-Major   Clock advanced messages with large amount of data maintained in DNS Express zones


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
672504-1 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
614788-1 2-Critical   zxfrd crash due to lack of disk space
655233-1 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-1 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present
645615-2 3-Major K70543226 zxfrd may fail and restart after multiple failovers between blades in a chassis.
433678-2 3-Major K32401561 A monitor removed from GTM link cannot be deleted: 'monitor is in use'
646615-1 4-Minor   Improved default storage size for DNS Express database


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
652796-1 1-Blocking   When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652792-1 2-Critical   When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
678976-2 3-Major K24756214 Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
677058-3 3-Major K31757417 Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
679440-2 2-Critical K14120433 MCPD Cores with SIGABRT
591828-4 3-Major K52750813 For unmatched connection, TCP RST may not be sent for data packet


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
668252-2 2-Critical K22784428 TMM crash in PEM_DIAMETER component
628311-3 2-Critical K87863112 Potential TMM crash due to duplicate installed PEM policies by the PCRF
675928-2 3-Major   Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686-2 3-Major   Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673683-2 3-Major   Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678-2 3-Major   Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472-2 3-Major   After classification rule is updated, first periodic Insert content action fails for existing subscriber
639486-4 3-Major   TMM crash due to PEM usage reporting after a CMP state change.
634015-3 3-Major K49315364 Potential TMM crash due to a PEM policy content triggered buffer overflow
572568-2 3-Major   Gy CCR-i requests are not being re-sent after initial configured re-transmits



Cumulative fixes from BIG-IP v12.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
687193-1 CVE-2018-5533 K45325728 TMM may leak memory when processing SSL Forward Proxy traffic
684879-2 CVE-2017-6164 K02714910 TMM may crash while processing TLS traffic
662022-5 CVE-2017-6138 K34514540 The URI normalization functionality within the TMM may mishandle some malformed URIs.
653993-3 CVE-2017-6132 K12044607 A specific sequence of packets to the HA listener may cause tmm to produce a core file
653880 CVE-2017-6214 K81211720 Kernel Vulnerability: CVE-2017-6214
652539 CVE-2016-0634
CVE-2016-7543
CVE-2016-9401
K73705133 Multiple Bash Vulnerabilities
652516 CVE-2016-10088 CVE-2016-10142 CVE-2016-2069 CVE-2016-2384 CVE-2016-6480 CVE-2016-7042 CVE-2016-7097 CVE-2016-8399 CVE-2016-9576 K31603170 Multiple Linux Kernel Vulnerabilities
651221-2 CVE-2017-6133 K25033460 Parsing certain URIs may cause the TMM to produce a core file.
650286-2 CVE-2017-6167 K24465120 REST asynchronous tasks permissions issues
650059-1 CVE-2017-6129 K20087443 TMM may crash when processing VPN traffic
649907-2 CVE-2017-3137 K30164784 BIND vulnerability CVE-2017-3137
649904-2 CVE-2017-3136 K23598445 BIND vulnerability CVE-2017-3136
644904-5 CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985
CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486
K55129614 tcpdump 4.9
644693-3 CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241 K15518610 Fix for multiple CVE for openjdk-1.7.0
638556-2 CVE-2016-10045 K73926196 PHP Vulnerability: CVE-2016-10045
634779-1 CVE-2017-6147 K43945001 TMM may crash will processing SSL Forward Proxy traffic
625860-2 CVE-2017-6140 K55102452 Improved handling of crypto hardware decrypt failures on B4450 platform.
624903-6 CVE-2017-6140 K55102452 Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.
600069-6 CVE-2017-0301 K54358225 Portal Access: Requests handled incorrectly
659791-2 CVE-2017-6136 K81137982 TFO and TLP could produce a core file under specific circumstances
655059-3 CVE-2017-6134 K37404773 TMM Crash
653224-1 CVE-2016-8610
CVE-2017-5335
CVE-2017-5336
CVE-2017-5337
K59836191 Multiple GnuTLS Vulnerabilities
653217-2 CVE-2016-2125
CVE-2016-2126
K03644631 Multiple Samba Vulnerabilities
645480-3 CVE-2017-6139 K45432295 Unexpected APM response
645101-2 CVE-2017-3731, CVE-2017-3732 K44512851 OpenSSL vulnerability CVE-2017-3732
642659-2 CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540 K34527393 Multiple LibTIFF Vulnerabilities
640768 CVE-2016-10088
CVE-2016-9576
K05513373 Kernel vulnerability: CVE-2016-10088
639729-2 CVE-2017-0304 K39428424 Request validation failure in AFM UI Policy Editor
637666-2 CVE-2016-10033 K74977440 PHP Vulnerability: CVE-2016-10033
635314-5 CVE-2016-1248 K22183127 vim Vulnerability: CVE-2016-1248
622178-1 CVE-2017-6158 K19361245 Improve flow handling when Autolasthop is disabled
597176-1 CVE-2015-8711 CVE-2015-8714 CVE-2015-8716 CVE-2015-8717 CVE-2015-8718 CVE-2015-8720 CVE-2015-8721 CVE-2015-8723 CVE-2015-8725 CVE-2015-8729 CVE-2015-8730 CVE-2015-8733 CVE-2016-2523 CVE-2016-4006 CVE-2016-4078 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE K01837042 Multiple Wireshark (tshark) vulnerabilities
583678-1 CVE-2016-3115 K93532943 SSHD session.c vulnerability CVE-2016-3115
582773-5 CVE-2018-5532 K48224824 DNS server for child zone can continue to resolve domain names after revoked from parent
567233-1 CVE-2015-5252, CVE-2015-5296, CVE-2015-5299 K92616530 Multiple samba vulnerabilities
353229-2 CVE-2018-5522 K54130510 Buffer overflows in DIAMETER
656912-4 CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458 K32262483 Various NTP vulnerabilities
632875-3 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig
615226-5 CVE-2015-8925 CVE-2015-8933 CVE-2016-8688 CVE-2015-8919 CVE-2016-8689 CVE-2015-8931 CVE-2015-8923 CVE-2015-8930 CVE-2015-8922 CVE-2016-5844 CVE-2015-8917 CVE-2016-8687 CVE-2015-8932 CVE-2015-8916 CVE-2016-4809 CVE-2015-8934 CVE-2015-8924 CVE-2015-8920 CVE-2016-4302 CVE-2015-8921 CVE-2015-8928 CVE-2015-8926 CVE-2016-7166 CVE-2016-4300 K13074505 Libarchive vulnerabilities: CVE-2016-8687 and others
590840-2 CVE-2015-8325 K20911042 OpenSSH vulnerability CVE-2015-8325
655021-2 CVE-2017-3138 K23598445 BIND vulnerability CVE-2017-3138
652638-2 CVE-2016-10167 K23731034 php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
627203-1 CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597 K63427774 Multiple Oracle Java SE vulnerabilities


Functional Change Fixes

ID Number Severity Solution Article(s) Description
654549-1 2-Critical   PVA support for uncommon protocols DoS vector
653729-2 2-Critical   Support IP Uncommon Protocol
653234 2-Critical   Many objects must be reconfigured before use when loading a UCS from another device.
652094-2 2-Critical K49190243 Improve traffic disaggregation for uncommon IP protocols
643210-2 2-Critical K45444280 Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
643054-2 2-Critical   ARP and NDP packets should be CoS marked by the swtich on ingress
663521-2 3-Major   Intermittent dropping of multicast packets on certain BIG-IP platforms
651772-3 3-Major   IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
643143-2 3-Major   ARP and NDP packets should be QoS/DSCP marked on egress
610710-2 3-Major   Pass IP TOS bits from incoming connection to outgoing connection
584545-2 3-Major   Failure to stabilize internal HiGig link will not trigger failover event
567177-1 4-Minor   Log all attempts of key export in ltm log
650074-1 5-Cosmetic   Changed Format of RAM Cache REST Status output.


TMOS Fixes

ID Number Severity Solution Article(s) Description
642703-2 1-Blocking   Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.
619097 1-Blocking   iControl REST slow performace on GET request for virtual servers
539093-1 1-Blocking K26104530 VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.
697878 2-Critical   High crypto request completion time under some workload patterns
666790-2 2-Critical K06619044 Use HSB HiGig MAC reset to recover both FCS errors and link instability
665354-2 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
658574-2 2-Critical K61847644 An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357-2 2-Critical K06245820 Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376-5 2-Critical   bgpd may crash on receiving a BGP update with >= 32 extended communities
649866-1 2-Critical   fsck should not run during first boot on public clouds
638997-2 2-Critical   Reboot required after disk size modification in a running BIG-IP VE instance.
625456-5 2-Critical   Pending sector utility may write repaired sector incorrectly
624826-2 2-Critical K36404710 mgmt bridge takes HWADDR of guest vm's tap interface
613415-2 2-Critical K22750357 Memory leak in ospfd when distribute-list is used
609335-1 2-Critical   IPsec tmm devbuf memory leak.
604011-1 2-Critical   Sync fails when iRule or policy is in use
595783 2-Critical   Changing console baud rate for B2100, B2150 and B2250 blades does not work
593137-1 2-Critical   userDefined property for bot signatures is not shown in REST
579210-3 2-Critical K11418051 VIPRION B4400N blades might fail to go Active under rare conditions.
471860-10 2-Critical K16209 Disabling interface keeps DISABLED state even after enabling
412817-3 2-Critical   BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.
671920-1 3-Major   Accessing SNMP over IPv6 on non-default route domains
669818-2 3-Major K64537114 Higher CPU usage for syslog-ng when a syslog server is down
667278-3 3-Major   DSC connections between BIG-IP units may fail to establish
667138-1 3-Major   LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"
664829-1 3-Major   BIG-IP sometimes performs unnecessary reboot on first boot
662331-1 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
661764-2 3-Major K53762147 It is possible to configure a number of CPUs that exceeds the licensed throughput
660532-2 3-Major K21050223 Cannot specify the event parameter for redirects on the policy rule screen.
655671-1 3-Major   Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649-2 3-Major K88627152 BGP last update timer incorrectly resets to 0
654011-2 3-Major K33210520 Pool member's health monitors set to Member Specific does not display the active monitors
651155-1 3-Major   HSB continually logs 'loopback ring 0 tx not active'
650349 3-Major K50168519 Creation or reconfiguration of iApps fails if high speed logging is configured
650002-1 3-Major   tzdata bug fix and enhancement update
649949-1 3-Major   Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM
647988-3 3-Major K15331432 HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944-2 3-Major   MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
645179-6 3-Major   Traffic group becomes active on more than one BIG-IP after a long uptime
644404-1 3-Major   Extracting SSD from system leads to Emergency LCD alert
644184-4 3-Major K36427438 ZebOS daemons hang while AgentX SNMP daemon is waiting.
643294 3-Major   IGMP and PIM not in self-allow default list when upgrading from 10.2.x
643121-1 3-Major   Failed installation volumes cannot be deleted in the GUI.
643013 3-Major   DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3
642982-3 3-Major K23241518 tmrouted may continually restart after upgrade, adding or renaming an interface
642314-2 3-Major K24276198 CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x
638825-2 3-Major   SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
637561-1 3-Major   Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744-1 3-Major K16918340 IKEv1 phase 2 SAs not deleted
631866-2 3-Major   Cannot access LTM policy rules in the web UI when the name contains certain characters
631172-4 3-Major K54071336 GUI user logged off when idle for 30 minutes, even when longer timeout is set
624692-3 3-Major   Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
623391-5 3-Major   cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size
622619-5 3-Major   BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
622133-1 3-Major   VCMP guests may incorrectly obtain incorrect MAC addresses
621259-3 3-Major   Config save takes long time if there is a large number of data groups
619060 3-Major   Reduction in boot time in BIG-IP Virtual Edition platforms
612752-1 3-Major   UCS load or upgrade may fail under certain conditions.
610442-2 3-Major K75051412 vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso
607961-1 3-Major   Secondary blades restart when modifying a virtual server's route domain in a different partition.
605792-1 3-Major   Installing a new version changes the ownership of administrative users' files
601709-2 3-Major K02314881 I2C error recovery for BIG-IP 4340N/4300 blades
590938-3 3-Major   The CMI rsync daemon may fail to start
583475-1 3-Major   The BIG-IP may core while recompiling LTM policies
577474-3 3-Major K35208043 Users with auditor role are unable to use tmsh list sys crypto cert
569100-1 3-Major   Virtual server using NTLM profile results in benign Tcl error
544906-2 3-Major K07388310 Issues when using remote authentication when users have different partition access on different devices
507240-4 3-Major K13811263 ICMP traffic cannot be disaggregated based on IP addresses
480983-4 3-Major   tmrouted daemon may core due to daemon_heartbeat
471029-2 3-Major   If the configuration contains a filename with the $ character, then saving the UCS fails.
656900-1 4-Minor   Blade family migration may fail
655314 4-Minor   When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0
653225-1 4-Minor   coreutils security and bug fix update
645717 4-Minor   UCS load does not set directory owner
644975-4 4-Minor K09554025 /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644799-1 4-Minor K42882011 TMM may crash when the BIG-IP system processes CGNAT traffic.
642723-3 4-Minor   Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect
634371-2 4-Minor   Cisco ethernet NIC driver
530927-8 4-Minor   Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
530530-6 4-Minor K07298903 tmsh sys log filter is displayed in UTC time
527720-1 4-Minor   Rare 'No LopCmd reply match found' error in getLopReg
448409-1 4-Minor K15491 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
626596 5-Cosmetic   Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
670011-2 1-Blocking   SSL forward proxy does not create the server certchain when ignoring server certificates
621452-1 1-Blocking K58146172 Connections can stall with TCP::collect iRule
659899-1 2-Critical K10589537 Rare, intermittent system instability observed in dynamic load-balancing modes
657713-5 2-Critical K05052273 Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628-1 2-Critical   TCP analytics does not release resources under specific sequence of packets
655211-1 2-Critical   bigd crash (SIGSEGV) when running FQDN node monitors
650317-3 2-Critical   The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171-4 2-Critical   tmm core in iRule with unreachable remote address
648037-2 2-Critical   LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
646643-2 2-Critical K43005132 HA standby virtual server with non-default lasthop settings may crash.
646604-5 2-Critical K21005334 Client connection may hang when NTLM and OneConnect profiles used together
645663 2-Critical   Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.
644112-2 2-Critical K56150996 Permanent connections may be expired when endpoint becomes unreachable
643631 2-Critical K70938130 Serverside connections on virtual servers using VDI may become zombies.
635274-1 2-Critical K21514205 SSL::sessionid command may return invalid values
634265-2 2-Critical K34688632 Using route pools whose members aren't directly connected may crash the TMM.
632552-2 2-Critical K08634156 tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event
629178-1 2-Critical K42206046 Incorrect initial size of connection flow-control window
611704-5 2-Critical   tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event
605983-1 2-Critical   tmrouted may crash when being restarted in debug mode
604926-3 2-Critical K50041125 The TMM may become unresponsive when using SessionDB data larger than ~400K
604223-2 2-Critical   pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"
583700-3 2-Critical K32784801 tmm core on out of memory
583355-1 2-Critical   The TMM may crash when changing profiles associated with plugins
566071-5 2-Critical   network-HSM may not be operational on secondary slots of a standby chassis.
559030-1 2-Critical K65244513 TMM may core during ILX RPC activity if a connflow closes before the RPC returns
677119 3-Major   HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
676471-1 3-Major   Insufficient space for core files on i11x00-series platforms
672008-1 3-Major K22122208 NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935-2 3-Major   Possible uneven ephemeral port reuse.
669025-1 3-Major K11425420 Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668521-2 3-Major   Bigd might stall while waiting for an external monitor process to exit
666032-3 3-Major K05145506 Secure renegotiation is set while data is not available.
663326-2 3-Major   Thales HSM: "fipskey.nethsm --export" fails to make stub keys
662881-2 3-Major K10443875 L7 mirrored packets from standby to active might cause tmm core when it goes active.
662085-1 3-Major   iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
658214-2 3-Major K20228504 TCP connection fail intermittently for mirrored fastl4 virtual server
655793-1 3-Major K04178391 SSL persistence parsing issues due to SSL / TCP boundary mismatch
654109-2 3-Major K01102467 Configuration loading may fail when iRules calling procs in other iRules are deleted
653511-2 3-Major   Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
652535-1 3-Major K54443700 HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652445-2 3-Major K87541959 SAN with uppercase names result in case-sensitive match or will not match
651651-3 3-Major K54604320 bigd can crash when a DNS response does not match the expected value
650292-2 3-Major   DNS transparent cache can return non-recursive results for recursive queries
650152-1 3-Major   Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
648954-5 3-Major K01102467 Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
647137 3-Major   bigd/tmm con vCMP guests
646443-1 3-Major K54432535 Ephemeral Node may be errantly created in bigd, causing crash
645058-3 3-Major   Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-3 3-Major K85772089 Removing pool from virtual server does not update its status
644873-2 3-Major K97237310 ssldump can fail to decrypt captures with certain TCP segmenting
644851-2 3-Major   Websockets closes connection on receiving a close frame from one of the peers
644418-2 3-Major   Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643777-2 3-Major K27629542 LTM policies with more than one IP address in TCP address match may fail
643582-2 3-Major   Config load with large ssl profile configuration may cause tmm restart
641491-2 3-Major K37551222 TMM core while running iRule LB::status pool poolname member ip port
640376-3 3-Major   STPD leaks memory on 2000/4000/i2000/i4000 series
638715-3 3-Major K77010072 Multiple Diameter monitors to same server ip/port may race on PID file
632001-1 3-Major   For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys
627574-1 3-Major   After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.
626434-6 3-Major K65283203 tmm may be killed by sod when a hardware accelerator does not work
624805-1 3-Major   ILX node.js process may be restarted if a single operation takes more than 15 seconds
623940-3 3-Major   SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
622017-8 3-Major K54106058 Performance graph data may become permanently lost after corruption.
621736-6 3-Major K00323105 statsd does not handle SIGCHLD properly in all cases
620788-1 3-Major K05232247 FQDN pool created with existing FQDN node has RED status
618161-1 3-Major   SSL handshake fails when clientssl uses softcard-protected key-certs.
618121 3-Major   "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x
607246-10 3-Major   Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
603609-2 3-Major   Policy unable to match initial path segment when request-URI starts with "//"
602040-3 3-Major   Truncated support ID for HTTP protocol security logging profile
600614-5 3-Major   External crypto offload fails when SSL connection is renegotiated
596433-3 3-Major   Virtual with lasthop configured rejects request with no route to client.
596242-1 3-Major K17065223 [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record
595275-5 3-Major   Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN
593390-4 3-Major   Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.
589006-5 3-Major   SSL does not cancel pending sign request before the handshake times out or is canceled.
587705-5 3-Major K98547701 Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.
578573-1 3-Major   SSL Forward Proxy Forged Certificate Signature Algorithm
563933-4 3-Major   [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs
536563-7 3-Major   Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.
484542-1 3-Major   QinQ tag-mode can be set on unsupported platforms
668802-3 4-Minor K83392557 GTM link graphs fail to display in the GUI
667318-3 4-Minor   BIG-IP DNS/GTM link graphs fail to display in the GUI.
584210-1 4-Minor   TMM may core when running two simultaneous WebSocket collect commands
578415-2 4-Minor   Support for hardware accelerated bulk crypto SHA256 missing
513288-7 4-Minor   Management traffic from nodes being health monitored might cause health monitors to fail.
462043-2 4-Minor   DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms


Performance Fixes

ID Number Severity Solution Article(s) Description
620903-1 2-Critical   Decreased performance of ICMP attack mitigation.


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
636541-3 1-Blocking   DNS Rapid Response filters large datagrams
667028-1 2-Critical   DNS Express does not run on i11000 platforms with htsplit disabled.
649564-2 2-Critical   Crash related to GTM monitors with long RECV strings
663073-1 3-Major   GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912-1 3-Major K81210772 GSLB Pool Member Manage page display issues and error message
655807-5 3-Major K40341291 With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445-2 3-Major   Provide the ability to globally specifiy a DSCP value.
654599-1 3-Major K74132601 The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
648286-2 3-Major   GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447-2 3-Major   sync_zones script increasingly consumes memory when there is network connectivity failure
626141-3 3-Major   DNSX Performance Graphs are not displaying Requests/sec"
615222-1 3-Major K79580892 GTM configuration fails to load when it has GSLB pool with members containing more than one colon character
605260-1 3-Major   [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0
659969-1 4-Minor   tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
644220-3 4-Minor   Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
604371-1 4-Minor   Pagination controls missing for GSLB pool members


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
653014-1 2-Critical   Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200-1 2-Critical K81349220 Failure to update ASM enforcer about account change.
651001-1 2-Critical   massive prints in tmm log: "could not find conf for profile crc"
638629-2 2-Critical   Bot can be classified as human
619110-1 2-Critical   Slow to delete URLs, CPU spikes with Automatic Policy Builder
672695-1 3-Major   Internal perl process listening on all interfaces when ASM enabled
665905 3-Major K83305000 Signature System corruption from specific ASU prevents ASU load after upgrade
664930-2 3-Major   Policy automatic learning mode changes to manual after failover
655617-1 3-Major K36442669 Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
650081-1 3-Major K53010710 FP feature causes the blank page/delay on IE11
648617 3-Major K23432927 JavaScript challenge repeating in loop when URL has path parameters
644855-2 3-Major   irules with commands which may suspend processing cannot be used with proactive bot defense
631444-2 3-Major   Bot Name for ASM Search Engines is case sensitive
630356-1 3-Major   JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge
628351-1 3-Major   Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled
618656-2 3-Major   JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters
606521-1 3-Major   Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade
605616-1 3-Major   Creating 256 Fundamental Security policies will result in an out of memory error
602975-1 3-Major   Unable to update the HTTP URL's "Header-Based Content Profiles" values
596685-1 3-Major K76841626 Request Log failure on request with XML format violation
595900-4 3-Major K11833633 Cookie Signature overrides may be ignored after Signature Update
563727-1 3-Major   Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'
534247-1 3-Major   Issue a Body in Get sub violation for GET request with content type header
519612-1 3-Major   JavaScript challenge fails when coming within iframe with different domain than main page


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
604191-1 2-Critical   AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports
629573-1 3-Major K66001885 No drill-down filter for virtual-servers is mentioned on exported reports when using partition
603875-2 3-Major   The statistic ASM memory Utilization - bd swap size: stats are wrong
601536-1 3-Major   Analytics load error stops load of configuration
639395-2 4-Minor K91614278 AVR does not display 'Max read latency' units.


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
647108-1 1-Blocking   Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
679235-5 2-Critical   Inspection Host NPAPI Plugin for Safari can not be installed
669341 2-Critical   Category Lookup by Subject.CN will result in a reset
666454-2 2-Critical K05520115 Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
663506-7 2-Critical K30533350 apmd crash during ldap cache initialization
652004-2 2-Critical K45320415 Show /apm access-info all-properties causes memory leaks in tmm
662639-2 3-Major   Policy Sync fails when policy object include FIPS key
659371-2 3-Major K54310201 apmd crashes executing iRule policy evaluate
658852-5 3-Major   Empty User-Agent in iSessions requests from APM client on Windows
654513-6 3-Major K11003951 APM daemon crashes when the LDAP query agent returns empty in its search results.
649929-1 3-Major   saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
648053-1 3-Major K94477320 Rewrite plugin may crash on some JavaScript files
646928-1 3-Major   Landing URI incorrect when changing URI
645684-2 3-Major   Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
618957-1 3-Major   Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates
601919-2 3-Major   Custom categories and custom url filter assignment must be specific to partition instead of global lookup
583272-2 3-Major   "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
580567-1 3-Major   LDAP Query agent failed to resolve nested group membership
551795-1 3-Major   Portal Access: corrections to CORS support for XMLHttpRequest
550547-2 3-Major   URL including a "token" query fails results in a connection reset


Service Provider Fixes

ID Number Severity Solution Article(s) Description
664535-1 2-Critical   Diameter failure: load balancing fails when all pool members use same IP Address
640407-1 2-Critical   Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
568545-2 2-Critical K17124802 iRules commands that refer to a transport-config will fail validation
559953-1 2-Critical   tmm core on long DIAMETER::host value
662364-2 3-Major   MRF DIAMETER: IP ToS not passing through with DIAMETER
644946-2 3-Major K05053251 Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation
644565-1 3-Major   MRF Message metadata lost when routing message to a connection on a different TMM
634078-2 3-Major   MRF: Routing using a virtual with SNAT set to none may select a source port of zero
624155-2 3-Major   MRF Per-Client mode connections unable to return responses if used by another client connection
620929-4 3-Major   New iRule command, MR::ignore_peer_port
651640-3 4-Minor   queue full dropped messages incorrectly counted as responses


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
670400-3 2-Critical   SSH Proxy public key authentication can be circumvented in some cases
655470 2-Critical K79924625 IP Intelligence logging publisher removal can cause tmm crash
618902-4 3-Major   PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
658261-2 2-Critical K12253471 TMM core after HA during GY reporting
658148-2 2-Critical K23150504 TMM core after intra-chassis failover for some instances of subscriber creation
657632-4 2-Critical   Rarely if a subscriber delete is performed following HA switchover, tmm may crash
653285-1 2-Critical   PEM rule deletion with HSL reporting may cause tmm coredump
652973-2 2-Critical   Coredump observed at system bootup time when many DHCP packets arrive
650422-2 2-Critical   TMM core after a switchover involving GY quota reporting
659567-1 3-Major K94685557 iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052-3 3-Major   PEM:sessions iRule made the order of parameters strict
635257-2 3-Major K41151808 Inconsistencies in Gx usage record creation.
623037-2 3-Major   delete of pem session attribute does not work after a update


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
676808-2 2-Critical   FPS: tmm may crash on response with large payload from server
669364-1 2-Critical   TMM core when server responds fast with server responses such as 404.
669359 2-Critical   WebSafe might cause connections to hang
674931 3-Major   FPS modified responses/injections might result in a corrupted response
674909-3 3-Major   Application CSS injection might not work as expected when connection is congested
667872-1 3-Major   Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
658321-2 3-Major   Websafe features might break in IE8
657502-2 3-Major   JS error when leaving page opened for several minutes
644694 3-Major   FPS security update check ends up with an empty page when error occurs.
618185-1 3-Major   Mismatch in URL CRC32 calculation
643602-2 4-Minor   'Select All' checkbox selects items on hidden pages


Device Management Fixes

ID Number Severity Solution Article(s) Description
605123-1 2-Critical   IAppLX objects fail to sync after establishing HA in auto-sync mode


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
606316-4 1-Blocking   HTTPS request to F5 licensing server fails
665778-1 2-Critical K34503519 Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
599424-2 2-Critical   iApps LX fails to sync
632060-1 4-Minor   restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header



Cumulative fixes from BIG-IP v12.1.2 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
693211-3 CVE-2017-6168 K21905460 CVE-2017-6168


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
664063-1 2-Critical K03203976 Azure displays failure for deployment of BIG-IP from a Resource Manager template



Cumulative fixes from BIG-IP v12.1.2 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
652151-1 CVE-2017-6131 K61757346 Azure VE: Initialization improvement
623885-4 CVE-2016-9251 K41107914 Internal authentication improvements
621371-2 CVE-2016-9257 K43523962 Output Errors in APM Event Log
648865-2 CVE-2017-6074 K82508682 Linux kernel vulnerability: CVE-2017-6074
643187-2 CVE-2017-3135 K80533167 BIND vulnerability CVE-2017-3135
641445-1 CVE-2017-6145 K22317030 iControl improvements
641360-2 CVE-2017-0303 K30201296 SOCKS proxy protocol error
641256-1 CVE-2016-9257 K43523962 APM access reports display error
636702-3 CVE-2016-9444 K40181790 BIND vulnerability CVE-2016-9444
636699-5 CVE-2016-9131 K86272821 BIND vulnerability CVE-2016-9131
631582 CVE-2016-9250 K55792317 Administrative interface enhancement
630475-5 CVE-2017-6162 K13421245 TMM Crash
628836-4 CVE-2016-9245 K22216037 TMM crash during request normalization
626360 CVE-2017-6163 K22541983 TMM may crash when processing HTTP2 traffic
624570-1 CVE-2016-8864 K35322517 BIND vulnerability CVE-2016-8864
624526-3 CVE-2017-6159 K10002335 TMM core in mptcp
624457-5 CVE-2016-5195 K10558632 Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195
623093-1 CVE-2016-3990 CVE-2016-3632 CVE-2015-7554 CVE-2016-5320 K38871451 TIFF vulnerability CVE-2015-7554
620400-1 CVE-2017-6141 K21154730 TMM crash during TLS processing
610255-1 CVE-2017-6161 K62279530 CMI improvement
596340-8 CVE-2016-9244 K05121675 F5 TLS vulnerability CVE-2016-9244
580026-5 CVE-2017-6165 K74759095 HSM logging error
648879-2 CVE-2016-6136 CVE-2016-9555 K90803619 Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555
641612-2 CVE-2017-0302 K87141725 APM crash
638137 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828 K51201255 CVE-2016-7117 CVE-2016-4998 CVE-2016-6828
635412 CVE-2017-6137 K82851041 Invalid mss with fast flow forwarding and software syn cookies
635252-1 CVE-2016-9256 K47284724 CVE-2016-9256
631688-7 CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 K55405388 K87922456 K63326092 K51444934 K80996302 Multiple NTP vulnerabilities
630150-1 CVE-2016-9253 K51351360 Websockets processing error
627916-1 CVE-2017-6144 K81601350 Improve cURL Usage
627907-1 CVE-2017-6143 K11464209 Improve cURL usage
627747-1 CVE-2017-6142 K20682450 Improve cURL Usage
625372-5 CVE-2016-2179 K23512141 OpenSSL vulnerability CVE-2016-2179
623119 CVE-2016-4470 K55672042 Linux kernel vulnerability CVE-2016-4470
622496 CVE-2016-5829 K28056114 Linux kernel vulnerability CVE-2016-5829
622126-1 CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 K54308010 PHP vulnerability CVE-2016-7124
621337-6 CVE-2016-7469 K97285349 XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469
618261-6 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
615267-2 CVE-2016-2183 K13167034 OpenSSL vulnerability CVE-2016-2183
613225-7 CVE-2016-2180, CVE-2016-6306, CVE-2016-6302 K90492697 OpenSSL vulnerability CVE-2016-6306
606710-10 CVE-2016-2834 CVE-2016-5285 CVE-2016-8635 K15479471 Mozilla NSS vulnerability CVE-2016-2834
605420-5 CVE-2016-5387, CVE-2007-6750 K80513384 httpd security update - CVE-2016-5387
600232-9 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
600223-2 CVE-2016-2177 K23873366 OpenSSL vulnerability CVE-2016-2177
599858-7 CVE-2015-8895 CVE-2015-8896 CVE-2015-8897 CVE-2015-8898 CVE-2016-5118 CVE-2016-5239 CVE-2016-5240 K68785753 ImageMagick vulnerability CVE-2015-8898
635933-3 CVE-2004-0790 K23440942 The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable
628832-4 CVE-2016-6161 K71581599 libgd vulnerability CVE-2016-6161
622662-7 CVE-2016-6306 K90492697 OpenSSL vulnerability CVE-2016-6306
617901-1 CVE-2018-5525 K00363258 GUI to handle file path manipulation to prevent GUI instability.
609691-1 CVE-2014-4617 K21284031 GnuPG vulnerability CVE-2014-4617
600205-9 CVE-2016-2178 K53084033 OpenSSL Vulnerability: CVE-2016-2178
600198-2 CVE-2016-2178 CVE-2016-6306 CVE-2016-6302 CVE-2016-2216 K53084033 OpenSSL vulnerability CVE-2016-2178
599285-2 CVE-2016-5094 CVE-2016-5095 CVE-2016-5096 K51390683 PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-10 CVE-2016-2178 K53084033 OpenSSL vulnerability CVE-2016-2178
621937-1 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
621935-6 CVE-2016-6304 K54211024 OpenSSL vulnerability CVE-2016-6304
606771-2 CVE-2016-5399 CVE-2016-6288 CVE-2016-6289 CVE-2016-6290 CVE-2016-5385 CVE-2016-6291 CVE-2016-6292 CVE-2016-6207 CVE-2016-6294 CVE-2015-8879 CVE-2016-6295 CVE-2016-6296 CVE-2016-6297 K35799130 Multiple PHP vulnerabilities
601268-5 CVE-2015-8874 CVE-2016-5770 CVE-2016-5772 CVE-2016-5768 CVE-2016-5773 CVE-2016-5769 CVE-2016-5766 CVE-2016-5771 CVE-2016-5767 CVE-2016-5093 CVE-2016-5094 K43267483 PHP vulnerability CVE-2016-5766


Functional Change Fixes

ID Number Severity Solution Article(s) Description
653453 2-Critical   ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
628972-2 2-Critical   BMC version 2.51.7 for iSeries appliances
624831-2 2-Critical   BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps
616918-1 2-Critical   BMC version 2.50.3 for iSeries appliances
633723-3 3-Major   New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391-1 3-Major   GUI Error trying to modify IP Data-Group
609614-3 3-Major   Yafuflash 4.25 for iSeries appliances
597797-4 3-Major K78449695 Allow users to disable enforcement of RFC 7057
584471-1 3-Major K34343741 Priority order of clientssl profile selection of virtual server.
581840-5 3-Major K46576869 Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.
564876-2 3-Major   New DB variable log.lsn.comma changes CGNAT logs to CSV format
609084-2 4-Minor K03808942 Max number of chunks not configurable above 1000 chunks
597270-2 4-Minor   tcpdump support missing for VXLAN-GPE NSH


TMOS Fixes

ID Number Severity Solution Article(s) Description
655500 1-Blocking   Rekey SSH sessions after one hour
642058-1 1-Blocking   CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances
641390-5 1-Blocking K00216423 Backslash removal in LTM monitors after upgrade
627433-1 1-Blocking   HSB transmitter failure on i2x00 and i4x00 platforms
602830-1 1-Blocking   BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode
648056-2 2-Critical K16503454 bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805 2-Critical K92637255 LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses
641248 2-Critical   IPsec-related tmm segfault
641013-5 2-Critical   GRE tunnel traffic pinned to one TMM
638935-3 2-Critical   Monitor with send/receive string containing double-quote may cause upgrade to fail.
636918-2 2-Critical   Fix for crash when multiple tunnels use the same traffic selector
636290 2-Critical   vCMP support for B4450 blade
627898-2 2-Critical K53050234 tmm leaks memory in the ECM subsystem
625824-1 2-Critical   iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory
624263-4 2-Critical   iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response
618779-1 2-Critical   Route updates during IPsec tunnel setup can cause tmm to restart
616059-1 2-Critical K19545861 Modifying license.maxcores Not Allowed Error
614296-1 2-Critical   Dynamic routing process ripd may core
613536-5 2-Critical   tmm core while running the iRule STATS:: command
610295-1 2-Critical K32305923 TMM may crash due to internal backplane inconsistency after reprovisioning
583516-2 2-Critical   tmm ASSERT's "valid node" on Active, after timer fire..
567457-2 2-Critical   TMM may crash when changing the IKE peer config.
652484-2 3-Major   tmsh show net f5optics shows information for only 1 chassis slot in a cluster
649617-2 3-Major   qkview improvement for OVSDB management
648544-5 3-Major K75510491 HSB transmitter failure may occur when global COS queues enabled
646760 3-Major   Common Criteria Mode Disrupts Administrative SSH Access
644892-1 3-Major   Files captured multiple times in qkview
644490-1 3-Major   Finisar 100G LR4 values need to be revised in f5optics
637559-1 3-Major   Modifying iRule online could cause TMM to be killed by SIGABRT
636535 3-Major K24844444 HSB lockup in vCMP guest doesn't generate core file
635961-1 3-Major   gzipped and truncated files may be saved in qkview
635129 3-Major   Chassis systems in HA configuration become Active/Active during upgrade
635116-1 3-Major K34100550 Memory leak when using replicated remote high-speed logging.
634115-1 3-Major   Not all topology records may sync.
633879-1 3-Major K52833014 Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633512-1 3-Major K20160253 HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.
633413-1 3-Major   IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
631627-4 3-Major   Applying BWC over route domain sometimes results in tmm not becoming ready on system start
630622-1 3-Major   tmm crash possible if high-speed logging pool member is deleted and reused
630610-5 3-Major K43762031 BFD session interface configuration may not be stored on unit state transition
630546-1 3-Major   Very large core files may cause corrupted qkviews
629499-9 3-Major   tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"
629085-1 3-Major K55278069 Any CSS content truncated at a quoted value leads to a segfault
628202-4 3-Major   Audit-forwarder can take up an excessive amount of memory during a high volume of logging
628164-3 3-Major K20766432 OSPF with multiple processes may incorrectly redistribute routes
628009-1 3-Major   f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800
627961-3 3-Major K15130343 nic_failsafe reboot doesn't trigger if HSB fails to disable interface
627914-1 3-Major   Unbundled 40GbE optics reporting as Unsupported Optic
627214-3 3-Major   BGP ECMP recursive default route not redistributed to TMM
626839 3-Major   sys-icheck error for /var/lib/waagent in Azure.
626721-5 3-Major   "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart
625703-2 3-Major   SELinux: snmpd is denied access to tmstat files
625085 3-Major   lasthop rmmod causes kernel panic
624361-1 3-Major   Responses to some of the challenge JS are not zipped.
623930-3 3-Major   vCMP guests with vlangroups may loop packets internally
623401-1 3-Major   Intermittent OCSP request failures due to non-optimal default TCP profile setting
623336-4 3-Major   After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS
623055-1 3-Major   Kernel panic during unic initialization
622183-5 3-Major   The alert daemon should remove old log files but it does not.
621909-4 3-Major K23562314 Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members
621273-1 3-Major   DSR tunnels with transparent monitors may cause TMM crash.
620659-3 3-Major   The BIG-IP system may unecessarily run provisioning on successive reboots
620366-4 3-Major   Alertd can not open UDP socket upon restart
617628-1 3-Major   SNMP reports incorrect value for sysBladeTempTemperature OID
615934-1 3-Major   Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.
615107-1 3-Major   Cannot SSH from AOM/SCCP to host without password (host-based authentication).
613765-3 3-Major   Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.
612809-1 3-Major   Bootup script fails to run on on a vCMP guest due to a missing reference file.
611658-3 3-Major   "less" utility logs an error for remotely authenticated users using the tmsh shell
611512-1 3-Major   AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.
611487-3 3-Major   vCMP: VLAN failsafe does not trigger on guest
610417-1 3-Major K54511423 Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.
609119-7 3-Major   Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:
608320-3 3-Major   iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response
604727-1 3-Major   Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.
604237-3 3-Major   Vlan allowed mismatch found error in VCMP guest
604061-2 3-Major   Link Aggregation Control Protocol May Lose Synchronization after TMM Crash
602376-1 3-Major   qkview excludes files
598498-7 3-Major   Cannot remove Self IP when an unrelated static ARP entry exists.
598134-1 3-Major   Stats query may generate an error when tmm on secondary is down
596067-2 3-Major   GUI on VIPRION hangs on secondary blade reboot
590211-2 3-Major   jitterentropy-rngd quietly fails to start
583754-7 3-Major   When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.
575027-1 3-Major   Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.
562928-2 3-Major   Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled
559080-5 3-Major   High Speed Logging to specific destinations stops from individual TMMs
557471-3 3-Major   LTM Policy statistics showing zeros in GUI
543208-1 3-Major   Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.
534520-1 3-Major   qkview may exclude certain log files from /var/log
424542-5 3-Major   tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments
418349-2 3-Major   Update/overwrite of FIPS keys error
643404-2 4-Minor K30014507 'tmsh system software status' does not display properly in a specific cc-mode situation
636520-3 4-Minor K88813435 Detail missing from power supply 'Bad' status log messages
633181-1 4-Minor   A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
632668-5 4-Minor   When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069-3 4-Minor   Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
621957-2 4-Minor   Timezone data on AOM not syncing with host
609107-1 4-Minor   mcpd does not properly validate missing 'sys folder' config in bigip_base.conf
599191-2 4-Minor   One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card
589379-2 4-Minor K20937139 ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.
585097-1 4-Minor   Traffic Group score formula does not result in unique values.
541550-3 4-Minor   Defining more than 10 remote-role groups can result in authentication failure
541320-10 4-Minor K50973424 Sync of tunnels might cause restore of deleted tunnels.
500452-8 4-Minor K28520025 PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware
642015-2 5-Cosmetic   SSD Manufacturer "unavailable"
524277-2 5-Cosmetic   Missing power supplies issue warning message that should be just a notice message.


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
651476 2-Critical   bigd may core on non-primary bigd when FQDN in use
648715-2 2-Critical   BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
643396-2 2-Critical K34553627 Using FLOW_INIT iRule may lead to TMM memory leak or crash
642400-2 2-Critical   Path MTU discovery occasionally fails
640352-2 2-Critical K01000259 Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639744-1 2-Critical K84228882 Memory leak in STREAM::expression iRule
637181-4 2-Critical   VIP-on-VIP traffic may stall after routing updates
632685 2-Critical   bigd memory leak for FQDN nodes on non-primary bigd instance
630306-1 2-Critical   TMM crash in DNS processing on UDP virtual server with no available pool members
629145-1 2-Critical   External datagroups with no metadata can crash tmm
628890-1 2-Critical   Memory leak when modifying large datagroups
627403-2 2-Critical   HTTP2 can can crash tmm when stats is updated on aborting of a new connection
626311-2 2-Critical K75419237 Potential failure of DHCP relay functionality credits to incorrect route lookup.
625198-1 2-Critical   TMM might crash when TCP DSACK is enabled
622856-1 2-Critical   BIG-IP may enter SYN cookie mode later than expected
621870-2 2-Critical   Outage may occur with VIP-VIP configurations
619663-3 2-Critical K49220140 Terminating of HTTP2 connection may cause a TMM crash
619528-4 2-Critical   TMM may accumulate internal events resulting in TMM restart
619071-3 2-Critical   OneConnect with verified accept issues
614509-1 2-Critical   iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart
609027-1 2-Critical   TMM crashes when SSL forward proxy is enabled.
608304-1 2-Critical K55292305 TMM crash on memory corruption
603667-2 2-Critical   TMM may leak or corrupt memory when configuration changes occur with plugins in use
603082-3 2-Critical   Ephemeral pool members are getting deleted/created over and over again.
602136-5 2-Critical   iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server.
601828-1 2-Critical K13338433 An untrusted certificate can cause tmm to crash.
600982-5 2-Critical   TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"
599720-2 2-Critical   TMM may crash in bigtcp due to null pointer dereference
597828-1 2-Critical   SSL forward proxy crashes in some cases
596450-1 2-Critical   TMM may produce a core file after updating SSL session ticket key
594642-3 2-Critical   Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.
581746-1 2-Critical K42175594 MPTCP or SSL traffic handling may cause a BIG-IP outage
557358-5 2-Critical   TMM SIGSEGV and crash when memory allocation fails.
423629-3 2-Critical K08454006 bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted
653201 3-Major   Update the default CA certificate bundle file to the latest version and remove expiring certificates from it
651106 3-Major   memory leak on non-primary bigd with changing node IPs
649571-1 3-Major   Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990 3-Major   Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
641512-4 3-Major K51064420 DNSSEC key generations fail with lots of invalid SSL traffic
632324-2 3-Major   PVA stats does not show correct connection number
629412-3 3-Major   BIG-IP closes a connection when a maximum size window is attempted
627246-1 3-Major K09336400 TMM memory leak when ASM policy configured on virtual server
626386-1 3-Major K28505256 SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
626106-3 3-Major   LTM Policy with illegal rule name loses its conditions and actions during upgrade
625106-2 3-Major   Policy Sync can fail over a lossy network
624616-1 3-Major   Safenet uninstall is unable to remove libgem.so
620625-2 3-Major K38094257 Changes to the Connection.VlanKeyed DB key may not immediately apply
620079-3 3-Major   Removing route-domain may cause monitors to fail
619849-4 3-Major   In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.
618430-2 3-Major   iRules LX data not included in qkview
618428 3-Major   iRules LX - Debug mode does not function in dedicated mode
618254-4 3-Major   Non-zero Route domain is not always used in HTTP explicit proxy
617858-2 3-Major   bigd core when using Tcl monitors
616022-2 3-Major K46530223 The BIG-IP monitor process fails to process timeout conditions
613326-1 3-Major   SASP monitor improvements
612694-5 3-Major   TCP::close with no pool member results in zombie flows
610429-5 3-Major   X509::cert_fields iRule command may memory with subpubkey argument
610302-1 3-Major   Link throughput graphs might be incorrect.
609244-4 3-Major   tmsh show ltm persistence persist-records leaks memory
608551-3 3-Major   Half-closed congested SSL connections with unclean shutdown might stall.
607152-1 3-Major   Large Websocket frames corrupted
604496-4 3-Major   SQL (Oracle) monitor daemon might hang.
603979-4 3-Major   Data transfer from the BIG-IP system self IP might be slow
603723-2 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
603550-1 3-Major K63164073 Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.
600827-8 3-Major K21220807 Stuck Nitrox crypto queue can erroneously be reported
600593-1 3-Major   Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests
600052-1 3-Major   GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system
599121-2 3-Major K24036315 Under heavy load, hardware crypto queues may become unavailable.
592871-3 3-Major   Cavium Nitrox PX/III stuck queue diagnostics missing.
591666-3 3-Major   TMM crash in DNS processing on TCP virtual with no available pool members
589400-1 3-Major K33191529 With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.
586738-4 3-Major   The tmm might crash with a segfault.
584310-1 3-Major K83393638 TCP:Collect ignores the 'skip' parameter when used in serverside events
584029-6 3-Major   Fragmented packets may cause tmm to core under heavy load
582769-1 3-Major K99405272 WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual
579926-1 3-Major   HTTP starts dropping traffic for a half-closed connection when in passthrough mode
568543-4 3-Major   Syncookie mode is activated on wildcard virtuals
562267-3 3-Major   FQDN nodes do not support monitor alias destinations.
517756-6 3-Major   Existing connections can choose incorrect route when crossing non-strict route-domains
509858-5 3-Major   BIG-IP FastL4 profile vulnerability
419741-3 3-Major   Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
352957-4 3-Major K03005026 Route lookup after change in route table on established flow ignores pool members
660170-1 4-Minor K28505910 tmm may crash at ~75% of VLAN failsafe timeout expiration
631862-1 4-Minor K32107573 Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
618517-1 4-Minor K61255401 bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring
611161-3 4-Minor K28540353 VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
587966-1 4-Minor K77283304 LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port
583943-1 4-Minor K27491104 Forward proxy does not work when netHSM is configured on TMM interfaces
574020-5 4-Minor   Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')


Performance Fixes

ID Number Severity Solution Article(s) Description
621115-1 2-Critical   IP/IPv6 TTL/hoplimit may not be preserved for host traffic


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
642039-2 2-Critical K20140595 TMM core when persist is enabled for wideip with certain iRule commands triggered.
584374-2 2-Critical K67622400 iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.
642330-2 3-Major   GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.
640903-1 3-Major   Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
632423-4 3-Major K40256229 DNS::query can cause tmm crash if AXFR/IXFR types specified.
629530-2 3-Major K53675033 Under certain conditions, monitors do not time out.
628897-1 3-Major   Add Hyperlink to gslb server and vs on the Pool Member List Page
625671-4 3-Major   The diagnostic tool dnsxdump may crash with non-standard DNS RR types.
624876-1 3-Major   Response Policy Zones can trigger even after entry removed from zone
624193-2 3-Major   Topology load balancing not working as expected
623023-1 3-Major   Unable to set DNS Topology Continent to Unknown via GUI
621239-2 3-Major   Certain DNS queries bypass DNS Cache RPZ filter.
620215-5 3-Major   TMM out of memory causes core in DNS cache
619398-7 3-Major   TMM out of memory causes core in DNS cache
612769-1 3-Major K33842313 Hard to use search capabilities on the Pool Members Manage page.
601180-2 3-Major K73505027 Link Controller base license does not allow DNS namespace iRule commands.
567743-2 3-Major K70663134 Possible gtmd crash under certain conditions.
557434-4 3-Major   After setting a Last Resort Pool on a Wide IP, cannot reset back to None
366695-1 5-Cosmetic   Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
646511-1 2-Critical   BD crashes repeatedly after interrupted roll-forward upgrade
636397-1 2-Critical   bd cores when persistent storage configuration and under some memory conditions.
634001-2 2-Critical   ASM restarts after deleting a VS that has an ASM security policy assigned to it
627117-1 2-Critical   crash with wrong ceritifcate in WSS
625783-1 2-Critical   Chassis sync fails intermittently due to sync file backlog
618771-1 2-Critical   Some Social Security Numbers are not being masked
601378-2 2-Critical   Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons
584082-3 2-Critical   BD daemon crashes unexpectedly
540928-1 2-Critical   Memory leak due to unnecessary logging profile configuration updates.
640824-1 3-Major K20770267 Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
635754-1 3-Major K65531575 Wildcard URL pattern match works inncorectly in Traffic Learning
632344-2 3-Major   POP DIRECTIONAL FORMATTING causes false positive
632326-2 3-Major K52814351 relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631737-1 3-Major K61367823 ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations
630929-1 3-Major K69767100 Attack signature exception list upload times-out and fails
627360-1 3-Major   Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log
626438-1 3-Major   Frame is not showing in the browser and/ or an error appears
625832-4 3-Major   A false positive modified domain cookie violation
622913-2 3-Major   Audit Log filled with constant change messages
621524-2 3-Major   Processing Timeout When Viewing a Request with 300+ Violations
620635-2 3-Major   Request having upper case JSON login parameter is not detected as a failed login attempt
614563-3 3-Major   AVR TPS calculation is inaccurate
611151-2 3-Major   An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive
608245 3-Major   Reporting missing parameter details when attack signature is matched against parameter value
583024-1 3-Major   TMM restart rarely during startup
581406-1 3-Major   SQL Error on Peer Device After Receiving ASM Sync in a Device Group
580168-4 3-Major   Information missing from ASM event logs after a switchboot and switchboot back
576591-6 3-Major   Support for some future credit card number ranges
572885-1 3-Major   Policy automatic learning mode changes to manual after failover
392121-3 3-Major   TMSH Command to retrieve the memory consumption of the bd process
642874-1 4-Minor K15329152 Ready to be Enforced filter for Policy Signatures returns too many signatures


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
634215-1 2-Critical   False detection of attack after restarting dosl7d
573764-1 2-Critical   In some cases, only primary blade retains it's statistics after upgrade on multi bladed system
642221-2 3-Major   Incorrect entity is used when exporting TCP analytics from GUI
641574 3-Major K06503033 AVR doesn't report on virtual and client IP in DNS statistics
635561-1 3-Major   Heavy URLs statistics are not shown after upgrade.
631722 3-Major   Some HTTP statistics not displayed after upgrade
631131-3 3-Major   Some tmstat-adapters based reports stats are incorrect
605010-1 3-Major   Thrift::TException error
560114-6 3-Major   Monpd is being affected by an I/O issue which makes some of its threads freeze


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
645339-2 1-Blocking   TMM may crash when processing APM data
637308-8 2-Critical K41542530 apmd may crash when HTTP Auth agent is used in an Access Policy
632005-1 2-Critical   BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes
622244-2 2-Critical   Edge client can fail to upgrade when always connected is selected
617310-2 2-Critical   Edge client can fail to upgrade when Always Connected is selected
614322-1 2-Critical K31063537 TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway
608424-2 2-Critical   Dynamic ACL agent error log message contains garbage data
608408-2 2-Critical   TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library
593078-1 2-Critical   CATEGORY::filetype command may cause tmm to crash and restart
643547-1 3-Major K43036745 APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
638799-1 3-Major   Per-request policy branch expression evaluation fails
638780-3 3-Major   Handle 302 redirects for VMware Horizon View HTML5 client
636044-1 3-Major K68018520 Large number of glob patterns affects custom category lookup performance
634576 3-Major K48181045 TMM core in per-request policy
634252 3-Major K99114539 TMM crash with per-request policy in SWG explicit
632504-1 3-Major K31277424 APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499-1 3-Major K70551821 APM Policy Sync: Resources under webtop section are not sync'ed automatically
632472-1 3-Major   Frequently logged "Silent flag set - fail" messages
632386-1 3-Major   EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists
630571-1 3-Major K35254214 Edge Client on Mac OSX Sierra stuck in a reconnect loop
629801-2 3-Major   Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.
629698-1 3-Major   Edge client stuck on "Initializing" state
629069-2 3-Major   Portal Access may delete scripts from HTML page in some cases
628687-2 3-Major   Edge Client reconnection issues with captive portal
628685-2 3-Major K79361498 Edge Client shows several security warnings after roaming to a network with Captive Portal
627972-2 3-Major K11327511 Unable to save advanced customization when using Exchange iApp
627059-1 3-Major   In some rare cases TMM may crash while handling VMware View client connection
626910-1 3-Major   Policy with assigned SAML Resource is exported with error
625474-1 3-Major   POST request body is not saved in session variable by access when request is sent using edge client
625159-1 3-Major   Policy sync status not shown on standby device in HA case
624966-2 3-Major   Edge client starts new APM session when Captive portal session expire
623562-3 3-Major   Large POSTs rejected after policy already completed
622790-1 3-Major   EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP
621976-4 3-Major   OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974-4 3-Major   Skype For Business thick client shows javascript errors when rendering APM logon page
621447-1 3-Major   In some rare cases, VDI may crash
621210-2 3-Major   Policy sync shows as aborted even if it is completed
621126-2 3-Major   Import of config with saml idp connector with reuse causes certificate not found error
620829-2 3-Major K34213161 Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
620801-3 3-Major   Access Policy is not able to check device posture for Android 7 devices
620614-4 3-Major   Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account
619879-1 3-Major   HTTP iRule commands could lead to WEBSSO plugin being invoked
619811-2 3-Major   Machine Cert OCSP check fails with multiple Issuer CA
619486-3 3-Major   Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self
619473-2 3-Major   Browser may hang at APM session logout
618170-3 3-Major   Some URL unwrapping functions can behave bad
617063-1 3-Major   After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel
617002-1 3-Major   SWG with Response Analytics agent in a Per-Request policy fails with some URLs
616838-3 3-Major   Citrix Remote desktop resource custom parameter name does not accept hyphen character
615970-1 3-Major   SSO logging level may cause failover
615254-2 3-Major   Network Access Launch Application item fails to launch in some cases
612419-1 3-Major   APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))
611968-3 3-Major   JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow
611669-4 3-Major   Mac Edge Client customization is not applied on macOS 10.12 Sierra
610180-2 3-Major   SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.
597214-5 3-Major   Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly
595819-1 3-Major   Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,
595272-1 3-Major   Edge client may show a windows displaying plain text in some cases
591246-1 3-Major   Unable to launch View HTML5 connections in non-zero route domain virtual servers
584582-1 3-Major   JavaScript: 'baseURI' property may be handled incorrectly
570217-2 3-Major   BIG-IP APM now uses Airwatch v2 API to retreive device posture information
533956-3 3-Major K30515450 Portal Access: Space-like characters in EUC character sets may be handled incorrectly.
503842-4 3-Major   Microsoft WebService HTML component does not work after rewriting
640521-1 4-Minor   EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254-2 4-Minor   Cannot reinitiate a sync on a target device when sync is completed
618404-1 4-Minor   Access Profile copying might be invalid if policies are named series of names.
606257-3 4-Minor K56716107 TCP FIN sent with Connection: Keep-Alive header for webtop page resources


WebAccelerator Fixes

ID Number Severity Solution Article(s) Description
630661-2 3-Major K30241432 WAM may leak memory when a WAM policy node has multiple variation header rules


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
644970-1 2-Critical   Editing a virtual server config loses SSL encryption on iSession connections
644489-1 3-Major K14899014 Unencrypted iSession connection established even though data-encrypt configured in profile


Service Provider Fixes

ID Number Severity Solution Article(s) Description
639236-1 2-Critical K66947004 Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
624023-3 2-Critical   TMM cores in iRule when accessing a SIP header that has no value
569316-1 2-Critical   Core occurs on standby in MRF when routing to a route using a transport config
649933-1 3-Major   Fragmented RADIUS messages may be dropped
629663-1 3-Major K23210890 CGNAT SIP ALG will drop SIP INVITE
625542-1 3-Major   SIP ALG with Translation fails for REGISTER refresh.
625098-3 3-Major   SCTP::local_port iRule not supported in MRF events
601255-4 3-Major   RTSP response to SETUP request has incorrect client_port attribute


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
632731-2 2-Critical K21964367 specific external logging configuration can cause TMM service restart
628623-1 2-Critical   tmm core with AFM provisioned
639193-1 3-Major K03453591 BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.
631025-1 3-Major   500 internal error on inline rule editor for certain firewall policies
610129-3 3-Major K43320840 Config load failure when cluster management IP is not defined, but instead uses address-list.
592113-5 3-Major   tmm core on the standby unit with dos vectors configured
590805-4 3-Major   Active Rules page displays a different time zone.
431840-3 3-Major   Cannot add vlans to whitelist if they contain a hyphen


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
627257-2 2-Critical   Potential PEM crash during a Gx operation
626851-2 2-Critical K37665112 Potential crash in a multi-blade chassis during CMP state changes.
624744-1 2-Critical   Potential crash in a multi-blade chassis during CMP state changes.
624733-1 2-Critical   Potential crash in a multi-blade chassis during CMP state changes.
624228-1 2-Critical   Memory leak when using insert action in pem rule and flow gets aborted
623922-5 2-Critical K64388805 TMM failure in PEM while processing Service-Provider Disaggregation
641482-2 3-Major   Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640510-3 3-Major   BWC policy category attachment may fail during a PEM policy update for a subscriber.
640457-2 3-Major   Session Creation failure after HA
635233-3 3-Major K80902149 Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
630611-1 3-Major K84324392 PEM module crash when subscriber not fund
627798-3 3-Major   Buffer length check for quota bucket objects
627279-2 3-Major   Potential crash in a multi-blade chassis during CMP state changes.
623927-2 3-Major K41337253 Flow entry memory leaked after DHCP DORA process
564281-3 3-Major   TMM (debug) assert seen during Failover with Gy
628869-4 4-Minor   Unconditional logs seen due to the presence of a PEM iRule.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
609788 2-Critical   PCP may pick an endpoint outside the deterministic mapping
642284 3-Major   Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.
629871-2 3-Major   FTP ALG deployment should not rewrite PASV response 464 XLAT cases


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
639750-1 2-Critical   username aliases are not supported
636370 3-Major   Application Layer Encryption AJAX support
629627-1 3-Major   FPS Log Publisher is not grouped nor filtered by partition
629127-1 3-Major   Parent profiles cannot be saved using FPS GUI
628348-1 3-Major   Cannot configure any Mobile Security list having 11 records or more via the GUI
628337-1 3-Major   Forcing a single injected tag configuration is restrictive
625275-1 3-Major   Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI
624198-1 3-Major   Unable to add multiple User-Defined alerts with the same search category
623518-1 3-Major   Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition
594127-2 3-Major   Pages using Angular may hang when Websafe is enabled
635541 4-Minor   "Application CSS Locations" is not inherited if changing parent profile


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
625172-1 2-Critical   tmm crashes when classification is enabled and ftp traffic is flowing trough the box
631472-1 3-Major   Reseting classification signatures to default may result in non-working configuration


Device Management Fixes

ID Number Severity Solution Article(s) Description
606518-3 2-Critical K00762373 iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username.
642983-1 3-Major K94534313 Update to max message size limit doesn't work sometimes
629845-2 3-Major   Disallowing TLSv1 connections to HTTP causes iControl/REST issues
626542-2 3-Major   Unable to set maxMessageBodySize in iControl REST after upgrade



Cumulative fixes from BIG-IP v12.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
618306-2 CVE-2016-9247 K33500120 TMM vulnerability CVE-2016-9247
616864-1 CVE-2016-2776 K18829561 BIND vulnerability CVE-2016-2776
613282-2 CVE-2016-2086, CVE-2016-2216, CVE-2016-1669 K15311661 NodeJS vulnerability CVE-2016-2086
611469-3 CVE-2016-7467 K95444512 Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector
597394-2 CVE-2016-9252 K46535047 Improper handling of IP options
591328-7 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K36488941 OpenSSL vulnerability CVE-2016-2106
591325-8 CVE-2016-2108 CVE-2016-2107 CVE-2016-2105 CVE-2016-2106 CVE-2016-2109 K75152412 OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109
591042-17 CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109 K23230229 OpenSSL vulnerabilities
560109-7 CVE-2017-6160 K19430431 Client capabilities failure
618549-1 CVE-2016-9249 K71282001 Fast Open can cause TMM crash CVE-2016-9249
618263-1 CVE-2016-2182 K01276005 OpenSSL vulnerability CVE-2016-2182
614147-1 CVE-2017-6157 K02692210 SOCKS proxy defect resolution
614097-1 CVE-2017-6157 K02692210 HTTP Explicit proxy defect resolution
607314-1 CVE-2016-3500 CVE-2016-3508 K25075696 Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508
605039-3 CVE-2016-2775 K92991044 lwresd and bind vulnerability CVE-2016-2775
601059-6 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4448 CVE-2016-4449 K14614344 libxml2 vulnerability CVE-2016-1840
599536-1 CVE-2017-6156 K05263202 IPsec peer with wildcard selector brings up wrong phase2 SAs
597023-1 CVE-2016-4954 K82644737 NTP vulnerability CVE-2016-4954
595242-1 CVE-2016-3705 K54225343 libxml2 vulnerabilities CVE-2016-3705
595231-1 CVE-2016-3627 K54225343 libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705
594496-1 CVE-2016-4539 K35240323 PHP Vulnerability CVE-2016-4539
593447-1 CVE-2016-5024 K92859602 BIG-IP TMM iRules vulnerability CVE-2016-5024
592485 CVE-2015-5157 CVE-2015-8767 K17326 Linux kernel vulnerability CVE-2015-5157
592001-1 CVE-2016-4071 CVE-2016-4073 K64412100 CVE-2016-4073 PHP vulnerabilities
591455-7 CVE-2016-1550 CVE-2016-1548 CVE-2016-2516 CVE-2016-2518 K24613253 NTP vulnerability CVE-2016-2516
591447-1 CVE-2016-4070 K42065024 PHP vulnerability CVE-2016-4070
591358-1 CVE-2016-3425 CVE-2016-0695 CVE-2016-3427 K81223200 Oracle Java SE vulnerability CVE-2016-3425
585424-1 CVE-2016-1979 K20145801 Mozilla NSS vulnerability CVE-2016-1979
580747-1 CVE-2016-0739 K57255643 libssh vulnerability CVE-2016-0739
557190-3 CVE-2017-6166 K65615624 'packet_free: double free!' tmm core
597010-1 CVE-2016-4955 K03331206 NTP vulnerability CVE-2016-4955
596997-1 CVE-2016-4956 K64505405 NTP vulnerability CVE-2016-4956
591767-8 CVE-2016-1547 K11251130 NTP vulnerability CVE-2016-1547
591438-7 CVE-2015-8865 K54924436 PHP vulnerability CVE-2015-8865
575629-3 CVE-2015-8139 K00329831 NTP vulnerability: CVE-2015-8139
573343-1 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 K01324833 NTP vulnerability CVE-2015-8158


Functional Change Fixes

ID Number Severity Solution Article(s) Description
615377-3 3-Major   Unexpected rate limiting of unreachable and ICMP messages for some addresses.
590122-2 3-Major   Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.
581438-2 3-Major   Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.
561348-7 3-Major   krb5.conf file is not synchronized between blades and not backed up
541549-2 3-Major   AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.
530109-3 3-Major   OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.
246726-1 3-Major K8940 System continues to process virtual server traffic after disabling virtual address
225634-1 3-Major   The rate class feature does not honor the Burst Size setting.
599839-3 4-Minor   Add new keyords to SIP::persist command to specify how Persistence table is updated
591733-4 4-Minor K83175883 Save on Auto-Sync is missing from the configuration utility.


TMOS Fixes

ID Number Severity Solution Article(s) Description
625784 1-Blocking   TMM crash on i4x00 and i2x00 platforms with large ASM configuration.
617622 1-Blocking   In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure
621422 2-Critical   i2000 and i4000 series appliances do not warn when an incorrect optic is in a port
620056-1 2-Critical   Assert on deletion of paired in-and-out IPsec traffic selectors
617935 2-Critical   IKEv2 VPN tunnels fail to establish
617481-1 2-Critical   TMM can crash when HTML minification is configured
614865-5 2-Critical   Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.
610354-1 2-Critical   TMM crash on invalid memory access to loopback interface stats object
605476-3 2-Critical   statsd can core when reading corrupt stats files.
601527-4 2-Critical   mcpd memory leak and core
600894-1 2-Critical   In certain situations, the MCPD process can leak memory
598748 2-Critical   IPsec AES-GCM IVs are now based on a monotonically increasing counter
598697-1 2-Critical   vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created
595712-1 2-Critical   Not able to add remote user locally
591495-2 2-Critical   VCMP guests sflow agent can crash due to duplicate vlan interface indices
591104-1 2-Critical   ospfd cores due to an incorrect debug statement.
588686 2-Critical   High-speed logging to remote logging node stops sending logs after all logging nodes go down
587698-3 2-Critical   bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured
585745-2 2-Critical   sod core during upgrade from 10.x to 12.x.
583936-5 2-Critical   Removing ECMP route from BGP does not clear route from NSM
557680-4 2-Critical   Fast successive MTU changes to IPsec tunnel interface crashes TMM
355806-7 2-Critical   Starting mcpd manually at the command line interferes with running mcpd
622877-1 3-Major   i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away
622199 3-Major   sys-icheck reports error with /var/lib/waagent
622194 3-Major   sys-icheck reports error with ssh_host_rsa_key
621423 3-Major   sys-icheck reports error with /config/ssh/ssh_host_dsa_key
621242-1 3-Major   Reserve enough space in the image for future upgrades.
621225 3-Major   LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"
620782 3-Major   Azure cloud now supports hourly billing
619410-1 3-Major   TMM hardware accelerated compression not registering for all compression levels.
617986-2 3-Major   Memory leak in snmpd
617229-1 3-Major K54245014 Local policy rule descriptions disappear when policy is re-saved
616242-3 3-Major K39944245 basic_string::compare error in encrypted SSL key file if the first line of the file is blank
614530-2 3-Major   Dynamic ECMP routes missing from Linux host
614180-1 3-Major   ASM is not available in LTM policy when ASM is licensed as the main active module
610441-3 3-Major   When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.
610352-1 3-Major   sys-icheck reports error with /etc/sysconfig/modules/unic.modules
610350-1 3-Major   sys-icheck reports error with /config/bigpipe/defaults.scf
610273-3 3-Major   Not possible to do targeted failover with HA Group configured
605894-3 3-Major   Remote authentication for BIG-IP users can fail
603149-2 3-Major   Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy
602854-8 3-Major   Missing ASM control option from LTM policy rule screen in the Configuration utility
602502-2 3-Major   Unable to view the SSL Cert list from the GUI
601989-3 3-Major K88516119 Remote LDAP system authenticated username is case sensitive
601893-2 3-Major K89212666 TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.
601502-4 3-Major   Excessive OCSP traffic
600558-5 3-Major   Errors logged after deleting user in GUI
599816-2 3-Major   Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.
598443-1 3-Major   Temporary files from TMSH not being cleaned up intermittently.
598039-6 3-Major   MCP memory may leak when performing a wildcard query
597729-5 3-Major   Errors logged after deleting user in GUI
596104-1 3-Major K84539934 HA trunk unavailable for vCMP guest
595773-4 3-Major   Cancellation requests for chunked stats queries do not propagate to secondary blades
594426-2 3-Major   Audit forwarding Radius packets may be rejected by Radius server
592870-2 3-Major   Fast successive MTU changes to IPsec tunnel interface crashes TMM
592320-5 3-Major   ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1
589083-2 3-Major   TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
586878-4 3-Major   During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.
585833-3 3-Major   Qkview will abort if /shared partition has less than 2GB free space
585547-1 3-Major   NTP configuration items are no longer collected by qkview
585485-3 3-Major   inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system
584583-3 3-Major K18410170 Timeout error when using the REST API to retrieve large amount of data
583285-5 3-Major K24331010 BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.
582084-1 3-Major   BWC policy in device sync groups.
580500-1 3-Major   /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.
578551-5 3-Major   bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot
576305-7 3-Major   Potential MCPd leak in IPSEC SPD stats query code
575649-5 3-Major   MCPd might leak memory in IPFIX destination stats query
575591-6 3-Major   Potential MCPd leak in IKE message stats query code
575589-5 3-Major   Potential MCPd leak in IKE event stats query code
575587-7 3-Major   Potential MCPd leak in BWC policy class stats query code
575176-1 3-Major K58275035 Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic
575066-1 3-Major   Management DHCP settings do not take effect
570818-4 3-Major   Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.
568672-1 3-Major   Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI
566507-4 3-Major   Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment
553795-7 3-Major   Differing cert/key after successful config-sync
547479-5 3-Major   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
546145-1 3-Major   Creating local user for previously remote user results in incomplete user definition.
540872-1 3-Major   Config sync fails after creating a partition.
527206-5 3-Major   Management interface may flap due to LOP sync error
393270-1 3-Major   Configuration utility may become non-responsive or fail to load.
618421 4-Minor   Some mass storage is left un-used
617124 4-Minor   Cannot map hardware type (12) to HardwareType enumeration
581835-1 4-Minor   Command failing: tmsh show ltm virtual vs_name detail.
567546-1 4-Minor   Files with file names larger than 100 characters are omitted from qkview
564771-1 4-Minor   cron sends purge_mysql_logs.pl email error on LTM-only device
564522-2 4-Minor K40547220 cron is configured with MAILTO=root but mailhost defaults to 'mail'
559837-4 4-Minor   Misleading error message in catalina.out when listing certificates.
551349-5 4-Minor K80203854 Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade
460833-5 4-Minor   MCPD sync errors and restart after multiple modifications to file object in chassis
572133-5 5-Cosmetic   tmsh save /sys ucs command sends status messages to stderr
442231-4 5-Cosmetic   Pendsect log entries have an unexpected severity


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
618905-1 1-Blocking   tmm core while installing Safenet 6.2 client
616215-4 2-Critical   TMM can core when using LB::detach and TCP::notify commands in an iRule
615388-1 2-Critical   L7 policies using normalized HTTP URI or Referrer operands may corrupt memory
612229-1 2-Critical   TMM may crash if LTM a disable policy action for 'LTM Policy' is not last
609628-2 2-Critical   CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session
609199-6 2-Critical   Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join
608555-1 2-Critical   Configuring asymmetric routing with a VE rate limited license will result in tmm crash
607724-2 2-Critical K25713491 TMM may crash when in Fallback state.
607524-2 2-Critical   Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.
607360-5 2-Critical   Safenet 6.2 library missing after upgrade
606573-3 2-Critical   FTP traffic does not work through SNAT when configured without Virtual Server
605865-4 2-Critical   Debug TMM produces core on certain ICMP PMTUD packets
604133-2 2-Critical   Ramcache may leave the HTTP Cookie Cache in an inconsistent state
603032-1 2-Critical   clientssl profiles with sni-default enabled may leak X509 objects
602326-1 2-Critical   Intermittent pkcs11d core when stopping or restarting pkcs11d service
599135-2 2-Critical   B2250 blades may suffer from high TMM CPU utilisation with tcpdump
588959-2 2-Critical K34453301 TMM may crash or behave abnormally on a Standby BIG-IP unit
588351-5 2-Critical   IPv6 fragments are dropped when packet filtering is enabled.
586449-1 2-Critical   Incorrect error handling in HTTP cookie results in core when TMM runs out of memory
584213-1 2-Critical   Transparent HTTP profiles cannot have iRules configured
575011-1 2-Critical K21137299 Memory leak. Nitrox3 Hang Detected.
574880-3 2-Critical   Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.
549329-3 2-Critical K02020031 L7 mirrored ACK from standby to active box can cause tmm core on active
545810-3 2-Critical K14304373 TMM halts and restarts
459671-4 2-Critical   iRules source different procs from different partitions and executes the incorrect proc.
617862-2 3-Major   Fastl4 handshake timeout is absolute instead of relative
617824-3 3-Major   "SSL::disable/enable serverside" + oneconnect reuse is broken
615143-1 3-Major   VDI plugin-initiated connections may select inappropriate SNAT address
613429-2 3-Major   Unable to assign wildcard wide IPs to various BIG-IP DNS objects.
613369-4 3-Major   Half-Open TCP Connections Not Discoverable
613079-4 3-Major   Diameter monitor watchdog timeout fires after only 3 seconds
613065-1 3-Major   User can't generate netHSM key with Safenet 6.2 client using GUI
612040-4 3-Major   Statistics added for all crypto queues
611320-3 3-Major   Mirrored connection on Active unit of HA pair may be unexpectedly torndown
610609-3 3-Major   Total connections in bigtop, SNMP are incorrect
608024-3 3-Major   Unnecessary DTLS retransmissions occur during handshake.
607803-3 3-Major K33954223 DTLS client (serverssl profile) fails to complete resumed handshake.
607304-5 3-Major   TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.
606940-3 3-Major   Clustered Multiprocessing (CMP) peer connection may not be removed
606575-6 3-Major   Request-oriented OneConnect load balancing ends when the server returns an error status code.
606565-2 3-Major K52231531 TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection
604977-2 3-Major K08905542 Wrong alert when DTLS cookie size is 32
603236-1 3-Major   1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware
602385-1 3-Major   Add zLib compression
602366-1 3-Major   Safenet 6.2 HA performance
602358-5 3-Major   BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version
601496-4 3-Major   iRules and OCSP Stapling
601178-6 3-Major   HTTP cookie persistence 'preferred' encryption
598874-2 3-Major   GTM Resolver sends FIN after SYN retransmission timeout
597978-2 3-Major   GARPs may be transmitted by active going offline
597879-1 3-Major   CDG Congestion Control can lead to instability
597532-1 3-Major   iRule: RADIUS avp command returns a signed integer
597089-8 3-Major   Connections are terminated after 5 seconds when using ePVA full acceleration
593530-6 3-Major K26430211 In rare cases, connections may fail to expire
592784-2 3-Major   Compression stalls, does not recover, and compression facilities cease.
592497-1 3-Major   Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.
591659-5 3-Major K47203554 Server shutdown is propagated to client after X-Cnection: close transformation.
591476-7 3-Major K53220379 Stuck crypto queue can erroneously be reported
591343-5 3-Major K03842525 SSL::sessionid output is not consistent with the sessionid field of ServerHello message.
589223-1 3-Major   TMM crash and core dump when processing SSL protocol alert.
588115-1 3-Major   TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw
588089-3 3-Major   SSL resumed connections may fail during mirroring
587016-3 3-Major   SIP monitor in TLS mode marks pool member down after positive response.
585813-3 3-Major   SIP monitor with TLS mode fails to find cert and key files.
585412-4 3-Major   SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines
583957-6 3-Major   The TMM may hang handling pipelined HTTP requests with certain iRule commands.
582465-1 3-Major   Cannot generate key after SafeNet HSM is rebooted
580303-5 3-Major   When going from active to offline, tmm might send a GARP for a floating address.
579843-1 3-Major   tmrouted may not re-announce routes after a specific succession of failover states
579371-4 3-Major K70126130 BIG-IP may generate ARPs after transition to standby
578951-2 3-Major   TCP Fast Open connection timeout during handshake does not decrement pre_established_connections
572281-5 3-Major   Variable value in the nesting script of foreach command get reset when there is parking command in the script
570057-2 3-Major   Can't install more than 16 SafeNet HSMs in its HA group
569288-6 3-Major   Different LACP key may be used in different blades in a chassis system causing trunking failures
565799-4 3-Major   CPU Usage increases when using masquerade addresses
551208-6 3-Major   Nokia alarms are not deleted due to the outdated alert_nokia.conf.
550161-4 3-Major   Networking devices might block a packet that has a TTL value higher than 230.
545796-5 3-Major   [iRule] [Stats] iRule is not generating any stats for executed iRules.
545450-5 3-Major   Log activation/deactivation of TM.TCPMemoryPressure
537553-8 3-Major   tmm might crash after modifying virtual server SSL profiles in SNI configuration
534457-4 3-Major   Dynamically discovered routes might fail to remirror connections.
530266-7 3-Major   Rate limit configured on a node can be exceeded
506543-5 3-Major   Disabled ephemeral pool members continue to receive new connections
483953-1 3-Major   Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.
472571-7 3-Major   Memory leak with multiple client SSL profiles.
464801-3 3-Major   Intermittent tmm core
423392-6 3-Major   tcl_platform is no longer in the static:: namespace
371164-1 3-Major   BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.
598860-4 4-Minor   IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address
587676-2 4-Minor   SMB monitor fails due to internal configuration issue
560471-1 4-Minor   Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down
544033-5 4-Minor K30404012 ICMP fragmentation request is ignored by BIG-IP
222034-4 4-Minor   HTTP::respond in LB_FAILED with large header/body might result in truncated response


Performance Fixes

ID Number Severity Solution Article(s) Description
510631-1 3-Major   B4450 L4 No ePVA or L7 throughput lower than expected


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
603598-3 2-Critical   big3d memory under extreme load conditions
587656-2 2-Critical   GTM auto discovery problem with EHF for ID574052
587617-1 2-Critical   While adding GTM server, failure to configure new IP on existing server leads to gtmd core
615338-2 3-Major   The value returned by "matchregion" in an iRule is inconsistent in some cases.
613576-1 3-Major   QOS load balancing links display as gray
613045-7 3-Major   Interaction between GTM and 10.x LTM results in some virtual servers marked down
607658-1 3-Major   GUI becomes unresponsive when managing GSLB Pool
589256-1 3-Major K71283501 DNSSEC NSEC3 records with different type bitmap for same name.
588289-1 3-Major   GTM is Re-ordering pools when adding pool including order designation
584623-2 3-Major   Response to -list iRules command gets truncated when dealing with MX type wide IP
574052-4 3-Major   GTM autoconf can cause high CPU usage for gtmd
370131-4 3-Major   Loading UCS with low GTM Autoconf Delay drops pool Members from config


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
609499-1 2-Critical   Compiled signature collections use more memory than prior versions
603945-2 2-Critical   BD config update should be considered as config addition in case of update failure
588087-1 2-Critical   Attack prevention isn't escalating under some conditions in session opening mitigation
587629-2 2-Critical   IP exceptions may have issues with route domain
575133-1 2-Critical   asm_config_server_rpc_handler_async.pl SIGSEGV and core
622386-1 3-Major   Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled
621808-1 3-Major   Proactive Bot Defense failing in IE11 with Compatibility View enabled
616169 3-Major   ASM Policy Export returns HTML error file
613459-1 3-Major   Non-common browsers blocked by Proactive Bot Defense
613396-1 3-Major   Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs
611385-1 3-Major   "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'
610857-1 3-Major   DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.
610830-1 3-Major   FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.
609496-2 3-Major   Improved diagnostics in BD config update (bd_agent) added
608509-1 3-Major   Policy learning is slow under high load
606875-1 3-Major   DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page
604923-5 3-Major   REST id for Signatures change after update
604612-1 3-Major K20323120 Modified ASM cookie violation happens after upgrade to 12.1.x
602221-2 3-Major   Wrong parsing of redirect Domain
601924-1 3-Major   Selenium detection by ports scanning doesn't work even if the ports are opened
596502-1 3-Major   Unable to force Bot Defense action to Allow in iRule
584642-1 3-Major   Apply Policy Failure
584103-2 3-Major   FPS periodic updates (cron) write errors to log
582683-2 3-Major   xpath parser doesn't reset a namespace hash value between each and every scan
582133-1 3-Major   Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)
581315-1 3-Major   Selenium detection not blocked
579917-1 3-Major   User-defined signature set cannot be created/updated with Signature Type = "All"
579495-1 3-Major   Error when loading Upgrade UCS
521204-2 3-Major   Include default values in XML Policy Export
501892-1 3-Major   Selenium is not detected by headless mechanism when using client version without server


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
602654-2 2-Critical   TMM crash when using AVR lookups
602434-1 2-Critical   Tmm crash with compressed response
601056 2-Critical   TCP-Analytics, error message not using rate-limit mechanism can halt TMM
622735 3-Major   TCP Analytics statistics does not list all virtual servers
618944-1 3-Major   AVR statistic is not save during the upgrade process
601035 3-Major   TCP-Analytics can fail to collect all the activity


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
618506 2-Critical   TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.
618324-1 2-Critical   Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor
592868-3 2-Critical   Rewrite may crash processing HTML tag with HTML entity in attribute value
591117-3 2-Critical   APM ACL construction may cause TMM to core if TMM is out of memory
569563-3 2-Critical   Sockets resource leak after loading complex policy
619250-1 3-Major   Returning to main menu from "RSS Feed" breaks ribbon
617187-1 3-Major   APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate
614891-2 3-Major   Routing table doesn't get updated when EDGE client roams among wireless networks
613613-2 3-Major   Incorrect handling of form that contains a tag with id=action
611922-1 3-Major   Policy sync fails with policy that includes custom CA Bundle.
611240-3 3-Major   Import of config with securid might fail
610224-3 3-Major   APM client may fetch expired certificate when a valid and an expired certificate co-exist
608941-1 3-Major   AAA RADIUS system authentication fails on IPv6 network
604767-1 3-Major   Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.
601905-1 3-Major   POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server
600119-3 3-Major   DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions
598981-3 3-Major K06913155 APM ACL does not get enforced all the time under certain conditions
598211-1 3-Major   Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.
597431-2 3-Major   VPN establishment may fail when computer wakes up from sleep
596116-3 3-Major   LDAP Query does not resolve group membership, when required attribute(s) specified
595227-1 3-Major   SWG Custom Category: unable to have a URL in multiple custom categories
594288-1 3-Major   Access profile configured with SWG Transparent results in memory leak.
592414-4 3-Major   IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed
591840-1 3-Major   encryption_key in access config is NULL in whitelist
591590-1 3-Major   APM policy sync results are not persisted on target devices
591268-1 3-Major   VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions
590820-3 3-Major   Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.
588888-3 3-Major K80124134 Empty URI rewriting is not done as required by browser.
586718-1 3-Major   Session variable substitutions are logged
586006-1 3-Major   Failed to retrieve CRLDP list from client certificate if DirName type is present
585562-3 3-Major   VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari
583113-1 3-Major   NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event
582752-3 3-Major   Macrocall could be topologically not connected with the rest of policy.
582526-3 3-Major   Unable to display and edit huge policies (more than 4000 elements)
580893-2 3-Major K08731969 Support for Single FQDN usage with Citrix Storefront Integration mode
573643-3 3-Major   flash.utils.Proxy functionality is not negotiated
572558-1 3-Major   Internet Explorer: incorrect handling of document.write() to closed document
569309-3 3-Major   Clientside HTML parser does not recognize HTML event attributes without value
562636-2 3-Major K05489319 Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.
525429-11 3-Major   DTLS renegotiation sequence number compatibility
455975-1 3-Major   Separate MIBS needed for tracking Access Sessions and Connectivity Sessions
389484-6 3-Major   OAM reporting Access Server down with JDK version 1.6.0_27 or later
386517-1 3-Major   Multidomain SSO requires a default pool be configured
238444-3 3-Major K14219 An L4 ACL has no effect when a layered virtual server is used.
605627 4-Minor   Selinux denial seen for apmd when it is being shutdown.
584373-2 4-Minor   AD/LDAP resource group mapping table controls are not accessible sometimes
573611-1 4-Minor   Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs
557411-1 4-Minor   Full Webtop resources appear overlapping in IE11 compatibility mode


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
619757-1 2-Critical   iSession causes routing entry to be prematurely freed


Service Provider Fixes

ID Number Severity Solution Article(s) Description
613297-3 2-Critical   Default generic message routing profile settings may core
612135-3 2-Critical   Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic
603397-2 2-Critical   tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config
596631-2 2-Critical   SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later
609575-5 3-Major   BIG-IP drops ACKs containing no max-forwards header
609328-3 3-Major K53447441 SIP Parser incorrectly parsers empty header
607713-3 3-Major   SIP Parser fails header with multiple sequential separators inside quoted string.
603019-3 3-Major   Inserted SIP VIA branch parameter not unique between INVITE and ACK
599521-5 3-Major   Persistence entries not added if message is routed via an iRule
598854-3 3-Major   sipdb tool incorrectly displays persistence records without a pool name
598700-6 3-Major   MRF SIP Bidirectional Persistence does not work with multiple virtual servers
597835-3 3-Major K12228503 Branch parameter in inserted VIA header not consistent as per spec
583010-4 3-Major   Sending a SIP invite with 'tel' URI fails with a reset
578564-4 3-Major   ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response
573075-4 3-Major   ADAPT recursive loop when handling successive iRule events
566576-6 3-Major   ICAP/OneConnect reuses connection while previous response is in progress
401815-1 3-Major   BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic
585807-2 4-Minor   'ICAP::method <method>' iRule is documented but is read-only
561500-4 4-Minor   ICAP Parsing improvement


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
612874-1 2-Critical   iRule with FLOW_INIT stage execution can cause TMM restart
609095-1 2-Critical   mcpd memory grows when updating firewall rules
622281-1 3-Major   Network DoS logging configuration change can cause TMM crash
614284-2 3-Major   Performance fix to not reset a data structure in the packet receive hotpath.
608566-1 3-Major   The reference count of NW dos log profile in tmm log is incorrect
605427-1 3-Major   TMM may crash when adding and removing virtual servers with security log profiles
594869-4 3-Major   AFM can log DoS attack against the internal mpi interface and not the actual interface
594075-2 3-Major   Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically
586070 3-Major   'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings
585823-1 3-Major   FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
609005-2 1-Blocking   Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).
611467-3 2-Critical   TMM coredump at dhcpv4_server_set_flow_key().
608009-1 2-Critical   Crash: Tmm crashing when active system connections are deleted from cli
603825-2 2-Critical   Crash when a Gy update message is received by a debug TMM
593070-2 2-Critical   TMM may crash with multiple IP addresses per session
472860-5 2-Critical   RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.
623491-2 3-Major   After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.
622220-2 3-Major   Disruption during manipulation of PEM data with suspected flow irregularity
618657-4 3-Major   Bogus ICMP unreachable messages in PEM with ipother profile in use
617014-3 3-Major   tmm core using PEM
608742-2 3-Major K48561135 DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.
608591-1 3-Major   Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers
592070-5 3-Major   DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied
588456-3 3-Major K60250444 PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).
577863-5 3-Major K56504204 DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
606066-2 2-Critical   LSN_DELETE messages may be lost after HA failover
605525-1 2-Critical   Deterministic NAT combined with NAT64 may cause a TMM core
587106-1 2-Critical   Inbound connections are reset prematurely when zombie timeout is configured.
602171-1 3-Major   TMM may core when remote LSN operations time out


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
617648 2-Critical   Surfing with IE8 sometimes results with script error
603234-3 2-Critical   Performance Improvements
597471 2-Critical   Some Alerts are sent with outdated username value
617688 3-Major   Encryption is not activated unless "real-time encryption" is selected
613671-2 3-Major   Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation
610897-2 3-Major   FPS generated request failure throw "unspecified error" error in old IE.
609098-1 3-Major   Improve details of ajax failure
604885-1 3-Major   Redirect/Route action doesn't work if there is an alert logging iRule
601083-1 3-Major   FPS Globally Forbidden Words lists freeze in IE 11
588058-3 3-Major   False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer
609114-1 4-Minor   Add the ability to control dropping of alerts by before-load-function
605125-2 4-Minor   Sometimes, passwords fields are readonly
592274-3 4-Minor   RAT-Detection alerts sent with incorrect duration details


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
588405-1 3-Major   BADOS - BIG-IP Self-protection during (D)DOS attack
608826-1 4-Minor   Greylist (bad actors list) is not cleaned when attack ends


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
624370-1 2-Critical   tmm crash during classification hitless upgrade if virtual server configuration is modified


Device Management Fixes

ID Number Severity Solution Article(s) Description
621401 3-Major   When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
615824-1 3-Major   REST API calls to invalid REST endpoint log level change



Cumulative fixes from BIG-IP v12.1.1 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
613127-3 CVE-2016-5696 K46514822 Linux TCP Stack vulnerability CVE-2016-5696


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
612564 1-Blocking   mysql does not start
618382-4 2-Critical   qkview may cause tmm to restart or may take 30 or more minutes to run
614766-1 3-Major   lsusb uses unknown ioctl and spams kernel logs
612952-1 3-Major   PSU FW revision not displayed correctly
611352 3-Major K68092141 Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms
610307 3-Major   Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber
609325 3-Major   Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported
606807-1 3-Major   i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error
604459-1 3-Major   On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up
597309-2 3-Major   Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms
561444-1 3-Major   LCD might display incorrect output.
521270-1 3-Major   Hypervisor might replace vCMP guest SYN-Cookie secrets
434573-6 3-Major K25051022 Tmsh 'show sys hardware' displays Platform ID instead of platform name
609677-1 4-Minor   Dossier warning 14
607857-1 4-Minor   Some information displayed in "list net interface" will be stale for interfaces that change bundle state
607200-1 4-Minor   Switch interfaces may seem up after bcm56xxd goes down
602061 4-Minor   i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages
601309 4-Minor   Locator LED no longer persists across reboots
592716-1 4-Minor   BMC timezone value was not being synchronized by BIG-IP


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
597708-4 3-Major   Stats are unavailable and vCMP state and status are incorrect



Cumulative fixes from BIG-IP v12.1.1 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
598294-1 CVE-2016-7472 K17119920 BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472
601938-2 CVE-2016-7474 K52180214 MCPD stores certain data incorrectly


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
542097-4 2-Critical   Update to RHEL6 kernel
601927-1 4-Minor K52180214 Security hardening of control plane


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
602653-1 2-Critical   TMM may crash after updating bot-signatures
599769 2-Critical   TMM may crash when managing APM clients.
605682-2 3-Major   With forward proxy enabled, sometimes the client connection will not complete.
599054-2 3-Major   LTM policies may incorrectly use those of another virtual server


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
585120-1 2-Critical   Memory leak in bd under rare scenario


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
596674-2 2-Critical   High memory usage when using CS features with gzip HTML responses.
575170-2 2-Critical   Analytics reports may not identify virtual servers correctly
590074-1 3-Major   Wrong value for TCP connections closed measure


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
603997 2-Critical   Plugin should not inject nonce to CSP header with unsafe-inline
594910-1 3-Major   FPS flags no cookie when length check fails
590608-1 3-Major   Alert is not redirected to alert server when unseal fails
590578-4 3-Major   False positive "URL error" alerts on URLs with GET parameters
593355 4-Minor   FPS may erroneously flag missing cookie
589318-1 4-Minor   Clicking 'Customize All' checkbox does not work.


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
603605-1 2-Critical   Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active
608373-2 3-Major   Some iApp LX packages will not be saved during upgrade or UCS save/restore



Cumulative fixes from BIG-IP v12.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
596488-1 CVE-2016-5118 K82747025 GraphicsMagick vulnerability CVE-2016-5118.
579955-6 CVE-2016-7475 K01587042 BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475
587077-1 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2115 CVE-2016-2118 K37603172 Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118
579220-1 CVE-2016-1950 K91100352 Mozilla NSS vulnerability CVE-2016-1950
570697-1 CVE-2015-8138 K71245322 NTP vulnerability CVE-2015-8138
580340-1 CVE-2016-2842 K52349521 OpenSSL vulnerability CVE-2016-2842
580313-1 CVE-2016-0799 K22334603 OpenSSL vulnerability CVE-2016-0799
579829-7 CVE-2016-0702 K79215841 OpenSSL vulnerability CVE-2016-0702
579085-6 CVE-2016-0797 K40524634 OpenSSL vulnerability CVE-2016-0797
578570-1 CVE-2016-0705 K93122894 OpenSSL Vulnerability CVE-2016-0705
569355-1 CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494 K50118123 Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494
565895-1 CVE-2015-8389 CVE-2015-8388 CVE-2015-5073 CVE-2015-8395 CVE-2015-8393 CVE-2015-8390 CVE-2015-8387 CVE-2015-8391 CVE-2015-8383 CVE-2015-8392 CVE-2015-8386 CVE-2015-3217 CVE-2015-8381 CVE-2015-8380 CVE-2015-8384 CVE-2015-8394 CVE-2015-3210 K17235 Multiple PCRE Vulnerabilities
570667-2 CVE-2016-0701 CVE-2015-3197 K64009378 OpenSSL vulnerabilities


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
606509-4 2-Critical   Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover
595605 2-Critical   Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail
591119 2-Critical   OOM with session messaging may result in TMM crash
601076 3-Major   Fix watchdog event for accelerated compression request overflow
597303 3-Major   "tmsh create net trunk" may fail
595693 3-Major   Incorrect PVA indication on B4450 blade
591261 3-Major   BIG-IP VPR-B4450N shows "unknown" SNMP Object ID
590904-1 3-Major   New HA Pair created using serial cable failover only will remain Active/Active
589661 3-Major   PS2 power supply status incorrect after removal
588327 3-Major   Observe "err bcm56xxd' liked log from /var/log/ltm
587735 3-Major   False alarm on LCD indicating bad fan
587668 3-Major   LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.
585332 3-Major   Virtual Edition network settings aren't pinned correctly on startup
584670 3-Major   Output of tmsh show sys crypto master-key
584661 3-Major   Last good master key
584655 3-Major   platform-migrate won't import password protected master-keys from a 10.2.4 UCS file
583177 3-Major   LCD text truncated by heartbeat icon on VIPRION
581945-2 3-Major   Device-group 'datasync-global-dg' becomes out-of-sync every hour
581811 3-Major   The blade alarm LED may not reflect the warning that non F5 optics is used.
579529 3-Major   Stats file descriptors kept open in spawned child processes
578064 3-Major   tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade
578036-1 3-Major   incorrect crontab can cause large number of email alerts
573584 3-Major   CPLD update success logs at the same error level as an update failure
563592 3-Major   Content diagnostics and LCD
559655 3-Major   Post RMA, system does not display correct platform name regardless of license
555039-4 3-Major K24458124 VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration
539360 3-Major   Firmware update that includes might take over 15 minutes. Do not turn off device.
526708 3-Major   system_check shows fan=good on removed PSU of 4000 platform
433357 3-Major   Management NIC speed reported as 'none'
400778 3-Major   Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete
400550 3-Major   LCD listener error during shutdown
587780 4-Minor   warning: HSBe2 XLMAC initial recovery failed after 11 retries.
478986 4-Minor   Powered down DC PSU is treated as not-present
418009 5-Cosmetic   Hardware data display inaccuracies


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
603700 2-Critical   tmm core on multiple SSL::disable calls
598052-1 2-Critical   SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails
591139 2-Critical   TMM QAT segfault after zlib/QAT compression conflation.
585654 2-Critical   Enhanced implementation of AES in Common Criteria mode
579953 2-Critical   Updated the list of Common Criteria ciphersuites
584926-1 3-Major   Accelerated compression segfault when devices are all in error state.
566342 3-Major   Cannot set 10T-FD or 10T-HD on management port


Performance Fixes

ID Number Severity Solution Article(s) Description
599803 1-Blocking   TMM accelerated compression incorrectly destroying in-flight contexts.
588879-2 2-Critical   apmd crash under rare conditions with LDAP


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
581824-2 3-Major   "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
588049-1 2-Critical   Improve detection of browser capabilities
585352-2 2-Critical   bruteForce record selfLink gets corrupted by change to brute force settings in GUI
585054-1 2-Critical   BIG-IP imports delay violations incorrectly, causing wrong policy enforcement
583686-2 3-Major   High ASCII meta-characters can be disallowed on UTF-8 policy via XML import
581991-1 3-Major   Logging filter for remote loggers doesn't work correctly with more than one logging profile
521370-1 3-Major   Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8
518201-4 3-Major   ASM policy creation fails with after upgrading


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
587419-1 3-Major   TMM may restart when SAML SLO is performed after APM session is closed
585442-2 3-Major   Provisioning APM to 'none' creates a core file


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
596809-1 3-Major   It is possible to create ssh rules with blank space for auth-info
593925-1 3-Major   ssh profile should not contain rules that begin and end with spaces (cannot be deleted)
593696-1 3-Major   Sync fails when deleting an ssh profile


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
584921-1 2-Critical   Inbound connections fail to keep port block alive



Cumulative fixes from BIG-IP v12.1.0 Hotfix 2 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
600662-9 CVE-2016-5745 K64743453 NAT64 vulnerability CVE-2016-5745
599168-7 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
598983-7 CVE-2016-5700 K35520031 BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700
580596-1 CVE-2013-0169 CVE-2016-6907 CVE-2019-6593 K14190 K39508724 K10065173 TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
604211-1 2-Critical K72931250 License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.
600859-2 2-Critical   Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.
599033-5 2-Critical   Traffic directed to incorrect instance after network partition is resolved
595394-3 2-Critical   Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.
606110-2 3-Major   BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.
596814-4 3-Major   HA Failover fails in certain valid AWS configurations
596603-2 3-Major   AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
600357-2 3-Major   bd crash when asm policy is removed from virtual during specific configuration change



Cumulative fixes from BIG-IP v12.1.0 Hotfix 1 that are included in this release


Vulnerability Fixes

ID Number CVE Solution Article(s) Description
569467-5 CVE-2016-2084 K11772107 BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.
591806-8 CVE-2016-3714 K03151140 ImageMagick vulnerability CVE-2016-3714
591918-2 CVE-2016-3718 K61974123 ImageMagick vulnerability CVE-2016-3718
591908-2 CVE-2016-3717 K29154575 ImageMagick vulnerability CVE-2016-3717
591894-2 CVE-2016-3715 K10550253 ImageMagick vulnerability CVE-2016-3715
591881-1 CVE-2016-3716 K25102203 ImageMagick vulnerability CVE-2016-3716


Functional Change Fixes

ID Number Severity Solution Article(s) Description
583631-2 1-Blocking   ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.
590993 3-Major   Unable to load configs from /usr/libexec/aws/.
576478 3-Major   Enable support for the Purpose-Built DDoS Hybrid Defender Platform
544477 3-Major   New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.


TMOS Fixes

ID Number Severity Solution Article(s) Description
591039 2-Critical   DHCP lease is saved on the Custom AMI used for auto-scaling VE
590779 2-Critical   Rest API - log profile in json return does not include the partition but needs to
588140 2-Critical   Pool licensing fails in some KVM/OpenStack environments
587791-1 2-Critical   Set execute permission on /var/lib/waagent
565137 2-Critical K12372003 Pool licensing fails in some KVM/OpenStack environments.
554713-2 2-Critical   Deployment failed: Failed submitting iControl REST transaction
592363 3-Major   Remove debug output during first boot of VE
592354 3-Major   Raw sockets are not enabled on Cloud platforms


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
592699-3 2-Critical   IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance
594302-1 3-Major   Connection hangs when processing large compressed responses from server
592854-1 3-Major   Protocol version set incorrectly on serverssl renegotiation
592682-1 3-Major   TCP: connections may stall or be dropped
531979-6 3-Major   SSL version in the record layer of ClientHello is not set to be the lowest supported version.


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
582629-1 2-Critical   User Sessions lookups are not cleared, session stats show marked as invalid


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
590601-2 3-Major   BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed
590428-1 3-Major   The "ACCESS::session create" iRule command does not work
590345-1 3-Major   ACCESS policy running iRule event agent intermittently hangs
585905-1 3-Major   Citrix Storefront integration mode with pass-through authentication fails
581834-5 3-Major   Firefox signed plugin for VPN, Endpoint Check, etc


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
588399-1 3-Major   BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated
582374-1 3-Major   Multiple 'Loading state for virtual server' messages in admd.log
569121-1 3-Major   Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low
547053-1 4-Minor   Bad actor quarantining


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
590795-1 2-Critical   tmm crash when loading default signatures or updating classification signature

 

Cumulative fix details for BIG-IP v12.1.5 that are included in this release

810557-5 : ASM ConfigSync Hardening

Solution Article: K05123525


807477-4 : ConfigSync Hardening

Solution Article: K04280042


799617-5 : ConfigSync Hardening

Solution Article: K05123525


799589-5 : ConfigSync Hardening

Solution Article: K05123525


797885-5 : ConfigSync Hardening

Solution Article: K05123525


796469-1 : ConfigSync Hardening

Solution Article: K05123525


794413-5 : BIND vulnerability CVE-2019-6471

Solution Article: K10092301


788301-2 : SNMPv3 Hardening

Solution Article: K58243048

Component: TMOS

Symptoms:
SNMPv3 agents do not follow current best practices.

Conditions:
SNMPv3 agents enabled.

Impact:
SNMPv3 agents do not follow current best practices.

Fix:
SNMPv3 features now follow current best practices.


777261-1 : When SNMP cannot locate a file it logs messages repeatedly

Component: TMOS

Symptoms:
When the SNMP daemon experiences an error when it attempts to statfs a file then it logs an error message. If the file is not present then this error is repeatedly logged and can fill up the log file.

Conditions:
When an SNMP request causes the daemon to query a file on disk it is possible that a system error occurs. If the file is not present then the error is logged repeatedly.

Impact:
This can fill up the log with errors.

Fix:
The SNMP daemon has been fixed to log this error once.


774301-1 : Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML IdP or SAML SP processes SAML Requests/Responses, the verification of digital signature fails in certain cases:

err apmd[19684]: 01490000:3: modules/Authentication/Saml/SamlSPAgent.cpp func: "verifyAssertionSignature()" line: 5321 Msg: ERROR: verifying the digest of SAML Response

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- SAML sends the "ArtifactResponse" message with both "ArtifactResponse" and "Assertion" signed.

-- This is also applicable to any SAML requests/responses that are signed:
   a) SAML Authentication Request
   b) SAML Assertion
   c) SAML Artifact Response
   e) SAML SLO Request/Response

Impact:
Output does not match the 'Canonicalized element without Signature' calculated by APM. BIG-IP SAML IdP or SAM SP fails to process SAML Requests/Responses resulting in errors. Cannot deploy APM as SAML SP with Assertion Artifact binding.

Workaround:
None.

Fix:
Output now matches the Canonicalized element without Signature' calculated by APM, so deployment occurs without error.


773553-5 : ASM JSON parser false positive.

Component: Application Security Manager

Symptoms:
False positive JSON malformed violation.

Conditions:
-- JSON profile enabled (enabled is the default).
-- Specific JSON traffic is passed.

Impact:
HTTP request is blocked or an alarm is raised.

Workaround:
There is no workaround other than disabling the JSON profile.

Fix:
JSON parser has been fixed as per RFC8259.


771873-2 : TMSH Hardening

Solution Article: K40378764


769809-1 : vCMP guests 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
After upgrading the host or creating new vCMP guests, the prompt in the vCMP guests report as INOPERATIVE.

Conditions:
-- The system truncates the unit key. (Note: This occurs because the unit key is designed to be a certain length, and the internally generated unit key for the guest has a NULL in it.)
-- Upgrading the host.
-- Creating new guests.

Impact:
vCMP guests are sent a truncated unit key and fail to decrypt the master key needed to load the config. vCMP Guests report 'INOPERATIVE' after upgrade.

Workaround:
None.

Fix:
The system now handles a guest unit key that has a NULL in it, so vCMP guests are no longer 'INOPERATIVE' after upgrade


766577-5 : APMD fails to send response to client and it already closed connection.

Component: Access Policy Manager

Symptoms:
APMD fails to send response to client and produces error message:
err apmd[8353]: 01490085:3: /pt-qp-campus/apm-cdp-qp-qa:pt-qp-campus:bb651ae6: Response could not be sent to remote client. Socket error: Connection reset by peer

APMD does most of its action with backend authentication servers (e.g., AD, LDAP, RADIUS). If the backend server response is very slow (because of various reasons such as network issues), it might cause slow apmd client response. Sometimes, the client has already closed the connection to the virtual server, so the client connection is no longer valid.

Conditions:
Backend server is slow, causing longer-than-usual response times.

Impact:
This causes the client to close the connection. APMD fails to respond to the client.

The cumulative slowness of the backend server causes delay in response. Most of the time, the client connection is already closed. As a result, the request queue gets full. When apmd starts processing the request from the queue, the client connection is already closed for some of them, and processing those requests still continues, which is unnecessary and causes more delay.

Fix:
The system now tests the client connection after picking up the request from the request queue and before processing.
-- If the connection is already closed, the system drops the request.
-- If the request is already in progress, the system checks the client connection before saving the session variables and sending the response to client.


762453-4 : Hardware cryptography acceleration may fail

Component: TMOS

Symptoms:
Host reports the following error message:
 Device error: crypto codec qat-cryptoXX-Y queue is stuck.

Conditions:
Platform with access to Intel QAT cryptography hardware
Hardware cryptography acceleration enabled

Impact:
Hardware cryptography acceleration failure, leading to a failover event.

Workaround:
Disable hardware crypto acceleration for impacted device.

Fix:
Platforms with QAT accelerators now function as expected.


761231-5 : Bot Defense Search Engines getting blocked after configuring DNS correctly

Component: Application Security Manager

Symptoms:
Bot Defense performs a reverse DNS for requests with User-Agents of known Search Engines.

A cache is stored for legal / illegal requests to prevent querying the DNS again.

This cache never expires, so in case of an initial misconfiguration, after fixing the DNS configuration, or routing or networking issue, the Search Engines may still be blocked until TMM is restarted.

Conditions:
-- Initial misconfiguration of DNS or routing or networking issue.
-- Cache stores requests to prevent future queries to DNS.
-- Correct the misconfiguration.

Impact:
Cache does not expire and is never updated, so it retains the misconfigured requests. As a result, valid Search Engines are getting blocked by Bot Defense.

Workaround:
Restart TMM by running the following command:
bigstart restart tmm

Fix:
The internal DNS cache within Bot Defense and DoSL7 now expires after five minutes.


760878-1 : Incorrect enforcement of explicit global parameters

Component: Application Security Manager

Symptoms:
A false positive or false negative enforcement of explicit global parameter.

Conditions:
-- A configuration with more than 255 security policies.
-- Policies configured with an explicit parameter that is unique (for example, 'static', a disabled signature, etc.).
-- Attempt to enforce that parameter.

Impact:
Wrong blocking/violations. The parameter is not found, and the wildcard * parameter is enforced instead.

Workaround:
Make the explicit parameters a wildcard parameter.

Fix:
Explicit parameters are enforced correctly on all parameters.


760550-2 : Retransmitted TCP packet has FIN bit set

Component: Local Traffic Manager

Symptoms:
After TCP sends a packet with FIN, retransmitted data earlier in the sequence space might also have the FIN bit set.

Conditions:
-- Nagle is enabled.
-- TCP has already sent a FIN.
-- A packet is retransmitted with less than MSS bytes in the send queue.

Impact:
The retransmitted packet has the FIN bit set even if it does not contain the end of the data stream. This might cause the connection to stall near the end.

Workaround:
Set Nagle to disabled in the TCP profile.

Fix:
The incorrect FIN bit is removed.


759968-1 : Distinct vCMP guests are able to cluster with each other.

Component: Local Traffic Manager

Symptoms:
--Distinct vCMP guests are able to cluster with each other.

--Guests end up having duplicate rebroad_mac on one or more slots. This can be checked using below command:

clsh tmctl -d blade tmm/vcmp -w 200

Look at the "rebroad_mac" field.

Conditions:
--It is not yet clear under what circumstances the issue occurs.

--One of the ways this issue occurs is when guests are moved between blades and they end up having a non-null and duplicate "rebroad_mac" on one or more slots.

Impact:
Only the vCMP guest acting as primary will be operative.

Workaround:
--Disable clusterd from sending packets over tmm_bp by turning off the db variable clusterd.communicateovertmmbp:

modify sys db clusterd.communicateovertmmbp value false.

Note: This command should be issued on the guest acting as primary since config changes are only allowed on cluster primary.


759480-1 : HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash

Component: Local Traffic Manager

Symptoms:
When a request is sent to the virtual server which meets the conditions specified, TMM may crash.

Conditions:
When all of the following conditions are met:

-- Virtual server configured with iRule that contains HTTP::respond or HTTP::redirect in an LB_FAILED event.

-- A command in an LB_FAILED event (does not have to be in the same iRule as the previous point, but must be attached to the same virtual server), that parks the iRule (e.g., table, session, persist, after, HSL).

-- A CLIENT_CLOSED event is present.

-- The pool member fails in some manner, triggering LB_FAILED

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add reject command to LB_FAILED event to force the serverside of the connection closed before response is sent to the client.


758872-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
When a Clustered Multiprocessing (CMP) disabled virtual server enters syncookie mode the flows created on TMM instances other than tmm0 are not removed, resulting in a TMM memory leak.

Note: CMP-disabled virtual servers are not distributed among the available TMM processes, but instead are processed on tmm0.

Conditions:
-- Virtual server is CMP disabled.
-- The same virtual server enters syncookie mode.

Impact:
Elevated memory utilization that may impact performance. In extreme cases, it might lead to out-of-memory crash.

Workaround:
Make sure the virtual server is not CMP disabled, for example, avoid using global variables in iRules.

Fix:
Flows of CMP-disabled virtual servers are now properly removed from all TMM instances.


758764-5 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.

Fix:
The system now checks for empty revoked certificate lists (for NULL) and lets the validation OK (because there is nothing to validate against).


758631-1 : ec_point_formats extension might be included in the server hello even if not specified in the client hello

Component: Local Traffic Manager

Symptoms:
RFC 5246 states that if an extension does not exist in the client hello, it must not exist in the server hello. When an EC cipher suite is selected, the server might send the ec_point_formats extension, even if none exists in the client hello.

Conditions:
-- An EC cipher suite is selected.
-- The client does not send an ec_point_formats extension.

Impact:
Some clients abort the connection in this case.

Workaround:
There is no workaround other than not configuring any EC cipher suites.

Fix:
With this change, the server does not send an unsolicited ec_point_formats extension.


758527-5 : BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode

Component: TMOS

Symptoms:
Under certain conditions BIG-IP may forward VLAN-tagged frames even if the VLAN is not defined on the ingress interface.

Conditions:
Tagged VLANs in use.
STP pass-through mode enabled.

Impact:
Frames not delivered as expected.

Workaround:
Disable global STP.

Fix:
Frames now delivered as expected.


758336-2 : Incorrect recommendation in Online Help of Proactive Bot Defense

Component: Application Security Manager

Symptoms:
The online help of Proactive Bot Defense within the DoS profile shows the following under the 'Cross-Domain Requests' section:

Allow configured domains; validate in bulk: ... We recommend this option if your web site has many cross-domain resources.

Allow configured domains; validate upon request: ... We recommend this option if your web site does not have many cross-domain resources.

The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Conditions:
Application has multiple cross-domain resources.

Impact:
Confusing documentation. The recommendation is actually the reverse: for many cross-domain resources, it is better to use 'validate upon request'.

Workaround:
For many cross-domain resources, it is better to use 'validate upon request'.

Fix:
The online help of Proactive Bot Defense has been corrected under the 'Cross-Domain Requests' section.


758119-3 : qkview may contain sensitive information

Solution Article: K58243048

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K58243048

Conditions:
For more information see: https://support.f5.com/csp/article/K58243048

Impact:
For more information see: https://support.f5.com/csp/article/K58243048

Workaround:
For more information see: https://support.f5.com/csp/article/K58243048

Fix:
For more information see: https://support.f5.com/csp/article/K58243048


758065-3 : TMM may consume excessive resources while processing FIX traffic

Component: Service Provider

Symptoms:
Under certain conditions, the TMM may consume excessive resources when processing traffic for a Virtual Server with FIX profile applied.

Conditions:
Virtual Server with FIX profile.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
TMM now processes FIX traffic as expected.


758018-2 : APD/APMD may consume excessive resources

Component: Access Policy Manager

Symptoms:
APD/APMD may consume excessive resources when processing certain requests

Conditions:
-- APM provisioned and enabled.
-- The service type is either SWG Explicit or Clientless Mode 3.

Impact:
Excessive resource consumption, potentially degrading overall throughput or leading to a failover event.

Workaround:
For Clientless Mode 3, replace with Clientless Mode 1 to work around the issue.

Fix:
APD/APMD now consumes the expected resources when processing requests


757455-4 : Excessive resource consumption when processing REST requests

Component: TMOS

Symptoms:
Under certain conditions, REST requests may consume excessive system resources

Conditions:
-- Advanced Shell on the BIG-IP system.
-- REST usage.

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.

Fix:
BIG-IP now handles REST requests as expected.


757391-1 : Datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop, memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround aside from removing that iRule.

Fix:
tmm no longer crashes under these conditions.


757088 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false

Fix:
Mapping/Unmapping the database is done asynchronously and the delay is reduced so that the CDP failover doesn't happen.


757027-4 : BIND Update

Solution Article: K01713115


757026-4 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-4 : BIND Update

Solution Article: K00040234


757023-5 : BIND vulnerability CVE-2018-5743

Solution Article: K74009656


756774-3 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.


756538-2 : Failure to open data channel for active FTP connections mirrored across an HA pair.

Component: Local Traffic Manager

Symptoms:
Occasionally, attempting to actively open a data channel from an FTP session that is mirrored across a BIG-IP high availability pair will fail. This is due to aggressive port reuse on the active BIG-IP system, causing ports that are still in a TIME_WAIT state to be used for the data connection.

Conditions:
-- Have a BIG-IP HA pair configured.
-- Create an FTP virtual server with mirroring enabled.
-- Have the pool member(s) of the virtual server be either 3CDaemon or IIS servers (this issue has been confirmed only for 3CDaemon and IIS, but it could affect other servers as well).
-- Client attempts to download data through the virtual server via active FTP.

Impact:
Data connections fail to open; data transfer is unsuccessful.

Workaround:
Use passive FTP, or do not use mirroring for FTP virtual servers.

Fix:
Mirrored, active FTP connections no longer fail to open data channels, and now successfully transmit data.


756450-3 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: Local Traffic Manager

Symptoms:
TMM asserts with 'Attempting to free loopback interface'message.

Conditions:
- Using blackhole routes.
- Have a route entry that is more specific than the existing blackhole route.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes.

Fix:
TMM no longer cores when using blackhole routes that are less specific than non-blackhole routes.


756270-1 : SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.

Workaround:
None.

Fix:
This has been fixed to check for the issuer among all certificates that have the same subject name as the CRL issuer.


756153-1 : Add diskmonitor support for MySQL /var/lib/mysql

Component: TMOS

Symptoms:
If the disk partition /var/lib/mysql is filled to 100%, diskmonitor does not notify that the partition is nearly exhausted.

Conditions:
The disk partition /var/lib/mysql is filled to 100%.

Impact:
diskmonitor does not notify that disk partition /var/lib/mysql is nearly exhausted.

Workaround:
None.


756094-1 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


755507-1 : [App Tunnel] 'URI sanitization' error

Component: Access Policy Manager

Symptoms:
URI sanitization error with app tunnel (application tunnel). The system posts messages similar to the following:
-- APM log: warning tmm[19703]: 01490586:4: /Common/AP-AD:Common:ff776e4a: Invalid Resource Access For RESOURCENAME. RST due to URI sanitization
-- LTM log: err tmm[19703]: 01230140:3: RST sent from 10.0.0.1:80 to 10.0.0.1:228, [0x2263e2c:7382] Unrecognized resource access (RESOURCENAME)

Conditions:
Access Policy that includes a 'Logon Page' and 'Advanced Resource Assign' (full webtop and app tunnel).

Impact:
APM does not send a response after receiving a request to 'GET /vdesk/resource_app_tunnels_info.xml'.

Workaround:
None.


754944-4 : AVR reporting UI does not follow best practices

Solution Article: K00432398


754365-2 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754345-4 : WebUI does not follow best security practices

Solution Article: K79902360


754257 : URL lookup queries not working

Component: Traffic Classification Engine

Symptoms:
Occasionally, there is no response to a url-categorization query.

Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.

Impact:
URL does not get classified. Cannot take any actions against those URLs.

Workaround:
None.

Fix:
URL lookup queries now work as expected.


754103-3 : iRulesLX NodeJS daemon does not follow best security practices

Component: Local Traffic Manager

Symptoms:
The iRulesLX NodeJS daemon, if explicitly launched with the --debug command-line option, does not follow best security practices.

Conditions:
Launch an iRulesLX plugin:extension with debug command line option (--debug).

Impact:
NodeJS daemon does not follow best security practices.

Workaround:
None.

Fix:
NodeJS daemon now follows best security practices.


753912-1 : UDP flows may not be swept

Solution Article: K44385170

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.

Fix:
The system now correctly manages all expired flows.


753796-3 : SNMP does not follow best security practices

Solution Article: K40443301


753776-3 : TMM may consume excessive resources when processing UDP traffic

Solution Article: K07127032


752930 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752835-1 : Mitigate mcpd out of memory error with auto-sync enabled.

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


751586-1 : http2 virtual does not honour translate-address disabled

Component: Local Traffic Manager

Symptoms:
translate-address disabled on a http2 virtual is getting ignored

Conditions:
http2 virtual and translate-address disabled configured

Impact:
The traffic is translated to the destination address to the pool member

Workaround:
none

Fix:
translate-address disabled is working correctly now.


750586-3 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.

Fix:
HSL handles unusually long pending TCP handshakes gracefully and does not cause outage.


750488 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Responses to queries with EDNS0 record to DNS Cache do not contain the RFC-required EDNS0 record.

Impact:
Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Cache.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750484 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.

Impact:
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC.

Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following:

example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa

These types of responses are expected when running the validation tool against DNS Cache.


750472 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express drops a DNS query that contains an EDNS OPT Record that it does not understand.

Conditions:
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.

Impact:
DNS Express drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
When a query with an invalid EDNS OPT version is received by DNS Express, send a response with the BADVERS error code as stipulated by the RFC.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


750460-4 : Subscriber management configuration GUI

Solution Article: K61002104


750457 : Certain BIG-IP DNS configurations improperly respond to DNS queries that contain EDNS OPT Records

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express does not always include an EDNS OPT Record in responses to queries that contain an EDNS OPT Record.

Conditions:
Queries to DNS Express containing an ENDS0 record it does not understand.

Impact:
DNS Express responses might not contain the RFC-required ENDS0 record. Some compliance tools and upstream DNS servers may consider the BIG-IP non-compliant, and report it as such.

This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.

Workaround:
None.

Fix:
Corrected EDNS OPT record handling in DNS Express.

Note: The EDNS Compliance Tester should produce output similar to the following when run against DNS Express:

example1.com. @10.10.10.125 (ns.example1.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok optlist=ok signed=ok ednstcp=ok


750213-1 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.


750187-4 : ASM REST may consume excessive resources

Solution Article: K29149494


749879 : Possible interruption while processing VPN traffic

Solution Article: K47527163


749774-2 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749675-2 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.


749508-4 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.

Fix:
The system contains improvements for handling OOM conditions properly.


749414-1 : Invalid monitor rule instance identifier error

Component: Local Traffic Manager

Symptoms:
Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is in a pool.
-- Run the following command: tmsh load /sys config
-- Loading UCS/SCF file can trigger the issue also.
-- Nodes share the same monitor instance.
-- default-node-monitor is not configured.

Impact:
-- The system might delete monitor rule instances for unrelated nodes/pool-members.

-- Pool members are incorrectly marked down.

Workaround:
You can use either of the following:

-- Failover or failback traffic to the affected device.

-- Run the following command: tmsh load sys config.


749294-1 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.


749153 : Cannot create LTM policy from GUI using iControl

Component: TMOS

Symptoms:
LTM policy cannot be created from GUI using iControl REST.

Conditions:
Using iControl to create an LTM policy.

Impact:
LTM policy cannot be created from the GUI

Workaround:
Create LTM policy using TMSH.

Fix:
Can now create LTM policy from GUI using iControl.


748902-8 : Incorrect handling of memory allocations while processing DNSSEC queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
-- Heavy DNS traffic using DNS security signatures.
-- Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release corrects the handling of memory allocations while processing DNSSEC queries.


748502-4 : TMM may crash when processing iSession traffic

Solution Article: K72335002


748205-2 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.


748187-1 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.

Fix:
Erroneous 'Transaction Not Found' messages no longer occur under these conditions.


748177-4 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request gets wrong answer.

Workaround:
There is no workaround at this time.

Fix:
Multiple wildcards are now matched to the most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character.


747968-4 : DNS64 stats not increasing when requests go through DNS cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands if responses are coming from DNS cache resolver.

Conditions:
-- DNS responses are coming from DNS cache resolver.
-- Viewing statistics using the 'tmsh show ltm profile dns' or 'tmctl profile_dns_stat' commands.

Impact:
DNS64 stats are not correct.

Workaround:
There is no workaround at this time.


747725-1 : Kerberos Auth agent may override settings that manually made to krb5.conf

Component: Access Policy Manager

Symptoms:
when apmd starts up, it can override settings in krb5.conf file with those required for Kerberos Auth agent

Conditions:
- Kerberos Auth is configured in an Access Policy,
- administrator made changes to krb5.conf manually
to the section [realms] of the configured realm

Impact:
Kerberos Auth agent behavior is not what administrator expects with the changes.
it may also affect websso(kerberos) to behave properly

Workaround:
None

Fix:
after fix, the configuration file changes are merged.
Kerberos Auth agent adds the lines it requires and does not override existing settings


747592-4 : PHP vulnerability CVE-2018-17082

Component: TMOS

Symptoms:
The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Conditions:
This exploit doesn't need any authentication and can be exploited via POST request. Because of 'Transfer-Encoding: Chunked' header php is echoing the body as response.

Impact:
F5 products not affected by this vulnerability. Actual impact of this vulnerability is possible XSS attack.

Workaround:
No known workaround.

Fix:
The brigade seems to end up in a messed up state if something fails in shutdown, so we clean it up.


747585-1 : TCP Analytics supports ANY protocol number

Component: Local Traffic Manager

Symptoms:
No TCP analytics data is collected for an ANY virtual server.

Conditions:
1. Provision AVR
2. Create a FastL4 server that accepts all protocols.
3. Attach a TCP Analytics profile
4. Try to run UDP traffic through it.

Impact:
No TCP analytics data is collected for TCP flows when a virtual server's protocol number is ANY.

Workaround:
There is no workaround this time.

Fix:
TCP analytics now supports both ANY and TCP protocol numbers and would collect analytics for TCP flows if protocol number is ANY or TCP.


747192-3 : Small memory leak while creating Access Policy items

Component: Access Policy Manager

Symptoms:
Memory slowly leaks for every access policy item added: 32 + 80 bytes for each item.

Conditions:
The leak occurs while creating new policy items in Access.

Impact:
After a long uptime interval, mcpd may crash due to lack of memory.

Workaround:
Restart mcpd periodically if you modify Access policies frequently by adding or deleting policy items.

Fix:
Leak was fixed by clearing the leaked objects.


747131-1 : ARP table may not be updated properly by some TMMs

Component: Local Traffic Manager

Symptoms:
When receiving ARP request coming from the client, some TMMs may not update the ARP table properly, leading to connectivity failures.

Conditions:
- BIG-IP with autolasthop disabled.
- Client blocking ARP responses.
- BIG-IP relies only on ARP requests coming from the client for sending the traffic back.

Impact:
This will have no impact in most of configurations, since BIG-IP will perform it's own resolution for client's MAC addresses.

In a case where client is not responding to ARP probes sent by Big-IP, the problem may lead to connectivity failures for particular clients.

Workaround:
Configure static ARP entries OR enable autolasthop.


747104-4 : LibSSH Vulnerability: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


746922-3 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry might be better than the current, previously selected, routing entry. But the previously selected entry doesn't get invalidated, thus the routing entity that is holding this entry is forwarding traffic to a less-preferable egress point.

#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searches for the best egress point and finds nothing in the routing table for route domain 1, and then later finds a routing entry, but from the parent route domain - 0.0.0.0/0%0.

Later a new gw for RD1 was added - 0.0.0.0/0%1, it's preferable for the 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in this case, with - 0.0.0.0/0%1.

Conditions:
1. There is more than one route domain in the parent-child relationship.
2. There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object (for instance, pool member) which is from child route domain.
3. The routing entry from a parent route domain is selected as an egress point for the object from the child route domain.
4. New routing entry for child route domain is added.

Impact:
If a new added route is preferable to an existing one in a different route domain, the new, preferable, route is not going to be used by a routing object that has previously selected a route. Thus, traffic flows through these routing objects to an unexpected/incorrect egress point. This might result in undesirable behavior:
-- The route might be unreachable, and all traffic for a specific pool member is dropped.
-- The virtual server cannot find an available SNAT address.
-- Simply, the wrong egress interface is being used.

Workaround:
Use either of these workaround after a new route in child domain is added.

-- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted daemon if routes are gathered via routing protocols.

-- Recreate a routing object.
  - If a pool member is affected, recreate the pool member.
  - If a SNAT pool list is affected, recreate it.
  - And so on.

Fix:
Routing objects are now forced to reselect a routing entry after a new route is added to the child route domain's routing table.


746877-4 : Omitted check for success of memory allocation for DNSSEC resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSSEC traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.

Fix:
The system now checks for success of memory allocation for DNSSEC resource record, so this issue no longer occurs.


746868 : memory leakage when "apply to base domain" is enabled

Component: Fraud Protection Services

Symptoms:
Memory leakage when "apply to base domain" is enabled. this can result in a crash or aggressive sweeper mode.

Conditions:
"apply to base domain" is enabled in the anti-fraud profile

Impact:
Aggressive connections sweeper mode, and traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


746768-2 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.

Fix:
Memory growth has been addressed.


746266-4 : Vcmp guest vlan mac mismatch across blades.

Component: TMOS

Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.


745713-2 : TMM may crash when processing HTTP/2 traffic

Solution Article: K94563344


745654-1 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.


745574-4 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.

Fix:
Made sure that the deletion takes effect properly and SSL traffic is no longer miscategorized after removal of the URL from the custom category.


745405 : Under heavy SSL traffic, sw crypto codec queue is stuck and taken out of service without failover

Component: TMOS

Symptoms:
Under heavy SSL traffic, it is observed that sw crypto codec queue is stuck and taken out of service, but no failover happened

Conditions:
Heavy SSL traffic

Impact:
Traffic is impacted and a large number of SSL handshakes to the BIG-IP are failing.

Workaround:
Increase crypto.queue.timeout to a much larger number(from 100 to 500 for example). Restart tmms for the change to take effect.


745387-4 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users restricted to tmsh access now. If a resource-admin user had bash access in a prior version and upgrades to this version, that user will get converted to tmsh access automatically after the upgrade process.

Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.


745371-3 : AFM GUI does not follow best security practices

Solution Article: K68151373


745358-4 : ASM GUI does not follow best practices

Solution Article: K14812883


745257-4 : Linux kernel vulnerability: CVE-2018-14634

Solution Article: K20934447


745165-4 : Users without Advanced Shell Access are not allowed SFTP access

Solution Article: K38941195


744959-2 : SNMP OID for sysLsnPoolStatTotal not incremented in stats

Component: Carrier-Grade NAT

Symptoms:
SNMP OID for sysLsnPoolStatTotal is not incremented in stats totals.

Conditions:
This affects all of the global port block allocation (PBA) counters.

Impact:
SNMP OID for sysLsnPoolStatTotal is not incremented when it should be. Stats are not accurate.

Workaround:
None.

Fix:
SNMP OID for sysLsnPoolStatTotal is now incremented in stats totals.


744937-4 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Solution Article: K00724442

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP does not know what resource records some external zone holds at the time the BIG-IP is responding to some dnssec query that asked for some record type at some owner name.
If the resource record type does not exist, then as part of the response, the BIG-IP generates an NSEC3 record (to authenticate denial of existence along with RRSIG) containing a types bitmap that is supposed to have the available RRs at the owner name.
With some new feature supported in BIND 9.12 (RFC 8198) called Aggressive use of Negative Cache, that negative response with the inaccurate types bitmap is cached which can then be re-used to show that some resource records do not exist but are in fact available at the owner name.

Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.

Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.

Workaround:
N/A


744707-1 : Crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event might cause a tmm crash and core dump.

Conditions:
-- System has low memory or is out of memory.
-- DNSSKEY rollover event occurs.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
Fixed an issue in DNSSEC Key Rollover event that could cause a crash.


744536 : HTTP/2 may garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes.

Impact:
Application functionality may be disrupted because large header values, such as for cookies, may be truncated when passed to the endpoint.

Workaround:
None.

Fix:
The HTTP/2 filter now correctly encodes large HTTP headers.


744516-2 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion 'nexthop ref valid' failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
An LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.

Fix:
TMM no longer panics regardless of the number of remote picks.


744347-1 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744331-1 : OpenSSH hardening

Component: TMOS

Symptoms:
The default OpenSSH configuration does not follow best practices for security hardening.

Conditions:
Administrative SSH access enabled.

Impact:
OpenSSH does not follow best practices.

Fix:
The default OpenSSH configuration includes best practices for security hardening.


744269-3 : dynconfd restarts if FQDN template node deleted while IP address change in progress

Component: Local Traffic Manager

Symptoms:
The dynconfd daemon may crash and restart if an FQDN template node is deleted (by user action or config sync) while ephemeral nodes are in the process of being created, and deleted as the result of new IP addresses being returned by a recent DNS query.

Conditions:
This may occur on BIG-IP version 14.0.0.3 (and BIG-IP versions 13.1.x or v12.1.x with engineering hotfixes for ID 720799, ID 721621 and ID 726319), under the following conditions:
1. A DNS query returns a different set of IP addresses for one or more FQDN names.
2. While new ephemeral node(s) are being created (for new IP addresses and deleted (for old IP addresses), an FQDN template node is deleted (either by user action or config sync).

Impact:
The dynconfd daemon crashes and restarts.
Ephemeral nodes may not be updated in a timely manner while the dynconfd daemon is restarting.

Fix:
The dynconfd daemon does not crash and restart if an FQDN template node is deleted while ephemeral nodes are in the process of being created and deleted as the result of new IP addresses being returned by a recent DNS query.


744117-6 : The HTTP URI is not always parsed correctly

Solution Article: K18263026

Component: Local Traffic Manager

Symptoms:
The HTTP URI exposed by the HTTP::uri iRule command, Traffic Policies, or used by ASM is incorrect.

Conditions:
-- HTTP profile is configured.
-- The URI is inspected.

Impact:
If the URI is used for security checks, then those checks might be bypassed.

Workaround:
None.

Fix:
The HTTP URI is parsed in a more robust manner.


744035-3 : APM Client Vulnerability: CVE-2018-15332

Solution Article: K12130880


743803-5 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


743790-4 : BIG-IP system should trigger a HA failover event when expected HSB device is missing from PCI bus

Component: TMOS

Symptoms:
In some rare circumstances, the HSB device might drop off the PCI bus, resulting in the BIG-IP system not being able to pass traffic. However, no high availability (HA) failover condition is triggered, so the BIG-IP system stays active.

Conditions:
HSB drops off the PCI bus. This is caused in response to certain traffic patterns (FPGA issue) that are yet to be determined.

Impact:
No failover to standby unit after this error condition, causing site outage.

Workaround:
None.

Fix:
Now the active BIG-IP system fails over to the standby when HSB on the active unit drops off the PCI bus.


742237-1 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Perform the following procedure:

1. Run the following command to record the 5-second average rather than the 1-second average:

sed -i.bak 's/TMCOLNAME "ratio"/TMCOLNAME "five_sec_avg.ratio"/;s/TMCOLNAME "cpu_ratio_curr"/TMCOLNAME "cpu_ratio_5sec"/g' /config/statsd.conf

2. Restart statsd to load the new configuration:

bigstart restart statsd

Fix:
CPU samples for graphs are averaged over longer time to more closely represent actual time between samples.


742226-3 : TMSH platform_check utility does not follow best security practices

Solution Article: K11330536


742078-1 : Incoming SYNs are dropped and the connection does not time out.

Component: Local Traffic Manager

Symptoms:
There is a hard-coded limit on the number of SYNs forwarded on a FastL4 connection. This might cause a problem when a connection is reused, for example, if a connection is not correctly closed.

Conditions:
-- SYN forwarding on FastL4 connections.
-- The number of SYNs on a single connection reaches the hard-coded limit.

Impact:
If the number of SYNs on a single connection reaches this limit, subsequent incoming SYNs are dropped and the connection might not time out.

Workaround:
There is no workaround.

Fix:
The following command enables the forwarding of an an unlimited number of SYNs:
tmsh modify sys db tm.dupsynenforce value disable


741919-1 : HTTP response may be dropped following a 100 continue message.

Component: Local Traffic Manager

Symptoms:
When a 100 response a quickly followed by another HTTP response (2xx/4xx), the second response might be dropped.

Conditions:
When a 100 response is quickly followed by another HTTP response (i.e., a 2xx/4xx response arrives within a few microseconds).

Impact:
The second response might be dropped, so the end user client might not receive all the HTTP responses coming from the server.

Note: This does not happen all the time, and depends on how the underlying data packets are formed and delivered to the HTTP filter.

Workaround:
You can use either of the following workarounds:
-- Use an iRule to disable the HTTP filter in the HTTP_REQUEST event.

-- Disable LRO by running the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable


741423-1 : Secondary blade goes offline when provisioning ASM/FPS on already established config-sync

Component: TMOS

Symptoms:
When provisioning ASM for the first time on a device that is already linked in a high availability (HA) config-sync configuration, any other cluster device that is on the trust domain experiences mcpd restarting on all secondary blades due to a configuration error.

The system logs messages similar to the following in /var/log/ltm:
-- notice mcpd[12369]: 010718ed:5: DATASYNC: Done initializing datasync configuration for provisioned modules [ none ].
-- err mcpd[9791]: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.
-- err mcpd[9791]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested device group device (/Common/datasync-device-test1.lab.com-dg /Common/test1.lab.com) was not found.... failed validation with error 16908342.
-- notice mcpd[12369]: 0107092a:5: Secondary slot 2 disconnected.

Conditions:
-- Cluster devices are joined in the trust for HA or config-sync.
-- Provisioning ASM or FPS on clusters which are already joined in a trust.
-- ASM and FPS have not been provisioned on any of the devices: this is the first ASM/FPS provisioning in the trust.

Impact:
Traffic on all secondary blades is interrupted while mcpd restarts. Then, traffic is resumed.

Workaround:
Before provisioning ASM/FPS (but after setting up a trust configuration):

1. On the device on which ASM/FPS is about to be provisioned, create the datasync-global-dg device group and add all of the available devices.

For example, if there are two devices in the Trust Domain: test1.lab.com and test2.lab.com, and you plan to provision ASM/FPS for the first time on test1.lab.com, first run the following command from test1.lab.com:

tmsh create cm device-group datasync-global-dg devices add { test1.lab.com test2.lab.com }

2. Do not sync the device group.
3. Then on test1.lab.com, you can provision ASM/FPS.

Fix:
Secondary blades no longer go offline when provisioning ASM/FPS on already established HA or config-sync configurations.


741108 : tmm dosl7 memory leak when X-Forwared-For header value contains a long list of comma separated ip addresses

Component: Application Security Manager

Symptoms:
tmm memory leak can lead to tmm out-of-memory state.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has device ID enabled.
-- HTTP profile accept_xff enabled.

Impact:
Unexpected tmm out-of-memory state can be reached, causing sweeper activity and disrupting traffic.

Workaround:
Disable accept_xff in HTTP profile that is assigned to a virtual server along with ASM policy.

Fix:
The leak is now fixed.


740963-3 : VIP-targeting-VIP traffic can cause TCP retransmit bursts resulting in tmm restart

Component: Local Traffic Manager

Symptoms:
VIP-on-VIP traffic might cause TCP retransmit bursts, which in certain situations can cause tmm to restart.

Conditions:
- Virtual server handling TCP traffic.
- iRule using the 'virtual' command.

Impact:
Temporary memory consumption and potential for tmm to restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP retransmit bursts are now handled gracefully.


740959-1 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition;

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.

Fix:
A user with manager rights for a non-Common partition that has no manager rights to the /Common partition, is now able to successfully delete an FQDN template node created on that non-Common partition.


740777-2 : Secondary blades mcp daemon restart when subroutine properties are configured

Component: Access Policy Manager

Symptoms:
Secondary blades' MCP daemons restart with the following error messages:
-- err mcpd[26818]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested Subroutine Properties (/Common/confirm_10 /Common/confirm_10) was not found.... failed validation with error 16908342.

Conditions:
When a subroutine is configured in the access policy.

Impact:
The secondary blade MCP daemon restarts. Cannot use subroutine in the access policy.

Workaround:
There is no workaround other than to not use subroutine in the access policy.

Fix:
You can now use subroutines in the access policy.


740490-2 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.

Fix:
The TMM no longer leaks memory when virtual servers that contain a HTTP2 or SPDY profile are reconfigured.


739971-3 : Linux kernel vulnerability: CVE-2018-5391

Component: TMOS

Symptoms:
IP fragments with random offsets allow a remote denial of service (FragmentSmack)

Conditions:
A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.

Impact:
remote denial of service (FragmentSmack)


739970-3 : Linux kernel vulnerability: CVE-2018-5390

Solution Article: K95343321


739963-1 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739947-3 : TMM may crash while processing APM traffic

Solution Article: K42465020


739945-1 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739927-1 : Bigd crashes after a specific combination of logging operations

Component: Local Traffic Manager

Symptoms:
Bigd crashes. Bigd core will be generated.

Conditions:
1. Boot the system and set up any monitor.
2. Enable and disable bigd.debug:
-- tmsh modify sys db bigd.debug value enable
-- tmsh modify sys db bigd.debug value disable
3. Enable monitor logging.

Impact:
Bigd crashes.

Workaround:
None.

Fix:
Bigd no longer crashes under these conditions.


739846-4 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.

Fix:
The big3d process no longer gets a segmentation fault when reaching the limits of the memory footprint while trying to establish iQuery connections.


739798 : Massive number of log messages being generated and written to the bd.log.

Component: Application Security Manager

Symptoms:
Log messages regarding parameters might fill the bd.log file. The system logs messages appear similar to the following:

deleting job-> converterd key
deleting p_node

Conditions:
No special conditions are required to cause this to occur.

Impact:
Lots of I/O processing. Potentially large bd.log file.

Workaround:
None.

Fix:
Fixed a scenario that resulted in a massive number of log messages being generated and written to the bd.log.


739744-2 : Import of Policy using Pool with members is failing

Component: Access Policy Manager

Symptoms:
Import of Policy using Pool with members is failing with an error Pool member node (/Common/u.x.y.z%0) and existing node (/Common/u.x.y.z) cannot use the same IP Address (u.x.y.z)

Conditions:
Policy has pool attached to it with resource assign or chained objects

Impact:
Policy is not being imported on the same box

Workaround:
There is no workaround at this time.

Fix:
ng-import is now importing policy correctly.


739638-1 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.

Fix:
BGP peering can be properly established through a pool route.


739144-1 : Domain logoff scripts runs after VPN connection is closed

Component: Access Policy Manager

Symptoms:
APM Network Access option: 'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.

Conditions:
Following options configured for Microsoft Windows clients:
* Synchronize with Active Directory policies on connection establishment.
and
* Execute logoff scripts on connection termination.

-- Windows client is part of a domain.
-- Domain logoff script is not available without VPN connection.

Impact:
'Execute logoff scripts on connection termination' does not work when script runs after VPN connection is closed.

Workaround:
None.

Fix:
Changes in APM client allow it to wait until domain logoff script execution completes before closing VPN connection, so this issue no longer occurs.


739094-4 : APM Client Vulnerability: CVE-2018-5546

Solution Article: K54431371


738945-1 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738887-2 : The snmpd daemon may leak memory when processing requests.

Component: TMOS

Symptoms:
Under certain conditions, the snmpd daemon may leak memory when processing requests.

Conditions:
This issue is known to occur on a multi-blade vCMP guest after specific maintenance operations have been carried out by an Administrator on the guest.

Impact:
Once enough memory has leaked, the system may become unstable and fail unpredictably.

Workaround:
If the snmpd daemon is consuming excessive memory, restart it with the following command:

bigstart restart snmpd

Fix:
The snmpd daemon no longer leaks memory when a multi-blade vCMP guest reaches a certain condition.


738789-3 : ASM/XML family parser does not support us-ascii encoding when it appears in the document prolog

Component: Application Security Manager

Symptoms:
ASM blocks requests when a request payload is an xml document with a prolog line at the begging with encoding="us-ascii".

Conditions:
- ASM provisioned.
- ASM policy attached to a virtual server.
- ASM handles XML traffic with encoding="us-ascii" (use of the value encoding="us-ascii" is very uncommon, the typical value is encoding="utf-8").

Impact:
Blocked XML requests.

Workaround:
You can use either of the following workarounds:

-- Remove XML profile from a URL in the ASM policy.

-- Disable XML malformed document detection via ASM policy blocking settings.

Fix:
XML parser now supports encoding="us-ascii".


738669-3 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles ingress/egress buffers separately, so this issue no longer occurs.


738647-1 : Add the login detection criteria of 'status code is not X'

Component: Application Security Manager

Symptoms:
There is a criterion needed to detect successful login.

Conditions:
Attempting to detect successful login when the response code is not X (where 'x' = some code).

Impact:
Cannot configure login criteria.

Workaround:
None.

Fix:
This release adds a new criterion to the login criteria.


738523-3 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.

Fix:
The system now handles multi-line '250' responses to the initial 'HELO' message.


738521-2 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There are two workarounds:

-- Configure the trunk as 'untagged' in one of the VLANs in which it's configured.
-- Disable LACP.

Fix:
The system no longer transmits a VLAN tag for LACP PDUs, so this issue no longer occurs.


738445-1 : IKEv1 handles INVALID-SPI incorrectly in parsing SPI and in phase 2 lookup

Component: TMOS

Symptoms:
INVALID_SPI notification does not delete the IPsec-SA with the SPI value that appears in the notify payload. This occurs because the handler of INVALID-SPI notifications performs the following incorrect actions:

-- Fetches SPI from payload as if it's a string, rather than the network byte order integer it actually is.

-- Attempts phase 2 lookup via selector ID (reqid) rather than SPI.

Either alone prevents finding the SA to delete.

Conditions:
An IKEv1 IPsec peer sends an INVALID-SPI notification to the BIG-IP system.

Impact:
The IPsec-SA with that SPI cannot be found and is not deleted.

Workaround:
From the BIG-IP command line, you can still manually delete any IPsec-SA, including the invalid SPI, using the following command:
# tmsh delete net ipsec ipsec-sa spi <spi number>

Fix:
SPI is now extracted correctly from the payload as a binary integer, and the phase 2 SA lookup is done with a proper SPI search, which also requires a match in the peer address.


738397-2 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
  + The IdP has a Per-Request policy (in addition to a V1 policy).
  + That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.

Fix:
The system now checks for additional query parameters in the request_uri while extracting Resource name so it is not incorrectly set to 'ResourceName&state=<per-flow-id>' which causes the access failure.


738119-3 : SIP routing UI does not follow best practices

Solution Article: K23566124


738046-3 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.

Fix:
SERVER_CONNECTED now fires when expected on the standby device.


737998 : Brute Force end attack condition isn't satisfied for successful logins only

Component: Application Security Manager

Symptoms:
When brute force attack is detected and prevented by asm, asm continue to prevent login attempts even the attacking traffic has stopped 5 minutes ago.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- ASM Brute Force protection enabled in the asm policy
- There is an ongoing brute force attack on the backend server.

Impact:
ASM doesn't report that brute force attack is finished and logins mitigation continues to occur.

Workaround:
While ongoing endless brute force attack, change an arbitrary field in brute force configuration and apply policy. Brute force attack end event will be triggered and the system will stop brute force prevention, if the attacking traffic still being sent, new brute force attack event will be raised and the mitigation will reoccur.

Fix:
Fix brute force end condition check for a case when only successful logins are sent.


737910-1 : Security hardening on the following platforms

Solution Article: K18535734


737758-1 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.

Fix:
If MPTCP passthrough is enabled, the system now processes incoming MPTCP connections coming from the loop device as if MPTCP is disabled.


737597 : AVR DoS Attack report misses virtual server name in a specific config

Component: Application Visibility and Reporting

Symptoms:
DoS AVR Report GUI page is under:
Navigate to Security :: Reporting : DoS : Network

The report shows the attack, but categorizes the attack under 'Aggregated' in the Virtual Server name value, rather than the actual name of the Virtual Server on which the attack is happening.

Conditions:
-- A Virtual Server is configured with a IP/Subnet range.

For example,
-- Virtual Server with Destination Address: 10.10.10.0/27 (meaning the destination range is 10.10.10.32 - 10.10.10.63).
-- Destination Address of the Client Traffic and Attack: 10.10.10.63

View AVR Reporting, which does not resolve the to any specific Virtual Server, but instead categorizes the attack as 'Aggregate'.

Impact:
AVR report missing the Virtual Server information.

Workaround:
None.


737574-3 : iControl REST input sanitization

Solution Article: K20541896


737565-3 : iControl REST input sanitization

Solution Article: K20445457


737442-1 : Error in APM Hosted Content when set to public access

Solution Article: K32840424


737441-1 : Disallow hard links to svpn log files

Solution Article: K54431371


737437-1 : IKEv1: The 4-byte 'Non-ESP Marker' may be missing in some IKE messages

Component: TMOS

Symptoms:
The BIG-IP system might fail to re-establish an IKEv1 phase 1 security association (ISAKMP-SA) when the Initiator starts the exchange using UDP port 4500. The exchange progresses to the point of NAT detection, whereupon the BIG-IP system stops using the Non-ESP marker and sends malformatted ISAKMP.

Conditions:
All of the following must be true:
-- The BIG-IP system is an IKEv1 Responder.
-- ISAKMP phase 1 negotiation starts on UDP port 4500.
-- NAT is detected on only one side during the phase 1 exchange.

Impact:
-- Establishment of an ISAKMP-SA will fail until the peer device switches to UDP port 500.
-- The remote peer may send INVALID-SPI messages quoting SPI numbers that do not exist.

Workaround:
To help workaround this issue, you can try the following:
-- Make sure the BIG-IP system is always the Initiator.
-- Bypass NAT.
-- Configure both the BIG-IP system and remote peer to use address IDs that are not the same as the IP addresses used in the ISAKMP exchange, thus causing the BIG-IP system to think there is NAT on both sides.

Fix:
The BIG-IP system now keeps the Non-ESP marker when NAT is detected.


737389 : kern.log contains many messages: warning kernel: Tracklist initialized; Tracklist destroyed

Component: TMOS

Symptoms:
There may be a large number of messages in /var/log/kern.log similar to the following:

Tracklist initialized
Tracklist destroyed

Conditions:
This can happen when vCMP is provisioned, which enables SR-IOV mode.

Impact:
It causes messages to show up in /var/log/kern.log, but does not affect traffic. This is a cosmetic issue and does not indicate a functionality issue.

Workaround:
None.

Fix:
Tracklist is now disabled, so this issue no longer occurs.


737332-2 : It is possible for DNSX to serve partial zone information for a short period of time

Component: Global Traffic Manager (DNS)

Symptoms:
During zone transfers into DNS Express, partial zone data may be available until the transfer completes.

Conditions:
-- Two zones being transferred during the same time period
  + zone1.example.net
  + zone2.example.net

-- Transfer of zone1 has started, but not finished.

-- zone2 starts a transfer and finishes before zone1 finishes, meaning that the database might be updated with all of the zone2 data, and only part of the zone1 data.

Impact:
Partial zone data will be served, including possible NXDOMAIN or NODATA messages. This happens until zone1 finishes and saves to the database, at which time both zones' data will be complete and correct.

Workaround:
The workaround is to limit the number of concurrent transfers to 1. However this severely limits the ability of DNS Express to update zones in a timely fashion if there are many zones and many updates.

Fix:
All zone transfers are now staged until they are complete. The zone transfer data is then saved to the database. Only when the zone data has completed updating to the database will the data be available to queries.


735832-2 : RAM Cache traffic fails on B2150

Component: Performance

Symptoms:
Rendering pages from RAM Cache fails. System does not pass RAM Cache traffic on B2150 platform.

Conditions:
-- VIPRION B2150 blade.
-- Attempting to pass traffic from RAM Cache.

Impact:
B2150 does not pass any RAM Cache traffic.

Workaround:
None.

Fix:
RAM Cache traffic now succeeds on B2150.


735565-3 : BGP neighbor peer-group config element not persisting

Component: TMOS

Symptoms:
neighbor peer-group configuration element not persisting after restart

Conditions:
- dynamic routing enabled
- BGP neighbor configured with peer-group
- BIG-IP or tmrouted daemon restart

Impact:
BGP peer-group configuration elements don't persist

Workaround:
Reconfigure BGP neighbor peer-group after restart

Fix:
BGP neighbor peer-group configuration is properly save to configuration, and persists after restart


734622 : Policy change with newly enforced signatures causes sig collection failure in other policies

Solution Article: K83093212

Component: Application Security Manager

Symptoms:
An ASM policy change with newly enforced signatures causes a signature collection failure in all other policies.

Conditions:
An ASM policy is changed by adding newly enforced signatures.

Impact:
Signature collection failures are logged for all other policies.

Workaround:
For each other policy on the device, make a spurious change (such as modifying policy description and saving) and apply the policy. Alternatively, a new user-defined signature which would be included in enforcement can be spuriously added and then immediately removed.


734539-2 : The IKEv1 racoon daemon can crash on multiple INVALID-SPI payloads

Component: TMOS

Symptoms:
When an IKEv1 peer sends an INVALID-SPI payload, and BIG-IP system cannot find the phase-two Security Association (SA) for that SPI but can find phase-one SA involved; the racoon daemon may crash if there are additional INVALID-SPI payloads afterward.

Conditions:
-- An INVALID-SPI notification is received.
-- That phase-two SA is already gone.
-- The phase-one parent SA is still around.
-- Subsequent notification INVALID-SPI payloads involve the same phase-one SA.

Impact:
The v1 racoon daemon cores, interrupting traffic until new tunnels can be established after racoon restarts.

Workaround:
There is no workaround at this time.

Fix:
The system no longer destroys the parent phase-one SA when an INVALID-SPI notification cannot find the target phase-two SA, so this issue does not occur.


734527-4 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.

Fix:
The peer-group now has 'capability graceful-restart' enabled by default, so this issue no longer occurs.

Behavior Change:
In this release, peer-group has 'capability graceful-restart' enabled by default.


734446-3 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.

Fix:
TMM no longer crashes after changing LSN pool mode from PBA to NAPT.


727292-2 : SSL in proxy shutdown case does not deliver server TCP FIN

Component: Local Traffic Manager

Symptoms:
Connection is not torn down.

Conditions:
HTTPS server disconnects connection when in handshake.

Impact:
Potential resource exhaustion.

Workaround:
You can mitigate this condition in either of the following ways:

-- Wait for system to clean up lingering connections.

-- Use tmsh to clean up connections. (Note: Sometimes this might not work as expected depending on conditions.)

-- If this happens on the config-sync channel, use a different self-ip for config-sync on the affected device.

Fix:
SSL server side handles this error situation by sending out all remaining egress data and sending a shutdown signal to lower filters.


727206-4 : Memory corruption when using SSL Forward Proxy on certain platforms

Component: Local Traffic Manager

Symptoms:
When using SSL Forward proxy, memory corruption can occur, which can eventually lead to a tmm crash.

Conditions:
Client SSL profile on a virtual server with SSL Forward proxy enabled.

-- Using the following platforms:
   - vCMP host
   - 2000s / 2200s
   - 5000s / 5200v
   - 5050s / 5250v / 5250v-F
   - 10350V-F

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.


727107-1 : Request Logs are not stored locally due to shmem pipe blockage

Component: Application Security Manager

Symptoms:
An unknown issue causes the communication layer between pabnagd and asmlogd to be become stuck. Messages similar to the following appear in pabnagd.log:

----------------------------------------------------------------------
account |NOTICE|... src/Account.cpp:183|Skipped 36 repeated messages. Request Log protobuf subscription queue is full. Message dropped.
rqlgwriter |WARNIN|... src/RequestLogWriter.cpp:137|Skipped 599 repeated messages. No space to write in shmem.

Messages similar to the following appear in pabnagd.log:

Conditions:
Request Logs are not stored locally due to shmem pipe blockage.

Impact:
Event logs stop logging locally.

Workaround:
Restart policy builder with:
killall -s SIGHUP pabnagd

Fix:
The policy builder now detects the blockage, and restarts the connection with the request logger.


727044-1 : TMM may crash while processing compressed data

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing compressed data.

Conditions:
Compression enabled
Hardware compression disabled

Impact:
TMM crash leading to a failover event.

Workaround:
No workaround.

Fix:
TMM now correctly processes compressed traffic


726895-1 : VPE cannot modify subroutine settings

Solution Article: K02205915

Component: Access Policy Manager

Symptoms:
Open per-request policy in Visual Policy Editor (VPE) that has a subroutine. Click 'Subroutine Settings / Rename.

Numeric values like the inactivity timeout are displayed as 'NaN. Attempts to modify the values results in MCP validation errors such as one of these:
- Unable to execute transaction because of:
- Unable to execute transaction because of: 01020036:3: The requested user role partition (admin Common) was not found.

Conditions:
-- Per-request policy in the VPE.
-- Subroutine in the per-request policy.
-- Attempt to change the values.

Impact:
All fields say 'NaN', and error when trying to modify properties. Subroutine settings like the Inactivity Timeout and Gating Criteria cannot be modified through the VPE

Workaround:
Use tmsh to modify these values, for example:

tmsh modify apm policy access-policy <policy_name> subroutine properties modify { all { inactivity-timeout 301 } }

Fix:
The issue has been fixed; it is now possible to view and modify subroutine settings in the VPE.


726647-1 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.


726592-2 : Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop

Component: Access Policy Manager

Symptoms:
Invalid logsetting config messaging between our daemons could send apmd, apm_websso, localdbmgr into infinite loop. This could be triggered by invalid state of our control plane daemons.

Conditions:
This is an extremely rare situation that can be caused by invalid logsetting config messaging between our daemons. However, once it happens it can impact multiple daemons at the same time causing all of them to hang.

Impact:
Once this happens it can impact multiple daemons (apmd, apm_websso, localdbmgr) at the same time causing all of them to hang.

Workaround:
There is no workaround at this time, you can recover by restarting the daemons that hang.

Fix:
We have fixed a memory corruption that can break the linkages in our data structure which would cause certain traversals to loop indefinitely.


726487-1 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).

Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.

Fix:
MCPD on secondary blades no longer restarts if a pool member is created in a partition that uses a non-default route domain at the same as the configuration is being saved.


726412-1 : Virtual server drop down missing objects on pool creation

Component: Global Traffic Manager (DNS)

Symptoms:
Available virtual servers are not populated in the drop down list during Pool creation.

Conditions:
Virtual server names containing single quote, backslash, or greater-than and less-than signs: ' \ < >.

Impact:
Unable to add available virtual servers to pools.

Workaround:
After pool creation, go into that newly created pool, click 'Members', and then click 'Manage', and use the Virtual Server drop-down list to add any virtual servers.

Fix:
Fixed the drop down for virtual servers. Now virtual servers get loaded in the drop-down list during pool creation.


726409-3 : Kernel Vulnerabilities: CVE-2017-8890 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Component: TMOS

Symptoms:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel allows attackers to cause a denial of service (double free) or
possibly have unspecified other impact by leveraging use of the accept system call.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance,
which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890.

Conditions:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439

Impact:
denial of service

Workaround:
don't allow login

Fix:
For more information see: https://support.f5.com/csp/article/K02236463
https://support.f5.com/csp/article/K02613439


726393-5 : DHCPRELAY6 can lead to a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm can crash when handling a DHCPv6 request via the DHCPv6 relay.

Conditions:
tmm handling a DHCPv6 request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to DHCPv6 request via the DHCPv6 relay.


726317-3 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.

Fix:
New output helps F5 engineers diagnose mcpd problems more easily.


726303 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.

Fix:
This release provides a sys db var, tmm.urlcat.no_db_limit, to allow growth beyond the existing limit of 10 million custom db entries.


726255-3 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.

Fix:
dns_path memory will be released after ttl.


726239-3 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when TCP persist timer is active.


726232-1 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM correctly handles 'drop' command in 'LB_SELECTED' event.


726089-3 : Modifications to AVR metrics page

Solution Article: K44462254


724868-2 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.

Fix:
dynconfd no longer leaks memory when processing messages.


724680-3 : OpenSSL Vulnerability: CVE-2018-0732

Component: TMOS

Symptoms:
For more information see: https://support.f5.com/csp/article/K21665601

Conditions:
For more information see: https://support.f5.com/csp/article/K21665601

Impact:
For more information see: https://support.f5.com/csp/article/K21665601

Workaround:
None.

Fix:
For more information see: https://support.f5.com/csp/article/K21665601


724532-1 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer restarts while matching traffic from source IP to IP Intelligence category.


724339-2 : Unexpected TMUI output in AFM

Solution Article: K04524282


724335-2 : Unexpected TMUI output in AFM

Solution Article: K21042153


724214-2 : TMM core when using Multipath TCP

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.


723794-4 : PTI (Meltdown) mitigation should be disabled on AMD-based platforms

Component: TMOS

Symptoms:
Platforms with AMD processors freeze when the PTI (Page Table Isolation) mitigation is enabled, after a period ranging from several hours to several days.

You can find information about which versions have the PTI (Meltdown) mitigations enabled in the AskF5 Article: Bug ID 707226: DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations :: https://cdn.f5.com/product/bugtracker/ID707226.html.

Conditions:
-- AMD-based platforms:
   + BIG-IP B4100 blades
   + BIG-IP B4200 blades
   + BIG-IP 6900 and NEBS appliances
   + BIG-IP 89x0 appliances
   + BIG-IP 6400 FIPS and NEBS platforms
   + BIG-IP 110x0 appliances

-- The database variable kernel.pti is set to enable (to address PTI (Meltdown)).

Impact:
System locks up and is rebooted by the watchdog timer.

Workaround:
Set the database variable kernel.pti to disable by running the following command:

tmsh modify sys db kernel.pti value disable

According to AMD, these AMD processors are not vulnerable to PTI (Meltdown), so there is no reason to leave the db variable enabled.

Fix:
PTI (Page Table Isolation) mitigation is no longer enabled on AMD-based platforms.


723792-3 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}

Fix:
Fixed handling of escape characters. Recv strings that previously failed to compile will now compile.


723790-4 : Idle asm_config_server handlers consumes a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.


723722-3 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.

Fix:
MCPD no longer crashes if several thousand files are created between config sync operations.


723298-3 : BIND upgrade to version 9.11.4

Component: TMOS

Symptoms:
The BIG-IP system is running BIND version 9.9.9.

Conditions:
BIND on BIG-IP system.

Impact:
BIND 9.9 Extended Support Version was supported until June, 2018.

Workaround:
None.

Fix:
BIND version has been upgraded to 9.11.4.


723288-3 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


723130-3 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Solution Article: K13996

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
There might be questions about the integrity of the OVA file, and in some cases, might not be able to deploy a new instance from an OVA file.

Workaround:
None.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.


722969-1 : Access Policy import with 'reuse' enabled instead rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

Fix:
Access policy import with 'reuse' option enabled no longer rewrites shared objects


722682-1 : Fix of ID 615222 results in upgrade issue for GTM pool member whose name contains a colon; config failed to load

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade when pool member names contain colons. The system posts errors similar to the following:
01070226:3: Pool Member 443:10.10.10.10 references a nonexistent Virtual Server
Unexpected Error: Loading configuration process failed.

Conditions:
-- GTM pool member has colon in its name.
-- Upgrade to any of the following versions:
  + 12.1.3.x
  + Any 13.0.x
  + All 13.1.x earlier than 13.1.1.2
  + 14.0.x earlier than 14.0.0.3

Impact:
The system removes the part of the pool member name that precedes the colon, and configuration load fails. For example, when the configuration contains a pool member named example_pm:443:10:10:10:10, the system removes the part of the pool member name that precedes the first colon, in this case, example_pm, leaving the pool member name 443:10.10.10.10.

Workaround:
After upgrade, add two backslash characters, \\ before the first colon, : character.

1. Upgrade the BIG-IP DNS system to the new version of software.
2. SSH to log into the bash prompt of the BIG-IP DNS system.
3. Run the following command to add the string \\ in front of the first colon character, : in the name of each affected GTM pool member:

  for j in $(find /config/ -name bigip_gtm.conf); do for i in $(awk '$0 ~ /^gtm server.*:/ {gsub("[/:]"," ",$0); print $4}' ${j}); do sed -i "s, /Common/${i}, /Common/${i}\\\\\\\,g" ${j} | grep " /Common/${i}"; done; done

4. Run the following command: load sys config gtm-only

Fix:
Configuration load no longer fails when upgrading with a configuration that contains BIG-IP DNS pools with members whose names contain colon characters.


722677-3 : High-Speed Bridge may lock up

Solution Article: K26455071


722387-2 : TMM may crash when processing APM DTLS traffic

Solution Article: K97241515


722363-1 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.


722091-2 : TMM may crash while processing HTTP traffic

Solution Article: K64208870


722013-3 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.

Fix:
The MCPD daemon no longer restarts on secondary blades after config-sync of APM.


721924-3 : bgpd may crash processing extended ASNs

Solution Article: K17264695

Component: TMOS

Symptoms:
Under certain conditions bgpd may crash while processing extended ASNs.

Conditions:
Dynamic routing enabled.
Extended ASP capabilities enabled: bgp extended-asn-cap enabled

Impact:
Dynamic routing disrupted while bgpd restarts.

Fix:
bgpd now processes extended ASNs as expected.


721895-1 : Add functionality to configure the minimum TLS version advertised and accepted by big3d (iQuery)

Component: Global Traffic Manager (DNS)

Symptoms:
big3d advertises a TLSv1.0 version. Even though big3d requires previously exchanged certificates to validate a connection request, the TLSv1.0 advertisement triggers various vulnerability scanners and is flagged.

Conditions:
Running a vulnerability scanner or other SSL test tool.

Impact:
The scanner or tool reports that big3d might potentially accept a TLSv1.0 connection request (which is considered insecure). Vulnerability scanners then flag the BIG-IP system as vulnerable.

Workaround:
Although there is no workaround, because big3d accepts connections only from clients that match the certificates on the BIG-IP system, the risk is minimal.

In addition, you can deploy firewall rules to accept connections only on port 4353 from know BIG-IP systems.

Fix:
This version adds a db variable for the big3d
big3d.minimum.tls.version. By default the value is 'TLSv1'. You can also specify TLSV1.1 or TLSV1.2 (the setting is case insensitive).

After changing the DB variable, restart big3d. Change the value on all BIG-IP systems that are subject to scans. This includes GTM as well as LTM configurations.


721752-1 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;

Fix:
Null char is no longer returned in REST for Suggestion with more than MAX_INT occurrences.


721741-2 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.


721621-2 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.

Fix:
When an FQDN pool member address resolves to the same IP address as an existing static node, the corresponding ephemeral pool member is successfully created and deleted as expected, including when the IP address returned by the DNS query changes.


721399-3 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').

Fix:
ASM Signature Set can now be set to Accuracy = 'All' after a value was previously set.


721375 : Export then import of config with RSA server in it might fail

Component: Access Policy Manager

Symptoms:
If an exported policy configuration contains both an RSA server as well as the RSA-provided sdconf.rec and sdstatus.12 config files, policy import might fail.

Conditions:
-- RSA server and access profile are in the same, non-Common partition.
-- Exported policy contains an RSA server as well as both the RSA-provided sdconf.rec and sdstatus.12 config files.

Impact:
Unable to import the exported configuration. This occurs because of how the names for the files are resolved in the exported configuration.

Workaround:
Although there is no actual workaround, you can avoid this issue if the profile is outside of the partition. That case uses a different name resolution during the export, so import works as expected.

Fix:
You can now successfully import an exported policy containing an RSA server as well as both sdconf.rec and sdstatus.12 files.


720880 : Attempts to license/re-license the BIG-IP system fail.

Component: TMOS

Symptoms:
Attempts to activate or reactivate the license on the BIG-IP system results in failure messages.

Conditions:
No specific configurations are associated with this issue, but license activation/reactivation requests that include add-ons are more likely to fail.

This occurs under random conditions.

Impact:
The system is either unusable or very difficult to activate.

Workaround:
Because the conditions under which this issue occurs are random, additional licensing attempts might succeed.

Fix:
The source of the underlying problem has been corrected. No additional logs, error message, or user-interaction is involved.


720819-1 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks-up due to a different issue.

Impact:
Traffic is negatively impacted until the BIG-IP system detects and remedies the condition. This might take up to 15 minutes before remedied by a reboot, depending on other traffic being processed.

Workaround:
None.

Fix:
The HSB lock-up is now promptly detected and remedied.


720799-3 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.

Fix:
When using FQDN pool members, ephemeral members whose IP addresses are not present in the most DNS query results are not immediately deleted from the pool.

To prevent the brief condition in which there are no ephemeral members in the pool (which can cause a Virtual Server or Virtual Address using that pool to flap), creation of new ephemeral nodes and pool members occurs immediately, but deletion of old new ephemeral nodes and pool members occurs after a delay.

The duration of the delay follows the fqdn 'down-interval' value configured for the associated FQDN template node.


720756 : SNMP platform name is unknown on i11400-DS/i11600-DS/i11800-DS

Component: TMOS

Symptoms:
The SNMP query for platform marketing name is 'unknown' for i11400-DS/i11600-DS/i11800-DS.

Conditions:
-- On licensed system, check OID marketing name.
-- Using i11400-DS/i11600-DS/i11800-DS platforms.

Impact:
Cannot tell the actual platform name in the SNMP query.

Workaround:
There is no workaround at this time.

Fix:
SNMP platform name is now reported correctly on BIG-IP i11400-DS/i11600-DS/i11800-DS platforms.


720713-3 : TMM traffic to/from a i5800/i7800/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When a BIG-IP iSeries i5800, i7800, or i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- BIG-IP iSeries i5800, i7800, or i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
Ensure that the host is running a compatible version of BIG-IP. For more information on supported host/guest versions, see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Fix:
The vCMP host continues to handle traffic correctly once a guest is started.


720695-2 : Export then import of APM access Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Access policy import containing advanced customization now succeeds.


720651-3 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.

Fix:
The guest now stops when the state is changed from deployed to provisioned.


720461-3 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

        $date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;

Fix:
The qkview is no longer blocked with a password prompt.


720391-1 : BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i7800 Dual SSD reports wrong marketing name under 'show sys hardware' and 'unknown' when OID sysObjectID is queried.

Conditions:
1. Execute 'tmsh show sys hardware'.
2. Query for OID sysObjectID using snmpwalk.

Impact:
System is reported as 'none', when it should be i7800-D. Platform with dual SSD not correctly identified using tmsh command or snmpwalk.

Workaround:
None.

Fix:
Added new SNMP OID for BIG-IP i7800 Dual SSD, reported as BIG-IP i7800-D, which is the correct designation.


720293-1 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.

Fix:
In this release, an IPv4-formatted virtual server with an IPv6-formatted pool member works with HTTP2.


720269-3 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.

Fix:
Prevented extra characters from being appended to TACACS audit logs.


720219-1 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.


720110-4 : 0.0.0.0/0 NLRI not sent by BIG-IP when BGP peer resets the session.

Component: TMOS

Symptoms:
Neither learned nor default-originate default routes (0.0.0.0/0) are sent to the BGP peer if the BGP peer has terminated the BGP session with TCP FIN, without BGP notify message.

Conditions:
1. BGP session is terminated without BGP notify (just TCP FIN).
2. Either learned (not originated in DUT) and default-originate (originated in DUT) routes are not sent.

Impact:
Default routes are not propagated in the network after the BGP peer restart.

Workaround:
There is no workaround at this time.

Fix:
Default routes are now always sent after the BGP session reset. Consistent behavior between BGP session reset with and without BGP notify message.


720104 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.

Fix:
Added new SNMP OID for BIG-IP i2800/i2600 650W AC PSU.


720030-3 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file to add an EDNS0 option.

There is no workaround if you are running a version earlier than 12.x.

Fix:
Kerberos DNS SRV requests now support EDNS0, so that UDP responses greater than 512 bytes can be received correctly, eliminating the need to re-send the request on TCP while communicating to the internal DNS server (dnscached).


719644-1 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.

Fix:
This release supports GTM upgrades from 11.x to BIG-IP DNS 12.x and later versions for cases where:
-- Auto-discovery is enabled.
-- LTM virtual server name a period character (.).
-- The same virtual server name is used in multiple partitions.


719554-3 : Linux Kernel Vulnerability: CVE-2018-8897

Solution Article: K17403481


718885-1 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When sufficient resources are configured with the same monitor interval, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) then immediately changed to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the sum of the resources monitored at a given interval is not greater than the interval. That can be accomplished several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.


718210-3 : Connections using virtual targeting virtual and time-wait recycle result in a connection being improperly reused

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, connections that use virtual targeting virtual server and time-wait recycle result in a connection being improperly reused.

Conditions:
Virtual server targeting virtual server (usually occurs in an iRule) with time-wait recycle being used on the virtual server's TCP profile.

Note: This is the default value, so any virtual servers defined internally are using it.

Impact:
A connection might be reused even though it is a new one. TMM can crash and restart. Traffic disrupted while tmm restarts.

Note: This is an extremely rare issue.

Workaround:
None.

Fix:
This issue has been fixed.


718208-1 : Unable to install Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR using SUDO

Component: Access Policy Manager

Symptoms:
When using Firefox v52 ESR to install SVPN client, the SVPN client keeps prompting to enter SUDO credentials.

Conditions:
Using Firefox v52 ESR to install SVPN client.

Impact:
Cannot install SVPN client using Firefox v52 ESR browser.

Workaround:
Follow this procedure to work around this problem:

1. Delete the NPAPI plugin from the browser. To do so, remove the browser plugin, which you can find in either or both of the following locations:

~/.mozilla/plugins/np_F5_SSL_VPN_x86_64.so

~/.mozilla/firefox/w8wdvzyy.default/extensions/{5984e8a4-b593-11e5-ad1f-ac88bb8e7f8b}/

2. Launch the browser; connect to APM and install the SVPN client manually.
3. Install the plugin through the browser, or copy the plugin to the browser plugin directory.
4. Restart Firefox v52 ESR to connect to APM.

Fix:
This issue has been fixed, and now you can install the Network Access plugin on Linux Ubuntu 16.04 with Firefox v52 ESR browser.


718071-3 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP2 traffic does not pass traffic if an ASM policy is applied.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.

Fix:
HTTP2 and ASM now work correctly together.


717896-1 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.


717742-3 : Oracle Java SE vulnerability CVE-2018-2783

Solution Article: K44923228


717100-4 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.


716992-3 : The ASM bd process may crash

Solution Article: K75432956


716922-4 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.

Fix:
Revised PUSH flag setting logic to set the flag in cases where sending is Nagle-limited.


716900-1 : TMM core when using MPTCP

Solution Article: K91026261


716788-3 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.

Fix:
Response modification handler has been modified so that this issue no longer occurs.


716747-4 : TMM my crash while processing APM or SWG traffic

Component: Access Policy Manager

Symptoms:
Under certain circumstances, TMM may crash when processing APM or SWG.

There will be a log message in /var/log/apm near the time of crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
APM or SWG enabled.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround at this time.

Fix:
TMM now processes APM and SWG traffic as expected.


716716-3 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.

Fix:
This release prevents the core that occurred when the kernel has a route that has no corresponding TMM route.


716391-3 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores (or 2 cores per blade for multi-blade guests) may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores (or 2 cores per blade for multi-blade vCMP guests).
-- A module using MySQL is provisioned, MySQL, for example BIG-IP ASM and BIG-IP Analytics (AVR). These other modules also implicitly provision AVR: ASM, AFM, DOS, APM, PEM, and vCMP.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


716318-4 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.

Fix:
The factory update file timestamp is now set to 0, unless there is a reason to install the factory file over the current update file in downloads.f5.com.


716213-3 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.

Fix:
The SSL persistence parser now validates the handshake message data-bytes are available prior to fetching them, so the bounds error does not get raised.


716166-3 : Dynamic routing not added when conflicting self IPs exist

Component: TMOS

Symptoms:
Missing dynamic route in dynamic routing daemon as shown via 'show ip route'.

Conditions:
When a self IP host address is the same as the network address of the dynamic route being propagated. For example: self IP 10.10.10.0/31 versus dynamic route 10.10.10.0/24; or 10.10.0.0/24 versus dynamic route 10.10.0.0/16.

Impact:
Propagation of the dynamic route to the kernel, TMM.

Workaround:
There is no workaround other than not creating self IPs on the network address of a prefix.


715923-3 : When processing TLS traffic TMM may terminate connections unexpectedly

Solution Article: K43625118


715750-3 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.

Fix:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.

Behavior Change:
SSL shutdown behavior is controlled with profile option 'Alert Timeout', which specifies the duration in time for the system to try to close an SSL connection before resetting the connection. The default is 'Indefinite'.


715467-3 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.

Fix:
Upon a DNS 'A' record being removed or changed, the ephemeral pool members and nodes based on the old value are removed or changed.


715448-1 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.

Fix:
Can now use LB::status iRule command to display the status of a GTM Pool when the name of the pool is provided in a variable.


715250-2 : TMM crash when RPC resumes TCL event ACCESS_SESSION_CLOSED

Component: Access Policy Manager

Symptoms:
TMM generates a core and restarts when RPC resumes iRule event ACCESS_SESSION_CLOSED.

Conditions:
Plugin RPC call has iRule event ACCESS_SESSION_CLOSED configured.

Impact:
System instability, failover, traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


715207-2 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure: 1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
Now per-request access policies can be simultaneously used and edited without causing spurious 'coapi' log errors.


715090 : PEM policy actions obtained via a PCRF are not applied for traffic generated subscribers

Component: Policy Enforcement Manager

Symptoms:
Policy and Charging Rules Function (PCRF) policy actions will have no effect on the subscribers' traffic.

Conditions:
PEM creates a traffic generated subscriber that has PCRF-provided policies associated with it.

Impact:
Potential loss of service depending on the policy actions that do not take effect.

Workaround:
There is no workaround at this time.

Fix:
This issue has been fixed.


714986-1 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1

Fix:
In addition to reprogramming the UART with the new baud rate, the BIG-IP system now re-initializes the TTY device and agetty process with the correct speed so that new terminal sessions reflect the change.


714903-1 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.

Fix:
These errors in chmand are fixed.


714879-1 : APM CRLDP Auth passes all certs

Solution Article: K34652116


714848 : OPT-0031 and OPT-0036 log DDM warning every minute when interface disabled and DDM enabled

Component: TMOS

Symptoms:
DDM transmit power too low warning continually appear in /var/log/ltm, and in SNMP traps. Messages appear similar to the following:
DDM interface:3/1.0 transmit power too low warning. Transmit power(mWatts) 0.0001 0.0001 0.0001 0.0001

A single warning message is expected, not repeating messages.

Conditions:
This occurs when all of the following conditions are met:
-- The interface is disabled.
-- DDM is enabled.
-- OPT-0031 or OPT-0036.

Impact:
There are multiple messages in /var/log/ltm, and SNMP DDM traps. There is no impact on traffic.

Workaround:
There is no workaround other than to enable the interface or disable DDM.

Fix:
DDM errors no longer continually appear on disabled interfaces containing OPT-0031 or OPT-0036.


714716-3 : Apmd logs password for acp messages when in debug mode

Solution Article: K10248311

Component: Access Policy Manager

Symptoms:
Apmd logs password when executing policy via iRule.

Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active

Impact:
Apmd logs clear text password

Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.


714654-3 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.

Fix:
Creating static routes for advertised dynamic route no longer causes the tmrouted-to-TMM connection to drop.


714559-1 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}

Fix:
HTTP hash persistence cookie is no longer removed when a pool member goes down.

If you need to remove the cookie, use an iRule similar to the following:

when PERSIST_DOWN {
    HTTP::cookie remove JSESSIONID
}


714542-1 : 'Always Connected Mode' text is missing in EdgeClient tray

Component: Access Policy Manager

Symptoms:
When right-clicking the EdgeClient tray icon, the pop-up menu shows a grey box instead of the 'Always Connected Mode' text.

Conditions:
EdgeClient installed in 'Always Connected Mode' with 'Allow' traffic when VPN is disconnected.

Impact:
No functional impact. Previously, the message appeared only for blocked mode.

Workaround:
None.

Fix:
Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the <uicontrol>Always Connected Mode</uicontrol> text is displayed on the tray icon pop-up menu.


714181-3 : TMM may crash while processing TCP traffic

Solution Article: K14632915


713951-3 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
When the nitrox_diag utility generates a tmm core file, that file now includes data for all tmm threads instead of only one.


713934-4 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.

Fix:
In this release, when DNS::query name changes the query name, the software ensures that the request is updated with proper lengths.


713690-1 : IPv6 cache route metrics are locked

Component: Local Traffic Manager

Symptoms:
Under certain circumstances IPv6 route metrics are locked for the lifetime of a route metrics cache entry.

Conditions:
Under certain circumstances IPv6 route metrics cache entries are created locked.

Impact:
IPV6 route metrics are locked for the lifetime of a route metrics cache entry. When receiving subsequent icmpv6 packet to big messages with a larger MTU, the value does not get updated.

Workaround:
None.

Fix:
IPv6 route metrics are not locked anymore.


713655-3 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.

Fix:
Route domain selection operations no longer fail under heavy control-plane traffic/activities.


713533-3 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.

Fix:
You can now use pattern matching to list Self IPs


713491-1 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.

Fix:
The spi values are shown in the correct endianness now.


713282-3 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.

Fix:
Remote logger violation_details field is now populated as expected when the virtual server has more than one remote logger.


713066-3 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restart as a result of a DNS lookup to disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.


712924 : In VPE SecurID servers list are not being displayed in SecurID authentication dialogue

Component: Access Policy Manager

Symptoms:
In VPE SecurID servers list are not being displayed in SecurID authentication dialogue. List is displaying only None.

Conditions:
Always when adding SecureID authentication action.

Impact:
Inability to (re)configure SecureId via VPE.

Workaround:
Manually modify RSA AAA server in SecurID Auth Agent via tmsh:

tmsh modify apm policy agent aaa-securid <aaa agent> server <securid server name>


712857-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 128 KB limit on POST bodies while the policy is being evaluated.

The system posts an error message similar to the following in /var/log/apm:
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during policy evaluation. After the policy has been set to 'Allow', there is no limit to the POST body.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
This release introduces a db variable 'tmm.access.maxrequestbodysize'. You can now avoid this issue by setting a value larger than the 128 KB POST body size. The maximum supported value is 25000000 (25 MB).


712664-4 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
 - Virtual Address with ARP disabled
 - Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.

Fix:
IPv6 NS is no longer dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address.


712475-1 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured a zone without a server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.


712464-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs is usually in the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.


712437-1 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
The dig command returns no record with SOA from the parent zone even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
 myzone.com -- parent
 foo.myzone.com -- child
 
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.


712362-1 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}

Fix:
This release correctly handles 101 responses even without the 'Switching Protocols' reason phrase.


712315-1 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly

Component: Access Policy Manager

Symptoms:
In VPE LDAP and AD Group Resource Assign are not displaying static acls when they are configured.

Conditions:
While attempting to assign Static ACls via AD or LDAP Group Resource assign (aka Group Mapping) Static ACLs are not displayed.

Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.

Workaround:
Static ACLs are assignable with TMSH.

Fix:
Functionality is restored and Static ACLs are being displayed in AD and Ldap Group Resource Assign aka Group Mapping

use:
tmsh modify apm policy agent resource-assign


711981-3 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.

Workaround:
None.

Fix:
The BIG-IP system now limits the flow egress MTU to the interface egress MTU.


711570-1 : PEM iRule subscriber policy name query using subscriber ID, may not return applied policies

Component: Policy Enforcement Manager

Symptoms:
PEM::subscriber config policy get <subscriber id> does not return policy names

Conditions:
PEM iRule using subscriber ID to get policy name.

Impact:
Subscriber policy names are not returned.

Workaround:
Use PEM::subscriber config policy get <IP address> instead.

Fix:
Subscriber policy names are now returned when running PEM iRules using subscriber ID to get policy names.


711547 : Update cipher support for Common Criteria compliance

Component: TMOS

Symptoms:
Default cipher selection may not be compliant with Common Criteria requirements. Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Conditions:
Common Criteria mode active

Impact:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Workaround:
Please see the Common Criteria guidance documentation for details about cipher strings in CC mode.

Fix:
Improved Common Criteria compliance in default cipher strings.


711281-3 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.

Fix:
nitrox_diag now clears the older data before gathering new data, instead of after. Note, however, that if there is insufficient free space on /shared to collect the raw data, the operation still cannot succeed.


711249-2 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.


711093-2 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.

Fix:
PEM sessions no longer stay in the marked-for-delete state after session delete


710857-4 : iControl requests may cause excessive resource usage

Solution Article: K64855220


710827-4 : TMUI dashboard daemon stability issue

Solution Article: K44603900


710755-2 : Crash when cached route information becomes stale and the system accesses the information from it.

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.

Conditions:
Use stale cached route information.

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.

Workaround:
None.

Fix:
The system now fetches the latest egress route/interface information before accessing it.


710705-3 : Multiple Wireshark vulnerabilities

Solution Article: K34035645


710602 : iCRD commands requiring 'root' user access fixed

Component: TMOS

Symptoms:
Some of the iCRD calls that run commands on the base operating system that require elevated permissions fail because iCRD was not correctly executing the commands in the right context.

Conditions:
Use an iCRD endpoint that requires elevated permissions to succeed.

Impact:
Only impacts iCRD endpoints which run commands that require root access.

Workaround:
There is no workaround at this time.

Fix:
This fix resolves this issue by running the commands with the correct user context.


710564-3 : DNS returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0

Component: Local Traffic Manager

Symptoms:
The DNS filter returns an erroneous invalidate response with EDNS0 CSUBNET Scope Netmask !=0.

Conditions:
- Virtual Server configured with 'DNS Profile' set to 'dns' or a 'dns'-derived profile.
- DNS queries with EDNS0 ECS option set.

Impact:
If the response ECS Scope Netmask has a value other than '0', LTM drops it, causing timeout and retry on client side.

Workaround:
There is no workaround at this time.


710424-3 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.


710355-1 : High CPU when using HTTP::collect for large chunked payloads

Component: Local Traffic Manager

Symptoms:
When collecting large amounts of chunked payload, approximately one million bytes, the processing to parse each chunk for the chunk headers and offsets results in large CPU utilization.

Conditions:
-- HTTP profile is attached to virtual server.
-- Server sends chunked response.
-- An iRule on the virtual server uses the HTTP::collect command to collect and parse large chunked payloads.

Impact:
High CPU utilization.

Workaround:
None.


710327-3 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request including binary null character has been sent to an remote logger, configured for ASM, the request will arrive to the remote destination and will be truncated exactly at binary NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.

Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.


710314-2 : TMM may crash while processing HTML traffic

Solution Article: K94105051


710277-2 : IKEv2 further child_sa validity checks

Component: TMOS

Symptoms:
A tmm restart can occur when a child_sa is rekeyed at expiration time, provided a race condition occurs.

Conditions:
Encountering the issue in which rekeying a child_sa might core when race conditions allowed that child_sa to be destroyed while in use.

Impact:
Restart of tmm and outage of IPsec tunnels until renegotiated.

Workaround:
None.

Fix:
The validity of a child_sa and its traffic selector are checked now before use, to prevent failure when freed objects are accidentally used.


710246-3 : DNS-Express was not sending out NOTIFY messages on VE

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express is not sending out NOTIFY messages on BIG-IP Virtual Edition (VE).

Conditions:
-- DNS Express configured to send out NOTIFY messages.
-- Running on BIG-IP VE configuration.

Impact:
DNS secondary servers serving stale data.

Workaround:
There is no workaround at this time.

Fix:
DNS Express now sends out NOTIFY messages on VE.


710244-1 : Memory Leak of access policy execution objects

Solution Article: K27391542


710211 : Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro.

Component: Access Policy Manager

Symptoms:
Cannot edit Terminals of Macro if one or more Macrocalls point to a given Macro. The system posts a message similar to the following:

Unable to execute transaction because of: 01071203:3: Caption (XYZ1) of the rule in macrocall (/Common/abc_macro) must be identical to the caption (XYZ2) of terminalout.

Conditions:
-- Using Access Policy.
-- Policy includes one or more macros.
-- There is a macrocall on one of the macros.
-- You attempt to add a new terminal to that macro.

Impact:
Cannot edit macro terminals.

Workaround:
None.

Fix:
Can now edit Terminals of Macro if one or more Macrocalls point to a given Macro.


710148-4 : CVE-2017-1000111 & CVE-2017-1000112

Solution Article: K60250153


710028-4 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.

Fix:
LTM SQL monitors continue monitoring when multiple monitors/ query the same server and database.


709972-4 : CVE-2017-12613: APR Vulnerability

Solution Article: K52319810


709688-5 : dhcp Security Advisory - CVE-2017-3144, CVE-2018-5732, CVE-2018-5733

Solution Article: K08306700


709670-5 : iRule triggered from RADIUS occasionally fails to create subscribers.

Component: Policy Enforcement Manager

Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.


709610-1 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.

Fix:
The system now handles PEM subscriber session updates properly, so this issue no longer occurs.


709544-4 : VCMP guests in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until upgrade is complete on all chassis in the DSC are finished. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.


709334-2 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
When looking at tmsh show sys memory you will see
ssl_compat continue to grow and fails to release memory.

Conditions:
-SSL Forward Proxy In use
-SSL Re-negotiations happening

Impact:
Eventually memory reaper will kick in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.


708956 : During system boot, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Solution Article: K51206433

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.

Fix:
This release fixes a race condition that might have occurred while reading FPGA firmware loading status.


708830-1 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup, and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They remain stuck in this state until they time out and expire. In this state, UDP connections queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets accumulate, consuming memory. If the memory consumption becomes excessive, connections may be killed and 'TCP: Memory pressure activated' and 'Aggressive mode activated' messages appear in the logs.

Conditions:
-- An LSN pool with inbound and/or hairpin connections enabled.
-- Lost Session DB messages due to heavy load or hardware failure.
-- Remote lookups are more likely when using PBA mode or NAPT mode with default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.

Fix:
When Session DB messages are lost, the connection is killed and any queued packets are discarded. If the client application resends packets, they are treated as new connections.


708653-3 : TMM may crash while processing TCP traffic

Solution Article: K07550539


708249-4 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0

Fix:
Nitrox_diag utility now uses the -s0 command to generate QKView files, so there is no longer a 5 MB maximum file size limit, and the full QKView file is created.


708114-3 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when receiving the HUDEVT_SSL_OCSP_RESUME_CLNT_HS after the SSL connection is closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.


708068-3 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.

Fix:
The TCL command HTTP::path -normalize should return normalized path.


708054-3 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
Web Acceleration feature may not handle big HTML file with improper conditional comments inside in some cases. TMM may crash processing such files if Web Acceleration profile is attached to VIP.

Conditions:
- HTML file with conditional comments inside:
  <!--[if condition...]> ... <![endif]-->

- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.


707990-3 : Unexpected TMUI output in SSL Certificate Instance page

Solution Article: K41704442


707951 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.

Fix:
Stalled mirrored flows no longer appear when OneConnect is used.


707888 : Some ASM operations delayed due to scheduled ASU update

Component: Application Security Manager

Symptoms:
Some ASM operations (such as Apply Policy) are delayed while a scheduled ASU update is in progress. This issue affects only 12.1.3.x from 12.1.3.2 and later.

Conditions:
A scheduled ASM update is in progress on systems running v12.1.3.x.

Impact:
Some ASM operations, such as Apply Policy, are delayed.

Workaround:
There is no workaround at this time.

Fix:
Other ASM operations are no longer blocked by scheduled ASU update.


707740-3 : Failure deleting GTM Monitors when used on multiple virtual servers with the same ip:port combination

Component: TMOS

Symptoms:
When attempting to delete a GTM monitor, the system indicates that it is in use, even after removing that monitor from all GTM virtual servers. The system posts a message similar to the following:
01070083:3: Monitor /Common/mon-A is in use.

Conditions:
1. Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.
2. Remove the monitor from all virtual servers.
3. Attempt to delete the monitor from the configuration.

Impact:
Cannot delete the unused monitor.

Workaround:
After removing the monitor from all virtual servers, reload the GTM configuration using the following command:
tmsh load sys config gtm-only

You can now delete the monitor.

Fix:
You can now delete an unused GTM monitor, if that monitor was attached to multiple GTM virtual servers of the same ip+port combination.


707675 : FQDN nodes or pool members flap when DNS response received

Component: Local Traffic Manager

Symptoms:
When an LTM pool is configured with FQDN nodes or pool members, the LTM pool and associated virtual server(s) may transition from an UP to DOWN state and back over a period of a few seconds.

Such an event is accompanied by log messages similar to the following:

-- notice mcpd[#]: 01071682:5: SNMP_TRAP: Virtual /Common/vs_test has become unavailable
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from GREEN to RED.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from UP to DOWN.
-- err mcpd[#]: 01020066:3: The requested Pool Member (/Common/Test_Pool /Common/test-dummy.com-12.34.56.78 443) already exists in partition Common.
-- notice bigd[##]: 01060144:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 session status enabled by monitor
-- notice bigd[##]: 01060145:5: Pool /Common/Test_Pool member /Common/test-dummy.com-12.34.56.78 monitor status up. [ /Common/mon_test_https: UP ] [ was checking for 0hr:0min:2sec ]
-- notice mcpd[#]: 01071681:5: SNMP_TRAP: Virtual /Common/vs_test has become available
-- notice mcpd[#]: 010719e7:5: Virtual Address /Common/123.45.67.89 general status changed from RED to GREEN.
-- notice mcpd[#]: 010719e8:5: Virtual Address /Common/123.45.67.89 monitor status changed from DOWN to UP.

This symptom repeats each time a DNS query is performed to resolve the FQDN node/pool-member name to its IP addresses, based on the 'interval' value configured for the FQDN node.

This symptom occurs only when the 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Conditions:
-- LTM pool is configured with FQDN nodes or pool members.
-- The 'autopopulate' value is set to 'enabled' for the FQDN node/pool-member.

Impact:
LTM pool and virtual server are briefly and periodically marked DOWN. Traffic may be impacted.

Workaround:
Either of the following methods can be used to work around this issue:

-- Configure static IP addresses instead of FQDN nodes/pool-members.

-- Set the 'autopopulate' value to 'disabled' for the FQDN node/pool-member, if possible (that is, if only one IP address is required/expected to be returned for the FQDN name, which means that the 'autopopulate' feature of FQDN nodes/pool-members is not required).

Fix:
FQDN node/pool-member and corresponding pool and virtual server are no longer briefly marked DOWN when the DNS server is queried to resolve the FQDN name, with the 'autopopulate' feature enabled for the FQDN node/pool-member. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


707509-3 : Initial vCMP guest creations can fail if certain hotfixes are used

Component: TMOS

Symptoms:
vCMP guest fails to enter the 'provisioned' or 'deployed' states and similar messages can be seen in /var/log/ltm:

-- vcmpd[14254]: 01510003:2: Guest (guest_name): Install failed.
-- vcmpd[14254]: 01510004:3: Guest (guest_name): Install to VDisk /shared/vmdisks/guest_name.img FAILED: Child exited with non-zero exit code: 255

Conditions:
Creating vCMP guest using certain hotfix images, such as BIG-IP HF software released as partial .iso software images, and engineering hotfixes.

Impact:
vCMP guest cannot be created.

Workaround:
1. Create and deploy the vCMP guest using the full .iso base software image.
2. Log in to the vCMP guest once it has finished starting up.
3. Apply the hotfix image or engineering hotfix.

Fix:
Guest creation succeeds.


707447-2 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
SSL SNI mechanism creates a hash containing a mapping between SAN entries in a given profile's certificate and the profile. This hash is owned by the default SNI profile, however is held by the other profiles on the VIP without a reference. If a connection utilizes SNI to use a non-default SNI profile *and* the default SNI profile reinitializes its state for any reason, the prf->sni_certsn_hash can be cleared and freed, leaving the existing connection(s) with profiles that refer to the freed hash. If then the connection attempts a renegotiation that causes the hash to be used, the freed hash can cause a fault should it have been reused in the meantime (i.e. the contents are invalid).
       
The fix: When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from
non-default SNI profile, stop the search and return NULL.

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.


707445 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.

Fix:
Compression device reset recovery made more robust for some compression failures.


707391-4 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.

Fix:
BGP may no longer keeps announcing routes after disabling route health injection


707310-1 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.


707226-2 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations might CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; but in order to take advantage of this vulnerability, they must already possess the ability to run arbitrary code on the system. Good access controls and keeping your system up-to-date with regards to security fixes will mitigate this risk on non-VCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.


707207-2 : iRuleLx returning undefined value may cause TMM restart

Component: Local Traffic Manager

Symptoms:
When an iRulesLX rule returns an undefined value, TMM may restart. An example of an undefined value is one where
its jsonrpc v2.0 representation is missing required fields, such as "result".

Conditions:
iRulesLX is licensed, and a rule is run that returns an undefined value.

Impact:
Traffic is interrupted.

Workaround:
There is no workaround at this time.

Fix:
A TMM restart resulting from an iRulesLX rule returning an undefined value was fixed.


707147-2 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is enountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual


707003-2 : Unexpected syntax error in TMSH AVR

Component: TMOS

Symptoms:
The following tmsh command does not work: tmsh show analytics http report view-by virtual measures { transactions } drilldown

It fails with the following error message: 'Syntax Error: "drilldown" property requires at least one of (device device-list) to be specified before using.'

Conditions:
Whenever the affected tmsh command is run.

Impact:
The following tmsh command will not run: tmsh show analytics http report view-by virtual measures { transactions } drilldown

Workaround:
There is no workaround besides not running the affected command.

Fix:
The following command now works as expected: tmsh show analytics http report view-by virtual measures { transactions } drilldown


706845-1 : False positive illegal multipart violation

Component: Application Security Manager

Symptoms:
A false positive multipart violation.

Conditions:
Uploading a file with a filename value that is encoded in non utf-8 encoding.

Impact:
A false positive violation, request rejected.

Workaround:
Might be workaround using an irule

Fix:
Corrected ASM multipart parsing.


706642-3 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.

Fix:
wamd n longer leaks memory during configuration changes and cluster events.


706631 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.


706423-2 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)

Fix:
Now we ensure only one timer can be associated with a child-SA related to short-term progress toward maturity during negotiation, even if an error happens.

Now we also ensure a child-SA is safe during async crypto operations, even if they expire while currently in use.


706374-2 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.

Fix:
Stability problems in DNS lookups in APM Kerberos SSO (S4U) have been corrected.


706354-1 : OPT-0045 optic unable to link

Component: TMOS

Symptoms:
The OPT-0045 optical transceiver when inserted into a 40G port does not function. The following error appears in /var/log/ltm:
Invalid module for bundle configuration of interface <portNumber>.0.

Conditions:
OPT-0045 in a 40G port.

Impact:
Optic does not work; interface does not come up.

Workaround:
None.

Fix:
This release supports the OPT-0045 optical transceiver.


706305-2 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap or not announcing multiple overlapping aggregate addresses may allow to workaround this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled


706128-1 : DNSSEC Signed Zone Transfers Can Leak Memory

Component: Global Traffic Manager (DNS)

Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.

For example:

tmsh show sys memory raw | grep dnssec

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.

Impact:
TMM leaks memory related to the signed zone transfer.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer leaks DNSSEC zone transfer related memory.


706104-2 : Dynamically advertised route may flap

Component: TMOS

Symptoms:
ZebOS may repeatedly add and delete the routes from protocol daemons. This may cause the protocol daemons to delete and re-advertise the default route.

Conditions:
- Dynamic routing in use
- Kernel routes redistributed into a routing protocol
- Static route configure in TMOS
- Route advertisement enabled on the virtual-address that's the same as the static route

Impact:
Route flapping may cause instability in the network, including inability to reach the default network advertised by the BIG-IP.

Workaround:
Since the static route will be redistributed in the same way as the virtual-address, there is no need to enable route-advertisement on the VIP virtual-address. Disabling this will resolve the problem.

The problem will also be resolved by moving the route from tmsh into ZebOS.
 - In imish config mode, "ip route <route> <gateway>"
 - In tmsh, "delete net route <route>"

Fix:
Configuring a static route in TMOS and enabling route-advertisement on the same virtual-address no longer causes route flapping in ZebOS.


706102-3 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.

Fix:
An SMTP monitor handles all use cases that include a multi-line banner.


706086-1 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376


705794-1 : Under certain circumstances a stale HTTP/2 stream might cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP/2 stream is getting overlooked when cleaning up a HTTP/2 flow.

Conditions:
The only known condition is that the closing_stream is not empty. Exact entrance conditions are not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP/2 flows are now properly cleaned up to prevent a tmm crash.


705611-1 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.


705503-1 : Context leaked from iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
The memory usage increases, and stats are inaccurate.

Conditions:
Call RESOLV::lookup from an iRule.

Impact:
Memory leak that accumulates over time and inaccurate stats.

Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.

Fix:
Memory leak no longer occurs.


705476-4 : Appliance Mode does not follow design best practices

Solution Article: K28003839


705112-1 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent doesn't have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.

Fix:
A new logic to re-establish server flows is introduced to ensure a relay agent will have all DHCP servers connected.


705037-3 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.

Fix:
System no longer exhibits duplicate if_index statistics.


704804-2 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.

Fix:
NAS-IP-Address Attribute is now set correctly when the the BIG-IP system is configured to use RADIUS authentication.


704733-2 : NAS-IP-Address is sent with the bytes in reverse order

Component: TMOS

Symptoms:
The NAS-IP-Address has the address of the local device sent with the bytes in reverse order (e.g., 78.56.30.172, where 172.30.56.78 is expected).

Conditions:
-- This affects IPv4 addresses only.
-- BIG-IP system is configured for RADIUS authentication.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.

Fix:
This has been corrected.


704666-2 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.


704580-3 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Solution Article: K05018525


704524-2 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.

Fix:
Kerberos DNS SRV requests now support EDNS0 so that UDP responses greater than 512 bytes can be received correctly, eliminating delays caused by TCP retransmission.


704490 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003


704483 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003


704449-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.

Fix:
tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.


704381-3 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.

Fix:
SSL/TLS handhake failures and terminations are now logged at a higher level (WARNING).


704336-3 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix:
The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.


704282-3 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of dynamic policy has to be less than than 32 times the average packet size of the instance of policy.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.


704247-3 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.

Fix:
The BIG-IP system now installs an image if multiple copies of the same image are present and have been deleted


704184-3 : APM MAC Client create files with owner only read write permissions

Solution Article: K52171282


704143-2 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
websocket traffic with specific configuration

Impact:
Resident memory increases, swap getting used.

Workaround:
Make sure the web socket violations are not due to bad websocket URL configuration, that they are turned on in Learn/Alarm or block and that there is a local logger configured and attached.


704073-3 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.


703984-2 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.

Conditions:
MacOS APM client using Machine Certificate Check agent.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.

Fix:
The MacOS machine certificate check agent now matches on the whole host string rather than a sub string.


703940-3 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803


703914-1 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, disable request queueing on a pool associated with the VS.

Fix:
TMM correctly handles LB:reselect on virtual servers with pools using request queueing.


703869-1 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.


703835-4 : When using SCP into BIG-IP systems, you must specify the target filename

Solution Article: K82814400


703793-1 : tmm restarts when using ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
tmm cores and traffic flow will be interrupted while it restarts.

Workaround:
None.

Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.


703761-1 : Disable DSA keys for public-key and host-based authentication in Common Criteria mode

Component: TMOS

Symptoms:
On a BIG-IP system configured for Common Criteria (CC) mode, DSA keys can still be used for key-based authentication to the BIG-IP system.

Conditions:
-- Running a CC release with CC Mode enabled.
-- Attempt to SSH-connect to the BIG-IP system from another system with a DSA key.
-- That DSA key is present in the BIG-IP system's authorized_keys file.

Impact:
If the key is in the BIG-IP system's authorized_keys file, public-key authentication succeeds, when DSA authentication should be disabled in CC mode.

Workaround:
There is no workaround at this time.

Fix:
DSA SSH keys are now disabled for public-key and host-based authentication in Common Criteria mode, as expected.


703580 : TLS1.1 handshake failure on v12.1.3 vCMP guest with earlier BIG-IP version on vCMP host.

Component: Local Traffic Manager

Symptoms:
TLS1.1 handshake failure on guest. The following error appears in /var/log/ltm:
warning tmm[11611]: 01260009:4: Connection error: ssl_hs_cn_vfy_fin:2339: corrupt Finished (20)

Conditions:
-- Using the VIPRION 42xx/43xx and B21xx blades.
-- Running BIG-IP software earlier than v12.1.3 (for example v12.1.2-hf2) on the vCMP host system.
-- Deploying vCMP guest running v12.1.3.
-- Using TLS1.1.

Impact:
TLS1.1 handshake fails on the guest.

Workaround:
Use the same software version on the vCMP host and vCMP guests.

Fix:
TLS1.1 handshake no longer fails running v12.x/v13.x vCMP guest with earlier BIG-IP software version on vCMP host.


703515-5 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
Custom persistence key is not a multiple of 3 bytes

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.


703429-1 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
System now provides valid data to Citrix Receiver for Android client.


702946-2 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
There is a suggestion to enforce the signature before any traffic can influence this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added option to reset the staging period for all or specific signatures. In modal windows shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a checkbox: Reset Staging Period.


702873-3 : Windows Logon Integration feature may cause Windows logon screen freeze

Component: Access Policy Manager

Symptoms:
Windows Logon Integration feature might cause a Microsoft Windows logon screen freeze, making Windows OS unresponsive to any client end user actions.

Conditions:
-- Client user putting laptop into sleep mode and waking it up multiple times.
-- Possibly, only Windows 10 is affected.

Impact:
Logon screen may hang, not allowing client user to type in credentials.

Workaround:
Reinstall EdgeClient without the Windows Logon Integration Feature.

Fix:
Previously, the Windows Logon Integration feature sometimes caused the Windows Logon screen to freeze. Now, this issue has been fixed.

As a side effect of the fix, the Logon screen now shows duplicates of the pre-logon VPN Entries, which might be confusing for client users. One duplicate comes from the Microsoft Credentials Provider. For information on how to disable the default Microsoft Credentials Provider, see the Microsoft Windows article: How to disable additional credential providers :: https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers.


702738 : Tmm might crash activating new blob when changing firewall rules

Solution Article: K32181540

Component: Advanced Firewall Manager

Symptoms:
TMM crashes with core when changing firewall rules. TMM can enter a crash-loop, so it will crash again after restarting.

Conditions:
Updating, removing, or adding firewall rules.

Specific characteristics of change that can cause this issue are unknown; this issue occurs rarely.

Impact:
Data traffic processing stops.

Workaround:
There are two workaround options:
Option A
1. Delete all policies.
2. Create them again without allowing blob compilation.
3. Repeat steps 1 and 2 until all the policies have been created (enable on-demand-compilation).

Option B
Modify all the rules simultaneously.

For example, the following steps will resolve this issue:
1. Enable on-demand-compilation
2. Select an IP address that is not used in any rules, e.g., 1.1.1.1.
3. Add that IP address to all the rules/source in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses add { 1.1.1.1 } } } }

4. Delete the IP address (restore rules) in all of the policies. To do so, run the following command for each policy:
tmsh modify security firewall policy POLICY_NAME rules modify { all { source { addresses delete { 1.1.1.1 } } } }
5. Disable on-demand-compilation. Doing so starts new blob compilation.

Fix:
TMM no longer crashes when changing firewall rules.


702490-4 : Windows Credential Reuse feature may not work

Component: Access Policy Manager

Symptoms:
Windows Credential Reuse feature may not work requiring that the EdgeClient end user enter credentials in the EdgeClient login window as well as at the Microsoft Windows logon screen, instead of getting Single Sign-On (SSO).

The logterminal.txt file contains messages similar to the following:

<Date and time>, 1312,1320,, 48, \certinfo.cpp, 926, CCertInfo::IsSignerTrusted(), the file is signed by 3rd party certificate
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1004, CCertInfo::IsSignerTrusted(), EXCEPTION - CertFindCertificateInStore() failed, -2146885628 (0x80092004) Cannot find object or property.
<Date and time>, 1312,1320,, 1, \certinfo.cpp, 1009, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 256, IsTrustedClient, EXCEPTION - File signed by untrusted certificate
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 264, , EXCEPTION caught
<Date and time>, 1312,1320,, 1, \CredMgrSrvImpl.cpp, 360, GetCredentials, EXCEPTION - Access Denied - client not trusted

Conditions:
-- Using a specific combination of versions of F5 Credential Manager Service and EdgeClient on Windows systems.
-- The Reuse Credential option is enabled in the Connectivity Profile.

Impact:
The EdgeClient end user must retype credentials in EdgeClient login windows instead of having the login occur without requiring credentials, as SSO supports.

Workaround:
There is no workaround at this time.

Fix:
Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.


702487-1 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, Visual Policy Editor (VPE), import/export/copy/delete, etc., fail, and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.


702472-4 : Appliance Mode Security Hardening

Solution Article: K87659521


702469-4 : Appliance mode hardening in scp

Solution Article: K73522927


702450-4 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.

Fix:
Made the error message accurately reflect what the user was attempting to delete.


702278-3 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using APM Advance Customization UI, remove setOrigUriLink(); call in logon.inc from the next JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.


702151-2 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to larger than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK spec, and cause the connection to be dropped. The garbled header may be correctly formed, but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.


701900 : DHCP configured domain-name-servers unavailable after reboot when there are more than two domain-name servers in the lease.

Solution Article: K55938217

Component: TMOS

Symptoms:
DHCP-configured domain-name-servers (DNS) unavailable after reboot when there are more than two domain-name-servers in the lease.

Conditions:
- DHCP is enabled on the mgmt interface.
- DHCP server provides more than 2 domain-name-servers in its lease.

Impact:
Name resolution on mgmt interface fails due to misconfiguration in DNS information for mgmt interface.

Workaround:
No workaround at this time.

Fix:
This release corrects the handling of multiple DNS name-servers.


701856-2 : Memory leak in ASM-config Event Dispatcher upon continuous Policy Builder restart

Component: Application Security Manager

Symptoms:
In rare circumstance, when Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm), ASM-config Event Dispatcher memory usage grows uncontrollably.

Conditions:
In rare circumstances, Policy Builder restarts continuously (in response to a different issue in which there are many shmem segments allocated and used by tmm).

Impact:
ASM-config Event Dispatcher memory usage grows continuously until the device eventually fails over.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
ASM-config Event Dispatcher memory usage remains stable even upon multiple Policy Builder restarts.


701841-1 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz ,is saved unnecessarily during UCS file save, and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.


701785-3 : Linux kernel vulnerability: CVE-2017-18017

Solution Article: K18352029


701680-1 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Component: Service Provider

Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.

Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate-limited is applied.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
There is no workaround at this time.

Fix:
MBLB rate-limited virtual server now correctly sends packets to the server.


701678-1 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded

Component: Local Traffic Manager

Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.

Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
None.

Fix:
UDP rate-limited virtual server now correctly sends packets to the server.


701626-1 : GUI resets custom Certificate Key Chain in child client SSL profile

Solution Article: K16465222

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.


701609 : Static member of pool with FQDN members may revert to user-disabled after being re-enabled

Component: Local Traffic Manager

Symptoms:
Within an LTM pool containing both FQDN members and members configured with static IP addresses; a statically-configured member that had been disabled (session = user-disabled) and then re-enabled (session = user-enabled) may become disabled again after making other changes affecting the state of other FQDN members of the pool.

Conditions:
This may occur under the following conditions:
- An LTM pool containing a mix of FQDN and statically-configured members.
- A statically-configured pool member is disabled (session = user-disabled) and then re-enabled (session = user-enabled).
- Other changes occur which affect the availability of FQDN pool members.
For example, if a route to an FQDN pool member is deleted and recreated, a previously-disabled statically-configured member may revert to a disabled state.

Depending on circumstances, the issue may only occur once after BIG-IP, TMM, bigd, or a related daemon restarts.

Impact:
A pool member may be unexpectedly disabled after being re-enabled, and thus would not receive traffic.

Workaround:
It may be possible to work around this issue by disabling and re-enabling the statically-configured pool member again.

Fix:
Statically-configured pool members of a pool that also contains FQDN members remain enabled after being manually disabled then re-enabled. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


701538-1 : SSL handshake fails for OCSP, TLS false start, and SSL hardware acceleration configured

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the client initiates the handshake with TLS false start (specifically, client SSL sends the SSL record data to the server before the Server sends out the CSS is FINISHED notification).

Conditions:
1. Client initiates the SSL handshake with False Start.
2. The BIG-IP system has SSL hardware acceleration enabled (which is default for for non-virtual edition (VE) versions).

Impact:
The BIG-IP system sends the RST to tear down the connection in TLS false start.

Workaround:
There are no true workarounds. You must disable one of the conditions to workaround the issue:

-- Disable TLS False Start. (Note: this might not be feasible because it needs to be done on all clients.)
-- Disable SSL acceleration.
-- Disable AES-GCM ciphers in the client SSL profile. Without AES-GCM, clients do not try to use TLS false start and still be able to use (EC)DHE.

Fix:
The system no longer processes application data before verifying that the finished message arrives and handshake is complete.


701359-2 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310


701327-1 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exists.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.


701253-3 : TMM core when using MPTCP

Solution Article: K16248201


701249-2 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.


701202-1 : SSL memory corruption

Solution Article: K35023432

Component: Local Traffic Manager

Symptoms:
In some instances random memory can be corrupted causing TMM core.

Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.

Impact:
TMM crash, disrupting traffic.

Workaround:
There is no workaround at this time.

Fix:
The memory corruption issue has been fixed.


701039 : Requests do not appear in local logging due to rare file descriptor exhaustion

Component: Application Security Manager

Symptoms:
In an extremely rare circumstance, requests do not appear in local logging due to file descriptor exhaustion in asmlogd.

Conditions:
-- ASM configured.
-- ASM policy with an associated 'Log all requests' logging profile.
-- Requests sent to virtual server.
-- View Request Log.

Impact:
Requests do not appear in local logging.

Workaround:
Restart ASM, or pkill -f asmlogd.

Fix:
Requests appear in local logging correctly.


700889-2 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7 which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not using WS in this case, and used the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.


700862-2 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.


700827-2 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.

Fix:
This release introduces a new variable mhdag.pu.table.size.multiplier. Setting it to 2 or 3 mitigates the issue.


700812-2 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP using the asmrepro tool
while BIG-IP has a 4 element version like 13.1.0.1.

Impact:
Cannot deploy a 4 element version qkview on a BIG-IP using the asmrepro tool.

Workaround:
n/a

Fix:
asmrepro now handles the version number properly.


700783-3 : Machine certificate check does not check against all FQDN hostnames

Component: Access Policy Manager

Symptoms:
macOS machine can be on multiple networks simultaneously, so it might have multiple hostnames. Machine certificate check does not check against all FQDN hostnames. This causes failure in certain scenarios.

Conditions:
-- macOS configuration with multiple hostnames.
-- The 'match FQDN with subject alt name' option is specified for machine certificate check.

Impact:
Machine cert check might fail.

Workaround:
No workaround at this time.

Fix:
Previously, with a macOS system that had multiple hostnames, the machine certificate check could not check against all hostnames, causing failures in some scenarios. Now, the machine certificate check compares all hostnames on macOS devices.


700780-4 : F5 DNS Relay Proxy service now warns about and clears truncated flag in proxied DNS responses

Component: Access Policy Manager

Symptoms:
F5 DNS Relay Proxy service does not support DNS-over-TCP requests, so if, in some configuration, the client resolver decides to use TCP for DNS resolution, this packet is not re-routed/proxied by the DNS Relay Proxy service, and may be causing DNS to be resolved using an incorrect DNS server (where the system decides to send it).

Typically, if a client receives DNS response with the TC flag set, it retries using TCP. Clearing the TC flag makes client resolver not use TCP at all, preventing DNS packets leakage.

Conditions:
-- DNS server responds with TC flag set in DNS response packet.
-- Windows only is affected.

Impact:
DNS resolution may not work as designed, as the system might send a packet to an incorrect DNS server.

Workaround:
None.

Fix:
Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.


700757-2 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

Fix:
Prevented vcmpd from crashing when exiting.


700726-1 : Search engine list was updated, and fixing case of multiple entries

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.


700696-2 : SSID does not cache fragmented Client Certificates correctly via iRule

Component: Local Traffic Manager

Symptoms:
The last few bytes of a very large-sized Client Certificate (typically greater than 16,384 bytes) are not cached correctly if the certificate is received fragmented by the SSL Session ID (SSID) parser.

Conditions:
-- Client Authentication is enabled.
-- A very large Client Certificate is supplied (typically greater than 16,384 bytes).
-- SSL Session ID Persistence is enabled.
-- The iRule CLIENTSSL_CLIENTCERT is enabled.

Impact:
The client certificate is not stored on the BIG-IP device correctly. The last few bytes are missing.

Workaround:
Disable the CLIENTSSL_CLIENTCERT iRule when SSL Session ID (SSID) persistence is in use. Even though the Client Certificate does not get cached, that is preferable to caching an incorrect client certificate.

Fix:
This release supports caching of fragmented client certificates in the SSL Session ID (SSID) persistence feature to properly cache very large-size client certificates (typically exceeding 16,384 bytes).


700571-2 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.


700564-2 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

Component: Application Security Manager

Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.

Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug',
enable 'device discovery' on Chrome on the desktop, and view the console from there.

Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.

Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.

The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.

Workaround:
Disable Device ID in ASM policy.

Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.


700556-2 : TMM may crash when processing WebSockets data

Solution Article: K11718033


700527-1 : cmp-hash change can cause repeated iRule DNS-lookup hang

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
-- iRule is in the middle of a call to RESOLV::lookup.
-- A change is made to VLAN cmp-hash configuration.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic while TMM restarts.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.


700433-2 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
BIG-IP LTM policies may cause an mcpd process memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- Latency when configuring the BIG-IP system.
-- Error messages logged in /var/log/ltm similar to the following example:
01140029:4: HA daemon_heartbeat mcpd fails action is restart.
-- The mcpd process may generate a core file in the /var/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your configuration includes one or more virtual servers with an associated BIG-IP LTM policy.
-- The BIG-IP LTM policy has at least one rule.
Note: Rules with actions or conditions can leak increased amounts of memory.

-- You delete and add BIG-IP LTM policies that are associated with the virtual server.
Note: This modification causes the memory leak to increase over time.

Impact:
The mcpd process might run slower as memory is consumed, and can fail when all system memory is exhausted. Devices in a high availability (HA) configuration may experience a failover event.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.


700393-2 : Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash

Solution Article: K53464344

Component: Local Traffic Manager

Symptoms:
Tmm might crash due to a stale/stalled HTTP/2 stream.

Conditions:
HTTP/2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.


700386-1 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.

Fix:
mcpd no longer generates a core on startup.


700330 : AJAX blocking page isn't shown when a webpage uses jQuery framework.

Component: Application Security Manager

Symptoms:
Request is blocked by an ASM policy, but the ASM end user does not see the blocking page with a unique support id for the blocked request.

Conditions:
1. ASM policy Asynchronous JavaScript and XML (AJAX) blocking page enabled.
2. ASM policy is working in blocking mode.
3. ASM policy attached to a virtual server.
4. AJAX request has been sent and blocked.

Impact:
ASM end user has no visual indication that there has been a blocked AJAX request.

Workaround:
None.

Fix:
The system now handles Ajax requests being sent via the JQuery framework.


700315-3 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process, by running a command similar to the following: kill -9 'pidof tshark'

Fix:
Ctrl+C now terminates TShark as expected.


700143-1 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time), only works once. Subsequent delete by filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No work around for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.


700061-3 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: Local Traffic Manager

Symptoms:
Restarting service MCPD or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
Key files Unix permission changes from '-rw-r-----' to
'-rw-r--r--'

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix read permission changes from '-rw-r-----' to
'-rw-r--r--'

Workaround:
There is no workaround at this time.

Fix:
Fix made sure restart of service MCPD and reboot of device does not change key files Unix read permissions from '-rw-r-----' to
'-rw-r--r--'


700057-3 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: Local Traffic Manager

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.


699720-3 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.


699598-4 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.

Fix:
Large HTTP/2 requests are now processed as expected.


699531-3 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.

Fix:
The system now provides the correct number of attributes, preventing a NULL pointer dereference.


699455-3 : SAML export does not follow best practices

Solution Article: K50254952


699454-3 : Web UI does not follow current best coding practices

Component: Advanced Firewall Manager

Symptoms:
The web UI does not follow current best coding practices while processing URL DB updates.

Conditions:
Authenticated web UI user.

Impact:
UI does not respond as intended.

Workaround:
None.

Fix:
The web UI now follows current best coding practices while processing URL DB updates.


699452-3 : Web UI does not follow current best coding practices

Solution Article: K29280193


699431 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Conditions:
MRF may leak a session db record when a memory allocation failure occurs when adding a connection to an internal table. In this the table entry will not be cleaned up when the connection closes.

Impact:
The table entry will be remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.


699346-2 : NetHSM capacity reduces when handling errors

Solution Article: K53931245


699339-1 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
 monitor dir /shared/GeoIP {...)
 monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.


699281 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
Recently F5 incorporated 4th element into versioning scheme. 4th and 5th are separated by dash (instead of dot) in ISO name. This change/bug insures that names of hypervisor bundles also use dash between 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example ova files for vmware).

Impact:
Version format in names of hypervisor bundles matches version format of ISO file

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
Version format in names of hypervisor bundles matches version format of ISO file (usage of dash between 4th and 5th elements).


699267-1 : LDAP Query may fail to resolve nested groups

Component: Access Policy Manager

Symptoms:
LDAP Query agent may fail to resolve nested groups for a user.
/var/log/apm logfile contains the following error messages when 'debug' log level is enabled for Access Profile:
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while getting group membership down with error (No such object.).
err apmd[17159]: 014902bb:3: /Common/ldap_access:Common:254fdc14 Failed to process the LDAP search result while querying LDAP with error (No such object.).

Conditions:
LDAP Query agent is configured in an Access Policy.
'Fetch groups to which the user or group belong' option is enabled

Impact:
LDAP Query agent fails.
unable to get user identity.
unable to finalize Access Policy.

Fix:
after fix, LDAP Query resolves all nested groups as expected and session.ldap.last.attr.memberOf attributes contains user's groups


699262-2 : FQDN pool member status remains in 'checking' state after full config sync

Component: Local Traffic Manager

Symptoms:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) shows FQDN pool members stuck in the 'checking' state.

Conditions:
This occurs after a full config sync is forced between peers using FQDN pool members:

tmsh modify cm device-group <dg_name> devices modify { <local_member> { set-sync-leader } }

Impact:
Affected pools show an Availability state of 'unknown', although pool members are available and can pass traffic.

Workaround:
Restart bigd on the affected peer after the config sync.

Fix:
After performing a full config-sync (with overwrite config option checked) the sync target (peer) no longer shows FQDN pool members stuck in the 'checking' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


699147 : Hourly billed cloud images are now pre-licensed

Component: TMOS

Symptoms:
Hourly billed images in cloud environments require outbound internet access to the F5 public license server in order to retrieve a license. This causes some sites with strict network access policies to fail to license.

Conditions:
Using hourly billing.

Impact:
Hourly instances do not receive licenses and thus could not pass traffic without outbound internet access.

Workaround:
Enable outbound internet access when the guest instance is created to allow it to license, then revoke it.

Fix:
Hourly billed cloud images are now pre-licensed and so do not require internet access to receive a license.


699135-2 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create a iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Don't use host command for non type A/AAAA wideips.


698947-1 : BIG-IP may incorrectly drop packets from a GRE tunnel with auto-lasthop disabled.

Component: TMOS

Symptoms:
The BIG-IP system may incorrectly drop packets from a GRE point-to-point tunnel with auto-lasthop disabled.

Conditions:
The auto-lasthop of a GRE point-to-point tunnel is disabled.

Impact:
The decapsulated packets may be dropped in the BIG-IP system.

Fix:
The BIG-IP system correctly processes decapsulated packets from a GRE point-to-point tunnel.


698919-1 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.


698916-3 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connnection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.


698813-3 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121


698806-2 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Component: Advanced Firewall Manager

Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.

Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.

Impact:
Egress Interfaces will not be checked even if they are configured.

Workaround:
Use tmsh to check if the object is actually configured with Egress Interfaces

Fix:
Egress Interfaces will be selected whenever a user tries to create a source Translation object with Egress Interfaces.


698757-1 : Standby system saves config and changes status after sync from peer

Solution Article: K58143082

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.

Conditions:
-- Manual sync device-group configuration.
-- Modify existing policy encoding to uppercase (via tmsh).
-- ASM configuration.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
Use either of the following workarounds:
-- Push the sync back from the Standby device to the Active device, and then again from the Active to Standby.

-- Put the device group into auto-sync state and push the config from the Active to the Standby. After the Sync state resolves and the ASM configuration is finished loading, the device group can be put back to Manual sync.

Fix:
Change requested encoding to lowercase.


698379-3 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Solution Article: K61238215

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.

Fix:
Uploads for the HTTP2 virtual server do not fail intermittently anymore.


698376-4 : Non-admin users have limited bash commands and can only write to certain directories

Component: TMOS

Symptoms:
TMSH access to Linux utilities does not follow best security practices.

Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.

Impact:
TMSH does not follow best security practices

Workaround:
None.

Fix:
TMSH access to Linux utilities now follows best security practices.

Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.


698338-2 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.


698080-1 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183


698000-1 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupts traffic to connections using a pool member to reach the nexthop.


697878 : High crypto request completion time under some workload patterns

Component: TMOS

Symptoms:
The tmctl tmm/crypto table shows heavily loaded bulk crypto queues backed up into associated waiting queue. The crypto requests continue to complete, but are significantly delayed.

Conditions:
High crypto usage often in conjunction with high compression usage.

Impact:
Crypto requests can be delayed as long as 1.5 seconds.

Workaround:
Disable hardware crypto by setting the "crypto.hwacceleration" DB key to "disable":
    tmsh modify sys db crypto.hwacceleration value disable

Fix:
Improve accelerated crypto poll-timing calculation.


697718-3 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, PEM HSL reporting buffer size is limited by 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
We increase PEM HSL reporting buffer size to 4K, which should be enough for uses cases we currently know.


697616 : Report Device error: crypto codec qat-crypto0-0 queue is stuck on vCMP guests

Component: TMOS

Symptoms:
Failure in SSL traffic in vCMP configurations. The system logs the following device error:
-- crit tmm[17083]: 01010025:2: Device error: crypto codec qat-crypto0-0 queue is stuck.
-- warning sod[7759]: 01140029:4: HA crypto_failsafe_t qat-crypto0-0 fails action is failover.

Conditions:
-- vCMP guests when performing crypto operations.
-- i5600, i5800, i7600, i7800, i10600, i10800, i12600, i12800, i15600, i15800 platforms.

Impact:
The 'crypto queue stuck' message is reported, and failover will be triggered.

Workaround:
None.

Fix:
The 'crypto queue stuck' issue on vCMP platforms no longer occurs.


697424 : iControl-REST crashes on /example for firewall address-lists

Component: TMOS

Symptoms:
Making a call to /example on firewall address-list crashes iControl-REST.

Conditions:
Making a call to /example on firewall address-list.

Impact:
The icrd_child process crashes.

Workaround:
There is no workaround other than not calling /example on firewall address-lists.


697303-3 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.


697259-1 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Different versioned vCMP guests on the same chassis no longer crash.


696808-3 : Disabling a single pool member removes all GTM persistence records

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.


696789-2 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, and the irule is resumed because of timeout.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by iRule resumed by timeout.


696732 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, Traffic disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly


696468 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal or higher than 512, and the cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
Soften the restriction so that accumulated contexts with no traffic cannot not prevent busy contexts from getting compression time.


696383-2 : PEM Diameter incomplete flow crashes when sweeped

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM diameter flow is now created in such a way to prevent any crash by the sweeper.


696294-3 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with flow filter when Application reporting action is enabled

Conditions:
If Application reporting is enabled along with flow filter

Impact:
TMM restart causing service interruption

Fix:
Initialize the application start buffer so as to prevent the TMM core


696265-3 : BD crash

Solution Article: K60985582

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.


696113-1 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow as long as the count of crypto operation pending is nonzero.


696049-3 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.


695968-3 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.


695925-3 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection


695901-2 : TMM may crash when processing ProxySSL data

Solution Article: K46940010


695878-5 : Signature enforcement issue on specific requests

Component: Application Security Manager

Symptoms:
Request payload does not get enforced by attack signatures on a certain policy configuration with specific traffic.

Conditions:
-- The violation 'Request exceeds max buffer size' is turned off.

-- The request is longer than the max buffer size (i.e., a request is larger than the internal long_request_buffer_size).

Impact:
Attack signatures are not enforced on the payload of this request at all.

Workaround:
Turn on the violation in blocking 'Request exceed max buffer size'.

Fix:
The operation now looks into part of the payload for the attack signatures enforcement.


695117 : bigd cores and sends corrupted MCP messages with many FQDN nodes

Solution Article: K30081842

Component: Local Traffic Manager

Symptoms:
When configured to monitor large numbers of nodes and/or pool members including FQDN nodes and/or pool members, the following symptoms may occur:
- bigd may core (aborted by sod due to missed heartbeat).
- bigd may produce corrupted MCP messages.
- FQDN nodes and/or pool members may remain in a Checking state indefinitely.

Conditions:
These symptoms may occur on affected versions of BIG-IP when a large number of nodes and/or pool members including FQDN nodes and/or pool members are configured. Depending on the capabilities of the platform in use, approximately one thousand (1,000) or more total nodes and/or pool members may be required to produce these symptoms.

FQDN nodes and/or pool members generate a more significant workload for the bigd daemon than nodes and/or pool members with statically-configured IP addresses. This additional load contributes to high CPU usage and the other observed symptoms.

Impact:
This issue produces the following impacts:
- bigd may core.
- nodes and/or pool members may remain in a Checking state indefinitely.
- bigd may produce corrupted MCP messages, which generate error messages in the LTM log of the following form:

... err mcpd[####]: 01070712:3: Caught configuration exception (0), Can't parse MCP message, ...

Examination of the corrupted MCP message shows objects at the point of corruption that have no hierarchical relationship with the objects referenced at the beginning of the message.

Workaround:
To work around this issue, use the following approaches singly or in combination:
1. Reduce the number of nodes and/or pool members configured for a given BIG-IP system.
2. Configure nodes and/or pool members with statically-configured IP addresses.

Fix:
bigd no longer produces corrupted MCP messages, resulting in nodes and/or pool members remaining in a 'checking' state, with up to 2,000 nodes and/or pool members including FQDN nodes and/or pool members configured. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


694922-4 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state


694778-2 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources now can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.


694740-1 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.


694717-3 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.


694697-3 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.

Fix:
The log level of clusterd logs heartbeat check messages has changed. For 'Skipping heartbeat check' messages, the log level is now debug, and 'Checking heartbeat of peer slot' messages log level is verbose and now reports on which bp the heartbeat was received.


694696-3 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.


694656-3 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

Fix:
TMM now properly manages routing information for active connections.


694319-3 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues as not all CCA messages cannot be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
Add a statistics counter to track CCA's that do not request type AVPs.
Name of new counter:cca_unknown_type


694318-3 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending resulting in a potential increase in memry consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.


694274-2 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223


694073-1 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

Fix:
Signature updates are now shown correctly for all versions.


693996-3 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


693910-2 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

Fix:
FDB entries are now flushed by interface whenever an interface transitions to a STP block state.


693884-3 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.


693838 : Adaptive monitor feature does not mark pool member down when hard limit set on UDP monitors

Component: Local Traffic Manager

Symptoms:
Member of pool is not marked down when response time exceeds hard limit.

Conditions:
Adaptive monitoring enabled for UDP monitor and server response time exceeds hard limit.

Impact:
Member remains in pool despite exceeding hard limit which may result in degraded services.

Workaround:
None.


693744-3 : CVE-2018-5531: vCMP vulnerability

Solution Article: K64721111


693739-3 : VPN cannot be established on macOS High Sierra 10.13.1 if full tunneling configuration is enabled

Component: Access Policy Manager

Symptoms:
For some Network Access configurations, VPN cannot establish a connection with client systems running macOS High Sierra 10.13.1 using F5 Edge client or Browser helper apps.

Conditions:
The following conditions must be true:
-- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel.
-- The Network Access resource Allow Local Subnet setting is disabled.
(Both of these options are defaults.)
-- Client running macOS High Sierra 10.13.1.

Impact:
The Edge Client unsuccessfully tries to connect, resulting in a loop. The client cannot establish VPN.

Workaround:
1. Navigate to the Network Access resource.
2. Set the Network Access resource Allow Local Subnet checkbox to Enabled.
3. Save the setting, and apply the Access Policy.

Fix:
Edge Client operation does not go into a reconnect loop and is able to establish and maintain connection successfully on macOS High Sierra 10.13.1.


693582-3 : Monitor node log not rotated for certain monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member, and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp
- external

Impact:
Depending on the affected BIG-IP version in use, effects may include the following symptoms:

1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).

2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).

3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).

-- If symptom #1 occurs, Monitor Logging can be re-enabled after log rotation has occurred.

-- To address symptoms #2 or #3, Monitor Logging can be re-enabled immediately.

For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors :: https://support.f5.com/csp/article/K12531.

Fix:
Monitor node logs are now rotated/compressed as expected.


693388-1 : Log additional HSB registers when device becomes unresponsive

Component: TMOS

Symptoms:
HSB becomes unresponsive, and logs no registers to indicate the state of the device. There is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.

Fix:
There is now logging of additional registers to assist in diagnosing the failure.

The registers can be seen in the TMM log files when there is either an HSB transmitter or receive failure.


693312-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


693308-3 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both, client and server side
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.

Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, subsequent messages contain a 5-byte header, each, which should be accounted for. Upon taking this into consideration, no more multiple-of-5 bytes are found missing while the message is being parsed by the Session Persistence parser, and the parser no longer hangs.


693211-3 : CVE-2017-6168

Solution Article: K21905460


693106-2 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation seems mostly easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer, nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidently use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.

Fix:
At the momenet a new IKE-SA is established, we now move that SA to the head of the hashmap bucket searched for that remote peer in the future. This makes us more likely to use the newest SA from the perspective of a remote peer, the next time we initiate another phase two negotiation ourselves.


693007-3 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.


692970-3 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.


692941-3 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and/or tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.


692307-1 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process you request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables


692239-1 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds

Solution Article: K31554905

Component: TMOS

Symptoms:
When using the AOM menu, LCD touchscreen, or the operating system 'halt' command to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.

Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.

-- With an older version of CPLD code installed (e.g., CPLD 0x45), power-off the host using the AOM menu, the LCD touchscreen, or the operating system's 'halt' command.

   + Bring up the AOM menu using ESC shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
   + On the LCD touchscreen, navigate to [System] menu and select [Power Off] to power off the host CPU complex.
   + Run the 'halt' command on the BIG-IP host subsystem.

-- Wait a few seconds, and power on the host.

   + On the AOM menu, select 'p' and '1' to power on the host CPU complex.
   + On the LCD touchscreen, navigate to [System] menu and select [Power On] to power on the host CPU complex.
   + There is no equivalent shell method to turn the power back on after running the 'halt' command.

Impact:
This results in ongoing 'Host Power Cycle Event' messages to post in the SEL log (tail /var/log/sel) every two seconds.

The SEL log will continue to grow and wrap as this message continues to post to the SEL log every two seconds.

This results in a very large number of SEL entry fetches by the host CPU to the AOM and can place a substantial load on the AOM interface.

Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).

Another workaround is to fully power cycle the appliance.
However, every time the AOM menu is used to power off then on the host, the SEL log entries re-appear.

Fix:
This issue is fixed in newer versions of the i5600, i5800, i7600, i7800, i10600, i10800 platforms CPLD (e.g., CPLD 0x54 or CPLD 0x55).


692189-3 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

Fix:
errdefsd now generates a core file when forced to core.


692179-3 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.


692165-2 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.


692158-2 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device leaks memory.

Conditions:
Use of iCall or CLI scripts to save the configuration.

Impact:
Repeated invocation might cause the system to run out of memory eventually, causing tmm to restart and disrupting traffic.

Workaround:
There is no workaround other than not saving the configuration from iCall or CLI scripts.

Fix:
scriptd process on the device no longer leaks memory when iCall and CLI scripts are used to save the configuration.


692123-2 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

Fix:
The GET method is not grayed out if MobileSafe is not licensed.


692095-3 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.


691945-2 : Security Policy Configuration Changes When Disabling Learning

Component: Application Security Manager

Symptoms:
When Learning is enabled in either manual or automatic mode, and is then disabled. This was considered to be the end of the learning process, and so changes are automatically made to the default wildcard entities ("*" URL, Parameter, Filetype) such as removing the element from staging.

The user is not notified of these changes, and they may not be expected, leading to undesired security enforcement.

Conditions:
-- Learning is enabled in Manual or Automatic mode.
-- Learning is then disabled.

Impact:
Unexpected changes to the default wildcard elements in the policy can lead to undesired security enforcement.

Workaround:
The audit log shows all changes that were made to the policy, and undesired changes can be remedied before the policy changes are applied.

Fix:
No changes are made to the default wildcard entities upon disabling of learning.


691897-1 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie is empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen only if there are also non-modified or staged cookies.

Impact:
Expected violation details are not displayed.

Workaround:
There is no workaround at this time.

Fix:
Issue with modified domain cookie violation details is now fixed.


691806-3 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.


691670-3 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fix a bug in the signatures engine that causes a false positive reporting of a signature. In some rare cases, this false reporting may cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.


691589 : When using LDAP client auth, tamd may become stuck

Component: TMOS

Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.

Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.

Impact:
Authentication to the virtual server fails until tamd is restarted.

Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd

Fix:
tamd no longer becomes stuck when using LDAP client auth.


691504-3 : PEM content insertion in a compressed response may cause a crash.

Solution Article: K54562183


691498-1 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.


691477-1 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching device from active to standby (also when blade is changed from master no non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.


691287-3 : tmm crashes on iRule with GTM pool command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').

For example:

when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

or:

when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}

Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Pass the 'pool' argument through 'string trim'. For instance:

when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}

Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.


691224-1 : Fragmented SSL Client Hello message do not get properly reassembled when SSL Persistence is enabled

Solution Article: K59327001

Component: Local Traffic Manager

Symptoms:
Node Server rejects received-and-incomplete ClientHello message and connection terminates.

Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.

Impact:
With Session Persistence enabled
-- The parser fails to reassemble fragmented ClientHello messages prior to passing it on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.

Workaround:
The issue disappears when SSL Persistence is disabled.


691017-1 : Preventing ng_export hangs

Component: Access Policy Manager

Symptoms:
Sometimes ng_export is stuck while reading tmsh thru the pipe because of buffer issues. Export is trying to read more data from tmsh while data is lost in the middle of the read operation.

Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is a very small random number (less than 50).

Note: K is a very small random number, which makes this issue difficult to describe.

Impact:
The export operation hangs.

Workaround:
There is no workaround at this time.

Fix:
APM access policy export now uses non-blocking socket and loops to wait for data or terminate gracefully.


690819-3 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.


690793-2 : TMM may crash and dump core due to improper connflow tracking

Solution Article: K25263287

Component: TMOS

Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.

Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.

While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.

Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.

Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.

However, this does not eliminate entirely the chances of running into this issue.

Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.


690215-1 : Missing requests in request log

Component: Application Security Manager

Symptoms:
Requests are missing from request log

Conditions:
Either of:
- pabnagd restart
- asm restart
- failover

Impact:
- Requests are not logged for up to an hour (affected by the amount of policies)

Workaround:
No workaround.

Fix:
All requests are now logged always.


690166-3 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.


690042-3 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.


689826-2 : Proxy/PAC file generated during VPN tunnel is not updated for Windows 10 (unicode languages like: Japanese/Korean/Chinese)

Solution Article: K95422068

Component: Access Policy Manager

Symptoms:
On a Microsoft Windows 10 system configured for a Unicode language (Japanese, Korean, or Chinese, for example) the client proxy autoconfig file is not assigned in the Microsoft Internet Explorer browser after the VPN connection is established.

Conditions:
- Client proxy settings provided in Network Access settings, or client is configured with proxy prior to establishing VPN tunnel.
- Windows 10 configured for a unicode-language (Japanese/Korean/Chinese/etc.).
- VPN tunnel is established using either a browser or the Edge Client.

Impact:
Proxy settings are not applied on client side after VPN is established.

Workaround:
There are two possible workarounds:
Workaround A
============
-- Change the language to English from Control panel :: Region :: Administrative :: Language for non-Unicode programs :: Change System locale.
 
Workaround B
============
-- Add a variable assign agent in the access policy, after the logon item and before the resource is assigned. To do so, follow this procedure:

 1. Set the custom variable name to the following value:
    config.connectivity_resource_network_access./Common/<network_access_resource_name>.client.ConnectionTrayIcon
    Note: <network access resource name> is the name of the network access resource.

 2. Set the value to be of the type 'custom expression' and populate it with the following value (including the quotation marks):
    return "</ConnectionTrayIcon><connection_name_txt>F5VPN</connection_name_txt><ConnectionTrayIcon>"
    Note: The <connection_name_txt> tag contains the name of the adapter that the client will create.

 3. After making these two changes, apply the access policy. The next time the VPN is established, a new virtual adapter entry will be created with the name provided in <connection_name_txt> tag.

Fix:
Previously, on a Windows 10 system configured for a Unicode language (for example, Japanese, Korean, or Chinese) the client proxy autoconfig file was not assigned with Internet Explorer after the VPN connection was established. This issue has been fixed.


689730-2 : Software installations from v13.1.0 might fail

Component: TMOS

Symptoms:
Installation terminates with the following final log messages:

info: updating shared filesystem directories...
progress: 10/100
error: mkdir /mnt/tm_install/3543.JENFeQ/core failed - File exists
Terminal error: Failed to install.

Conditions:
-- BIG-IP Virtual Editions, or the following appliances:
   + i2600
   + i2800
   + i4600
   + i4800
   + i5600
   + i5800
   + i5820
   + i7600
   + i7800
   + i7820
   + i10600
   + i10800
   + i11600
   + i11800

-- Running BIG-IP software v13.1.0 or earlier.
-- Installing BIG-IP software with --instslot option.

Impact:
Installation of new software cannot proceed.

Workaround:
Remove the '/shared/core' symlink, the restart the installation.

Fix:
The installer now properly detects the symlink and proceeds without error.


689577-1 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.


689449-3 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with a configured fallback host in HTTP profile, when a connection is aborted by a client or due to an internal error. It prevents the internal flow to stay in memory after the connection has died.


689437-2 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

Fix:
icrd_child parsing logic update is needed to not enter recursion.


689211-2 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Component: TMOS

Symptoms:
If you accidentally change an ike-peer version to { v1 v2 } for both IKEv1 and IKEv2 support then IKEv1 does not work when version is changed to { v1 }. Note: This is not a recommended action.

Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.

Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.

Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.

Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
 bigstart restart

Fix:
Added check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zero when forwarded.


689089-3 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

Fix:
The configuration file update logic has been changed to prevent file corruption during update.


689080 : Erroneous syncookie validation in HSB causes the BIG-IP system to choose the wrong MSS value

Component: Local Traffic Manager

Symptoms:
When a software encoding algorithm is being used by tmm to generate syn cookies in a SYN/ACK packet, there is a chance that HSB might mistakenly identify the ACK response to the SYN/ACK as valid syncookie response and stamp a SYNCOOKIE_VALID flag on the packet. In that case, software processes try to extract the MSS (maximum segment size) value encoded in the syncookie, which would be a wrong value. This may cause connection to fail in subsequent transactions, or cause performance degradation.

Conditions:
When software syncookie protection mode is activated and a software encoding algorithm is being used.

Impact:
Connections either fail, or the smaller, incorrect MSS value causes performance degradation.

Workaround:
None.

Fix:
If a software syncookie encoding algorithm is being used, tmm now ignores the SYNCOOKIE_VALID flag stamped by HSB, so the correct MSS value is calculated.


689002-1 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.

Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.


688942-3 : ICAP: Chunk parser performs poorly with very large chunk

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).

Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.


688629-3 : Deleting data-group in use by iRule does not trigger validation error

Solution Article: K52334096

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.

Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.


688625-2 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432


688553-1 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.


688516-2 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


688148-1 : IKEv1 racoon daemon SEGV during phase-two SA list iteration

Component: TMOS

Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.

Conditions:
Deleting phase-two SAs, either manually or in response to notifications.

Impact:
IKEv1 tunnel outage until the racoon daemon restarts.

Workaround:
None.

Fix:
Fixed list iteration to use the correct list linkage, so iterating one phase-one SAs list does not instead visit the global list of phase-two SAs.


688011-5 : Dig utility does not apply best practices

Solution Article: K02043709


688009-5 : Appliance Mode TMSH hardening

Solution Article: K46121888


687905 : OneConnect profile causes CMP redirected connections on the HA standby

Solution Article: K72040312

Component: TMOS

Symptoms:
When virtual server uses OneConnect profile in HA setup, it can cause Clustered Multiprocessing (CMP) redirected connections and memory leak on high availability (HA) standby systems, including high memory usage on standby units.

Conditions:
-- Virtual server uses OneConnect profile in HA configuration.
-- Mirroring is enabled.
-- BIG-IP platform supports CMP.

Impact:
Redirected connections and memory leak on a standby device.

Workaround:
Remove OneConnect profile from the virtual server.


687759-2 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


687658-2 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.


687603-1 : tmsh query for dns records may cause tmm to crash

Solution Article: K36243347

Component: Local Traffic Manager

Symptoms:
tmm experiences segmentation fault.

Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

Impact:
Core file / system outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm experiences segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.


687534-3 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains .. in the name.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }

Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.


687353-3 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0


687205-3 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.


687193-1 : TMM may leak memory when processing SSL Forward Proxy traffic

Solution Article: K45325728


687128-3 : gtm::host iRule validation for ipv4 and ipv6 addresses

Component: Global Traffic Manager (DNS)

Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.

Conditions:
An AAAA-type wideip with a ipv4 gtm::host iRule, or A-type wideip with an ipv6 gtm::host iRUle.

Impact:
Incorrect host information was being returned.

Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.

Fix:
FIxed issue allowing incorrect gtm::host iRule commands to trigger on incorrect wideip types.


687098 : IPv6 RADIUS servers not supported for remote authentication

Component: TMOS

Symptoms:
Authenticating against an IPv6 RADIUS server is not supported, only an IPv4 server.

Conditions:
This applies to remote authentication to log on to the BIG-IP system for management purposes.

Impact:
Logon operation will time out, as if the server did not respond.

Workaround:
Use an IPv4 server. If you have an IPv6 management IP, then you will need to have the IPv4 server reachable over a dataplane VLAN.

Fix:
Support for IPv6 RADIUS servers has been added.


686972-1 : The change of APM log settings will reset the SSL session cache.

Component: Local Traffic Manager

Symptoms:
If you change the configuration of APM log settings, it might cause the SSL session cache to be reset. Also, subsequent resumption of SSL sessions may fail after such change causing a situation where full ssl handshakes may occur more frequently.

Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.

Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.

Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.

Fix:
The change of APM log settings now limits its effect on APM module instead of affecting other (SSL) module's data.


686926-3 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because a second response appears to have an out-of-order message ID when BIG-IP believe the first message_id of zero was already handled earlier.

Workaround:
None.

Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.


686765-1 : Database cleaning failure may allow MySQL space to fill the disk entirely

Component: Application Security Manager

Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.

In /var/log/ts/asm_config_server.log you might see these errors repeatedly:

Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full

Conditions:
This occurs if database cleaning failures occur.

Impact:
Disk will fill up, and you will be unable to modify ASM policies.


686685-1 : LTM Policy internal compilation error

Component: Local Traffic Manager

Symptoms:
To enable maximum performance, LTM Policies undergo a compilation process, where they are transformed to a compact binary representation. An issue was discovered where the transformation is being done incorrectly under certain circumstances.

Conditions:
While not common, certain LTM Policy combinations will be transformed to binary representation where certain internal parameters are incorrect.

Impact:
The tmm process may experience an unexpected restart, or a policy action may not run as expected.

Workaround:
None.

Fix:
LTM Policies are correctly transformed to their high-performance, compact binary representations.


686631-1 : Deselect a compression provider at the end of a job and reselect a provider for a new job

Component: Local Traffic Manager

Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.

Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.

Impact:
It affects the compression provider selection.

Workaround:
None.

Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.


686395 : With DTLS version1, when client hello uses version1.2, handshake shall proceed

Component: Local Traffic Manager

Symptoms:
With DTLS version1, when client hello uses version1.2, handshake fails with error of :unsupported version".

Conditions:
DTLS version1 handshake:
Handshake version 1.0 . (0xfeff)
Client hello version 1.2(0xfefd)

Impact:
DTLS functionalities.

Workaround:
N/A

Fix:
In this case, we shall still proceed to perform handshake instead of bailing out with "unsupported version" error.


686389-3 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.


686376-1 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon

Component: Advanced Firewall Manager

Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show error status: Firewall rules deployment failed. After the system gets in this state it cannot be fixed except by removing or disabling all scheduled firewall rules.

Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.

Impact:
After this failure, firewall rules are not applied on data traffic.

Workaround:
Remove or disable all scheduled firewall rules.

Fix:
New blob deployed and new firewall rules applied successfully.


686307-1 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Solution Article: K10665315

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

Fix:
This release addresses the underlying problem so the issue no longer occurs.


686305-2 : TMM may crash while processing SSL forward proxy traffic

Solution Article: K64552448


686282-1 : APMD intermittently crash when processing access policies

Component: Access Policy Manager

Symptoms:
APMD process may crash intermittently (rare) when processing access policies.

Conditions:
This rarely encountered issue occurs when any one of the following conditions exist:

-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.

Impact:
APM end users cannot pass access policy, cannot login.

Workaround:
None.

Fix:
APMD no longer intermittently crashes when processing access policies.


686228-3 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.


686124-3 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Solution Article: K83576240

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.

Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.


686065-1 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.


686029-1 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.

Fix:
Correct FDB flushing on VLAN deletes, by limiting the scope to be VLAN specific.


685955 : TMM hud_message_ctx leak

Component: Local Traffic Manager

Symptoms:
There is a TMM memory issue caused by leaked hud_message_ctx objects, each holding a websockets_frame.

Conditions:
Running WebSocket traffic that needs to be processed by a plugin like ASM.

Impact:
Increasing TMM memory usage leading to eventual service outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory leak in TMM has been fixed.


685743-3 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.


685741 : DoS Overview is very slow to load data, to the point of timeout

Component: Application Visibility and Reporting

Symptoms:
When logs contains more than 1 million records, loading of attacks data is extremely slow and requires many SQL queries.

Conditions:
N/A

Impact:
DoS Overview page is unusable

Workaround:
N/A

Fix:
The fix revolved around combining all the required data into a couple of queries instead of sending distinct queries for every attack.


685708-3 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.


685693 : APM AppTunnels memory leak

Component: Wan Optimization Manager

Symptoms:
Using APM AppTunnels causes a slow memory leak.

Conditions:
Use of APM AppTunnels.

Impact:
The slow memory leak exhaust tmm memory over time. Traffic disrupted when tmm restarts.

Workaround:
None.

Fix:
The memory leak has been corrected.


685615-5 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

Fix:
source-mac-address for host traffic is correctly set.


685519-3 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

Fix:
Mirrored connections now honor the TCP handshake timeout.


685475-3 : Unexpected error when applying hotfix

Solution Article: K93145012

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIG-IP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIG-IP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIG-IP-11.6.1.0.0.317.iso'.

Here is another example: on multi-bladed VIPRION systems, where it is resolved by running 12.1.3.6.

1) Install and boot into 12.0.0 on the VIPRION system:
-- install /sys software image 12.0.0.iso create-volume volume HD1.test
-- reboot volume HD1.test
2) Install and boot into 12.1.2.0.402.249:
-- install /sys software hotfix Hotfix-BIG-IP-12.1.2.0.402.249-ENG.iso create-volume volume HD1.test2
-- reboot volume HD1.test2
3) Delete 12.0.0.iso and volume HD1.test:
-- delete sys software image 12.0.0.iso
-- delete sys software volume HD1.test
4) Copy over Hotfix-BIG-IP-13.1.0.7.0.17.1-ENG.iso without the 13.1.0.7 base image.
5) Check the /var/log/ltm logs for the following message:
-- lind[6288]: 013c0006:5: Image (BIG-IP-12.0.0.0.0.606.iso) has a software image entry in MCP database but does not exist on the filesystem.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation operation again.

Fix:
Issuing a 'install hotfix' command when the base image is not available sends the system into a 'wait' state. The process status is 'waiting for base image', which should make clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.


685467-2 : Certain header manipulations in HTTP profile may result in losing connection.

Solution Article: K12933087

Component: Local Traffic Manager

Symptoms:
HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarding to a pool member. When a virtual server has iRule with a collect command like SSL::collect, it is affected by the HTTP profile processing. Same issue has an option 'Request Header Erase' available in HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

Fix:
An issue of a resetting connections due to configuration options 'Insert X-Forwarded-For' and 'Request Header Erase' in HTTP profile no longer happens.


685458-5 : merged fails merging a table when a table row has incomplete keys defined.

Solution Article: K44738140

Component: TMOS

Symptoms:
There is as timing issue in merged where it will fail processing a table row with incomplete keys defined.

Conditions:
There are no specific conditions required, only that merged is running, which is true on every BIG-IP system, when the BIG-IP system is processing a table row with incomplete keys defined.

Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.

Impact:
There will be a few second gap in available statistics during the time when a core is being created and merged restarts.

Workaround:
None.

Fix:
merged now detect this scenario, a table row with incomplete keys defined, and does not fail.


685344-2 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of{...}', specify static pool members, do not use FQDN to configure pool members.

Fix:
A pool with FQDN configured nodes/members and specified with a monitor of 'min 1 of {...}' remains available as long as a single pool member remains up.
This issue is resolved by the FQDNv2 feature re-implementation.


685254-1 : RAM Cache Exceeding Watchdog Timeout in Header Field Search

Solution Article: K14013100

Component: Local Traffic Manager

Symptoms:
SOD halts TMM while RAM cache is processing a header.

Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.

Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.

Workaround:
No workaround at this time.

Fix:
SOD no longer halts TMM while RAM cache is processing a header.


685230-1 : memory leak on a specific server scenario

Component: Application Security Manager

Symptoms:
The bd process memory increases.

Conditions:
A specific server scenario of handling the traffic.

Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.

Workaround:
There is no workaround at this time.

Fix:
A memory leaked related to a specific server scenario was fixed.


685207-2 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Login to the client IP address and send the ab request.
2. Once the DoS attack starts, sends the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.


685164-3 : In partitions with default route domain != 0 request log is not showing requests

Component: Application Security Manager

Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).


685110-3 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.

Fix:
Non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.


685020-1 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.

Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.

A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|


684937-6 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Solution Article: K26451305

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over period of time.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of caches Kerberos tickets, the latency of HTTP request processing has been significantly improved.


684879-2 : TMM may crash while processing TLS traffic

Solution Article: K02714910


684414-1 : Retrieving too many groups is causing out of memory errors in TMUI and VPE

Component: Access Policy Manager

Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502 and VPE fails with HTTP 500

Conditions:
LDAP/AD server with over 20,000 groups.

Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.

Workaround:
The only solution is to remove /shared/tmp/gmcache folder and use manual groupmapping.

Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.


684391-1 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.

Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.


684333-3 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
 tmm big start restart.


684325-3 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.


684319-2 : iRule execution logging

Component: Local Traffic Manager

Symptoms:
iRule execution can block tmm from getting CPU cycles.

Conditions:
when executing iRule TCL with e.g. a tight while loop, tmm will miss to sent its heartbeat. This change adds additional logging around this.

Impact:
Logging shows now iRule perpetrator.

Workaround:
No workaround.

Fix:
tmm will now log the following message should the configurable execution limit exceed:

 notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
 notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks


684312-2 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Solution Article: K54140729

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.


684033-1 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351


683697-3 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.

Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.


683683-1 : ASN1::encode returns wrong binary data

Component: Local Traffic Manager

Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.

Conditions:
The problem happens in an implicit UTF encoding/decoding, and it is not obvious what data triggers the error.

This is because it implicitly converts the Tcl object type from byte array to string and later back to byte array, but because of the UTF de-coding algorithm, certain bytes get changed.

Impact:
The returned binary is wrong.

Workaround:
Use binary scan for the value that is incorrectly encoded by the command.

Fix:
ASN1::encode ENCODE mode now works so that it avoids the implicit type-conversion byte array to string back to byte array, which gets the original byte array changed during UTF-8 decoding.


683631-1 : TMM crashes during stress test

Component: Local Traffic Manager

Symptoms:
During stress/load testing, with a large number of connections which triggers flow sweeping, TMM restarts.

Conditions:
A large number of connections are seen, which triggers an expansion of the connflow hash table at the same time the connflow sweeper is active.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Connflow removal from the internal hash table is deferred until the entire bucket is processed.


683508-3 : WebSockets: umu memory leak of binary frames when remote logger is configured

Solution Article: K00152663

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after WebSocket message is sent to the logging destination.


683389-1 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.


683241-3 : Improve CSRF token handling

Solution Article: K70517410

Component: Application Security Manager

Symptoms:
Under certain conditions, CSRF token handling does not follow current best practices.

Conditions:
CSRF is configured.

Impact:
CSRF token handling does not follow current best practices.

Workaround:
None.

Fix:
CSRF token handling now follows current best practices.


683114-1 : Need support for 4th element version in Update Check

Component: TMOS

Symptoms:
Previously, there was no 4th element version Update Check functionality.

Conditions:
Using Update Check.

Impact:
No 4th element version support provided.

Workaround:
None.

Fix:
There is now 4th element version support in Update Check.


683113-6 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response can rate drop to the point that the clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20 KB) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


682837 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.


682682-3 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.


682612 : Event Correlation is disabled on vCMP even though all the prerequisites are met.

Component: Application Security Manager

Symptoms:
The GUI screen Security :: Event Logs : Application : Event Correlation reports the message: Event Correlation is not supported on this platform.

Conditions:
Multi-bladed vCMP guest, running on a BIG-IP system with SSD drives, having only one available slot (other slots appear offline/unavailable).

Impact:
Under these conditions, Event Correlation is disabled.

Workaround:
The following workaround does not survive ASM restart.
Thus, it has to be executed after every restart of ASM:
------------------------
# perl -MF5::ASMReady -MF5::Cfg -e 'while (! F5::ASMReady::is_asm_ready()) { print "Waiting for ASM to be ready.\n"; sleep 5; }; print "ASM is ready, patching Event Correlation cfg file\n"; F5::Cfg::cfg_set_config_item(qw{/etc/ts/correlation/correlation.cfg}, qw{General}, qw{Idle}, 0)'

# pkill -f correlation
------------------------

Event Correlation should start with in ~15 seconds, after the execution of this workaround:
------------------------
# ps -elf | grep correlation

0 S root ... /usr/share/ts/bin/correlation
------------------------

Fix:
Event Correlation is now enabled on a multi-bladed SSD vCMP guest with only one active slot.


682500-1 : VDI Profile and Storefront Portal Access resource do not work together

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.


682335-3 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed, if there is an existing connflow, don't start another connection.


682213-3 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatiblity, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.


682105 : Adding widget in Analytics Overview can cause measures list to empty out on Page change

Component: Application Visibility and Reporting

Symptoms:
When adding a new widget on Analytics Overview page with multiple modules (e.g., vCMP, Security), it is possible to reach a state in which the list of available measures is empty.

Conditions:
-- All 'available measurements' is selected (moved left).
-- A page should be changed.

Impact:
In some cases (like in vCMP when changing from Network to SynCookies), the list of available measurements will remain empty. Unable to select measures to display in new widget.

Workaround:
To reset the list of measures so that all measures are visible again, switch to another page and return to the previous one right away.


682104-1 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked each time might eventually cause out of memory to the TMM.

Workaround:
None.

Fix:
This fix will stop the memory leakage.


681850-1 : APMD process may fail to initialize on start either after upgrade or after adding certain configurations

Component: Access Policy Manager

Symptoms:
APMD process may fail at initialization time with errors similar to the following:

-- createAgent - initInstance() failed for agent xxx_saml_auth_ag type (46)
-- Exiting due to failure in loading access policy objects

Conditions:
-- BIG-IP system is configured as SAML SP.
-- Certificate used by configured SAML Agent was imported onto BIG-IP system in DER format.

Impact:
APMD service may become unresponsive, dropping all traffic protected by APM access policies.

Workaround:
Convert DER encoded certificate used by SAML SP agent into PEM format.

Fix:
DER certificate no longer cause APMD process errors at initialization time.


681757-1 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.

Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.


681710-4 : Malformed HTTP/2 requests may cause TMM to crash

Solution Article: K10930474


681415-1 : Copying of profile with advanced customization or images might fail

Component: Access Policy Manager

Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code' or similar

Conditions:
Access Profile has advanced customization group or customization image assigned to any of object connected to profile.

Impact:
Unable to copy policy.

Workaround:
None.

Fix:
Copying of profile with advanced customization or images now succeeds as expected.


681175-1 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.


681109-2 : BD crash in a specific scenario

Solution Article: K46212485

Component: Application Security Manager

Symptoms:
BD crash occurs.

Conditions:
A specific, non-default configuration with specific traffic.

The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.

For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
  Content-Type :: *xml* :: form-data

This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.

Impact:
Failover, traffic disturbance.

Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.

A correctly configured header-based-content-profile property on URLs appears as follows:

In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
 Content-Type :: *form* :: Form Data
 Content-Type :: *json* :: JSON
 Content-Type :: *xml* :: XML

Fix:
Added a check to prevent a crash in a specific scenario.


680856-3 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.

Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.


680850-1 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.

Solution Article: K48342409

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.

Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug

Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.

Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.

Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.

This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.

With this fix, setting log.zxfrd.level debug no longer outputs this information.

Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext.

Note: Setting this value to true will cause the information to be dumped to stderr, which reveals the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.


680838-3 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM will no longer restart due to assertion failure.


680755-1 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.


680729-3 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log can be seen only when DHCP debug logs are set to enabled.
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>


680388-2 : f5optics should not show function name in non-debug log messages

Component: TMOS

Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.

Conditions:
-- BIG-IP is running.
-- Logging thresholds is set to a value other than debug.

Impact:
Log files contain unexpected data.

Workaround:
There is no workaround at this time.

Fix:
With the fix, f5optics is not displaying function names in non-debug logging messages.


680264 : HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags

Component: Local Traffic Manager

Symptoms:
Intermittently, HTTP2 experiences protocol resets.

Conditions:
-- xfrag is 2 bytes in length.
-- The header length is greater than 128.
-- xfrag starts.

For example, the following returns the incorrect header length:
 (0xFF BYTE1) next byte, http2_arbint_read.

Impact:
Unexpected loss of HTTP2 frames due to protocol resets.

Workaround:
No effective workaround.

Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.


680112-1 : SWG-Explicit rejects large POST bodies during policy evaluation

Solution Article: K18131781

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.

==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
Modify the db variable 'tmm.access.maxrequestbodysize' with a value larger than the maximum post body size you would like to support. The maximum supported value is 25000000 (25 MB).


680069-3 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config

Solution Article: K81834254

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

Fix:
zxfrd no longer cores during transfer while network failure and DNS server removed from DNS zone config.


679959-1 : Unable to ping self IP of VCMP guest configured on i5000, i7000, or i10000

Component: TMOS

Symptoms:
Unable to the ping self IP of VCMP guests configured on i5000, i7000, or i10000.

Conditions:
Running TMOS v12.1.3 and VCMP guests configured on i5000, i7000 or i10000.

Impact:
Unable to process client traffic.

Workaround:
No workaround at this time.

Fix:
This issue is fixed.


679603-2 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.


679496-1 : Add 'comp_req' to the output of 'tmctl compress'

Component: Local Traffic Manager

Symptoms:
The output of 'tmctl compress' displays the total numbers of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.

Conditions:
Viewing the output of the 'tmctl compress' command.

Impact:
Cannot determine the different types of requests.

Workaround:
There is no workaround at this time.

Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests, as follows: there is an indicator, 'comp_req', for compression requests. The number of decompression request is tot_req - comp_req.


679494-2 : Change the default compression strategy to speed

Component: Local Traffic Manager

Symptoms:
The current default compression.strategy is 'latency', which does not perform properly, i.e., the provider selection algorithm does not react to load change fast enough.

Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.

Impact:
The work load may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.

Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.

Fix:
The default compression strategy is now set to 'speed'.


679480-1 : User able to create node when an ephemeral with the same IP already exists

Component: TMOS

Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.

Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.

Impact:
This should be prevented, but is allowed.

Workaround:
Avoid creating such a node.

Fix:
Validation now prevents this from happening.


679440-2 : MCPD Cores with SIGABRT

Solution Article: K14120433

Component: Advanced Firewall Manager

Symptoms:
MCPD cores with SIGABRT.

Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.

Impact:
MCPD core.

Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable

Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.


679384-1 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.


679347-3 : ECP does not work for PFS in IKEv2 child SAs

Solution Article: K44117473

Component: TMOS

Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for (perfect forward security).

Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.

Fix:
Full support for ECP as PFS has now been added, so a new child-SA negotiated in a IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.


679235-5 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Previously, the Inspection Host NPAPI Plugin for Safari on macOS High Sierra could not be successfully installed. This plugin can now be successfully installed.


679221-1 : APMD may generate core file or appears locked up after APM configuration changed

Component: Access Policy Manager

Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.

Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.

Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.

Workaround:
None.

Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.


679149-2 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.


679135-3 : IKEv1 and IKEv2 cannot share common local address in tunnels

Component: TMOS

Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.

Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.

Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.

Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.

Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.


679114-2 : Persistence record expires early if an error is returned for a BYE command

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for a any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the timeout is not set to transaction timeout on failure.


678976-2 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.


678925-4 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.

Fix:
The TMM no longer crashes.


678872-2 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.

Fix:
This implements the initialization-order-independent set of rules of whether particular IP address should have ARP/ICMP enabled for multiple maching vaddrs. The lookup is performed from the most fine netmask to the most coarse netmask. If for particular netmask there is no maching vaddr then more coarse netmask is lookedup. Otherwise if any machnig vaddr for particular netmask have ARP/ICMP enabled then IP address will have ARP/ICMP enabled. If none of matching vaddrs for particular netmask have ARP/ICMP enabled the then IP address will have ARP/ICMP disabled.

The rule above have one exception, due to the performance optimizations. If the vaddr have both ARP and ICMP disabled then the vaddr is considered deleted.


678861-3 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.


678851-1 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing call of getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

Attempt to call incorrectly patched method causes following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets with calls of java.applet.AppletStub interface methods are no longer causing java.lang.VerifyError exception during execution.


678833 : IPv6 prefix SPDAG causes packet drop

Component: TMOS

Symptoms:
If IPv6 prefix SPDAG is turned on, on systems running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3, it can cause packet drops.

Conditions:
Turn on IPv6 prefix DAG.
-- Assign a value other than 128 to sys db tmm.pem.session.ipv6.prefix.len.
-- Running v12.1.2 HF1, v12.1.2 HF2, or 12.1.3.

Impact:
Packet drops.

Workaround:
Turn off IPv6 prefix SPDAG.


678822-3 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Component: Policy Enforcement Manager

Symptoms:
If the PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable since there is no route or simply because there is no license configured for those apps. The Provision pending for sessions will get incremented and never rollback to zero even after the subscribers are cleaned up.

Conditions:
If the route to PCRF/OCS is missing or not reachable.

Impact:
Non-Zero stats for provision pending sessions

Workaround:
Disable the Gx/Gy profile if not required or configure the route.

Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.


678820-2 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.


678801-2 : WS::enabled returned empty string

Component: Local Traffic Manager

Symptoms:
WS::enabled command returned empty string instead of 0 or 1 for status.

Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.

Impact:
Unable to determine the status of WebSocket processing using iRule commands.

Workaround:
There is no workaround at this time.

Fix:
Invoke appropriate method via WebSocket Tcl code.


678722-2 : In SSL-O, TMM may core when SSL forward proxy cleanup certificate resources

Component: Local Traffic Manager

Symptoms:
in SSL-O, due to race condition, TMM may core when SSL forward proxy tries to free up memory usage by releasing certificate resources.

Conditions:
This only happens in SSL-O with SSL forward proxy configured.

Impact:
TMM may restart due to using the wrong free function. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores under these conditions.


678715-1 : Large volume of query result update to SessionDB fails and locks down ApmD

Component: Access Policy Manager

Symptoms:
While writing large query results from AD server to sessionDB using memcache API, write operation fails with partial write.

Conditions:
Large volumes of AD query (with Required 'All Attributes') results from AD server while writing to SessionDB.

Impact:
Operation fails with partial write. All worker threads performing authentication eventually gets locks down. Session watchdog thread eventually make a forced abort to recover from the situation. Apmd restarts in this situation.

Workaround:
Make query for specific attributes not the option 'All Attributes'.

Fix:
Partial write failure has been fixed, by writing remaining parts of the query results in several iterations, till the entire result is written.


678714-3 : After HA failover, subscriber data has stale session ID information

Component: Policy Enforcement Manager

Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session id information

Conditions:
-- HA failover.
-- PEM subscriber.

Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.

Workaround:
None.

Fix:
Subscriber local data is now populated with new, generated session ID information.


678488-3 : BGP default-originate not announced to peers if several are peering over different VLANs

Solution Article: K59332320

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the the BGP configuration:
 network 0.0.0.0/0

Fix:
All peered neighbors now get the default route.


678462-2 : after chassis failover: asmlogd CPU 100% on secondary

Component: Application Security Manager

Symptoms:
After a failover in a chassis:

 - asmlogd CPU 0% on primary slot (which was secondary before the failover).

 - asmlogd CPU 100% on secondary (which was primary before the failover).

Without traffic running through the chassis.

Conditions:
-- ASM provisioned.
-- Chassis with at least two active slots.
-- Chassis failover after some traffic was passed through the chassis.

Impact:
asmlogd CPU shows 100% on secondary (which was primary before the failover), and vice versa.

Workaround:
There is no workaround at this time.

Fix:
The asmlogd process now better handles chassis failovers during which the chassis slots change roles (primary/secondary), so this issue no longer occurs.


678416-2 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.

Component: Local Traffic Manager

Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.

Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.

Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.

Workaround:
None.

Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.


678388-3 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd

Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.


678380-3 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Solution Article: K26023811

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.

Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.


678293-1 : Uncleaned policy history files cause /var disk exhaustion

Solution Article: K25066531

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes might explain what caused the history files to be copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { next unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verity the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.


678254-2 : Error logged when restarting Tomcat

Component: TMOS

Symptoms:
An error is logged after restarting Tomcat and using the web UI.

Conditions:
Using the web UI to restart tomcat.

Impact:
An error is logged after restarting Tomcat and using the web UI.

Workaround:
There is no workaround.

Fix:
When restarting Tomcat and using the web UI, and error will be logged only if the debug flag is enabled.


678228-1 : Repeated Errors in ASM Sync

Solution Article: K27568142

Component: Application Security Manager

Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.

Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group

Impact:
Any future attempts at building a sync file will continue to fail.

Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.

Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.


677962-3 : Invalid use of SETTINGS_MAX_FRAME_SIZE

Component: Local Traffic Manager

Symptoms:
When BIG-IP negotiates settings over HTTP/2 connection, it adopts a value of peer's SETTINGS_MAX_FRAME_SIZE parameter as its own.

Conditions:
A virtual is configured with HTTP/2 profile.

Impact:
BIG-IP may accept a DATA frame with size above 16,384 bytes violating RFC.

Workaround:
There is no workaround at this time.

Fix:
BIG-IP no longer accepts DATA frames with sizes exceeding a default value of 16,384 bytes.


677958-2 : WS::frame prepend and WS::frame append do not insert string in the right place.

Component: Local Traffic Manager

Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.

Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profile are configured on the virtual.
-- Client/server send and receive WebSocket frames.

Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.

Workaround:
None.

Fix:
Separate buffers were now used for append and prepend, instead of reusing the same buffer.


677937-1 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.


677928-2 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.

Component: TMOS

Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.

Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.

Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.

Fix:
The source MAC address of the outgoing IPsec encapsulated packets from the BIG-IP system is set correctly.


677525-3 : Translucent VLAN group may use unexpected source MAC address

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN group no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.


677473-1 : MCPD core is generated on multiple add/remove of Mgmt-Rules

Component: Advanced Firewall Manager

Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.

Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).

Impact:
The BIG-IP system might become unusable for few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.


677457 : HTTP/2 Gateway appends semicolon when a request has one or more cookies

Solution Article: K13036194

Component: Local Traffic Manager

Symptoms:
With an HTTP/2 profile, a virtual server on a BIG-IP system receives requests and handles cookies converting those into a cookie-string. The BIG-IP system concatenates the cookie pairs with semicolon (%3B) and a space (%20) in the cookie-string. This delimiters pair also is appended to the last cookie pair.

Conditions:
HTTP/2 profile is configured on a virtual server and a request contains one or more cookies.

Impact:
The request forwarded to a backend server contains an extra semicolon at the end of cookie-string.

Workaround:
Use an iRule to remove an extra delimiter if it negatively impacts backend server performance.

For example:

when HTTP_REQUEST {
if {[HTTP::header value "Cookie"] contains ";"}
{
set new_header [string range [HTTP::header "Cookie"] 0 end-2]
log local0.notice "$new_header"
HTTP::header replace "Cookie" $new_header
}
}

Fix:
Virtual server with HTTP/2 profile no longer appends extra delimiter to a cookie-string when it forwards the request to HTTP/1.x backend server.


677400-3 : pimd daemon may exit on failover

Solution Article: K82502883

Component: Local Traffic Manager

Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.

Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.

Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.

Workaround:
No workaround required.

Fix:
The pimd daemon no longer exits when an HA failover occurs.


677193-2 : ASM BD Daemon Crash.

Solution Article: K38243073


677119 : HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

Component: Local Traffic Manager

Symptoms:
When HTTP2 connection's parameters are negotiated, either side may report about its limits in SETTINGS type frame where one of the parameters SETTINGS_MAX_HEADER_LIST_SIZE determines a maximum size of headers list it is willing to accept. The BIG-IP system incorrectly interchanged this parameter with another one called SETTINGS_HEADER_TABLE_SIZE, limiting value of the former one to 32,768.

Conditions:
HTTP2 is configured and an opposite endpoint (user agent using HTTP2 protocol) tries to set SETTINGS_MAX_HEADER_LIST_SIZE to a value above 32,768.

Impact:
The BIG-IP system does not accept the value, and terminates the connection using GOAWAY frame with PROTOCOL_ERROR as a reason.

Workaround:
None.

Fix:
The BIG-IP system no longer generates an error due to this issue, and allows value for SETTINGS_MAX_HEADER_LIST_SIZE to exceed 32,768.


677088-4 : BIG-IP tmsh vulnerability CVE-2018-15321

Solution Article: K01067037


677058-3 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Solution Article: K31757417

Component: Access Policy Manager

Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.

Conditions:
This occurs when following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs plain text password when debug logging is turned on for access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.


676982-2 : Active connection count increases over time, long after connections expire

Solution Article: K21958352

Component: Local Traffic Manager

Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.

Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile
  functionality.

Impact:
- Service may be impacted after a period.
- TMM instances may restart.

Workaround:
None.

Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.


676914-1 : The SSL Session Cache can grow indefinitely if the traffic group is changed.

Component: Local Traffic Manager

Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.

Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries. --
 After entries are made into the session cache, the traffic group is then changed.

Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
Disable the session cache.

As an alternative, after changing the traffic group, restart TMM.

Fix:
Changing the traffic group no longer causes the session cache to grow.


676897-1 : IPsec keeps failing to reconnect

Solution Article: K25082113

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
This release corrects this issue.


676828-2 : Host IPv6 traffic is generated even when ipv6.enabled is false

Solution Article: K09012436

Component: Local Traffic Manager

Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.

Conditions:
sys db ipv6.enabled is false.

Impact:
Extraneous IPv6 traffic from the the BIG-IP system.

Workaround:
None.

Fix:
IPv6 traffic now properly observes the ipv6.enabled sys db variable.


676808-2 : FPS: tmm may crash on response with large payload from server

Component: Fraud Protection Services

Symptoms:
A request to a unprotected FPS URL may cause tmm crash if response payload is large and the URL was configured via live update.

Conditions:
1. Page is not protected.
2. Large response payload (e.g.,50 KB).
3. FPS registered for response event (this will happen if a global URL (configured via live update) was matched).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
FPS will check for fast response situation and will act accordingly.


676721-2 : Missing check for NULL condition causes tmm crash.

Solution Article: K33325265

Component: Local Traffic Manager

Symptoms:
Missing check for NULL condition causes tmm crash.

Conditions:
This issue occurs when all of the following conditions are met:

1) The BIG-IP system receives a new connection request and attempts to select a pool member.
2) All pool members are unresponsive. This may be due to one of the following reasons:
  a) The pool members have reached their configured connection limit.
  b) There is no route to the pool members.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM correctly checks for NULL condition to prevent the crash.


676705-2 : do not run agetty on VE without serial port

Component: TMOS

Symptoms:
The init process spawns the /sbin/agetty over and over, filling the log file daemon.log

Conditions:
VE without serial port

Impact:
high disk usage.

Workaround:
Change "respawn" to "off" in /etc/init/serial-ttySX.conf

Fix:
Serial ports are now correctly detected.


676690-3 : Windows Edge Client sometimes crashes when user signs out from Windows

Component: Access Policy Manager

Symptoms:
In rare cases Windows Edge Client may crash when user signs out from Windows

Conditions:
User signs out from Windows or restarts Windows while EdgeClient is running and VPN is established

Impact:
No functional impact, user see a message box with error block sign out process. When the user closes the message box, sign out process continues.

Fix:
Previously, in some instances, the Edge Client on Windows would crash when the user signed out of Windows. This has been fixed.


676471-1 : Insufficient space for core files on i11x00-series platforms

Component: Local Traffic Manager

Symptoms:
The default location for core files is '/var/core'. On i11000 Series platforms, there is insufficient space in this directory for core files. When a process generates a core file, or when a core file is created manually, the system truncates the core file's content.

Conditions:
-- A process encounters a condition that leads to a core file being generated, or a core file is produced manually.

-- Using one of the following platforms:
  + i11400-DS
  + i11600 / i11800
  + i11600-DS / i11800-DS

Impact:
Core file content is truncated. Further analysis of the problem that created the core cannot proceed.

Workaround:
Change the location where the kernel places core files. For example, you might use '/appdata' as the destination.

Change /proc/sys/kernel/core_pattern to define the pathname used to generate the core file.

For more information about core files, refer to the core man page, available by running the following command in tmsh: man core

Fix:
More space has been made available in '/var/core'. Core files are no longer truncated.


676457-3 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636


676416-2 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.

Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.


676355-2 : DTLS retransmission does not comply with RFC in certain resumed SSL session

Component: Local Traffic Manager

Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.

Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Workaround:
None.

Fix:
The FINISHED messages are saved before transmitting the Cavium encrypted FINISHED message, and starting the DTLS re-transmit timer. When the re-transmit timer expires, the CCS plus FINISHED messages will be retransmitted.


676223-2 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A

Fix:
Parameter to not to sign allowed cookies added.


676203-1 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.

Fix:
Inter-blade mpi connection now continues as expected, without memory issues.


676092-1 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
The system now correctly handles these conditions so the issue no longer occurs.


676028-2 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances

Solution Article: K09689143

Component: Local Traffic Manager

Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.

Conditions:
The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.

Impact:
TMM will core after running out of memory, which impacts availability.

Workaround:
None.

Fix:
Resolved by preventing duplicate forward proxy lookup.


675928-2 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

Component: Policy Enforcement Manager

Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently, if the requests from those flows are outstanding

Conditions:
If the http request from the subscriber is outstanding when the new flow is triggered

Impact:
PEM insert content pem_acton will be enabled on multiple flows till the first response is received

Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.


675921 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status of 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.


675866-1 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Kerberos SSO (S4U) tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.


675775-2 : TMM crashes inside dynamic ACL building session db callback

Component: Access Policy Manager

Symptoms:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time may cause TMM restart in dynamic ACL building session db callback.

Conditions:
Race condition between PPP tunnel close and Session expired happening on different TMM almost at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Guard against NULL pointer dereference for dynamic ACL build.


675718-1 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
Corrected an environmental problem with the racoon daemon.


675539-1 : Inter-system communications targeted at a Management IP address might not work in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.

Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.

This occurs because the big3d daemon acts as a proxy, listening on the Management IP address and will send proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).

This is not an issue if either of the following is true:

-- If the source of the connection is coming from the Management IP,
the connection is clear text. (Not SSL encrypted and thus does not use SNI)

-- The destination of the connection is a Self IP address, because TMM (via an iRule) will
handle the connection.

Impact:
Device sync operations do not work.

Workaround:
Do not use the Management IP address for between-device communications.

Fix:
The big3d proxy properly handles SSL SNI connections on the Management IP address.


675399-3 : Network Access does not work when empty variables are assigned for WINS and DNS

Solution Article: K14304639

Component: Access Policy Manager

Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.

Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.

Impact:
The system does not parse the XML tags correctly. Users may not be able establish VPN tunnel.

Workaround:
Do not leave the DNS or WINS values empty in the Variable assign Agent.

Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.


675232-3 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.


675212-3 : The BIG-IP system incorrectly allows clients through as part of SSL Client Certificate Authentication

Component: Local Traffic Manager

Symptoms:
Under specific conditions, the BIG-IP system allows clients through (that otherwise should be rejected) as part of SSL Client Certificate Authentication.

Conditions:
This issue occurs when the Trusted Certificate Authority specified in the Client-SSL profile is expired.

Note: The client's certificate must be valid and trusted for the SSL handshake to continue.

This issue purely deals with how the BIG-IP system treats the validity period of the signing Certificate Authority.

Impact:
F5 has reviewed this issue and has not classified it as a Vulnerability. However, F5 recognizes this issue may have a Security Exposure depending on how the BIG-IP system is utilized.

Please observe that the issue here is not validation of the expiration time in the client's certificate. The issue here is handling of the expiration field in the certificate the BIG-IP system explicitly trusts, the so-called 'trust anchor'. In most cases, the trust anchor is a self-signed certificate.

It is important to understand that the expiration field in trust anchors has no clear meaning, and even utilities such as OpenSSL historically treated this field in different ways.

After completing its review, F5 has decided the correct and best behavior for the BIG-IP system is to reject the SSL handshake when the Trusted Certificate Authority has expired.

The impact of this issue will vary greatly based on your deployment and type of business. In most cases, continuing to allow clients through past the validity of the Certificate Authority may be the behavior you expect or one that carries no negative consequences.

However, if you obtained the Certificate Authority from a third party and expected the client certificates signed by that authority to stop working when its validity period expires, this will not happen because of this issue.

Workaround:
F5 recommends that you renew (or obtain renewed copies of) Certificate Authorities that are about to expire and that you want the BIG-IP system to continue trusting.

F5 recommends that you remove from the BIG-IP system Certificate Authorities that are about to expire and that you do not plan to renew or continue trusting.

This will ensure the BIG-IP system behaves optimally on versions affected by this issue.

Fix:
The BIG-IP system now correctly handles the validity period of Trusted Certificate Authorities used for SSL Client Certificate Authentication.


674931 : FPS modified responses/injections might result in a corrupted response

Component: Fraud Protection Services

Symptoms:
in case a connection was congested and FPS tries to send additional egress (modifying the response, e.g. injections) the order of the response sending might break if this send is successful (i.e congestion just ended). instead of sending the buffered data first (response part that was buffered due to congestion), FPS tries to send the new data first and only than will send the buffered data.

Conditions:
- congested connection
- FPS sends modified response (e.g. injections)
- sending egress succeeded (congestion ended)

Impact:
response is corrupted - order of data has erroneously changed

Workaround:
N/A

Fix:
FPS will handle this case correctly, first sending buffered data then sending the new egress.


674909-3 : Application CSS injection might not work as expected when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS may be truncated upon response to client.

Conditions:
-- Inject into Application CSS enabled in Anti-Fraud Profile :: Advanced :: Phishing Detection.

-- Large CSS file such as bootstrap files configured for Application CSS Locations.

-- Network congestion engaging TMM flow control.

Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. Application functionality might not work as expected.

Workaround:
You can use either of the following workarounds:

-- Remove affected large files from Application CSS Locations.

-- Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injecting to application CSS is interrupted by congestion.


674747-2 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted,
however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.


674686-2 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

Component: Policy Enforcement Manager

Symptoms:
If an outstanding flow with periodic insertion pem_action is very long, it prevents new flow matching the same rule from adding inert content pem_action even for a new periodic interval

Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.

Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.

Workaround:
Long flows and short flows need to have separate rule configured

Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.


674593-1 : APM configuration snapshot takes a long time to create

Component: Access Policy Manager

Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.

notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up

Conditions:
The issue happens if an access profile contains many resources, the resulting configuration
snapshot will have even more configuration variables.

Impact:
TMM will run out of memory If the issue persists. User will not be able to log in due to profile not found error similar to the following:

err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found

Workaround:
None.

Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.


674591-2 : Packets with payload smaller than MSS are being marked to be TSOed

Solution Article: K37975308

Component: Local Traffic Manager

Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops those to degrade performance.

Conditions:
When TM.TcpSegmentationOffload is enabled, Packets with length less than MSS are sent as TSO packets.

Impact:
TCP Packets are dropped.

Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.

Fix:
Packets less than MSS are not sent as TSO packets, so there is no performance degradation.


674576-4 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.


674527-1 : TCL error in ltm log when server closes connection while ASM irules are running

Component: Application Security Manager

Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"

Conditions:
1. ASM irules are attached.
2. There was already one request passed to the web-server
3. Server closes connection.

Impact:
Error in ltm log.


674515 : New revoke license feature for VE only implemented

Component: TMOS

Symptoms:
Prior to this version, the license revoke feature was not implemented/available.

Conditions:
With out revoke implemented, the feature is simply not available.

Impact:
Licenses cannot be revoked and hence re-used.

Fix:
With this feature implemented, VE licenses can be revoked and then re-used on different VE.


674494-1 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.


674486-5 : Expat Vulnerability: CVE-2017-9233

Solution Article: K03244804


674455-7 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running tmidiag -r drops the serial console from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect. Uses the bios baud rate on the console.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.

Fix:
tmidiag has been fixed to not strip out console=ttyS0.


674410-3 : AD auth failures due to invalid Kerberos tickets

Solution Article: K59281892

Component: Access Policy Manager

Symptoms:
User can not login.

Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or backend AD server is not reachable for some reason

Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.

Workaround:
None.

Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.


674367-1 : SDD v3 symmetric deduplication may stop working indefinitely

Solution Article: K20983428

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may stop working indefinitely.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) Applications configured to benefit from symmetric deduplication are actively passing traffic.
4) Both BIG-IP HA pairs (the near and far sides) are failed over concurrently (although in more rare cases, even failing over a single pair is sufficient to reproduce the issue).

Impact:
Applications no longer benefit from symmetric deduplication, increasing the amount of data transmitted over the WAN.

Workaround:
Restarting the services on all BIG-IP units involved in the topology (without performing additional failovers after they return on-line) restores symmetric deduplication functionality. This will cause some downtime.

Fix:
Performing failovers in AAM environment no longer breaks SDD v3 symmetric deduplication.


674320-2 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

 notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.


674288-2 : FQDN nodes - monitor attribute doesn't reliably show in GUI

Solution Article: K62223225

Component: TMOS

Symptoms:
When creating more than one node with FQDN configured with monitors, monitors are not displayed in the GUI properly.

Conditions:
Create more than one node with FQDN configured.

Impact:
The previously created FQDN node does not display monitors in the GUI. However, the subsequently created FQDN node does display the correct monitors.

Workaround:
Use tmsh to view monitors for Nodes with FQDN configured.

Fix:
Node page now displays the correct monitors for nodes configured with FQDN.


674189 : iControl-SOAP exposed to CVE-2016-0718 in Expat 2.2.0

Solution Article: K52320548


674145-3 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

Fix:
The expected data values are properly printed in the log message.


674004-1 : tmm may crash when after deleting pool member in traffic

Solution Article: K34448924

Component: Local Traffic Manager

Symptoms:
tmm may crash when after deleting pool member that is processing traffic.

Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- A One-Connect profile is configured on the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes when after deleting pool member while traffic is passing.


673974-1 : agetty auto detects parity on console port incorrectly

Solution Article: K63225596

Component: TMOS

Symptoms:
With a BIG-IP system configured for a console baud rate that is different from the baud rate of the serial terminal that is plugged in to the console port, he system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.

Conditions:
BIG-IP system with a console at certain baud rate.
-- Plug in a serial terminal with a different baud rate.
-- Press enter several times.

Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.

Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).

      via ssh:

      # stty -F /dev/ttyS0 -parenb ; killall agetty

   However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.

   In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).

Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.

You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.

Fix:
This issue has been corrected.


673951-4 : Memory leak when using HTTP2 profile

Solution Article: K56466330

Component: Local Traffic Manager

Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.

Conditions:
Virtual server configured with HTTP2 profile.

Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.

Workaround:
None.

Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.


673842-3 : vCMP does not follow best security practices

Solution Article: K01413496


673814-4 : Custom bidirectional persistence entries are not updated to the session timeout

Solution Article: K37822302

Component: Service Provider

Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.

Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.

Impact:
The persistence timeout will prematurely time out.

Workaround:
Set the transaction timeout to the session timeout value.

Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.


673748-1 : ng_export, ng_import might leave security.configpassword in invalid state

Solution Article: K19534801

Component: Access Policy Manager

Symptoms:
If import/export of Access Profile or Access Policy results in an error, security.configpassword may retain temporary not <null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.

Conditions:
Import or export of Access Profile or Access Policy fails with an error.

Impact:
Passwords in .conf might get mangled.

Workaround:
Set the security.configpassword db variable using the following command:
 modify sys db security.configpassword value "<null>"

Fix:
Error handling for access policy import failures has been improved.


673717-1 : VPE loading times can be very long

Component: Access Policy Manager

Symptoms:
When a configuration contains 2000-3000 Access Policy objects, the Visual Policy Editor (VPE) loading operations can take tens of seconds to load.

Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.

Impact:
Policies with thousands of entries can take tens of seconds or more to load.

Workaround:
None.

Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.


673683-2 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber


673678-2 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if the request/response for that http transaction get interleaved by another subscriber request. This happens when more than one subscriber is using the same policy rule

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.


673621-2 : Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Component: Local Traffic Manager

Symptoms:
Chain certificate is still being sent to the client, despite both ca-file and chain certificate being removed from the clientssl profile.

Conditions:
Set ca-file to 'none' in the clientssl profile.

Impact:
Chain is still sent.

Workaround:
None.

Fix:
Chain certificate is no longer sent to the client when both ca-file and chain certificate are removed from the clientssl profile.


673607-2 : Apache CVE-2017-3169

Solution Article: K83043359


673595-2 : Apache CVE-2017-3167

Solution Article: K34125394


673484-1 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO

Solution Article: K85405312

Component: TMOS

Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.

Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.

Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.

Workaround:
Use IKEv1.

Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.


673472-2 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

Component: Policy Enforcement Manager

Symptoms:
Immediately after the classification rule associated with a static subscriber is updated and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content action will proceed as expected

Conditions:
Update of the classification rule associated with the subscribers.

Impact:
First periodic Insert content action, immediately succeeding after the update of the classification rule will fail.

Workaround:
bigstart restart tmm, after updating the classification rule with insert content action will fix the issue

Fix:
Update the record count associated with the subscriber during eval.


673463-2 : SDD v3 symmetric deduplication may start performing poorly after a failover event

Solution Article: K68275280

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.

Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.

Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.

Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.


673399-1 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.

Component: Local Traffic Manager

Symptoms:
The client sends a GET request with switching protocols and the server responds with a 401. Subsequent GET request from client is dropped.

Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with switching protocols indicating upgrade to Websockets, and the server responds with a 401. Subsequent GET request from client is dropped.

Impact:
Connection is reset.

Workaround:
Disable Websockets profile on the virtual server.

Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.


673165 : CVE-2017-7895: Linux Kernel Vulnerability

Solution Article: K15004519


673129 : New feature: revoke license

Solution Article: K41458656

Component: TMOS

Symptoms:
A different license is required for each Virtual Edition (VE) instance.

Conditions:
Creating new instances of VE.

Impact:
Cannot reuse an existing VE license.

Workaround:
None.

Fix:
For Virtual Edition (VE) BIG-IP systems, licenses can now reused by other VE instances by revoking an active license on one and installing it on another.

Behavior Change:
Revoke license is a new feature so that licenses can be reused for other virtual edition configurations.

To revoke a license using tmsh, run the following command:
 tmsh revoke sys license registration-key <reg-key-number>

The system responds with the following confirmation prompt:
 Revoking the license will return this BIG-IP to an unlicensed state. It will stop processing traffic. Are you sure? Y/N:

When you type y, the system revokes the license and returns a response similar to the following:
 License successfully revoked
 [root@bigip11:LICENSE INOPERATIVE:Standalone] config # Jul 17 12:04:28 bigip11 emerg mcpd[5144]: 01070608:0: License is not operational (expired or digital signature does not match contents).


673078-1 : TMM may crash when processing FastL4 traffic

Solution Article: K62712037


673075-1 : Reduced Issues for Monitors configured with FQDN

Component: Local Traffic Manager

Symptoms:
Monitors configured using FQDN might experience several edge cases in some deployment environments. For example, you might experience issues with FQDN-configured monitors when used in environments with volatile/unstable DNS servers, or when network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'. In such cases, the monitor may experiences delay in rotating to the next available DNS server. This is due to complex edge cases that exist within the initial FQDN monitor implementation, where anomalous behavior is aggravated through some network configurations.

Conditions:
Monitors are configured using FQDN, and one-or-more environment conditions exist such as: Unstable DNS servers (i.e., 'flapping' DNS), or the network configuration causes ICMP packets from an unreachable DNS server to be non-routable back to 'bigd'.

Impact:
The monitor will not be updated with information from the (new) DNS server when the previous DNS server becomes unavailable. Other monitor behavior will continue to function normally.

Workaround:
In some cases network configuration can be changed to avoid these edge cases, such as: Ensuring stable DNS servers with only periodic rollovers to backup DNS servers; ensure network ICMP packets are routable back to 'bigd'. Alternatively, monitors may be configured without using FQDN.

Fix:
Monitors configured using FQDN behave as expected in volatile environments, such as those with flapping DNS servers and where ICMP packets for unreachable DNS servers are non-routable back to 'bigd'.


673052-2 : On i-Series platforms, HTTP/2 is limited to 10 streams

Component: Local Traffic Manager

Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.

"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm

Conditions:
Using an i-Series platform where WAM is unlicensable.

Impact:
HTTP/2 performance may be less than desired

Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.


672988-2 : MCP memory leak when performing incremental ConfigSync

Solution Article: K03433341

Component: TMOS

Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.


672868-1 : Portal Access: JavaScript application with non-whitespace control characters may be processed incorrectly

Component: Access Policy Manager

Symptoms:
Portal Access server-side JavaScript parser may work incorrectly if JavaScript code includes non-whitespace control characters inside text constants.

Conditions:
JavaScript code with non-whitespace control characters (0x00..0x08, 0x0E..0x1B, 0x7F..0x9F) inside text constants.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now JavaScript code with non-whitespace control characters can be processed by Portal Access.


672818-2 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established

Component: Access Policy Manager

Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.

Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.

Impact:
Cannot establish VPN.

Workaround:
There is no workaround if there is a to change the 'Region and language' setting must be Simplified Chinese.

Fix:
VPN can now be established when 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows.


672815-2 : Incorrect disaggregation on VIPRION B4200 blades

Component: TMOS

Symptoms:
During startup of the bcm56xxd daemon, the LTM log shows BCM SDK errors containing the string 'SDK error Invalid parameter'. IP fragments fail to be reassembled. The reassembly time out triggers and the flow is killed.

Conditions:
-- After startup as long as the SDK errors occur.
-- Running on VIPRION B4200 blades.

Impact:
TCP connections and UDP datagrams which have fragmented packets are killed or dropped.

Workaround:
There is no workaround that will process fragments correctly.

Fix:
Incorrect disaggregation on VIPRION B4200 blades has been corrected.


672695-1 : Internal perl process listening on all interfaces when ASM enabled

Component: Application Security Manager

Symptoms:
ASM configuration processes are available on unprotected network interfaces.

Conditions:
ASM provisioned

Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance

Workaround:
None

Fix:
ASM-config Event Dispatcher now listens only on protected interfaces


672667-4 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050


672504-1 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

Fix:
Dramatically improved algorithm, to remove significant delay in deletions.


672491-2 : net resolver uses internal IP as source if matching wildcard forwarding virtual server

Solution Article: K10990182

Component: Global Traffic Manager (DNS)

Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.

Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.

Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.

Impact:
Failed DNS queries as a result of incorrect source IP address.

Workaround:
None.

Fix:
This issue was resolved by ensuring listener lookup only matches the exact IP addresses, no-wildcards.


672312-2 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.

Fix:
The BIG-IP system now forwards IP ToS in syncookie mode.


672301-2 : ASM crashes when using a logout object configuration in ASM policy

Component: Application Security Manager

Symptoms:
bd daemon crash and writes a core file in the /shared/core directory.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.

Impact:
System goes offline for a few seconds, failover occurs.

Workaround:
Remove logout object configuration from ASM policy.

Fix:
The system now handles this condition.


672250-1 : SessionDB update from ApmD with large volume fails

Component: Access Policy Manager

Symptoms:
While writing large amounts of data to sessionDB using memcache API, the write operation fails with partial write.

Conditions:
Large volumes data writing to SessionDB via memcache API.

Impact:
All worker threads performing authentication eventually get locked down. Session watchdog thread eventually makes a forced abort to recover from the situation. ApmD restarts in this situation.

Workaround:
Control write to sessionDB with a smaller data size.

Fix:
Partial write failure has been fixed, by writing remaining part(s) of query results in several iteration(s), until entire result is written.


672221 : TMM cores if the certificate configured to validate message signature does not exist.

Component: Access Policy Manager

Symptoms:
TMM cores if the SAML message signature verification certificate cannot be found in the configuration.

Conditions:
-- SAML is configured with an invalid certificate in the message signature validation setting.
-- The control-plane is unable to detect such misconfiguration.

Note: This is an unlikely occurrence if the usual control-plane is used to configure the SSO/SAML object. In this particular case, the certificate-key was passed in as the certificate which triggered a certificate-not-found error.

Impact:
The issue can lead to momentary service interruption. Traffic disrupted while tmm restarts.

Workaround:
Make sure the certificate configured for use with the SAML message signature verification is correctly configured and the configuration loads successfully.


672124-3 : Excessive resource usage when BD is processing requests

Solution Article: K12403422


672040-3 : Access Policy Causing Duplicate iRule Event Execution

Component: Access Policy Manager

Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.

Conditions:
This only occurs when using iRule in clientless-mode.

Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.

See below example:

when HTTP_REQUEST {
  HTTP::header insert {clientless-mode} 1
  set myCount [expr {$myCount + 1}]
  log local0. "Count is $myCount"
}

LTM logs:
-----------

Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2


When this iRule is used, you will see duplicate HTTP_REQUEST with increased count in logs. If this count is used in further calculation, it gives you incorrect result.

Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.


672008-1 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

Solution Article: K22122208

Component: Local Traffic Manager

Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.

Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00

Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.

Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.

Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.

Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.


671999-2 : Re-extract the the thales software everytime the installation script is run

Component: Local Traffic Manager

Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.

Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.

Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.

Workaround:
You can use either or both of the following workarounds before running the installation script:

-- Run the uninstallation script.
-- Delete the /shared/nfast folder.

Fix:
The Thales installation script now always extracts the Thales software in /shared/thales_install and overwrites the /shared/nfast directory.

Behavior Change:
Thales HSM installation script always overwrites the /shared/nfast directory.


671935-2 : Possible uneven ephemeral port reuse.

Component: Local Traffic Manager

Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.

Conditions:
In many cases, the BIG-IP system needs to select a source port for the server-side flow different than the source port selected by the client.

This is always the case when the virtual server's 'source-port' option is set to 'change'.

Impact:
If connections on the servers are in the TIME_WAIT state and connection recycling is not configured, the servers may reset those connections that reused a source port too quickly.

Workaround:
Modify the virtual server's 'source-port' option to 'preserve'.

This will reduce the need to find suitable source ports for the server-side by the BIG-IP system.

Fix:
When searching for an available source port, and wrapping into the privileged port range (<1024), the BIG-IP system now performs a small jump out of that range, thus not going into the upper range unnecessarily.


671920-1 : Accessing SNMP over IPv6 on non-default route domains

Component: TMOS

Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests over from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.

Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.

Impact:
Access to SNMP must be through default route domain for IPv6.

Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.


671741-4 : LCD on iSeries devices can lock at red 'loading' screen.

Component: TMOS

Symptoms:
There are cases when TMOS is under stress conditions that the LCD on iSeries devices can lock at red 'loading' screen.

Conditions:
-- iSeries platforms.
-- Device under stress.

Impact:
LCD on iSeries devices can lock at red 'loading' screen. Appliance power cycle is required to correct the error.

Workaround:
None. You must power cycle the device to correct the condition.

Fix:
This issue is resolved.


671725-1 : Connection leak on standby unit

Solution Article: K19920320

Component: Local Traffic Manager

Symptoms:
High connection count on standby unit.

Conditions:
-- High availability (HA) configuration.
-- Virtual server that has the attribute 'spanning enabled'.

Impact:
Flow leak on Next Active action.

Workaround:
None.

Fix:
Connection leak on standby unit no longer occurs under these conditions.


671714-2 : Empty persistence cookie name inserted from policy can cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Empty persistence cookie name inserted from policy can cause TMM to restart.

Conditions:
Empty persistence cookie name is used in a policy definition.
A connection is made that uses the policy.

Impact:
Traffic disrupted while tmm restarts

Workaround:
Use non-empty peristence cookie name in policy definition.

Fix:
Empty persistence cookie name inserted from policy no longer causes TMM to restart.


671712 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.

Fix:
The values in the ltmUserStatProfileStat table are always correct.


671675-1 : Centralized Management Infrastructure: asm_config_server restart on device group change

Component: Application Security Manager

Symptoms:
If device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group the ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Conditions:
A device is moved from one ASM sync enabled device group immediately to another ASM sync enabled device group.

Impact:
ASMConfig relay listener restarts, and artifacts are left over from the previous device group that could cause undesired config synchronization if it returns to the original device group

Workaround:
Wait 30 seconds between leaving an ASM enabled device group before joining a different one.

Fix:
Successive changes to ASM sync enabled device group are handled correctly.


671638-4 : TMM crash when load-balancing mptcp traffic

Solution Article: K33211839


671627-1 : HTTP responces without body may contain chunked body with empty payload being processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include body. Portal Access adds 'Transfer-Encoding: chunked' header and may add chunked body with empty payload to such responses.

Conditions:
HTTP response without body processed by Portal Access

Impact:
Most browsers ignore invalid 'Transfer-Encoding' header and/or body for responses which must not include body at all. And yet, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.


671597-1 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When access policy has 1000+ entires.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
ng_export speed has been improved 5 times
ng_import and ng_profile are working 50 times faster because of avoiding denormalisation and optimisation

ng_export is still should be used from the console.


671498-3 : BIND zone contents may be manipulated

Solution Article: K02230327


671497-4 : TSIG authentication bypass in AXFR requests

Solution Article: K59448931


671447-2 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form

Component: TMOS

Symptoms:
When using a BIG-IP system configured in an IS-IS network; adjacencies may fail to form with other vendor devices.

Conditions:
- BIG-IP configured to participate as a peer in a IS-IS network.
- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)

Impact:
IS-IS adjacencies may not form.

Workaround:
None.

Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.


671373-2 : urldb core seen

Component: Access Policy Manager

Symptoms:
Due to having multiple threads, terminating and destroying the database can cause the crash. The main thread does not wait for others to exit before trying to destroy the database.

Conditions:
SWG is provisioned and re-provisioned after the config has loaded.

Note: This core is very rare (it is intermittent and timing-dependent).

Impact:
urldb cores. Since it was in the process of being shut down for the re-provisioning anyway, this has little to no impact.

Workaround:
There is no workaround at this time.

Fix:
urldb no longer cores SWG is provisioned and re-provisioned after the config has loaded.


671337-1 : NetHSM DNSSEC key creation can attempt to change the SELinux label on a file

Component: Local Traffic Manager

Symptoms:
A log message such as type=AVC msg=audit(1498506868.354:3786): avc: denied { relabelfrom } for pid=7567 comm="mv" name="_Common_zsk_127000B6DC9454EACB50A1FD2073C5F5314F.key" dev="dm-15" ino=80012 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:mcpd_tmp_t:s0 tclass=file
can appear in the logs.

Conditions:
When a NetHSM DNSSEC key is created in a temporary directory and is trying to change the SELinux label on a file without permissions.

Impact:
SELinux error will be logged

Fix:
Allow netHSM script via MCPd to relabel files


671326-2 : DNS Cache debug logging might cause tmm to crash.

Solution Article: K81052338

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache debug logging might cause tmm to crash.

Conditions:
This occurs when the following conditions are met:

-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.

Fix:
DNS Cache debug logging no longer causes tmm to crash.


671314-4 : BIG-IP system cores when sending SIP SCTP traffic

Solution Article: K37093335

Component: TMOS

Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.

Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.

Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.

Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.

Fix:
This crash has been fixed.


671228-1 : Multiple FQDN ephemeral nodes may be created with autopopulate disabled

Component: Local Traffic Manager

Symptoms:
Multiple FQDN ephemeral nodes may be created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records for the FQDN, and bigd is restarted.

Conditions:
This may occur when:
1. An FQDN node is configured with autopopulate disabled.
2. The DNS server returns multiple address records for the FQDN.
3. There is a pool configured to use the FQDN node.
4. bigd is restarted (such as when the system goes offline or tmm restarts).

Impact:
Multiple FQDN ephemeral nodes may be created unexpectedly.

Workaround:
Configure the FQDN node with autopopulate enabled.

Fix:
Multiple FQDN ephemeral nodes are no longer created unexpectedly if an FQDN node is configured with autopopulate disabled, the DNS server returns multiple address records, and bigd is restarted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


671149-3 : Captive portal login page is not rendered until it is refreshed

Component: Access Policy Manager

Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.

Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.

Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.

Workaround:
None.

Fix:
Edge Client now has a retry mechanism to access and display captive portal login pages in case the first attempt fails.


671082-1 : snmpd constantly restarting

Solution Article: K85168072

Component: TMOS

Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.

Conditions:
snmpd takes too long processing a request for the ifTable because there are a large amount of VLANs or VLAN groups configured.

Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.

Workaround:
None.

Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of VLANs or VLAN groups is high.


671052-3 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed

Solution Article: K50324413

Component: Advanced Firewall Manager

Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.

Conditions:
This issue may be seen with Source/Destination translation.

Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fix addresses a case where one of the fields was not initialized.


671044-3 : FIPS certificate creation can cause failover to standby system

Solution Article: K78612407

Component: TMOS

Symptoms:
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.

Conditions:
Creating a FIPS certificate while the system is handling a high FIPS traffic load.

Impact:
Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.

Workaround:
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.

Fix:
FIPS certificate creation no longer causes failover to standby system under these conditions.


670910-2 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined

Component: Access Policy Manager

Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.

Conditions:
This might occur when using the following definition:

<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
<-->xmlns:s="library://ns.adobe.com/flex/spark"
<-->width="100%" height="100%"
<-->minWidth="256" minHeight="64"
<-->creationComplete="initApp()">
<--><s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
<--><--><s:TextInput id="f_output" text="..." width="100%" />
<--><--><fx:Script><![CDATA[
<--><--><-->import flash.external.ExternalInterface;
<--><--><-->private function initApp():void {
<--><--><--><-->f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
<--><--><-->}
<--><-->]]></fx:Script>
<--></s:VGroup>
</s:Application>

Impact:
Flash application malfunction.

Workaround:
None.

Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.


670822-3 : TMM may crash when processing SOCKS data

Solution Article: K55225440


670816-2 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters

Solution Article: K44519487

Component: Local Traffic Manager

Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.

Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.

Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.

Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.


670814-2 : Wrong SE Linux label breaks nethsm DNSSEC keys

Component: Local Traffic Manager

Symptoms:
In /var/log/ltm:

(_Common_thales_key) create failed, retry attempt 1 [nfgk_new: Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied mv: cannot stat `/shared/tmp/_Common_thales_key': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_req': No such file or directory mv: cannot stat `/shared/tmp/_Common_thales_key_selfcert': No such file or directory str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=1024 embedsavefile="_Common_thales_key" plainname="_Common_thales_key" digest=sha256] rfs-sync: error from NFastApp_Connect `(null)': Permission denied rfs-sync: error from NFastApp_Connect `(null)': Permission denied No updates. Update done. Create key pair done. ].

or the output of the following command:

ausearch -m AVC,SELINUX_ERR -ts recent

time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.574:24190): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffd059e2720 a2=6e a3=7ffd059e2470 items=0 ppid=3310 pid=3311 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="generatekey" exe="/shared/nfast/tcl/bin/generatekey" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.574:24190): avc: denied { write } for pid=3311 comm="generatekey" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----
time->Fri Jun 23 04:38:06 2017
type=SYSCALL msg=audit(1498217886.600:24191): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffd9dbc33a0 a2=6e a3=7ffd9dbc30f0 items=0 ppid=3313 pid=3316 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rfs-sync" exe="/shared/nfast/bin/rfs-sync" subj=system_u:system_r:mcpd_t:s0 key=(null)
type=AVC msg=audit(1498217886.600:24191): avc: denied { write } for pid=3316 comm="rfs-sync" name="nserver" dev=dm-1 ino=141191 scontext=system_u:system_r:mcpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=sock_file
----

Conditions:
trying to use a thales nethsm for DNSSEC

Impact:
cannot create DNSSEC keys protected by a thales nethsm

Workaround:
chcon -R --reference=/var/run/rd0.sock /shared/nfast/sockets/

NB: you should also apply the workaround for BZ671337 as well. It's almost certain that if this bug exists, that bug also exists.

Fix:
SE LInux labels no longer prevent the creation of thales-protected nethsm DNSSEC keys


670804-2 : Hardware syncookies, verified-accept, and OneConnect can result in 'verify_accept' assert in server-side TCP

Solution Article: K03163260

Component: Local Traffic Manager

Symptoms:
The system experiences a 'verify_accept' assert in server-side TCP.

Conditions:
-- Verified Accept enabled in TCP profile.
-- Hardware syncookies enabled.
-- OneConnect profile on virtual servers.
-- Syncookie threshold crossed.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Disable verified accept when used with OneConnect on a virtual server.

Fix:
Verified accept, OneConnect, and hardware syncookies now work together correctly.


670528-1 : Warnings during vCMP host upgrade.

Solution Article: K20251354

Component: TMOS

Symptoms:
- Log message repeats every 5 seconds in /var/log/ltm
     slot<#>/<host> warning vcmpd[<pid>]: 01510005:4: Failed to find value for enum::cli_id (ha_feature_t::provisioning-failed).

Conditions:
- Configure vCMP host in 12.1.x or 11.6.x.
 - Deploy 13.x guest.
 - Monitor /var/log/ltm.

Impact:
Warning message displayed every 5 seconds.

Workaround:
Run the following command:
 tmsh create sys log-config filter stop_vcmpd_log message-id 01510005 publisher none


670405-4 : K20486351: glibc vulnerability CVE-2017-1000366:

Solution Article: K20486351


670400-3 : SSH Proxy public key authentication can be circumvented in some cases

Component: Advanced Firewall Manager

Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key in to the back-end end SSH server.

Conditions:
Public key authentication is being used to authenticate users.

Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.

Impact:
Unauthorized access.

Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.

See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.
 
One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.

-------
Supported client method orders:
 
publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive
 
Any other combination of authentication methods will fail.

Fix:
Implemented stricter error handling in authentication checking.


670011-2 : SSL forward proxy does not create the server certchain when ignoring server certificates

Component: Local Traffic Manager

Symptoms:
Forward proxy not working correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates, this prevents the client side from trusting the server cert and the SSL handshake hangs and fails after timeout.

Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.

Workaround:
None.

Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.


669974-1 : Encoding binary data using ASN1::encode may truncate result

Solution Article: K90395411

Component: Local Traffic Manager

Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.

Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.

Impact:
Encoding results in the wrong/truncated value.

Workaround:
It is possible to encode the problematic values using an alternative method.

Fix:
ASN1::encode now correctly encodes binary values.


669888-2 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96

Component: TMOS

Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.

Conditions:
Any attempt to use an IPv6 address in that subnet.

Impact:
The BIG-IP system will operate as if you entered the IPv4 address.

Workaround:
No workaround at this time.

Fix:
The differing addresses now are handled correctly. For most modules, this does not change the functionality at all. AFM is one exception; IPv6 traffic in the ::ffff:0:0/96 subnet will be treated differently than IPv4 traffic.


669818-2 : Higher CPU usage for syslog-ng when a syslog server is down

Solution Article: K64537114

Component: TMOS

Symptoms:
Higher CPU usage for syslog-ng when a syslog server is down.

Conditions:
A remote log server is added but it is not available.

Impact:
Potentially higher than expected CPU usage.

Workaround:
To mitigate this issue, use either of the following:
-- Ensure that the remote log server is available.
-- Remove the remote log server from the configuration.


669739-1 : Potential core when using MRF SIP with SCTP

Solution Article: K71963740

Component: Service Provider

Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.

Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
With SCTP with MRF SIP, the system better handles conditions when the outgoing connection receives more messages than it can process, so the system does not core and restart.


669645-1 : tmm crashes after LSN pool member change

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.

Fix:
tmm no longer crashes when changing LSN pool members while processing traffic.


669510-2 : When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Component: Access Policy Manager

Symptoms:
- When network changes after VPN is established, network access tunnel is closed when network access configuration has 'Allow local DNS servers' and 'Prohibit routing table changes during Network Access connection' options enabled.

Conditions:
- Allow local DNS servers' option is enabled in Network Access configuration.
- Prohibit routing table changes during Network Access connection option is enabled in Network Access configuration.
- Network changes after VPN is established.

Impact:
- Network access tunnel is dropped due to routing table changes.

Workaround:
User needs to connect to VPN again.


669462-1 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/

Conditions:
Adding /Common/WideIPs as members in non-Common GTM Pool

Impact:
Unable to use pool-members from /Common/ when outside of /Common/

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/


669459-2 : Efect of bad connection handle between APMD and memcachd

Component: Access Policy Manager

Symptoms:
When a connection handle (fd) between apmd and memcachd gets bad (someone else is using or already closed by memcachd), all worker threads gets locked out. A cleaner thread then restart APMD with an assert.

Conditions:
This is difficult to reproduce. It happens if one or more connection handle between apmd worker thread and memcachd gets misused.

Impact:
APMD gets locked down , eventually restart with a core.

Workaround:
None.

Fix:
Communication between APMD and TMM has been improved to be more tolerant of error conditions.


669415-1 : Flow eviction for hardware-accelerated flow might fail

Component: TMOS

Symptoms:
In rare cases, evicting a hardware-accelerated ePVA flow might fail. Under normal conditions, this flow eventually idles out of the ePVA, but if traffic happens to be generated over the flow, then it can stay in the ePVA indefinitely, even if there is no software connection context for this connection.

Conditions:
A virtual server using a FastL4 profile.

Impact:
A connection becomes stuck in the ePVA. Traffic might be disrupted if tmm restarts.

Workaround:
Disable hardware acceleration.

Fix:
This release has updated the process for evicting a connection from the ePVA.


669364-1 : TMM core when server responds fast with server responses such as 404.

Component: Fraud Protection Services

Symptoms:
TMM core when server responds fast with server responses such as 404.

Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles these conditions without a tmm crash.


669359 : WebSafe might cause connections to hang

Component: Fraud Protection Services

Symptoms:
In a loaded environment, FPS might free a connection context without cleaning up the state.

Conditions:
This occurs in a loaded environment (xoff events present).

Impact:
A connection might stall until abandoned by client.

Workaround:
None.

Fix:
when freeing a connection context, FPS will clear internal egress state.


669341 : Category Lookup by Subject.CN will result in a reset

Component: Access Policy Manager

Symptoms:
Category Lookup Agent is unable to find the Subject.CN, so it initiates an SSL Handshake failure.

==> /var/log/apm <==
crit tmm[11181]: 01790602:2: [C] 10.20.100.1:11980 -> 10.11.10.101:443: (ERR_NOT_FOUND) Error processing URL Classification query from CatEngine

Conditions:
Category Lookup agent configured to use Subject.CN. May also apply if a Category Lookup agent is configured to use SNI, but the client does not send an SNI, resulting in the agent trying to use the Subject.CN.

Impact:
Cannot use Subject.CN as a data source for category lookup agent.

Workaround:
None.

Fix:
The category lookup agent is now able to find the Subject.CN.


669288-3 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

Solution Article: K76152943

Component: TMOS

Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:

exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.

Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.

These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00

Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.

Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:

 1. Boot the BIG-IP system into single-user mode.

 2. Create the directory /shared/f5optics/images with the following command:
  mkdir -m 777 -p /shared/f5optics/images.

 3. Reboot the BIG-IP system, and allow it to start up normally.

Fix:
The reported exception does not occur, and unix-* commands commands issued in Appliance mode run as expected.


669268 : Failover in the same availability zone of AWS may fail when AWS services are intermittently available.

Component: TMOS

Symptoms:
Intermittently available AWS services may lead to failure of curl requests to AWS or ec2 tools commands, resulting in failure of failover. As a result, public EIPs (for virtual servers) might remain pointing to the standby BIG-IP system.

Conditions:
AWS services are intermittently available.

Impact:
Failure of failover. Traffic will be routed to the standby BIG-IP system and lost.

Workaround:
Manually fail the systems over till failover succeeds at the desired BIG-IP system.


669262-2 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA, resulting that zone is not treated as reverse zone.

PTR is not available from the 'Type' dropbox menu when creating new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.

Conditions:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA.

Impact:
Cannot create PTR resource record for the created reverse zones.

Workaround:
Create reverse zones exactly ending with .arpa.


669255-2 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.

Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.


669154-1 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.

Solution Article: K25342114

Component: Access Policy Manager

Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.

Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, following by another empty value "", for example:

multi-values { "%{session.ad.last.attr.name}" "" }

Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.

Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.

Workaround:
Remove empty attribute values from configuration.

Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.


669025-1 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Solution Article: K11425420

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs usually is are the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
There is no workaround at this time.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.


668964-2 : 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group

Solution Article: K81873940

Component: TMOS

Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.

Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.

Impact:
Changes may apply to all peers in the group.

Workaround:
Depending on the network setup, it may be possible to workaround the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.

Fix:
The command 'bgp neighbor <peer -IP> update-source <IP>' no longer applies the change to all peers in peer-group


668883 : FQDN pool member status may become out-of-sync when enabled/disabled through GUI

Component: Local Traffic Manager

Symptoms:
After toggling enable/disable on an FQDN pool member through the GUI, an FQDN pool member status may become 'out-of-sync', and the pool member might process connections opposite to its status. Specifically: 'disabled' might accept connections, and 'enabled' might not accept connections. In this state, the FQDN pool member appears to be exactly 'one-message-behind' for an enable/disable status change made in the GUI.

The FQDN pool member status for enabled/disabled is always correctly displayed in the GUI and in tmsh, and behavior is correctly restored after a system reboot. Other pool members are unaffected.

Conditions:
-- BIG-IP systems configured for high availability (HA).
-- At least three members within an FQDN pool.
-- Use the GUI to toggle enable/disable state on a FQDN pool member.

Impact:
The FQDN pool member does not correctly participate in receiving connections to the pool when in this error state. Other pool members remain unaffected.

Workaround:
Change FQDN pool to statically assign members.

Fix:
Toggling FQDN pool member between 'enable/disable' correctly changes that member's participation for accepting connections within its parent pool. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


668802-3 : GTM link graphs fail to display in the GUI

Solution Article: K83392557

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
The GTM graphs are available as expected.


668623-5 : macOS Edge client fails to detect correct system language for regions other than USA

Solution Article: K85991425

Component: Access Policy Manager

Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.

Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).

Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.

Workaround:
Run one of the following command on the Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Customization of the following items for Edge client now correctly reflect the region's language selection.

-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.


668522-1 : bigd might try to read from a file descriptor that is not ready for read

Component: Local Traffic Manager

Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).

Impact:
The bigd process might consume excessive CPU resources for for various amounts of time.

Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.

Workaround:
None.

Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.


668521-2 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a hearbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.


668503-3 : Edge Client fails to reconnect to virtual server after disabling Network Adapter

Component: Access Policy Manager

Symptoms:
1. Connect to an APM Virtual Server.
2. Disable Network Adapter.
3. Enable the Network Adapter.

Edge Client fails to reconnect.

Conditions:
Network Adapter is disabled and re-enabled.

Impact:
Edge Client does not re-establish VPN when Network Adapter is re-enabled.

Workaround:
Disconnect and Connect Edge Client.

Fix:
Edge Client now successfully reconnects to virtual server after disabling and enabling Network Adapter.


668501-2 : HTTP2 does not handle some URIs correctly

Solution Article: K07369970


668419-1 : ClientHello sent in multiple packets results in TCP connection close

Solution Article: K53322151

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is less than 9 bytes, SSL might process it as a non-SSL packet.

Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is less than 9 bytes.

Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.

Workaround:
None.

Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is less than 9 bytes, the system waits for the whole SSL packet to arrive before processing it.


668352-2 : High Speed Logging unbalance in log distribution for multiple pool destination.

Component: TMOS

Symptoms:
Remote High Speed Logging may send logs in an imbalance when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.

Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.

Impact:
-- Log distribution imbalance.

Workaround:
There is no workaround at this time.

Fix:
Logs distributed equally on destination pools.


668252-2 : TMM crash in PEM_DIAMETER component

Solution Article: K22784428

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when the route to PCRF is lost.

Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).

Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Ensure that the network interface configuration routing diameter packet is not manually brought down.

No workaround for externally triggered failures.

Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.


668196-2 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down

Component: Local Traffic Manager

Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.

Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).

Impact:
Pool member remains marked down.

Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.

Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.


668184-1 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.


668181-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.


668129-1 : BIG-IP as SAML SP support for multiple signing certificates in SAML metadata from external identity providers.

Component: Access Policy Manager

Symptoms:
Certain SAML implementations support configuration of multiple signing certificates to be used for signing SAML messages. In these deployments different signing certificates could be used when certificate rotation takes place. Until now BIG-IP as SP only supported single signing certificate from external IdPs.
When certificate rotation happens on external IdP, BIG-IP signing verification certificates have to be updated.

Conditions:
External IdP advertises multiple signing certificates in SAML metadata.

Impact:
When external IdP starts using new signing certificate previously advertised in metadata, authentication on BIG-IP as SAML SP will fail until administrator adjusts configuration to specify new signature validation certificate on appropriate SAML IdP connector object.

Workaround:
Signing certificates on BIG-IP as SAML SP can be reconfigured manually.

Fix:
BIG-IP as SP now supports multiple signing certificates advertised by external identity providers.


668048-1 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

Solution Article: K02551403

Component: TMOS

Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.

Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed. OR
- High Speed Logging pool members removed.

Impact:
Increase in mds_btree_nodes memory utilization.

Workaround:
There is no workaround at this time.

Fix:
High Speed Logging frees allocated memory correctly.


668006-1 : Suspended 'after' command leads to assertion if there are multiple pending events

Solution Article: K12015701

Component: Local Traffic Manager

Symptoms:
TMM crashes when an iRule has multi-parking commands including command after.

Conditions:
-- iRule has multi-parking commands.
-- Command after is used multiple times in the iRule.

Note: The exact condition of crashing tmm is not definitive, but when the above situation is met, it could trigger this crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Depending on the iRule, (e.g., script that uses command after very heavily, very often), the usages can be combined:

after 100
after 200 { some script }

can be combined to after 300 { the script }

Fix:
Suspended 'after' command no longer leads to assertion if there are multiple pending events


667922 : Alternative unicode encoding in JSON objects not being parsed correctly

Solution Article: K44692860

Component: Application Security Manager

Symptoms:
JSON content might be blocked when unicode encoding is used in one of the JSON nodes.

Conditions:
Configured ASM Policy with JSON profile.

Impact:
False positive blocked request.

Workaround:
Disable metachars checks in JSON profile.

Fix:
The JSON parser now handles unicode sequences correctly.


667892-2 : FPS: BLFN inheritance won't take effect until GUI refresh

Component: Fraud Protection Services

Symptoms:
1. Create fps profile with a "Additional function to be run before JavaScript load" (BLFN) configured.
2. Clone this profile.
3. In the cloned profile choose another profile to defaults from (where there is no BLFN).
4. Save configuration.

Conditions:
- Current profile has a BLFN configured.
- New parent profile has no BLFN.

Impact:
The original BLFN is still configured on the profile (should have inherited the empty BLFN from parent profile).

Workaround:
1. Use tmsh.
2. Refresh before save.

Fix:
Correct BLFN inheritance logic in GUI.


667872-1 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

Component: Fraud Protection Services

Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.

Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).

Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.

Workaround:
Use only standard ports.

Fix:
FPS now correctly parses base-domain, including port (if exists).


667779-2 : iRule commands may cause the TMM to crash in very rare situations.

Component: Local Traffic Manager

Symptoms:
A TMM crash may occur in very rare situations.

Conditions:
A Tcl iRule command is used.

Impact:
A TMM Core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tcl iRule commands are more robust to extreme scenarios within the TMM.


667707-2 : LTM policy associations with virtual servers are not ConfigSynced correctly

Component: Local Traffic Manager

Symptoms:
The association of Local Traffic Policies to virtual servers do not synchronize properly.

This can result in configuration sync failures with error messages including:

-- 01070635:3: The policy (/Common/asm_auto_l7_policy__vs_27) is referenced by one or more virtuals.
-- Configuration error: The bot-defense-asm profile /Common/asm_policy_1 was added to virtual server /Common/vs1 but it does not match the asm-controlling policy. The bot-defense-asm profile is added to the virtual server automatically.
-- 010716fd:3: Virtual Server '/Common/vs' cannot contain policies with conflicting controls.

In other circumstances, BIG-IP systems report themselves as 'in sync' despite a virtual server having different local traffic policies associated.

Under certain circumstances, configuration sync fails after an LTM policy is removed from a virtual server and deleted.

Conditions:
This occurs under the following conditions:

-- Full sync operations (e.g., 'full-load-on-sync' or 'force-full-load-push').

And either of the following:
-- Configuration changes made where local traffic policies are removed or added from a virtual server.

-- Configuration changes made where a local traffic policy is removed from a virtual server, and then the virtual server is deleted.

Impact:
Configuration fails to sync, or devices report 'In Sync' but have different LTM policies associated with virtual servers.

Workaround:
There is no workaround at this time.

Fix:
Configuration sync is successful.


667662-1 : Autolasthop does not work for PPTP-GRE traffic.

Solution Article: K06579313

Component: Carrier-Grade NAT

Symptoms:
Autolasthop does not work for PPTP-GRE traffic.

Conditions:
Autolasthop configured for client ingress VLAN, serving PPTP-ALG traffic.

Impact:
PPTP-ALG traffic through the BIG-IP system.

Workaround:
Create static routes to return PPTP-GRE traffic back to the client network.

Fix:
Autolasthop setting works correctly for PPTP-GRE traffic.


667560-3 : FQDN nodes: Pool members can become unknown (blue) after monitor configuration is changed

Solution Article: K69205908

Component: Local Traffic Manager

Symptoms:
A pool member configured through an FQDN node and which has multiple associated monitors may become unknown (blue) after a monitor rule change to one of its associated monitors. The expected behavior is that the node should remain 'green' if monitoring is successful with the new rule, but the node may become unknown (blue) until bigd is restarted.

Conditions:
A pool member is configured through an FQDN node, and has multiple associated monitors, and a monitor rule change is made to one of the associated monitors.

Impact:
The pool member status correctly reflects whether monitoring is successful (green) or the pool member is unknown (blue), but the changed monitor rule may not take effect until bigd is restarted.

Workaround:
When making changes to a monitor rule associated with a pool member configured through FQDN, verify the node remains monitored (green or checking), or restart bigd. Alternatively, change monitor rules within the configuration file, and reload the configuration.

Fix:
Pool members configured through FQDN nodes and with multiple associated monitors continue to be monitored after a monitor rule change to one of the associated monitors. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


667469-1 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.


667405-2 : Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.

Solution Article: K61251939

Component: TMOS

Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.

Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.

Impact:
Memory leak in the TMM.

Workaround:
None.

Fix:
No memory leak in the TMM.


667404-2 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts

Solution Article: K77576404

Component: TMOS

Symptoms:
If fragmented IP packets match an IPsec policy, then get forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key for another connflow, including internal MCP flows. When that happens, if IPsec does tunnel those flows, internal MCP heartbeats later miss and cause tmm restarts.

Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.

Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.

Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.


667318-3 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.


667304-1 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled

Solution Article: K68108551

Component: Access Policy Manager

Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.

Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.

Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.

Workaround:
None.

Fix:
'Save Password' checkbox is not shown unless the feature is enabled.


667278-3 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.


667257-2 : CPU Usage Reaches 100% With High FastL4 Traffic

Component: TMOS

Symptoms:
CPU usage reaches 100% with high FastL4 traffic. Issue with re-offloading evicted FastL4 traffic to ePVA.
Typically observed on systems handling a lot of FastL4 traffic that have been upgraded to a version that has re-offload behavior implemented by Bug ID 563475: ePVA dynamic offloading can result in immediate eviction and re-offloading of flows.

Conditions:
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.

Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.

Workaround:
None.

Fix:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on), before the flow is re-offloaded).

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.

Behavior Change:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then if there is a collision, there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on), before the flow is re-offloaded).

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.


667237-3 : Edge Client logs the routing and IP tables repeatedly

Component: Access Policy Manager

Symptoms:
Edge Client logs the routing and IP tables repeatedly - in each reconnecting attempt.

Conditions:
Edge Client is in reconnecting state and gateway is reachable. However, APM server is not reachable/responding.

Impact:
It fills up the log file with information that is not useful.

Workaround:
There is no workaround at this time.

Fix:
When Edge Client is in re-connection state and the APM server is not reachable/responding, skip logging the Routing/IP tables in each reconnecting attempts.


667223 : The merge option for the tmsh load sys config command removes existing nested objects

Component: TMOS

Symptoms:
Nested objects are removed when newer objects are merged in.

Configuration objects can contain nested objects. The merge option for tmsh load sys config command expects the nested-objects passed in to be merged alongside existing objects.

example:

Initial configuration

[root@plate:Active:Standalone] config # tmsh list ltm pool
    ltm pool test-pool-mcconfig {
        members {
            test-mc1:http {
                address 10.13.14.15
                priority-group 1
                session monitor-enabled
                state checking
            }
            test-mc2:http {
                address 10.13.14.16
                priority-group 4
                session monitor-enabled
                state down
            }
        }
        monitor tcp
    }

Run load merge command:

    [root@plate:Active:Standalone] config # tmsh -m
    root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# load sys config merge from-terminal
    Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
    ltm pool test-pool-mcconfig {
     members {
      test-mc2:http {
       priority-group 0
      }
     }
    }
    Loading configuration...
    root@(plate)(cfg-sync Standalone)(Active)(/Common)(tmos)# ^D

New configuration, not merged:

    [root@plate:Active:Standalone] config # tmsh list ltm pool
    ltm pool test-pool-mcconfig {
        members {
            test-mc2:http {
                address 10.13.14.16
                session monitor-enabled
                state down
            }
        }
        monitor tcp
    }

Conditions:
Execute tmsh load sys config merge from-terminal command.

The configuration contains nested objects. The configuration that is being merged in contains nested objects of the same type as the existing configuration.

Impact:
Configuration loss: Post merge the existing nested configuration objects are deleted.

Workaround:
None.

Fix:
The behavior for the merge option of tmsh load sys config is corrected. The nested objects in the existing configuration are not deleted.


667173 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.


667148-1 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

Fix:
Fixed issue preventing GTM configurations from loading when non-Common partitioned items present.


667138-1 : LTM 12.1.2 HF1 - Upgrade to 12.1.2 HF1 fails with err "folder does not exist"

Component: TMOS

Symptoms:
After upgrade from 10.2.4 to 12.1.2, full config load fails.

Conditions:
The pre-upgrade version must be 10.2.4 and the pre-upgrade config must have user-defined partitions.

Impact:
After upgrade, if changes are made to the running config (in memory; not on disk), then the config files on disk from upgrade cannot be restored.

Workaround:
10.2.4 config on upgrade is stored at /config/bigpipe/. So, a workaround is to load defaults, then merge the original config using bigpipe.

/usr/libexec/bigpipe merge /config/bigpipe/*.conf

Fix:
Full load after upgrade from 10.2.4 now succeeds.


667028-1 : DNS Express does not run on i11000 platforms with htsplit disabled.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.

Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.

Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.

Workaround:
Enable htsplit using the following command:

modify sys db scheduler.splitplanes.ltm value true

Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.

Note: DNSX works as expected with htsplit enabled, both before and after the fix.


666986-2 : Filter by Support ID is not working in Request Log

Solution Article: K50320144

Component: Application Security Manager

Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.

Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.

Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.

Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.

Fix:
Filter by Support ID works for any length but 4 digits (in this case search uses the last 4 digits; also a 4-digit Support ID is not a realistic occurrence).


666884-2 : Message: Not enough free disk space to install! cpcfg cannot copy a configuration on a chassis platform

Solution Article: K27056204

Component: TMOS

Symptoms:
cpcfg fails with errors similar to the following:

info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Only on a chassis platform running 12.1.x or 13.0.x.

Impact:
You cannot use cpcfg on a chassis platform.

Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.

Fix:
cpcfg could incorrectly calculate the amount of free space available, refusing to do the copy unless the /shared filesystem had sufficient space to do the copy. This has been resolved and this free space calculation is done correctly.


666790-2 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

Solution Article: K06619044

Component: TMOS

Symptoms:
In addition to HiGig Link instability, FCS errors can be seen on internal switch and HSB Higig link. This is likely some PHY-related issues and can cause instability in communication links.

One symptom associated with this might be that a blade cannot become active and join the cluster.

Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.

Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.

HSB lockup and accumulated FCS errors observed from stats and log.

Workaround:
A switch port reset might be used to recover this failure. Note, however: that procedure might cause potential HSB lockups.

Fix:
FCS errors and link instability no longer occur.


666689-1 : Occasional "profile not found" errors following activate access policy

Component: Access Policy Manager

Symptoms:
Immediately following the applying of a modified access policy it is possible for some profiles to disappear.
It is transient and within a minute or two the profiles are available again.

Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids will clear the list of profiles and policies and then rebuild those lists. Authentication requests using profiles or policies not yet rebuilt returned the "profile not found" error.

Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.

Workaround:
Retry the authentication.

Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.


666595-2 : Monitor node log fd leak by bigd instances not actively monitoring node

Component: Local Traffic Manager

Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.

Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.

Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.

File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon no longer leaks file descriptors for monitor node logs when multiple instances of bigd are running, LTM health monitors are configured with node logging enabled, and the monitor is then removed from the LTM node, pool, or pool member configuration.


666505-2 : Gossip between VIPRION blades

Component: iApp Technology

Symptoms:
The REST framework's 'gossip' mechanism does not appear to run between VIPRION blades in a device service cluster.

Conditions:
-- VIPRION systems.
-- Configured with device service clustering and a high availability (HA) group.
-- The REST framework's 'gossip' mechanism is configured on the non-primary blade.

Impact:
Gossip being enabled on the non-primary VIPRION blade interferes with communication between the primary and the remote peer.

Workaround:
None.

Fix:
The system no longer enables Gossip sync on non-primary VIPRION blades.

Behavior Change:
Previously, when The REST framework's 'gossip' mechanism was enabled on the non-primary VIPRION blade, it interfered with communication between the primary and the remote peer. Now, the 'gossip' mechanism is disabled on the non-primary blade, so communication between the primary and the remote peer is not impacted.


666454-2 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Solution Article: K05520115

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.


666401-2 : Memory might become corrupted when a Standby device transitions to Active during failover

Solution Article: K03294104

Component: Local Traffic Manager

Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.

Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is no longer corrupted.


666315 : Global SNAT sets TTL to 255 instead of decrementing

Component: Local Traffic Manager

Symptoms:
Global SNAT sets the TTL to 255 instead of decrementing.

Conditions:
Global SNAT configured.

Impact:
Possible routing loop.

Workaround:
No workaround.

Fix:
TTL for global SNAT now gets decremented.


666221-2 : tmm may crash from DoSL7

Solution Article: K47152503

Component: Application Security Manager

Symptoms:
tmm crash.

Conditions:
A virtual server configured with the following:
compression profile configuration, HTTP/DoSL7 with DoSL7 iRule, RamCache.

Impact:
SIGSEGV. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a possible tmm crash.


666160-1 : L7 Policy reconfiguration causes a slow memory leak

Solution Article: K63132146

Component: Local Traffic Manager

Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.

Conditions:
A virtual server with L7 policies has a configuration change.

Impact:
The memory leak will reduce the amount of resources for the TMM.

Workaround:
None.

Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.


666112-1 : TMM 'DoS Layer 7' memory leak during config load

Solution Article: K53708490

Component: Application Security Manager

Symptoms:
Degraded performance; potential eventual out-of-memory.

Note: The 'DoS Layer 7' allocations increase by 'TMM count * #domains' after each config load.

Tip: You can watch the watch the 'DoS Layer 7' allocations increase on a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'

Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' are added to the config.
-- Load the config from another shell using the following command:
 tmsh load sys config

Impact:
Degraded performance; potential eventual out-of-memory.

Workaround:
None.

Fix:
Fix memory leak after each config load.


666058-2 : XenApp 6.5 published icons are not displayed on APM Webtop

Solution Article: K86091857

Component: Access Policy Manager

Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.

VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size.

Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications more icon bitmap information than expected.

Impact:
Icons are not displayed on the APM Webtop

Workaround:
None.

Fix:
Now APM Webtop correctly displays Citrix XenApp icons correctly regardless of the size of the bitmap data.


666035-1 : Obscuring secrets in files collected by qkview

Component: TMOS

Symptoms:
Some config files collected by qkview may have clear text secrets.

Conditions:
Run qkview and extract to see files with cleartext secrets

Impact:
Plaintext secrets are uploaded to iHealth.

Workaround:
To workaround this issue, follow this procedure:
1. Untar qkview file.
2. Obfuscate secrets from the affected file.
3. Recreate qkview file to upload.

For more information, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.

Qkview obfuscation
==================
-- Specific information from text files collected by qkview can be replaced/obscured.
-- Configuration file is in JSON format and it requires regex search pattern and replacement text for given files.

  Config file
  ===========
  /etc/qkview_obfuscate.conf

  Config Template
  ===============
  {
    "filename_regex1":
       {
           "search_regex11": "replace_text11",
           "search_regex12": "replace_text12",
           "search_regex13": "replace_text13" <= No comma after the last element.
       },
    "filename_regex2":
       {
           "search_regex21": "replace_text21",
           "search_regex22": "replace_text22",
           "search_regex23": "replace_text23"
       } <= No comma after the last node.
  }

Notes
=====
-- Search-and-replace rules are applied to the files that match the filename regex.

-- Filename and search_pattern are the regex. JSON special characters need to be escaped in the regex. (JSON special chars list :: http://json.org/.)

   Example:
       search_pattern "bindpw\s+(\S+)" should be "bindpw\\s+(\\S+)".
       ('\' is escaped by '\\'.)

-- If a filename matches multiple filename regexes, all rules of those files' regexes are applied to that file.

   Example:
        {
            "abc123\\.conf": {
                "password\\s+(\\S+)": "password ####",
                "passphrase\\s+(\\S+)": "passphrase ####"
            },
            "abc\\w+\\.conf": {
                "bindpw\\s+(\\S+)": "bindpw dummypasswd"
            }
        }

     Because abc123.conf matches both filename regexes, all three rules are applied to abc123.conf.

-- Obfuscation works only on text files. Compressed files are ignored.

-- The qkview command fails if the config file is syntactically incorrect.

Sample config
=============
  {
      "abc123\\.conf": {
          "password\\s+(\\S+)": "password ####",
          "passphrase\\s+(\\S+)": "passphrase ####"
      },
      "myapp?\\w+\\.conf": {
          "bindpw\\s+(\\S+)": "bindpw dummypasswd"
      }
  }

  "abc123\\.conf" - matches abc123.conf
  "myapp?\\w+\\.conf - matches myapp*.conf


666032-3 : Secure renegotiation is set while data is not available.

Solution Article: K05145506

Component: Local Traffic Manager

Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.

Conditions:
This occurs when handling SSL secure renegotiation in certain connections.

Impact:
Crashes happen to certain SSL connections.

Workaround:
None.

Fix:
Secure renegotiation is set while data is not available no longer causes a crash in certain connections.


665924-1 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios

Solution Article: K24847056

Component: Local Traffic Manager

Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.

Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.


665905 : Signature System corruption from specific ASU prevents ASU load after upgrade

Solution Article: K83305000

Component: Application Security Manager

Symptoms:
After loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im" on 11.5.4 HF2 (or later) and upgrading to certain software versions, attempts to perform Signature Update fail.

Conditions:
-- Loading Attack Signature Update "ASM-SignatureFile_20170403_145743.im".
-- Using v11.5.4 HF2 (or later).
-- Upgrading the device to 11.6.1, 12.1.0, 12.1.1, or 12.1.2.

Impact:
Attempts to perform Signature Update fail.

Workaround:
The mistaken Signature System can be deleted using the following SQL:

----------------------------------------------------------------------
UPDATE PLC.NEGSIG_SIGNATURE_SYSTEMS set system_id = 14 where system_id = (select system_id FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache');
DELETE FROM PLC.NEGSIG_SYSTEMS where system_name = 'Apache';
----------------------------------------------------------------------

Fix:
Database corruption introduced by loading Attack Signature Update 'ASM-SignatureFile_20170403_145743.im' is now corrected upon upgrade.


665778-1 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

Solution Article: K34503519

Component: iApp Technology

Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'

Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.

Impact:
Cannot view/re-deploy iApps.

Workaround:
Use TMSH to view/re-deploy iApps.

There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.

Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.

-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.

-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
   https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.

Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.


665732-2 : FastHTTP may crash when receiving a fragmented IP packet

Solution Article: K45001711

Component: Local Traffic Manager

Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.

Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.

Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.

Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.


665656-1 : BWC with iSession may memory leak

Component: TMOS

Symptoms:
A memory leak may occur when BWC is configured with iSession.

Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.

Impact:
A memory leak.

Workaround:
None.

Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.


665652-2 : Multicast traffic not forwarded to members of VLAN group

Solution Article: K41193475

Component: Local Traffic Manager

Symptoms:
Multicast traffic traversing through the BIG-IP system through a VLAN that is member of a VLAN group does not get forwarded to other members of the VLAN group.

Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.

Impact:
Traffic is not forwarded to the other members of the VLAN group.

Workaround:
None.

Fix:
Multicast traffic is now correctly forwarded to members of VLAN group.


665470-1 : Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised

Component: Application Security Manager

Symptoms:
Failed to Learn page malicious IP addresses in a specific case.

Conditions:
-- IP intelligence is turn on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.

Fix:
The system now Learns page malicious IP addresses when IP intelligence is turn on and logging is turned off.


665416-3 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used

Solution Article: K02016491

Component: Access Policy Manager

Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.

Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.

Impact:
TMM may run out of memory and crash, causing service interruption.

Workaround:
None.

Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.


665362-4 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.

Fix:
Added error handling to prevent crash. If this error occurs in the future it will not crash, but a restart of mcpd is required.


665354-2 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.


665347-2 : GTM listener object cannot be created via tmsh while in non-Common partition

Solution Article: K17060443

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.

Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2

Impact:
The listener will not be created. The system outputs an error similar to the following:
 01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.

Workaround:
None.

Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.


665330-1 : MSIE 11 should avoid compatibility mode

Component: Access Policy Manager

Symptoms:
MSIE 11 in compatibility mode is causing JS errors because MSIE 7-9 are not good in javascript.

Conditions:
APM Client and MSIE 11 forced to compartibility mode.

Impact:
Certain pages on client UI are not being rendered or being rendered with errors.

Workaround:
Don't push MSIE 11 to compatibility mode with APM
Use browsers that are good with javascript.

Fix:
We've added meta that sets MSIE in native mode. Although group policy in domain still can overwrite it, for most use cases it's enough.


665185-1 : SSL handshake reference is not dropped if forward proxy certificate lookup failed

Solution Article: K20994524

Component: Local Traffic Manager

Symptoms:
In rare cases, when forward-proxy certificate-lookup fails, the SSL handshake reference is not dropped, which can consume memory that is no longer needed.

Conditions:
Forward-proxy certificate-lookup fails; specifically, input string size is larger than maximum allowed.

Impact:
tmm memory use grows.

Workaround:
None.

Fix:
The system now drops the SSL handshake reference when when forward-proxy certificate-lookup fails. This is correct behavior.


665022-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
Packet length exceeds rateshaper's configured max ceiling.

Impact:
The flow stalls.

Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.

Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.


664930-2 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.


664894-1 : PEM sessions lost when new blade is inserted in chassis

Solution Article: K11070206

Component: TMOS

Symptoms:
Inserting a blade into a chassis that is using high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command as well as entries stored in the SessionDB from modules.

Conditions:
HA in use 'between clusters'.

Impact:
Data loss of some SessionDB entries.

Workaround:
In order to cleanly add a blade, put the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'

Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.


664829-1 : BIG-IP sometimes performs unnecessary reboot on first boot

Component: TMOS

Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of its disk has changed, and re-sizes the partition table and causes a reboot to occur. This is likely to occur only on VE guests.

Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.

Note: A specific software version for a specific cloud environment either always exhibit this, or never does.

Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.

Workaround:
None.

Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.


664769-1 : TMM may restart when using SOCKS profile and an iRule

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.


664737-2 : Do not reboot on ctrl-alt-del

Component: TMOS

Symptoms:
BIG-IP reboots on ctrl-alt-del keys

Conditions:
VE with ctrl-alt-del keys in the video console.

Impact:
BIG-IP reboots.

Fix:
prevent reboot on ctrl-alt-del


664714-1 : Client-side challenge is changing POST parameter value under some circumstances

Component: Application Security Manager

Symptoms:
A parameter arrives with a different value to the server than was sent from the client. Happens while a brute force attack or web scraping challenge or web scraping session client-side mitigation is happening,

Conditions:
-- POST request with URL-decoded parameters.
-- A parameter is escaped.
-- A client-side challenge is returned for this request.

Impact:
The wrong parameter arrives to the application. In response, the application may stop working or have other errors.

Workaround:
N/A

Fix:
Client-side challenge no longer changes POST parameter value under described circumstances.


664708-2 : TMM memory leak when DoS profile is attached to VS

Component: Application Security Manager

Symptoms:
TMM memory leak when DoS profile is attached to VS

Conditions:
1. have DoS profile
2. traffic from search engine is coming to this VS
3. DNS resolver is configured

Impact:
TMM memory use increases over time.

Workaround:
There is no workaround at this time.

Fix:
Free memory periodically.


664618-3 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Component: Local Traffic Manager

Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.

Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.

Conditions:
-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.

Impact:
Connections are reset, when only alerting is expected.

Workaround:
None.

Fix:
Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile. When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic will be blocked, and logging to be seen in both LTM log and PSM event logs.


664549-2 : TMM restart while processing rewrite filter

Solution Article: K55105132

Component: TMOS

Symptoms:
TMM restart and failover occurs while processing rewrite filter.

Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.

Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM restart and failover no longer occurs while processing rewrite filter.


664535-1 : Diameter failure: load balancing fails when all pool members use same IP Address

Component: Service Provider

Symptoms:
Case1: Run 2 Servers with same IP but different ports. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server. Same result when use-local-connection is disabled.

Case2: Run 2 Servers with same IP but different ports but this time use MR::message route iRule command to route messages between hosts. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server.

Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.

Impact:
All the requests from the same client are delivered to 1 server only.

Workaround:
Use different IP address in the pool member. Or use different IP address as the client request.

Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.


664528-1 : SSL record can be larger than maximum fragment size (16384 bytes)

Solution Article: K53282793

Component: Local Traffic Manager

Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.

Conditions:
This usually happen when a large certificate or certificate chain is configured for server or client authentication.

Impact:
SSL handshake will fail with client or server that properly checks the record size.

Workaround:
Use a certificate that is smaller in size.

Fix:
Properly fragment handshake data.


664507-3 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration

Component: Access Policy Manager

Symptoms:
IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates

Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.

Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.

Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.

Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.


664461-3 : Replacing HTTP payload can cause tmm restart

Solution Article: K16804728

Component: Local Traffic Manager

Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.

Conditions:
Occurs when server response is non-chunked, does not contain a Content-Length header, an iRule adds a Content-Length header and performs an HTTP::payload replace command where the length is shorter than the original body length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.


664063-1 : Azure displays failure for deployment of BIG-IP from a Resource Manager template

Solution Article: K03203976

Component: TMOS

Symptoms:
When deploying BIG-IP images through Azure Resource Manager or Marketplace Solution templates, the Azure portal will never display success. A timeout will eventually occur and the deployment will appear to have failed.

Conditions:
Deployment from an Azure Resource Manager or Solution template, including the BIG-IP WAF Solution from the Azure Security Center.

Impact:
A successful deployment will appear to have failed when monitoring the status in the Azure portal.

Workaround:
None.

Fix:
Deployments of BIG-IP from Azure Resource Manager or Marketplace Solution templates, or the BIG-IP WAF Solution from the Azure Security Center, now show the correct deployment status.


664057-2 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached

Component: TMOS

Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.

Conditions:
Pre-12.0.0 configuration with an WideIP without any pools, but with an iRule.

Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.

Workaround:
Manually add missing WideIPs after upgrade.

Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.


664017-3 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.

Fix:
These responses are now accepted.


663974-2 : TMM crash when using LSN inbound connections

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using an LSN pool with inbound connections.

Conditions:
LSN inbound connections configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using an LSN pool with inbound connections.


663924-2 : Qkview archives includes Kerberos keytab files

Component: TMOS

Symptoms:
Qkview captures Kerberos keytab files used for APM dataplane services.

Conditions:
APM provisioned with Kerberos authentication.

Impact:
Private security key exposure.

Workaround:
There is no workaround.

Fix:
Qkview no longer collects 'kerberos_keytab_file_d' directory containing keytab files when creating qkview archive.


663821-3 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.


663770-2 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Solution Article: K04025134

Component: Advanced Firewall Manager

Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.

This is a regression from 12.1.x behavior.

Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.

Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.

Workaround:
There is no workaround at this time.

Fix:
Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).


663580-1 : logrotate does not automatically run when /var/log reaches 90% usage

Solution Article: K31981624

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a desription for expected behavior.

Workaround:
None.

Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.


663551-1 : SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event

Solution Article: K14942957

Component: Local Traffic Manager

Symptoms:
If an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE event, the expected result is that the SERVERSSL_DATA event will be raised when the serverside receives the SSL data. Then, the decrypted SSL data can be examined and manipulated.
*****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
when SERVERSSL_DATA {
    log local0. "ServerSSL Data"
    log local0. [SSL::payload]
    SSL::release
}
*****************************

The issue is that SERVERSSL_DATA is not raised, even when the serverside receives the SSL data when the iRule calls the [SSL::collect] in the SERVERSSL_HANDSHAKE:
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Conditions:
Calling the [SSL::collect] in the SERVERSSL_HANDSHAKE event.
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Impact:
SERVERSSL_DATA event is not raised.

Workaround:
Add the [SSL::release] command in the SERVERSSL_HANDSHAKE event.
**********************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
    SSL::release
}

Fix:
SERVERSSL_DATA event is now raised when an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE.


663535-1 : Sending ASM cookies with "secure" attribute even without client-ssl profile

Component: Application Security Manager

Symptoms:
ASM cookies can be set with "secure" attribute on when BIG-IP works on SSL profile.

Conditions:
Enabling ASM, network to BIG-IP without client-ssl.

Impact:
When working with encrypted network in the client side but clear network in the ASM virtual, cookies cannot be set with "secure" attributes.

Workaround:
There is no workaround at this time.

Fix:
Added an internal parameter "assume_https", to decide always setting the "secure" attribute, even when the BIG-IP network is clear.


663531-1 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a BIG-IP system when a GRE tunnel matches a PPTP-GRE flow

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Possible mitigation by not using a forwarding virtual for non-PPTP GRE traffic.

Fix:
The system now drops the new flow/tunnel and allow it to clean up, so TMM no longer crashes when PPTP finds a non-PPTP-GRE flow when checking for an existing tunnel.


663521-2 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.

Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.


663506-7 : apmd crash during ldap cache initialization

Solution Article: K30533350

Component: Access Policy Manager

Symptoms:
apmd crashes.

Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).

Impact:
BIG-IP cannot process user logon request, until apmd is restarted and LDAP cache is updated

Workaround:
The best practice is to update policy/AAA LDAP Server when BIG-IP is not under load. Then make one logon manually. apmd updates caches on first APM end-user's logon. Once caches update, all the further logons should happen much faster and should not cause any problems

Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.


663396-1 : URL Method override is enforced incorrectly after upgrade

Component: Application Security Manager

Symptoms:
After an upgrade, an overridden HTTP method on a particular URL is enforced incorrectly. Additionally, in a rare circumstance, requests using GET method are illegal after upgrade.

Conditions:
A HTTP method is overridden on a particular URL and the system is upgraded.

Impact:
Requests are incorrectly blocked.

Workaround:
Make a spurious change to any policy and click 'Apply Policy'.

Fix:
Overridden HTTP methods are enforced correctly after upgrade.


663366-3 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.


663333-1 : TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high

Component: Carrier-Grade NAT

Symptoms:
TMM may core while trying to allocate a new block

Conditions:
If LSN pool is under provisioned OR if the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. The TMM may core if these operations time out

Impact:
Traffic disrupted while tmm restarts.


663326-2 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
  [default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.


663310-3 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files

Component: Global Traffic Manager (DNS)

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;

Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".

On upgrade, the config needs to be parsed looking for slave zones that do not specify the masterfile-format and set them to "text".


663197-3 : Security hardening of files to prevent sensitive configuration from being stored in qkview.

Component: TMOS

Symptoms:
Sensitive configuration information, such as auth-related passwords, is being stored in cleartext in qkview files.

Conditions:
Run qkview and extract to see files with cleartext configuration information.

Impact:
Cleartext configuration information is uploaded to iHealth

Workaround:
None.

Fix:
Security hardening of files to prevent sensitive configuration from being stored in qkview. Cleartext passwords will be replaced with **** in all of the following config files while collecting in qkview:

/config/bigip/auth/pam.d/cert-ldap/system-auth.conf
/config/bigip/auth/pam.d/ldap/system-auth.conf
/config/bigip/auth/pam.d/radius/system-auth.conf
/config/bigip/auth/pam.d/tacacs/system-auth
/config/bigip/auth/pam.d/ocsp/*
/config/bigip/auth/pam.d/cc_ldap/*


663178-1 : tmm may crash sometimes usng VPN

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP fail over

Conditions:
VPN is used

Impact:
tmm crash and BIG-IP fail over. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Problem is fixed.


663127-1 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.

Component: Access Policy Manager

Symptoms:
Symptom will show as an error log in /var/log/apm similar to the one below:

Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list

When this error message is logged, subsequent authentication attempt using this BIG-IP as IdP object will fail.

Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { "" user@f5.com }
            name User.Email
        }
    }

Impact:
Authentication will fail for users using affected SAML IdP object.

Workaround:
Manually edit bigip.conf configuration fail and remove empty value(s) in SAML attribute, e.g.:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { user@f5.com }
            name User.Email
        }
    }

Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.


663073-1 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Component: Global Traffic Manager (DNS)

Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.

If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.

Impact:
Available pool members might be potentially lost from the combo box until a page reload.

Note: The pool members are not gone from the system; they are still present, just not displayed.

Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.

Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.


663063-2 : Disabling pool member used in busy HSL TCP destination can result service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.

Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.


662911-2 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance

Solution Article: K93119070

Component: Local Traffic Manager

Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.

Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.

Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.

Workaround:
None.

Fix:
The SASP monitor can be used to monitor pool member availability on multiple vCMP guests running on a single BIG-IP appliance or VIPRION chassis.


662881-2 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.


662850-2 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349


662844 : TMM crashes if Diameter MRF mirroring is enabled in v12.x.x. Diameter MRF mirroring is not implemented in v12.x.x.

Solution Article: K87735013

Component: Service Provider

Symptoms:
Mirroring for Diameter MRF was not implemented in v12.x.x. However, there is a option that allows the user to enable it. When enabled, tmm crashes.

Conditions:
-- Connection mirroring is enabled for Diameter MRF virtual server's router profile.
-- Using v12.x.x.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Note: Mirroring for Diameter MRF was implemented in v13.0.0. The presence of the option to enable the unimplemented functionality is erroneous.

Workaround:
Do not enable Diameter MRF router profile's connection mirroring setting for v12.x.x.

Fix:
Diameter MRF mirroring for Diameter MR has been implemented beginning with v13.0.0. Enabling this option in v12.x.x results in a tmm crash.


662816-2 : Monitor node log fd leak for certain monitor types

Solution Article: K61902543

Component: Local Traffic Manager

Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.

Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.

This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.

The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open

Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.

File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon does not leak file descriptors for monitor node logs when certain types of LTM health monitors are configured with node logging enabled and the monitor is then removed from the LTM node, pool, or pool member configuration.


662663-6 : Decryption failure Nitrox platforms in vCMP mode

Solution Article: K52521791


662639-2 : Policy Sync fails when policy object include FIPS key

Component: Access Policy Manager

Symptoms:
Policy sync failed with a vague error:

err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
   + Create FIPS key and certificate:
     1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
     2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
   + Create a rewrite profile:
     1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
     2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
   + Create an access profile.
   + Create a virtual server and attach the access profile and rewrite profile to it.
     (Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.

Impact:
Feature failure for specific configurations.

Workaround:
None.

Fix:
Now APM policy sync succeeds even when policy includes FIPS key.


662372-1 : Uploading a new device certificate file via the GUI might not update the device certificate

Solution Article: K41250179

Component: TMOS

Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.

Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.

Impact:
The device certificate is not updated and no error is shown.

Workaround:
Use the 'Paste Text' option to import the certificate.


662364-2 : MRF DIAMETER: IP ToS not passing through with DIAMETER

Component: Service Provider

Symptoms:
IP layer's ToS is not passing through MRF Diameter.

Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.

Impact:
The ToS from the client does not reach the server.

Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.

Fix:
The ToS bit that arrives from the clientside connection is able to pass-through with Diameter MRF.


662331-1 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.


662281-2 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups


662085-1 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.

Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.


662078-1 : Occasionally connections are dropped in response to timing errors

Component: Local Traffic Manager

Symptoms:
Occasionally connections are dropped and the following message is posted, even when TPS is set to UNLIMITED: SSL transaction (TPS) rate limit reached.

Conditions:
-- SSL traffic is received.
-- A certain timing condition is encountered.

Impact:
Connection is dropped. This is an occasional, timing-related issue.

Workaround:
There is no workaround at this time.

Fix:
Timing error no longer occurs when SSL traffic is received, so connections are not dropped.


662022-5 : The URI normalization functionality within the TMM may mishandle some malformed URIs.

Solution Article: K34514540


661881-2 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Solution Article: K00030614

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.

Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.


661828-1 : TMM may consume excessive resources when processing SSL traffic

Solution Article: K55101404


661764-2 : It is possible to configure a number of CPUs that exceeds the licensed throughput

Solution Article: K53762147

Component: TMOS

Symptoms:
The system does not prevent you from selecting a number of CPUs that exceeds the license's throughput limit.

Conditions:
Configure a number of CPUs that exceeds the licensed throughput, for example, configuring 4 CPUs on a 2Mbps license on a VE system.

Impact:
Depending on the operations performed, it is possible for tmm to core.

Workaround:
None, other than configuring only the available number of CPUs.

Fix:
The system now detects when a configuration invalid for the license is in use and fails gracefully, presenting an error message explaining the failure.


660913-1 : For ActiveSync client type, browscap info provided is incorrect.

Component: Access Policy Manager

Symptoms:
Clients using Microsoft ActiveSync are failing access policy evaluation.

Conditions:
-- This occurs with clients using Microsoft ActiveSync.
-- It can be encountered on upgrade if you are upgrading to version 12.1.2 - 14.1.0 from an earlier version.

Impact:
Clients using ActiveSync cannot authenticate.

Workaround:
None.

Fix:
Session variable session.client.browscap_info is now set correctly.


660711-1 : MCPd might crash when user trying to import a access policy

Solution Article: K05265457

Component: Access Policy Manager

Symptoms:
MCPd restarts during importing an access policy; other daemon might also restart because of MCPd restart.

Conditions:
-- An access policy uses the same agent more than once.
-- Importing that access policy.
-- You do not use GUI/VPE to manage access policy, but directly modify the config file in exported access policy.

Impact:
MCPd and some other daemons restart. GUI unresponsive until daemons restart.

Workaround:
Always use the GUI/VPE to manage access policies; do not modify the config file for an exported access policy.

Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.


660532-2 : Cannot specify the event parameter for redirects on the policy rule screen.

Solution Article: K21050223

Component: TMOS

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.

Fix:
This release has an option for choosing event for redirect action.


660327-2 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

Component: Application Security Manager

Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.

In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.

Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.

And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).

Impact:
Config load fails. Upgrade fails.

Workaround:
Use one of the following Workarounds:
1.
Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all

(Note: Saving the UCS also saves the configuration.)

2.
Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'


660263-4 : DNS transparent cache message and RR set activity counters not incrementing

Component: Global Traffic Manager (DNS)

Symptoms:
The message and Resource Record (RR) set counters for transparent caches do not increment to reflect traffic.

Conditions:
The cache is of type transparent.
-- Viewing statistics counters.

Impact:
The statistics counters stay zero.

Workaround:
There is no workaround.

Fix:
The system now enables the code that increments these counters for transparent caches similar to other type caches.


660239-3 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see such errors in the http error logs

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.


660187-3 : TMM core after intra-chassis failover for some instances of subscriber creation

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The high availability (HA) configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Verify the validity of the AVPs before copying the attributes


660170-1 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Solution Article: K28505910

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow for VLAN failsafe to be updated for any frame, run the following command with VLAN failsafe enabled, run the following command:
 tmsh modify failover.vlanfailsafe.resettimeronanyframe enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
Generating ICMP traffic from TMM is no longer exposed to a potential crash in an invalid configuration or a completely quiet network, when generating ICMP traffic to provoke a network response on an expiring timer of VLAN failsafe, assuming the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).


659969-1 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.


659912-1 : GSLB Pool Member Manage page display issues and error message

Solution Article: K81210772

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.

Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.


659899-1 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.


659791-2 : TFO and TLP could produce a core file under specific circumstances

Solution Article: K81137982


659709-1 : Mirroring persistence records may cause a TMM memory leak

Component: Local Traffic Manager

Symptoms:
Mirroring persistence records may cause a Traffic Management Microkernel (TMM) memory leak.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The tmsh show /sys memory command indicates that TMM memory usage increases over time.
-- The TMM process generates a core file to the /shared/core directory.
-- The BIG-IP system generates a SIGSEGV fault message in the /var/log/tmm log file.

Conditions:
-- Mirroring enabled on virtual server and/or persistence profile.
-- Persistence used.
-- Another error condition exists, such as high availability (HA) channel down or no mirroring address configured.

Impact:
Traffic is disrupted while the TMM process produces a core file and restarts. Systems configured as part of a HA device group may fail over to a peer device.

Workaround:
To work around this issue, you can disable the Mirror Persistence option for the persistence profiles or make sure the mirroring channel is properly configured and operational. For information about troubleshooting the mirroring channel, refer to K54622241: Troubleshooting connection mirroring :: https://support.f5.com/csp/article/K54622241.

Fix:
When HA mirroring is re-established, persist records will now be freed


659648-2 : LTM Policy rule name migration doesn't properly handle whitespace

Component: Local Traffic Manager

Symptoms:
LTM Policy validation does not allow rule names to begin or end with whitespace characters. When migrating configuration to the next version, the migration process attempts to trim off any leading and trailing whitespace. However, this process does not handle leading and trailing whitespace when such characters occur within a double quoted string.

Conditions:
LTM policy with a rule name that contains leading and/or trailing whitespace characters. These will typically occur within a double-quoted string. Here is an example that one might find in bigip.conf:

ltm policy example1 {
    rules {
        " leading and trailing spaces " {
            ...
        }
        ...
    }

Impact:
Policy rules are migrated incorrectly, then fail validation because there of remaining leading and/or trailing whitespace characters.

Workaround:
Prior to migration, LTM Policy rule name can be renamed to remove leading and trailing whitespace. After a failed migration, bigip.conf can be manually edited to remove offending characters and then the configuration can be manually loaded.

Fix:
LTM Policy migration properly handles whitespace in rule names in a quoted string.


659567-1 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Solution Article: K94685557

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.

Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.


659519-1 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Solution Article: K42400554

Component: Local Traffic Manager

Symptoms:
HTTP2 connection sent RST_STREAM due to protocol error in response to headers frame.

Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.

Impact:
Periodic HTTP2 connection failure to the virtual.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.


659371-2 : apmd crashes executing iRule policy evaluate

Solution Article: K54310201

Component: Access Policy Manager

Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.

Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.

Impact:
apmd crashes and restarts, preventing end users from logging in.

Workaround:
NOne.

Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.


659173-1 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes

Solution Article: K76352741

Component: Service Provider

Symptoms:
Diameter messages longer than 1024 might cause core dumps.

Conditions:
Using Diameter messages longer than 1024.

Impact:
Diameter MRF virtual servers.

Workaround:
Make sure messages are less than 1024 bytes.

Fix:
Messages of 4096 or fewer bytes now pass, and longer messages no longer cause core dumps.


659057-1 : BIG-IP iSeries: Retrieving the gateway from the Host via REST through the LCD

Component: TMOS

Symptoms:
The LCD on BIG-IP iSeries appliances must detect whether the system is in IPv4 or IPv6 context before retrieving the gateway from the Host via REST. If two gateways are configured (IPv4 and IPv6) only whichever is first in the list is returned via REST and will be set on the Host.

Conditions:
If two gateways are configured (IPv4 and IPv6).

Impact:
Incorrect gateway retrieval can create bad configs which would impact traffic resulting in failed ping attempts, destination unreachable errors, request timeouts, etc.

Workaround:
No workaround at this time.

Fix:
LCD code now retrieves the correct gateway when switching between IPV4 and IPV6 context.


658989-2 : Memory leak when connection terminates in iRule process

Component: Local Traffic Manager

Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.

Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.

Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid suspend/park commands in iRule processing.

Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.


658852-5 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.


658664-3 : VPN connection drops when 'prohibit routing table change' is enabled

Solution Article: K21390304

Component: Access Policy Manager

Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.

Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.

Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.

Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.

Fix:
Now the Windows Edge Client VPN connection stays active during a brief network outage, regardless of the state of the 'prohibit routing table changes' option.


658636-2 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.


658574-2 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.

Solution Article: K61847644

Component: TMOS

Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.

Warning: disabling auto-lasthop is not enough when they want BIG-IP to use updated destination MAC address.

Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.

Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.

Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.


658557-2 : The snmpd daemon may leak memory when processing requests.

Solution Article: K35209601


658417-1 : REST: Failure to authenticate/renew user who is using expired password

Component: Device Management

Symptoms:
1. Authentication failed for REST user, instead of prompt to renew the password.
2. Authentication is down briefly.

Conditions:
1. REST API is used.
2. User password is expired.

Impact:
1. Core log is dumped.
2. Authentication is down briefly.

Workaround:
There is no workaround at this time.

Fix:
Request to /mgmt/shared/authn/login with a user with an expired password returns a 401 and a response asking the user to change their password using basic auth.


658382-1 : Large numbers of ERR_UNKNOWN appearing in the logs

Component: Local Traffic Manager

Symptoms:
There are times when LTM Policy subsystem attempts to execute particular actions, which fail and result in LTM Policy writing an error to the logs with an error type of ERR_UNKNOWN.

Conditions:
This has been observed when plugins are active and experiencing high traffic volumes. The logging of ERR_UNKNOWN occurs when filters and plug-ins experience failures (such as out of memory) and react by initiating a reset of the connection. When these filters and plug-ins return an error to LTM Policy, LTM Policy logs ERR_UNKNOWN.

Impact:
This is a case of unnecessary logging, and there is no adverse effect other than a higher-than-normal amount of logging.

Workaround:
None


658343-2 : AVR tcp-analytics: per-host RTT average may show incorrect values

Solution Article: K33043439

Component: Application Visibility and Reporting

Symptoms:
When viewing the Statistics :: Analytics :: TCP :: RTT, then selecting (in the table below the graph), View By: "Remote Host IP Address", the values presented RTT Avg (ms) may be incorrect (they could even be larger than the RTT Max column).

As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.

Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.

Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.

Workaround:
None.

Fix:
The rtt_count, rtt_max, rtt_avg, rtt_sum metrics after day aggregation and week aggregations are now correct in the day, week, month reports. The rtt_sum is now aggregated with correct value (exceed max int), as expected.


658321-2 : Websafe features might break in IE8

Component: Fraud Protection Services

Symptoms:
IE8 transform all custom HTTP headers names to lowercase
in case header name configured with upper-case characters, WebSafe feature might break.

Conditions:
custom HTTP header configured with upper case characters
client is IE8.

Impact:
FPS plugin will not find the header, as it received lower-case but configured with upper-case characters
as a result, WebSafe functionality is broken (functionality which involve the custom HTTP header, e.g. ajax username header)

Workaround:
Set custom HTTP header name to lower case only.

Fix:
FPS now performs case-insensitive matches for custom HTTP headers.


658298-3 : SMB monitor marks node down when file not specified

Component: TMOS

Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.

Conditions:
Pool member monitored with smb monitor.

Impact:
Service impact due to node being marked down.

Workaround:
Configure monitor to fetch file (authenticated).


658261-2 : TMM core after HA during GY reporting

Solution Article: K12253471

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting

Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.

Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.

Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.

Workaround:
None.


658214-2 : TCP connection fail intermittently for mirrored fastl4 virtual server

Solution Article: K20228504

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror dv variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual server now forward the SYN on the server-side after receiving the context-ack from the peer as expected.


658148-2 : TMM core after intra-chassis failover for some instances of subscriber creation

Solution Article: K23150504

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.


657883-2 : tmm cache resolver should not cache response with TTL=0

Solution Article: K34442339

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.

Fix:
The system no longer caches ttl=0 response for tmm cache resolver. This is correct behavior.


657795-1 : Possible performance impact on some SSL connections

Solution Article: K51498984

Component: Local Traffic Manager

Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.

Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.

-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.

Impact:
Performance may be impacted on those SSL connections.

Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.

Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.


657713-5 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Solution Article: K05052273

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when either of the following conditions are met:
1.
-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- The gateway pool is configured with Action On Service Down = Reject or Action On Service Down = Drop.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- An outstanding DNS request that is pending response.
2.
-- Your BIG-IP system is not configured to route traffic using a gateway pool.
-- Your BIG-IP system is configured with DNS resolver.
-- All pools are configured with Action on Service Down = None.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
For the set of Conditions defined in the first scenario, you can use the following workaround:

Set service-down-action to Action On Service Down = None or Action On Service Down = Reselect.

There is no workaround for the issue described in the second scenario in Conditions.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.


657632-4 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash

Component: Policy Enforcement Manager

Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.

Conditions:
-- A subscriber delete command followed by a HA switchover.
-- During the switchover, the subscriber was freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now removes the subscriber index from the table if present in these cases.


657626-2 : User with role 'Manager' cannot delete/publish LTM policy.

Component: Local Traffic Manager

Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.

audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.

Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.

Impact:
Operation does not complete, and system posts error.

Workaround:
None.


657502-2 : JS error when leaving page opened for several minutes

Component: Fraud Protection Services

Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore anti-debug module acts as if someone is trying to debug JS code.

Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.

Impact:
Errors in console and JS logic is incorrectly executed.

Workaround:
Identify hidden tab and pause anti-debug functionality.

Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.


657463-2 : SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.

Component: Local Traffic Manager

Symptoms:
SSL sends HUDEVT_SENT to TCP in wrong state which causes HTTP disconnect the handshake.

Conditions:
SSL sends HUDEVT_SENT to TCP in wrong state.

Impact:
Then HTTP disconnects the handshake

Fix:
Don't allow SSL send HUDEVT_SENT event in the wrong state.


656912-4 : Various NTP vulnerabilities

Solution Article: K32262483


656900-1 : Blade family migration may fail

Component: TMOS

Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.

Conditions:
All such blade upgrades.

Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.


656898-2 : 'oops' 'bad transition' messages occur

Component: Local Traffic Manager

Symptoms:
The /var/log/ltm log shows many 'oops' 'bad transition' messages.

Conditions:
These messages occur due to internal invariant violations on full proxy TCP virtual servers. Ramcache or SSL on these virtual servers are likely causes. There may be yet unknown causes.

Impact:
Connections encountering these errors are aborted.

Workaround:
The excess logging may be stopped by setting the DB variable tmm.oops to 'silent'.

Although these errors are not reported, connections are still aborted.

Fix:
The conditions under which this error occurred have been resolved.


656784-2 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Solution Article: K98510679

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

Windows 10 Version 1703 RDP client is using Negotiate HTTP authentication scheme, while APM requires NTLM scheme for RD Gateway.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Use either of the following workarounds:

-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM:
when HTTP_REQUEST {
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }

    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]

    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    if {!$is_rdg_request || !$is_nego_auth} { return; }

    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}

Fix:
After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.


655807-5 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.


655793-1 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Solution Article: K04178391

Component: Local Traffic Manager

Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

So, any SSL record spanning over multiple TCP segments (in this case it's ServerHello, Certificate, and ServerHelloDone) triggers the issue with the SSID error RST cause.

This can also result from a message size exceeding the maximum configured size (default is 32K).

Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).

Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Workaround:
Disable SSL persistence.

Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.


655671-1 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.


655649-2 : BGP last update timer incorrectly resets to 0

Solution Article: K88627152

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
               [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
               [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
               [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
If BGP routes are being redistributed into other protocols, the route may flap in the destination process.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of learned routes via BGP and BGP routes redistributed into other protocols no longer flap.


655628-1 : TCP analytics does not release resources under specific sequence of packets

Component: Local Traffic Manager

Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.

Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.

Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.

Workaround:
Turn off collecting TCP analytics data for the virtual server.

Fix:
TCP analytics now releases resources properly.


655617-1 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge

Solution Article: K36442669

Component: Application Security Manager

Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, browser gets TCP RST and will not be able to pass client-side challenge. The system posts the following error in tmm log: failed parsing header 3.

Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.

Impact:
Browser cannot access the site.

Workaround:
Turn off persistent client identification.

Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.


655500 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH session be rekeyed at least every hour

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.


655470 : IP Intelligence logging publisher removal can cause tmm crash

Solution Article: K79924625

Component: Advanced Firewall Manager

Symptoms:
TMM restart immediately after removing global ip-intelligence logging publisher.

Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }

Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.

Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.

Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.

Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.


655445-2 : Provide the ability to globally specifiy a DSCP value.

Component: Global Traffic Manager (DNS)

Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.

Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.

Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.

Workaround:
None.

Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0, results in the system setting the DSCP value for outgoing traffic to the configured value.


655432-7 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.


655364-1 : Portal access rewriting window.opener causes JS exception

Component: Access Policy Manager

Symptoms:
Portal access engine rewriting window.opener causes JavaScript exception error.

Conditions:
When rewriting window.opener.

Impact:
JavaScript exception error generated.

Workaround:
None.

Fix:
The rewriting window.opener operation now completes with Message 'null', which is correct behavior. No JavaScript exception error is generated.


655357-2 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Solution Article: K06245820

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.

-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.

-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.

-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.


655314 : When failing to load a UCS, the hostname is still changed, only in 12.1.2 or 13.0.0

Component: TMOS

Symptoms:
The platform-migrate option to the UCS load command is supposed to reject UCS archives generated on BIG-IP software v10.x. It does this; however, the hostname of the BIG-IP system changes to the one in the UCS.

Conditions:
You are trying to do a platform-migrate load to 12.1.2 or 13.0.0 of a UCS originating on a system running v10.x.

Impact:
The hostname is changed, but no other configuration is modified.

Workaround:
Set the hostname back to its old value.

Fix:
The hostname is now left unmodified.


655233-1 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.


655211-1 : bigd crash (SIGSEGV) when running FQDN node monitors

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.


655159-1 : Wrong XML profile name Request Log details for XML violation

Solution Article: K84550544

Component: Application Security Manager

Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.

Conditions:
System upgrade.
Request Log details for XML violation.

Impact:
System upgrade does not synchronize properly between policy and already existing XML profiles. System functions properly on existing XML profiles, but violation report reference to the XML profile is wrong.

Workaround:
No workaround for already existing violation records.

For new violation reports, run apply policy.

Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.


655146-2 : APM Profile access stats are not updated correctly

Component: Access Policy Manager

Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:

err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)

Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.

Impact:
APM profile access stats are not accurate.

Workaround:
None.

Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.


655085-2 : While one chassis in a DSC is being rebooted, other members report spurious HA Group configuration errors

Component: TMOS

Symptoms:
Message of the form

"notice sod[nnnn]: 010c006e:5: All devices in traffic group traffic-group-1(1 of 2) should have a HA group."

is logged on peer devices when a Viprion chassis is being rebooted.

Conditions:
Multiple Viprion chassis are configured in a sync-failover device group, using HA Group scores.

Impact:
Log message indicates a configuration error that does not exist.

Workaround:
If these messages occur during a peer reboot, they should be ignored.

Fix:
Viprion chassis does not report HA Group configuration errors during peer reboot.


655059-3 : TMM Crash

Solution Article: K37404773


655021-2 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445


655005-1 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync

Solution Article: K23355841

Component: TMOS

Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.

Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.

Impact:
Peers in a Device Group will get out of sync.

Workaround:
Use a full sync instead.

Fix:
The "Inherit traffic group from current partition / path" virtual-address setting is now synchronized during an incremental sync.


654996-1 : Closed connections remains in memory

Solution Article: K50345236

Component: Application Security Manager

Symptoms:
A connection remains open, which results in memory leaks in the tmm for the connections.
The following command shows connections on traffic that was already closed: tmsh show sys conn.

Conditions:
A ASM_RESPONSE_VIOLATION iRule on the ASM-enabled virtual server.
A request with connection: close.

Impact:
Memory increase due to connections left open.

Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".

Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.


654925-1 : Memory Leak in ASM Sync Listener Process

Solution Article: K25952033

Component: Application Security Manager

Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).

Conditions:
-- asm-sync is enabled on an auto-sync Device Group.

-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
 + Creating/importing/deleting policies.
 + Accepting many suggestions at once.
 + Adjusting Policy Building Settings.

Impact:
RAM is increasing consumed leading to swap usage until the device reaches a panic state.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.


654873-2 : ASM Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.

Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.

Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.

Workaround:
Use manual sync groups for ASM sync.

Fix:
Communication for auto-sync groups repaired.


654599-1 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.


654549-1 : PVA support for uncommon protocols DoS vector

Component: TMOS

Symptoms:
A new HSB bitstream for VIPRION B4450 blades is needed to support IP uncommon protocols for DoS Vector.

Conditions:
Using the B4450 blade.

Impact:
No support for IP uncommon protocols for DoS Vector.

Workaround:
None.

Fix:
HSB v3.2.13.0 bitsteam for VIPRION B4450 blades now provides support for IP uncommon protocols for DoS Vector.

Behavior Change:
This bitstream now supports IP uncommon protocols for DoS Vector. Any number of protocols with values between 0-255 can be simultaneously enabled.


654513-6 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP access profile access policy is configured with an AD Auth agent.
-- The access policy is configured with an LDAP query agent.
-- A user successfully authenticates to the access profile.
-- The LDAP query agent returns no query results.

Impact:
APM daemon crashes, need to restart RBA and WebSSO. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.


654508-2 : SharePoint MS-OFBA browser window displays Javascript errors

Component: Access Policy Manager

Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.

Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.

Impact:
JavaScript errors shown on the MS-OFBA browser window

Workaround:
None.

Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.


654368-7 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Solution Article: K15732489

Component: Local Traffic Manager

Symptoms:
Error is not reported if the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by trusted CAs, if the CRL issuer has the same subject name as one of the certs in trusted CA.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
Error is not reported for invalid CRL.

Workaround:
OpenSSL command can be used to check if the CRL is signed by trusted CA.

The command to verify CRL against a CA file is as follows:
openssl crl -CAfile <path to the CA certificate bundle/file> -noout -in <path to CRL file>

Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.


654109-2 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:

 01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.


654086-3 : Incorrect handling of HTTP2 data frames larger than minimal frame size

Component: Local Traffic Manager

Symptoms:
HTTP2 can vary frame size between 16K bytes (included) and 16 Mbytes (not included).

When a client sends a data frame spawning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.

If the proxy flow control is disabled, this just creates an additional window update frame. If the proxy is in flow control, this causes a flow control error.

Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating RFC. Note: The receiving maximum frame size of the BIG-IP is permanently set at 16384 bytes.

Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.

Workaround:
There is no workaround at this time.

Fix:
When a client sends HTTP2 a data frame exceeding a negotiated maximum frame size, the BIG-IP system correctly resets the stream.


654046-1 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.

Solution Article: K22121533

Component: Access Policy Manager

Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests with the use of inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process such requests. User's SSO will fail with following errors contained in /var/log/tmm:

err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication

Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.

Impact:
Users are unable to perform SAML SSO with certain external service providers.

Workaround:
None.

Fix:
Now BIG-IP APM as IdP SAML canonicalized authentication requests containing inclusive namespaces can be processed successfully.


654011-2 : Pool member's health monitors set to Member Specific does not display the active monitors

Solution Article: K33210520

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.

Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.


653993-3 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607


653976-2 : SSL handshake fails if server certificate contains multiple CommonNames

Solution Article: K00610259

Component: Local Traffic Manager

Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).

Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.

Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.

The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.


653930-2 : Monitor with description containing backslash may fail to load.

Solution Article: K69713140

Component: Local Traffic Manager

Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.

Conditions:
Monitor with description containing backslash.

Impact:
Configuration changes without human intervention. Potential load failure.

Workaround:
Don't use backslashes in monitor descriptions.


653895 : Admin user cannot edit policy

Component: Application Security Manager

Symptoms:
While logged into the active device, you are unable to edit a policy. The Save and Reconfigure buttons are grayed out. The standby device allows you to edit the policy and you can deploy the change to the active device, but you occasionally can't edit it from the active device.

Conditions:
It is not known what triggers this intermittent problem.

Impact:
Admin users are unable to edit a policy on the active device.

Workaround:
You can edit the policy on the standby device and deploy it to the active device.


653888-2 : BGP advertisement-interval attribute ignored in peer group configuration

Component: TMOS

Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.

Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value

Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.

Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.

Fix:
BGP advertisement-interval attribute is no longer ignored in peer group configuration


653880 : Kernel Vulnerability: CVE-2017-6214

Solution Article: K81211720


653775-3 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Solution Article: K05397641

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups does not synchronize.

Workaround:
Remove ampersand from sync group name.

Fix:
Fixed issue that prevented GTM sync groups with an ampersand (&) in the GTM synchronization-group-name from syncing.


653772-2 : fastL4 fails to evict flows from the ePVA

Component: TMOS

Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.

Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.

Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.

Workaround:
Disable HW acceleration.

Fix:
There are now no unknown accelerated flows.

Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).


653771-2 : tmm crash after per-request policy error

Component: Access Policy Manager

Symptoms:
TMM core is seen when reject ending in per-request policy encounters error.

Conditions:
The conditions which trigger this are unknown at this time, it was seen once on a per-request policy error.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when reject ending encounters error in per-request policy


653759-2 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update

Component: TMOS

Symptoms:
Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:

#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0

This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0

Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.

Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.

Workaround:
There is no workaround at this time.

Fix:
Chassis Variant number is printed out as expected in the log file.


653746-2 : Unable to display detailed CPU graphs if the number of CPU is too large

Solution Article: K83324551

Component: Local Traffic Manager

Symptoms:
Cannot display detail CPU graph. Go to Statistics :: Performance. Click 'View Detail Graph' under System CPU usage. Graph cannot display. System posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detail CPU graphs.

Workaround:
None.

Fix:
The GUI can now display detailed CPU graphs for 1024 cores with the default of 4 lines per graph.


653729-2 : Support IP Uncommon Protocol

Component: Advanced Firewall Manager

Symptoms:
A BIG-IP system can have CPU usage be non-uniformly distributed across the datapath (tmm) threads, such that the overall CPU usage is low, but individual datapath threads may show high usage of a subset of the CPUs on the system. This can be observed by viewing the per-CPU usage, and can manifest as spuriously dropped packets/flows.

Conditions:
A BIG-IP system receives packets that have uncommon IP protocols – those not parsed by the BIG-IP system.

Impact:
The packets are eventually dropped but may drive a subset of the CPUs in the system to very high usage. As CPU increases, potentially reaching 100%, then the BIG-IP system will start dropping packets and the system might eventually fail.

Workaround:
None.

Fix:
The system now supports packets that have uncommon IP protocols.

Behavior Change:
This change adds the capability of specifying various IP protocols as 'uncommon' protocols. Using this list of uncommon protocols can have the system mitigate an attack from uncommon protocols.

To do so, perform the following procedure:
1. Set the sys db tunable dos.uncommon.replace.illegal to true (it is false by default).
2. Set the 8 sys db tunables dos.uncommon.protocols[0-7] to specify which protocols should be considered uncommon (by default all protocols except TCP/UDP/ICMPv4/ICMPv6/SCTP - bits 1/6/17/58/132 are uncommon).
- dos.uncommon.protocols0 represents bits 31:0 of a 256-bit vector
- dos.uncommon.protocols1 represents bits 63:32 of a 256-bit vector
- dos.uncommon.protocols2 represents bits 95:64 of a 256-bit vector
- dos.uncommon.protocols3 represents bits 127:96 of a 256-bit vector
- dos.uncommon.protocols4 represents bits 159:128 of a 256-bit vector
- dos.uncommon.protocols5 represents bits 191:160 of a 256-bit vector
- dos.uncommon.protocols6 represents bits 223:192 of a 256-bit vector
- dos.uncommon.protocols7 represents bits 255:224 of a 256-bit vector

Setting the specific bit to '1' means that the specified protocol is considered 'uncommon', and setting the specific bit to '0' means that the specified protocol is not considered 'uncommon'.

Then the DoS vector IP Unknown Protocol can be used to mitigate an attack from the above-specified 'Uncommon Protocols'.


653511-2 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.

Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.


653453 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by a L2 defect in the Broadcom Trident2+ switch B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue on Broadcom Trident2+ switch B4450 blades use in which ARP replies reached the front panel port, but failed to reach TMMs.

Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.

bcm56xxd.l2xmsg.mode: poll/fifo (default)

The BIG-IP system used to always run l2xmsg module in poll mode. Now, the BIG-IP system will run l2xmsg mode in fifo by default.


653376-5 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.

Impact:
bgpd may crash causing the BGP peering to reset

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.

Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities


653324-3 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly

Solution Article: K87979026

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.

Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.

Fix:
On macOS Sierra (10.12), Edge client now shows the customized icon of size 48x48 pixels that is now scaled correctly.


653285-1 : PEM rule deletion with HSL reporting may cause tmm coredump

Component: Policy Enforcement Manager

Symptoms:
tmm coredump caused by deletion of a PEM policy rule with HSL reporting configured and passing active traffic. tmm crash.

Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.

Impact:
tmm coredump causes traffic disruption and restart of tmm.

Workaround:
None.

Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.


653234 : Many objects must be reconfigured before use when loading a UCS from another device.

Component: TMOS

Symptoms:
Many objects are ignored by the platform-migrate option, and must be reconfigured before use when loading a UCS from another device.

Conditions:
UCS is being loaded from another device, using the platform-migrate option.

Impact:
Risk of configuration load failures.

Workaround:
None, other than reconfiguring for the destination device.

Fix:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.

Behavior Change:
The platform-migrate option for UCS loading has been modified so that nearly all configuration is loaded. Now, the only things you must configure are the management IP and license, then you can load the UCS. The end result should be a successfully loaded configuration, but with empty VLANs and trunks. You should be able to pass traffic once you reconnect these VLANs to interfaces.


653225-1 : coreutils security and bug fix update

Component: TMOS

Symptoms:
A race condition was found in the way su handled the management of child processes.

Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Workaround:
install latest hotfix

Fix:
fixed in coreutils-8.4-46.el6


653224-1 : Multiple GnuTLS Vulnerabilities

Solution Article: K59836191


653217-2 : Multiple Samba Vulnerabilities

Solution Article: K03644631


653201 : Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Component: Local Traffic Manager

Symptoms:
The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.

Conditions:
If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.

Impact:
When the built-in trusted certificates are obsolete, i.e., containing a certain number of expired certificates, the systems might fail to verify peers certificate correctly.

Workaround:
You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then 'bigstart restart tmm'

Alternatively, you can use a separate certificate, for example:
tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Fix:
This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.


653152-1 : Support RSASSA-PSS-SIGN in F5 crypto APIs.

Component: TMOS

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through v13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version of BIG-IP software from v11.6.0 through v13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
There is no workaround at this time.

Fix:
Validation of client certificates that are signed using the RSASSA-PSS signature algorithm now completes successfully.


653017-2 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition

Component: Application Security Manager

Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.

Conditions:
A DoS profile in non-Common partition has Proactive Bot Defense enabled

Impact:
Bot signatures are not created.

Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.

Alternatively, another DoS Profile can be created in /Common, even if unused.


653014-1 : Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active fails

Workaround:
Use hyphens instead of underscores in the header name.

Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.


652973-2 : Coredump observed at system bootup time when many DHCP packets arrive

Component: Policy Enforcement Manager

Symptoms:
During system bootup, system coredump is observed when many DHCP packets arrive before system is fully ready and many flow entry creation failures are observed

Conditions:
-- BIG-IP DHCP proxy is in forwarding mode.
-- DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address.
-- DHCP packets arrive during system bootup and before system is fully ready (i.e., some VLANs, interfaces and routes are not fully up).

Impact:
System crash and coredump.

Workaround:
Make sure system has come up completely before sending DHCP packets to the system.

Fix:
Coredump no longer occurs under these conditions.


652968-2 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys

Solution Article: K88825548

Component: TMOS

Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 will fail to send a KE in the payload when PFS (perfect forward security) is used in config.

Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.

Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.

Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.

Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.

Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.

Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.


652877-3 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.


652848-2 : TCP DNS profile may impact performance

Solution Article: K44200194


652796-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
ECA may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
ECA NTLM functionality will not be accessible to the users.

Workaround:
If ECA functionality is not required - disable process by running 'bigstart stop eca'.


If ECA functionality is needed:

1. Stop eca by running "bigstart stop eca'.

2. Modify file '/etc/bigstart/scripts/eca' as follows:

a) Replace line:
 cpu_count=$(get_number_cpu)

with line:
 tmm_count=$(get_tmm_count)

b) Replace line:
 exec /usr/sbin/${service} -n ${cpu_count}

with line:
 exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start eca'.

Fix:
ECA no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.


652792-1 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
urldb may be constantly restarting on a BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or BIG-IP Virtual Edition (VE) platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
URLDB functionality will not be accessible to the users.

Workaround:
If URLDB functionality is not required - disable process by running 'bigstart stop urldb'.


If urldb functionality is needed:

1. Stop urldb by running "bigstart stop urldb'.

2. Modify file '/etc/bigstart/scripts/urldb' as follows:

a) Replace line:
 cpu_count=$(get_number_cpu)

with line:
 tmm_count=$(get_tmm_count)

b) Replace line:
 exec /usr/sbin/${service} -n ${cpu_count}

with line:
 exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start urldb'.

Fix:
urldb no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.


652691-1 : Installation fails if only .iso.384.sig (new format signature file) is present

Component: TMOS

Symptoms:
Tab completion only will complete the names of ISO images that have an old style signature format ("BIG-IP-version-build.iso.sig"), not the new style ("BIG-IP-version-build.iso.384.sig"). Then, installation will fail even if you type out the full name.

Conditions:
This only happens when signature checking is enabled for ISO images. You can determine this by looking at the value of the DB variable "liveinstall.checksig".

Impact:
Tab completion will not show the ISO image, and even if you type out the full name, the installation will fail. An error message will appear in "show sys software status" and /var/log/liveinstall.log .

Workaround:
Put both types of signature file (.iso.sig and .iso.384.sig) on the device.

Fix:
Tab completion and installation will now work if the old signature file format (.iso.sig) is missing, and only the new signature format (.iso.384.sig) is present.


652689-2 : Displaying 100G interfaces

Solution Article: K14243280

Component: TMOS

Symptoms:
Interfaces' Active Media Type and Media Speed rows display none.

Conditions:
Having a server with 100G interfaces.

Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.

Workaround:
Use tmsh to see the affected interface.

Fix:
100G interfaces now display correctly.


652671-4 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Solution Article: K31326690

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
None.

Fix:
The provision.extramb and provision.tomcat.extramb DB keys no longer ConfigSync, which prevents TMM restarting on peer devices after a change is made to the management subsystem provisioning and then performing a ConfigSync.

Behavior Change:
The provision.extramb and provision.tomcat.extramb DB keys no longer ConfigSync between devices.


652638-2 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()

Solution Article: K23731034


652539 : Multiple Bash Vulnerabilities

Solution Article: K73705133


652535-1 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Solution Article: K54443700

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.

Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.


652516 : Multiple Linux Kernel Vulnerabilities

Solution Article: K31603170


652484-2 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chsasis is displayed when the user issues tmsh show net f5optics from the primary blade.


652445-2 : SAN with uppercase names result in case-sensitive match or will not match

Solution Article: K87541959

Component: Local Traffic Manager

Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Workaround:
Use lowercase characters for SAN domain names in SSL certificates.

Fix:
SNI match is now case-insensitive.


652200-1 : Failure to update ASM enforcer about account change.

Solution Article: K81349220

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following Workaround:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.

Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).


652151-1 : Azure VE: Initialization improvement

Solution Article: K61757346


652094-2 : Improve traffic disaggregation for uncommon IP protocols

Solution Article: K49190243

Component: TMOS

Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.

Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.

Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.

Workaround:
None.

Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.

The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.


652052-3 : PEM:sessions iRule made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.


652004-2 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
when using show /apm access-info all-properties

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is not to use the mcp interface by tmm daemon, or to restart the tmms periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.


651910-2 : Cannot change 'Enable Access System Logs' or 'Enable URL Request Logs' via the GUI after upgrading from 12.x to 13.0.0 or later

Component: Access Policy Manager

Symptoms:
You cannot change the 'Enable Access System Logs' and 'Enable URL Request Logs' properties via the GUI.

Conditions:
After upgrade from 12.x to 13.0.0 (where these new fields were added) or later.

Impact:
You cannot change 'Enable Access System Logs' and 'Enable URL Request Logs'.

Workaround:
Manually add the properties via tmsh. To do so, follow these steps (substituting your affected log setting for abc in the following example):

modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}

Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.


651901-2 : Removed unnecessary ASSERTs in MPTCP code

Component: Local Traffic Manager

Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.

Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.

Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.


651889-2 : persist record may be inconsistent after a virtual hit rate limit

Component: Local Traffic Manager

Symptoms:
persist record may be inconsistent after a virtual hit rate limit

Conditions:
A virtual with rate limit set.
persist is enabled.

Impact:
persist behavior will be impacted.

Workaround:
disable rate limit on virtual

Fix:
The problem is fixed.


651826-2 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Component: TMOS

Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".

For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d

When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C

Conditions:
IKEv2 IPsec SAs are established or attempting to be established.

Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.

Workaround:
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.

Fix:
The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.


651772-3 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.

Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.


651681-4 : Orphaned bigd instances may exist (within multi-process bigd)

Component: Local Traffic Manager

Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may be exit; such as an orphaned 'bigd.1' alongside the active 'bigd.1'.

Conditions:
-- db variable Bigd.NumProcs to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.

When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.

Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.

Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.

Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.

Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.

Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.


651651-3 : bigd can crash when a DNS response does not match the expected value

Solution Article: K54604320

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s), or using FQDN.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.

Workaround:
No workaround at this time.

Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.


651640-3 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
negative number of active response messages reported on sipsession profile stats

Conditions:
If a request message is dropped because the sip filter's ingress message queue is full, the wrong stats is incremented

Impact:
Counting the dropped request messages as response messages causes the calculation of the accepted response messages to be incorrectly calculated, thus producing a negative value.

Fix:
correct stats fields are incremented


651541-2 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Solution Article: K83955631

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.

Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.


651476 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

Fix:
Known causes of the bug have been fixed.


651413-2 : tmsh list ltm node does not return an error when node does not exist

Solution Article: K34042229

Component: TMOS

Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.

Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.

Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.

Workaround:
None.

Fix:
TMSH now posts the appropriate, node-not-found error message when LTM nodes do not exist when running the command: tmsh list ltm node.


651362 : eventd crashes during boot

Component: TMOS

Symptoms:
eventd may crash during boot due to heap corruption.

Conditions:
This happens during subscription and unsubscription of events.

Impact:
eventd crashes.

Workaround:
None.

Fix:
Race condition has been resolved, so eventd no longer crashes.


651221-2 : Parsing certain URIs may cause the TMM to produce a core file.

Solution Article: K25033460


651155-1 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

Fix:
HSB no longer continually logs 'loopback ring 0 tx not active'.


651135-4 : LTM Policy error when rule names contain slash (/) character

Solution Article: K41685444

Component: Local Traffic Manager

Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.

But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name causes validation problems because the rule appears to the system as having additional path segments.

Conditions:
LTM Policy rule contains the slash (/) character.

Impact:
Configuration will not load.
Configuration may load, but admin GUI may not show policy rule.

Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.

For example, the following policy won't load because the rule name contains a slash (/) character:
   
    ltm policy mypolicy {
    ...
       rules {
          /testperson/a {
    ...
    }

But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
    ltm policy mypolicy {
    ...
       rules {
          _testperson_a {
    ...
    }

Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.


651106 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.


651001-1 : massive prints in tmm log: "could not find conf for profile crc"

Component: Application Security Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. Have dos profile attached to vs. dos profile does not have dos application enabled.
2. Have ASM policy attached to VS with Web Scraping on/session hijacking/session awarness with DID collection/brute force with DID collection.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Have DOS application enabled (even if doing nothing).

Fix:
disable prints.


650422-2 : TMM core after a switchover involving GY quota reporting

Component: Policy Enforcement Manager

Symptoms:
Core dump in the code path for async subscriber lookup causes core-dump.

Conditions:
This core happens in an intra-chassis HA configuration, if GY is configured & HA switchover is forced.

Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.


650349 : Creation or reconfiguration of iApps fails if high speed logging is configured

Solution Article: K50168519

Component: TMOS

Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.

If the iApp is being create or modified via iControl then the following message will be logged in /var/log/audit

-- notice icrd_child[19904]: 01420002:5: AUDIT - pid=19904 user=admin folder=/Common module=(tmos)# status=[The connection to mcpd has been lost, try again.] cmd_data=create sys application service /Common/group2-analytics { template /Common/group2-analytics variables add { statistics__pushinterval { value 120 } statistics__customcollection { value Yes } } lists add { statistics__customcollectionconfig { value { tmm_stat interface_stat cpu_info_stat disk_info_stat host_info_stat profile_dns_stat gtm_wideip_stat dns_cache_resolver_stat tmmdns_zone_stat rule_stat virtual_server_stat pool_member_stat } } } }

The import part of the message is the daemon, which is 'icrd_child', and the status, which is 'The connection to mcpd has been lost, try again.'

Conditions:
-- Logging is configured: filter, destination, and publisher where scriptd logs to a high speed logging target, which can occur if the there is a logging filter that has source of 'all' or 'scriptd'.
-- Attempting to create or reconfigure iApps.

Impact:
iApp creation or reconfiguration fails. Cannot create new iApps or reconfigure existing ones.

Workaround:
This workaround stops scriptd from logging anything to any logging destination, so you should remove it and restart scriptd after the iApp is created/reconfigured.

1. Which step one you take depends on whether you have log filters that have a source of 'scriptd' and a publisher whose destination is of type remote-high-speed-log:

  a. If you do, make sure all those filters have their publisher set to 'none'.

  b. If you do not, create a log-config filter with a source of 'scriptd', a level of 'debug', and a publisher of 'none'.

For example:

sys log-config filter NoScriptd {
    app-service none
    description none
    level debug
    message-id none
    publisher none
    source scriptd
}

2. After the log-config filters are modified, restart scriptd using the following command:

bigstart restart scriptd

Fix:
Can now create or reconfigure iApps if logging is configured.


650317-3 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.

Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.


650292-2 : DNS transparent cache can return non-recursive results for recursive queries

Component: Local Traffic Manager

Symptoms:
If a non recursive query is cached by the DNS transparent cache, subsequent recursive queries provide the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non recursive responses for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.


650286-2 : REST asynchronous tasks permissions issues

Solution Article: K24465120


650152-1 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms

Component: Local Traffic Manager

Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.

Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.

The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.

Impact:
High CPU usage.

Workaround:
No workaround.

Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.


650081-1 : FP feature causes the blank page/delay on IE11

Solution Article: K53010710

Component: Application Security Manager

Symptoms:
When PBD and FP are both enabled, there is a very high client-side latency, especially on Microsoft Internet Explorer (IE).
On IE, sometimes the challenge remains on a blank page, never moving on to the site from the back-end server.

Conditions:
If you use ASM dos with fingerprint, but it causes the delay/blank page on browser Microsoft Internet Explorer v11 (IE11).

Impact:
Delay or blank page when clients access the page using IE11.

Workaround:
None

Fix:
Improved the client-side run-time of the JavaScript challenge and prevented it from getting stuck on Internet Explorer.


650074-1 : Changed Format of RAM Cache REST Status output.

Component: Local Traffic Manager

Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.

Conditions:
Using REST API.

Impact:
Text must be parsed as if the caller plans to post-process it.

Workaround:
To present the data in some other format, the text can be displayed as is, but must be parsed as if the caller plans to post-process it.

Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.

Behavior Change:
REST API calls for ramcache stats now returns data as formatted JSON.


650070-2 : iRule that uses ASM violation details may cause the system to reset the request

Solution Article: K23041827

Component: Application Security Manager

Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.

Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation

Impact:
A legal request is being reset.

Workaround:
None.

Fix:
iRule that uses ASM violation details no longer causes the system to reset the request.


650059-1 : TMM may crash when processing VPN traffic

Solution Article: K20087443


650002-1 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
To accommodate for Mongolia no longer observing DST, the new America/Punta_Arenas zone was created. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to zdata-2017b-1.el6


649949-1 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM

Component: TMOS

Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.

If this happens, running the following command will fail.

  image2disk --instslot=HD1.1 --setdefault --nosaveconfig

Conditions:
This can occur on iSeries platforms while performing a clean installation.

Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.

Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:

bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1

bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver

In the mount command, replace "/dev/srX" with whichever device is the physical drive.


649933-1 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.


649929-1 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it

Component: Access Policy Manager

Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.

Conditions:
When deleting saml_sp_connector from a transaction along their associated objects.

Impact:
Cannot delete saml_sp_connector and associated objects.

Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector

Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.


649907-2 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784


649904-2 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445


649866-1 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice year, booting up runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.


649617-2 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via a SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.


649613-3 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the server provided packet into PPP buffers. These PPP packets are used to pack into DTLS records. Currently there is a limit of about 14 KB of DTLS records, such that the system can pack multiple PPP records into one DTLS record.

However, creating bigger DTLS record can cause server IP Fragmentation. In the lossy environment, losing one IP fragment can cause the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.

Fix:
DTLS performance has been improved in lossy or high latency networks by optimizing the number of encoded ppp records inside of DTLS records.


649571-1 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.


649564-2 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.


649465-1 : SELinux warning messages regarding nsm daemon

Component: TMOS

Symptoms:
Receiving SELinux warning messages regarding nsm daemon when BFD is enabled, and deleting VLANs.

Conditions:
-- BFD enabled for any route-domain.
-- Deleting VLANs.

Impact:
None. This warning message references actions that are extraneous for the nsm daemon.

Workaround:
None.

Fix:
nsm no longer triggers SELinux warning messages with BFD enabled, and deleting VLANs


649234-3 : TMM crash from a possible memory corruption.

Solution Article: K64131101

Component: Access Policy Manager

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.


649177-2 : Testing for connection to SMTP Server always returns "OK"

Solution Article: K54018808

Component: Application Visibility and Reporting

Symptoms:
When you click the SMTP GUI config "Test Connection" button it always gives green "OK" response, even if there is no network, or if the DNS response is NXDomain.

Conditions:
This is encountered when testing the SMTP connection using the GUI.

Impact:
Validation of SMTP server availability is incorrect

Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):

# echo "ssmtp test mail" | mail -vs "Test email" user@example.com

Fix:
The 'Test Connection' button for the SMTP server configuration reports errors as expected.


649171-4 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non reachable remote_addr, tmm cores

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable

Impact:
Traffic disrupted while tmm restarts.

Workaround:
create faux route for the destination address


649161-1 : AVR caching mechanism not working properly

Solution Article: K42340304

Component: Application Visibility and Reporting

Symptoms:
The AVR caching mechanism fails to store dimension-based queries properly, which leads to incorrect reports.

Conditions:
Using AVR caching mechanism (turned-on by default).

Impact:
Reports will be incorrect.

Workaround:
Using the following TMSH command should solve the problem:
tmsh modify sys db avr.requestcache value disable

* NOTE: the above might cause AVR to perform a bit slower.

Fix:
The system no longer stores the dimension-based queries in the AVR cache.


648990 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Serverssl renegotiation does not occur, log message is displayed.


648954-5 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


648879-2 : Linux kernel vulnerabilities: CVE-2016-6136 CVE-2016-9555

Solution Article: K90803619


648865-2 : Linux kernel vulnerability: CVE-2017-6074

Solution Article: K82508682


648802-3 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.

Fix:
Custom AVPs included regardless of an error code in an RAA.


648786-5 : TMM crashes when categorizing long URLs

Solution Article: K31404801


648766-1 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.


648715-2 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.

Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.

Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.


648639-3 : TS cookie name contains NULL or other raw byte

Solution Article: K92201230

Component: Application Security Manager

Symptoms:
The TS cookie name may intermittently contain NULL.

Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).

Impact:
False positives triggered on modified domain cookies.

Workaround:
To resolve this, change the policy security name.

Fix:
Fixed an issue with the TS cookie name length.


648617 : JavaScript challenge repeating in loop when URL has path parameters

Solution Article: K23432927

Component: Application Security Manager

Symptoms:
The JavaScript challenge is repeating in a loop on URLs which have path parameters (when the URL contains the ';' character). The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs contain the ';' character, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests with ';' character will be blocked and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.


648544-5 : HSB transmitter failure may occur when global COS queues enabled

Solution Article: K75510491

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.


648320-3 : Downloading via APM tunnels could experience performance downgrade.

Solution Article: K38159538

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When packet size is too large, packet fragmentation is possible at IP layer. This causes high number of packet drops and therefore performance downgrade.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.


648286-2 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.


648242 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.

Fix:
Allowing for administrator users to get all partitions available on query.


648056-2 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Solution Article: K16503454

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.


648053-1 : Rewrite plugin may crash on some JavaScript files

Solution Article: K94477320

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.

Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).

Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.

Workaround:
It is possible to change/add 'charset' parameter in response header 'Content-type' to 'UTF-8' by iRule.

Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.


648037-2 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect


647988-3 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Solution Article: K15331432

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.

Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.


647944-2 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is be in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.


647757-2 : RATE-SHAPER:Fred not properly initialized may halt traffic

Solution Article: K96395052

Component: Local Traffic Manager

Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.

Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.

Impact:
Traffic is halted.

Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.


647137 : bigd/tmm con vCMP guests

Component: Local Traffic Manager

Symptoms:
bigd/tmm con vCMP guests.

Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
This release corrects this issue so the crash no longer occurs.


647108-1 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction

Component: Access Policy Manager

Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1

Conditions:
When deleting saml-idp-connector first then the associated saml server.

Impact:
Cannot delete saml-idp-connector and associated server in that specific order.

Workaround:
Delete saml server first and then delete the saml connector.

Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.


646928-1 : Landing URI incorrect when changing URI

Component: Access Policy Manager

Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.

Conditions:
Attempting to change landing URI in the middle of an access policy

Impact:
End-user is inconveniently directed to the first resource instead of the second.

Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.


646890-1 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Solution Article: K12068427

Component: TMOS

Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.

Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take affect without a racoon restart.

Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.

Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.

Fix:
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.


646800-2 : A part of the request is not sent to ICAP server in a specific case

Component: Application Security Manager

Symptoms:
The portion of the request that is not sent is not checked for viruses

Conditions:
ICAP is configured.

Impact:
There might be a false negative on anti-virus check

Workaround:
N/A


646760 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable.

Conditions:
CC-mode enabled.

Impact:
SSH interface not available, sshd may fail to start.

Workaround:
There is no workaround at this time.

Fix:
Correct SSH configuration when in CC mode


646643-2 : HA standby virtual server with non-default lasthop settings may crash.

Solution Article: K43005132

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.


646615-1 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.


646604-5 : Client connection may hang when NTLM and OneConnect profiles used together

Solution Article: K21005334

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.


646511-1 : BD crashes repeatedly after interrupted roll-forward upgrade

Component: Application Security Manager

Symptoms:
After roll-forward upgrade of version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

Fix:
ASM completes roll-forward upgrade with traffic data correctly, even after upgrade process is interrupted.


646443-1 : Ephemeral Node may be errantly created in bigd, causing crash

Solution Article: K54432535

Component: Local Traffic Manager

Symptoms:
When FQDN Ephemeral Nodes are being used at the same time as static Node objects, and there is change in those objects, either via DNS resolver changes or manual changes to static nodes, there exists a chance where one may be misidentified as the other during an update, causing a crash in bigd.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP configuration contains a mix of FQDN pool members or nodes, and static node objects.
-- You perform one of the following actions:
  + Modify current node settings
  + Create or delete nodes

Impact:
The bigd process restarts and produces a core file, causing interruption of pool member monitors.

Workaround:
Avoid use of FQDN Nodes and Pool Members; use only static-IP Nodes/Members instead.

Fix:
Fixed case where misidentification may occur, resulting in bigd running without crashing.


645805 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain incorrect Ethernet source MAC addresses

Solution Article: K92637255

Component: TMOS

Symptoms:
LACP PDUs generated by lacpd on the i4x00 and i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP configured on an trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP system is not transmitting with an all-zeros 'Partner' section System ID. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.

Workaround:
None.

Fix:
The BIG-IP software now inserts the correct Source MAC address in the LACP PDU.


645729-1 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted

Component: Local Traffic Manager

Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.

Impact:
Connection is established but is not mirrored.

Workaround:
Could be avoided by disabling ssl session cache.

Fix:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.


645723-2 : Dynamic routing update can delete admin ip route from the kernel

Solution Article: K74371937

Component: TMOS

Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace existing management route for the admin IP address, making the BIG-IP lose its management route. Static routes created via TMSH can replace management route.

Conditions:
Using TMSH to create "net route" that matches management network, or dynamic routing accepts a route that matches the management network.

Impact:
Losing the management network route, and potential loss of access to the BIG-IP via the management network.

Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.

Fix:
Management network admin IP address is now protected from being overwritten.


645717 : UCS load does not set directory owner

Component: TMOS

Symptoms:
When loading a UCS file the directory /etc/ssh will become owned by the first user in the UCS with an .authorized_keys file.

Conditions:
UCS loaded that contains users with .authorized_key files

Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication but does not follow secure coding practices

Workaround:
Ownership of on /etc/ssh can be restored with the command: chown root /etc/ssh

Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.


645684-2 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.


645663 : Crypto traffic failure for vCMP guests provisioned with more than 12 vcpus.

Component: Local Traffic Manager

Symptoms:
Accelerated crypto and compression traffic may fail; stuck queue reports appear in logs.

Conditions:
Guests provisioned with more than 12 vcpus, and crypto or compression traffic passed through hardware acceleration.

Impact:
Can cause the hardware accelerator to fail and require host reboot.

Workaround:
Limit guest provisioning to 12 vcpus.

Fix:
Allow guests provisioned with more than 12 vcpus to operate without stalling hardware accelerators.


645615-2 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Solution Article: K70543226

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.


645480-3 : Unexpected APM response

Solution Article: K45432295


645339-2 : TMM may crash when processing APM data

Component: Access Policy Manager

Symptoms:
Under certain conditions TMM may crash while processing APM data

Conditions:
APM enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes APM data as expected


645220-2 : bigd identified as username "(user %-P)" or "(user %-S)" in mcpd debug logs

Component: Local Traffic Manager

Symptoms:
When mcpd debug logging is enabled, mcp messages sent to or received from the bigd daemon are logged with a username of "(user %-P)" or "(user %-S)" instead of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".

Conditions:
mcpd debug messages with the "(user %-P)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and multiple instances of bigd are running.
mcpd debug messages with the "(user %-S)" identifier are logged on affected BIG-IP versions when mcpd debug logging is enabled and a single instance of bigd is running.

Impact:
Confusion about which daemon is referenced in mcpd debug logs with username "(user %-S)" or "(user %-P)".

Fix:
mcpd debug messages sent to or received from the bigd daemon are correctly logged with a username of "(user %bigd.#)" [where # is the bigd process index] or "(user %bigd)".


645197-3 : Monitors receiving unique HTTP 'success' response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) accumulate in the monitor history. Upon monitor status change (such as to 'fail'), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from 'success' to 'fail'), notification from 'bigd' to 'mcpd' fails due to this too-large history, resulting in the monitor remaining in its previous state (i.e., 'success'). 'bigd' properly records the monitor status and continues to monitor, but 'mcpd' is not notified of that status change (due to message-send failure from the history being too large).

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating 'success'), as 'bigd' elides/merges the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (e.g., by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history continues to grow for that monitor until a status-change is detected.

Conditions:
-- Web server returns unique HTTP/1.1 200 (success) codes, such as an included date/time stamp.
-- Success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from 'success' to 'fail').

Impact:
The monitor remains in the 'success' state, as the status-change is lost' ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes.

(Receiving the same return-code elides/merges content with previously accumulated values in the monitor history.)

Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.


645179-6 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.


645101-2 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851


645058-3 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.


645036-3 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.


644975-4 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Solution Article: K09554025

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.


644970-1 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes
an iSession dynamically configured default server-ssl profile.


644946-2 : Enabling mirroring on SIP or DIAMETER router profile effects per-client connection mode operation

Solution Article: K05053251

Component: Service Provider

Symptoms:
When the mirror flag is enabled in the siprouter and diameterrouter profiles, outgoing per-client create connection will be usable by any client connection from the same IP address.

Conditions:
This occurs when the mirror flag is enabled in the siprouter and diameterrouter profiles.

Impact:
In the siprouter and diameterrouter profiles, enabling mirroring incorrectly enables the internal ignore_peer_port flag, which causes the router to not consider the remote port of the client side connection when determining which of an outgoing per-client connection can be used for forwarding messages.

Workaround:
None.

Fix:
The ignore_peer_port flag is no longer affected by the setting of the mirror flag, which is correct functionality.


644904-5 : tcpdump 4.9

Solution Article: K55129614


644892-1 : Files captured multiple times in qkview

Component: TMOS

Symptoms:
When running a qkview, some files are captured more than once.

Conditions:
This occurs when generating a qkview.

Impact:
Some small files are duplicated in the qkview; there is no other impact.

Workaround:
None.

Fix:
Files are now captured only once when running qkview.


644873-2 : ssldump can fail to decrypt captures with certain TCP segmenting

Solution Article: K97237310

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.

Fix:
ssldump now successfully decrypt a capture, so ssldump no longer crashes.


644855-2 : irules with commands which may suspend processing cannot be used with proactive bot defense

Component: Application Security Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.

Workaround:
N/A

Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.


644851-2 : Websockets closes connection on receiving a close frame from one of the peers

Component: Local Traffic Manager

Symptoms:
Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes connection on receiving a close frame from peer and does not wait for close frame from other endpoint. This results in data sent in the other direction to be dropped.

Conditions:
Websocket and HTTP profile are attached to the virtual.

Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.

Fix:
Half-close of connection will be triggered instead of closing the connection entirely.


644822-2 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.

Fix:
Fixed, so FastL4 virtual servers with enabled loose-init option will forward any RST packets.


644799-1 : TMM may crash when the BIG-IP system processes CGNAT traffic.

Solution Article: K42882011

Component: TMOS

Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.

Conditions:
A TMM connflow related to CGNAT traffic is expired.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.


644725-4 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart

Solution Article: K01914292

Component: Application Security Manager

Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.

Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.

Impact:
ASM restarts. The system goes offline. A failover may happen.

Workaround:
Ensure that there is some time between setting a configuration to removing ASM from the VIP.


644723-1 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
Log message says the interface is DOWN, it should say DISABLED.


644694 : FPS security update check ends up with an empty page when error occurs.

Component: Fraud Protection Services

Symptoms:
While checking for security updates in FPS, GUI may display an empty page caused by internal errors, such as network errors or temporary downtime.

Conditions:
-- Provision and license FPS.
-- Check for security updates.

Impact:
Empty page is presented, with no indication of what error occurred.

Workaround:
Use TMSH or REST API to perform an update check.

Fix:
Now, when an error occurs, the error will be displayed.


644693-3 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610


644565-1 : MRF Message metadata lost when routing message to a connection on a different TMM

Component: Service Provider

Symptoms:
The system might choose to create a new outgoing connection when there is an available exiting connection that can be used.

Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.

Impact:
Messages should be delivered correctly as the metadata is lost after routing. There might be an impact if routing is retried and the ignore-peer-port setting is lost. This might cause a new connection to be created when an available existing connection exists.

Workaround:
None.

Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.


644490-1 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).


644489-1 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
    1) An error occurs during dynamic server-ssl profile replacement.
    2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
    1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
    2) An error occurs during dynamic server-ssl profile replacement.


644447-2 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage exponentially increases during network disruption

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.

Fix:
sync_zones script now exits successfully at network failure.


644418-2 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.

Conditions:
This may occur when SSL Forward Proxy is in use.

Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.

Workaround:
None.

Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm


644404-1 : Extracting SSD from system leads to Emergency LCD alert

Component: TMOS

Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.

Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.

Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.

Workaround:
Clear the Emergency alert from the LCD.

Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.


644220-3 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.


644184-4 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hangs while AgentX is waiting.


644112-2 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.


643813-2 : ZoneRunner does not properly process $ORIGIN directives

Component: Global Traffic Manager (DNS)

Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.

Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.

Impact:
Zones will not be imported correctly.

Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.

The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)

For example, given a zone file named example.com.file that contains the following information:

"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3

The command is as follows:

named-compilezone -s full -o example.com.file.full example.com example.com.file

The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1

Which is correct. This file can then be used to import into ZoneRunner.


643785-3 : diadb crashes if it cannot find pool name

Component: Service Provider

Symptoms:
diadb utility crashes if it cannot find pool name.

Conditions:
-- diadb utility is running.
-- Pool name is not available in the Diameter persistence record.

Impact:
diadb utility crashes.

Workaround:
None.

Fix:
diadb will not crash even if it cannot find the pool name in the Diameter persistence record.


643777-2 : LTM policies with more than one IP address in TCP address match may fail

Solution Article: K27629542

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.


643631 : Serverside connections on virtual servers using VDI may become zombies.

Solution Article: K70938130

Component: Local Traffic Manager

Symptoms:
Listing connections with "tmsh show sys connection all-properties" (please be cautious executing this command as it could have performance impact) will show connections with only a server side whose age is greater than the configured idle timeout. As more zombie connections accumulate, the BIG-IP may run out of memory.

Conditions:
APM provisioned and VDI (Virtual Desktop Infrastructure) is configured on the affected virtual.

Impact:
Zombie connections consume memory that cannot be reclaimed. Potential out-of-memory condition.

Workaround:
None.

Fix:
Expired serverside connections are properly torn down.


643602-2 : 'Select All' checkbox selects items on hidden pages

Component: Fraud Protection Services

Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.

Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:

On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.

Impact:
Unexpected behavior: items are deleted from pages that are not visible.

Workaround:
Check one or more items individually for deletion.

Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.


643582-2 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with large number of ssl profiles may cause tmm restart.


643554-12 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Solution Article: K37526132 K44512851 K43570545


643547-1 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Solution Article: K43036745

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

Log file '/var/log/apm' contains large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM system is configured with a large number of access policy agents.
-- You are performing an operation that requires the apmd process to start.
-- For example, your BIG-IP APM system is reloaded, you install a new image, or you manually restart the apmd process.

Impact:
APMD will not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.


643404-2 : 'tmsh system software status' does not display properly in a specific cc-mode situation

Solution Article: K30014507

Component: TMOS

Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.

Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The 'tmsh show system software status' now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso).

Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.


643396-2 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Solution Article: K34553627

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.


643375-1 : TMM may crash when processing compressed data

Solution Article: K10329515


643294 : IGMP and PIM not in self-allow default list when upgrading from 10.2.x

Component: TMOS

Symptoms:
IGMP or PIM not in self-allow by default after upgrade.

Conditions:
Upgrade from 10.2.x.

Impact:
Advance routing with multicast or PIM does not work, when configured after upgrade with default self-allow.

Workaround:
Manually add PIM or IGMP to self-allow default.


643210-2 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Solution Article: K45444280

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the Safenet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.


643187-2 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167


643143-2 : ARP and NDP packets should be QoS/DSCP marked on egress

Component: Local Traffic Manager

Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.

Conditions:
ARP and/or NDP is in use.

Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.

Workaround:
N/A

Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]


643121-1 : Failed installation volumes cannot be deleted in the GUI.

Component: TMOS

Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.

Conditions:
Have a failed installation volume.

Impact:
Cannot use the GUI to delete

Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.

For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.

Fix:
Failed installation volumes can now be deleted in the GUI.


643054-2 : ARP and NDP packets should be CoS marked by the swtich on ingress

Component: Local Traffic Manager

Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.

Conditions:
TMM0 is saturated and dropping packets.

Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.

Workaround:
None.

Fix:
You can now use db variables to control internal traffic priority for ingress ARP/NDP packets in the switch.

-- arp.priority : high/normal (default)
-- ipv6.nbr.priority : high/normal (default)

The 'normal' value is the default.

-- Setting arp.priority to high raises ARP packet priority.
-- Setting ipv6.nbr.priority to high raises NDP packet priority.

Behavior Change:
You can now use db variables to raise the internal traffic priority for ingress ARP/NDP packets in switch.

arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)

Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.


643034-1 : Turn off TCP Proxy ICMP forwarding by default

Solution Article: K52510343

Component: Local Traffic Manager

Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.

Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.

OR

Disable MTU caching on pool members.

Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.

For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).


643013 : DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3

Component: TMOS

Symptoms:
DAGv2 is a new DAG type and is designed to run on new platforms, including i5600, i5800, i7600, i7800, i10600, i10800 platforms. DAGv2 was not ready when these platforms were first released. DAGv2 is enabled on these platforms in v12.1.3.

Conditions:
i5600, i5800, i7600, i7800, i10600, i10800 platforms.

Impact:
No functional impact. This is simply an announcement of a change in the DAG version.

Workaround:
None.

Fix:
DAGv2 introduced on i5600, i5800, i7600, i7800, i10600, i10800 platforms in v12.1.3.


642983-1 : Update to max message size limit doesn't work sometimes

Solution Article: K94534313

Component: Device Management

Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.


642982-3 : tmrouted may continually restart after upgrade, adding or renaming an interface

Solution Article: K23241518

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.

Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.

Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.


642952 : platform_check doesn't run PCI check on i11800

Component: TMOS

Symptoms:
When "platform_check misc" is run, it will return

Miscellaneous Tests
  PCI: NOT RUN
    Test not available on this platform

Conditions:
This always happens.

Impact:
No platform check for PCI is executed.

Workaround:
There is no workaround.

Fix:
It is fixed, platform check for PCI is executed.


642923-2 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Component: TMOS

Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.

Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.

There are a number of ways that this issue may manifest.

For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).

*Note: Depending the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a relative estimate of the number of filestore objects that might cause this issue to occur.

Impact:
mcpd restarts, which causes a system to go offline and restart services.

Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:

   modify sys daemon-ha mcpd heartbeat disable

Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.

Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.

To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.

Fix:
A possible case where mcpd goes too long without updating the heartbeat has been fixed by replacing one algorithm with a more efficient one.


642874-1 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Solution Article: K15329152

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.


642723-3 : Western Digital WD1600YS-01SHB1 hard drives not recognized by pendsect

Component: TMOS

Symptoms:
In version 11.4.0, when pendsect was introduced, the Western Digital WD1600YS-01SHB1 hard drive was not supported. This drive was used in very early shipments of the 1600/3600 products.

If you are running 11.4.0 and have a WD1600YS-01SHB1, you might see the following errors in /var/log/ltm:

-- notice pendsect[1662]: skipping drive -- Model: WDC WD1600YS-01SHB1
-- notice pendsect[1662]: No known drives detected for pending sector check. Exiting

Conditions:
-- Running 11.4.0.
-- Using WD1600YS-01SHB1 hard drives.

Impact:
The only impact is a pendsect notice in /var/log/ltm. The hard drive operates as expected.

Workaround:
There is no mitigation or workaround for this issue.

Fix:
The WD1600YS-01SHB1 hard drive was added to the supported list of hard drives in versions 11.5.x, 11.6.x, and 12.1.3.


642703-2 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.

Component: TMOS

Symptoms:
Installation from external media (PXE or USB) fails with error:

error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.

Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.

Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.

Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.

Fix:
The error no longer occurs; the formatting installation succeeds.


642659-2 : Multiple LibTIFF Vulnerabilities

Solution Article: K34527393


642400-2 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.


642330-2 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: Global Traffic Manager (DNS)

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.


642314-2 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x

Solution Article: K24276198

Component: TMOS

Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
gtm config load failure after upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".

Fix:
Upgrading from 11.x to 12.x or 13.x with GTM Pool with canonical-name removes trailing FQDN dot.


642298-3 : Unable to create a bidirectional custom persistence record in MRF SIP

Component: Service Provider

Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Conditions:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Impact:
Custom SIP persistence entries cannot be bidirectional.

Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.


642284 : Closing a PCP connection while an asynchronous mapping request is in progress may result in memory corruption.

Component: Carrier-Grade NAT

Symptoms:
Memory corruption caused by closing a PCP connection while requests are being processed.

Conditions:
This can occur when a PCP client sends multiple requests and closes before receiving the replies. When the client OS receives a reply it will send an ICMP destination unreachable message which causes the BIG-IP to close the PCP connection. If the PCP connection is closed while a request is being processed, memory corruption may occur when the request completes.

Impact:
When memory corruption occurs, TMM may crash or assert. Traffic disrupted while tmm restarts.

Fix:
Closing the PCP connection will not cause memory corruption.


642221-2 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulted data is for the default "view by" entity rather than the one that's actually selected

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.


642185-1 : Add support for IBM AppScan scanner schema changes

Component: Application Security Manager

Symptoms:
IBM AppScan changed schema for its report file.

Conditions:
Using IBM AppScan for reporting.

Impact:
Data from new IBM AppScan scanner report file is not extracted properly for URL, parameters and cookies.

Workaround:
None.

Fix:
Added support for IBM AppScan scanner schema changes.


642068-1 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.


642058-1 : CBL-0138-01 Active Copper does not work on i2000/i4000/HRC-i2800 Series appliances

Component: TMOS

Symptoms:
CBL-0138-01 will not come up or show link on i2000/i4000/HRC-i2800 series appliances.

The following message will appear on the LCD:
0 01/30/17 09:02:59 error 0x1660016 Interface 5.0 detected a non 10GbE optic

The following message will appear in /var/log/ltm:
err pfmand[7630]: 01660016:3: Interface 5.0 detected a non 10GbE optic

The interface will report in tmsh as down:
tmsh show net interface 5.0

--------------------------------------------------------
Net::Interface
Name Status Bits Bits Pkts Pkts Drops Errs Media
                In Out In Out
--------------------------------------------------------
5.0 down 0 0 0 0 0 0 none

Conditions:
i2000/i4000/HRC-i2800 series appliances and CBL-0138-01.

Impact:
The CBL-0138-01 will not work.

Workaround:
None.

Fix:
CBL-0138-01 Active Copper now works correctly on i2000/i4000/HRC-i2800 Series appliances.


642039-2 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Solution Article: K20140595

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.

Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.


642015-2 : SSD Manufacturer "unavailable"

Component: TMOS

Symptoms:
On systems with an SSD, the manufacturer displayed in 'tmsh show sys hardware' may appear as "unavailable"..

Conditions:
BIG-IP system with SSD installed.

Impact:
No functional impact, cosmetic only.

Workaround:
No workaround but the issue is only cosmetic and does not indicate an issue with the system.

Fix:
SSD Manufacturer now displays "Samsung" as expected.


641869-1 : Assertion "vmem_hashlist_remove not found" failed.

Solution Article: K62744980

Component: Local Traffic Manager

Symptoms:
TMM cores with the following assertion: "vmem_hashlist_remove not found" failed.

Conditions:
It is unknown what leads to that situation directly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory function fails the allocation gracefully.


641753-2 : Syncookies activated on a genuine connection gets reset almost 30-50% of the time

Component: TMOS

Symptoms:
Syncookies activated on a genuine connection to a TCP-based virtual server gets reset almost 30%-50% of the time.

Conditions:
-- VADC platform when syncookie protection mode is configured and activated on a virtual server.

Note: This issue might also occur on v12.x systems using the L7-intelligent-fpga HSB firmware.

Impact:
Potential performance impact.

Workaround:
None.

Fix:
When syncookie protection mode is activated, all the genuine connections go through as expected, so there are no resets.


641612-2 : APM crash

Solution Article: K87141725


641574 : AVR doesn't report on virtual and client IP in DNS statistics

Solution Article: K06503033

Component: Application Visibility and Reporting

Symptoms:
On the analytics DNS page, the virtual and client IP stats will be shown as "Aggregated".

Conditions:
This can be seen in DNS analytics, when view-by virtual or client-ip is selected.

Impact:
DNS statistics show incomplete results.

Workaround:
None.

Fix:
AVR now provides the complete report results on virtual and client IP in DNS statistics.


641512-4 : DNSSEC key generations fail with lots of invalid SSL traffic

Solution Article: K51064420

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.


641491-2 : TMM core while running iRule LB::status pool poolname member ip port

Solution Article: K37551222

Component: Local Traffic Manager

Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.

Example iRule syntax:

gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use format 'ip:port' or vsname instead of 'ip port. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}

2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}

Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.


641482-2 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
BIG-IP subscriber session will remain in delete pending (stale) state if the Result-code received Acknowledgement from Gx or Gy and is marked as Failure for CCR-T request.

Conditions:
The stale session happens, during subscriber termination and if any CCR-T request for Gx or Gy receives an acknowledgement with non-SUCCESS in Result-code AVP

Impact:
The subscriber session in BIG-IP will stay in delete pending state (stale)

Workaround:
A tmm restart will cleanup all the stale sessions

Fix:
Fix will cleanup the session if a CCR-T acknowledgement is received irrespective of the Result-code AVP


641445-1 : iControl improvements

Solution Article: K22317030


641390-5 : Backslash removal in LTM monitors after upgrade

Solution Article: K00216423

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
-- Specific backslash escaping in LTM monitors.
-- Upgrading from 11.5.x, 11.6.0, 11.6.1, 11.6.2, or 11.6.3 to 12.0.0, 12.1.0, 12.1.1, 12.1.2, or 13.0.0.

Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS/GTM monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.


641360-2 : SOCKS proxy protocol error

Solution Article: K30201296


641307-2 : Response Page contents are corrupted by XML policy import for non-UTF-8 policies

Component: Application Security Manager

Symptoms:
If non-UTF-8 policy has Response Pages configured with non-ASCII characters, the Response Page contents will be corrupted by an XML export/import.

Conditions:
1) Response pages are configured with Non-ASCII characters in a non-UTF-8 Policy.
2) The Policy is exported via XML export.

Impact:
Response Page contents are corrupted

Workaround:
1) Use binary policy export/import for non-UTF-8 policies.
or
2) Encode the non-ascii characters using the html entities/code representations of them. (Example: 日本語 -> &#26085;&#26412;&#35486;)

Fix:
Response Page contents are correctly exported.


641256-1 : APM access reports display error

Solution Article: K43523962


641248 : IPsec-related tmm segfault

Component: TMOS

Symptoms:
The tmm cores and all connections are reset.

Conditions:
Race condition during IPsec tunnel tear down.

Impact:
The tmm restarts and all connections reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The IPsec-related tmm segfault has been corrected.


641083-2 : Policy Builder Persistence is not saved while config events are received

Component: Application Security Manager

Symptoms:
Policy Builder Persistence is not saved while config events are received.

Conditions:
This occurs when there are many changes made to the policy.

Impact:
Statistics are lost after pabnagd restarts.

Workaround:
None.

Fix:
Persistence is now saved every 24 hours.


641013-5 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.


640903-1 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen under 3 seconds.


640824-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log

Solution Article: K20770267

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

 crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.


640768 : Kernel vulnerability: CVE-2016-10088

Solution Article: K05513373


640636-3 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade

Component: TMOS

Symptoms:
Inserting a 40G optic into a 100G port, or inserting a 100G optic into a 40G shows the optic as "Unsuported Optic". That is not correct, it may be a supported optic, just inserted in the wrong port.

Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.

Impact:
The user may be confused on why the optic is not working, the error message is misleading when the optic is inserted in the wrong port.

Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic" remove the optic and verify that the optic speed matches the port.

Fix:
The "tmsh list net interface" will now show:
 
module-description "F5 Qualified Optic in invalid port"

And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.


640565-1 : Incorrect packet size sent to clone pool member

Solution Article: K11564859

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable.


640521-1 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
Connect to a public network which has Captive Portal and the Captive Portal uses jQuery library for mobile devices. EdgeClient does not render login page for such Captive Portal.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient can not establish VPN connection.

Workaround:
Use a browser to authenticate to Captive Portal. For locked client, there is no suitable workaround.

Fix:
Now Edge Client can successfully interact with a greater number of wifi captive portals.


640510-3 : BWC policy category attachment may fail during a PEM policy update for a subscriber.

Component: Policy Enforcement Manager

Symptoms:
The correct BWC category is not applied resulting in incorrect BWC handling of subscriber traffic.

Conditions:
PEM policies against a subscriber should be modified such that the BWC policy stays the same while the BWC category changes.

Impact:
Use cases dependent on BWC can be impacted.

Fix:
Code changes were added such that BWC policy and category changes through PEM are handled correctly.


640457-2 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down & comes back up very rapidly & some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.


640407-1 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.


640384-3 : New iRule options for MR::message route command

Component: Service Provider

Symptoms:
When routing a message via the MR::message route command, the connection-mode and max-connections attributes are not settable.

Conditions:
This is encountered when using the MR::message or MR::peer iRule commands and you wish to set the connection mode or max connections.

Impact:
For applications where other connection-modes are required (for example PER_CLIENT), it is not possible to implement via iRule.

Workaround:
NA

Fix:
New keywords added to MR::message route command to allow specification of the connection-mode and max-connections attributes of the temporary route added to the message.


640376-3 : STPD leaks memory on 2000/4000/i2000/i4000 series

Component: Local Traffic Manager

Symptoms:
STPD process on any 2000/4000/i2000/i4000 series platform that sends BPDUs will grow in physical memory usage indefinitely so long as its role in the tree results in sending BPDU packets. The memory usage will be faster for each interface that is sending BPDUs.

Conditions:
Spanning tree is enabled on any 2000/4000/i2000/i4000 series platform and the device has a role in the tree that results in sending BPDUs on one or more interfaces. Memory can be seen to increase when tracking with Linux top commands.

ex. top -b -n 1 | grep stpd

The 5th and 6th columns 'VIRT' and 'RES' slowly increase over time, indicating the memory leak.

Impact:
Memory leak resulting in indefinite consumption of available physical memory over time.

Workaround:
While the memory leak itself cannot be mitigated without a hotfix, the problem can be avoided if the tree can be configured in such a way that the defect affected platforms don't generate BPDUs. This can be done by choosing a root such that the defect affected platforms will have its interfaces to be in blocking mode, or if possible, to be in passthrough mode.

Fix:
BPDU process source code fixed to release memory allocated for each BPDU packet created and sent.


640369-2 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.

Fix:
TMM now correctly uses the configured option for auto-lashop and ICMPv6 traffic


640352-2 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Solution Article: K01000259

Component: Local Traffic Manager

Symptoms:
Connflow entry memory are leaked when BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between
the DHCP client and the BIG-IP system sets giaddr field to itself after connflows created are aged out in a particular order.

Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) DHCP relay agent sits between the DHCP client and the BIG-IP system sets giaddr field in DHCP renewal packet to itself (this has been observed in Cisco devices), so that DHCP renewal packet will be sent to a relay agent by DHCP servers.
3) Connflow created to giaddr(relay agent) ages out before
connflows created to DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
Ref count handing for giaddr connflows are now decremented when the client side connflow is removed, preventing the memory leak.


639970-3 : GUI - Client SSL profile certificate extensions names switch to numbers in case of validation error

Component: Local Traffic Manager

Symptoms:
Client SSL profile certificate extensions names switch to numbers if there is any validation error in save.

Conditions:
Try to Create/Modify client ssl profile such that it results in a validation error and click 'Finished/Update'.

Impact:
No functional impact: certificate extensions names switch to their number representation, but if you correct the actual validation error and submit the change, the saved object will have the expected set of certificate extensions.

Workaround:
Use TMSH to create/update client SSL profile.

Fix:
GUI client SSL profile certificate extensions names are displayed even if there is a validation error.


639929-2 : Session variable replace with value containing these characters ' " & < > = may case tmm crash

Component: Access Policy Manager

Symptoms:
TMM crash with session variable replace with value containing these characters ' " & < > =

Conditions:
Session variable replace with value containing these characters ' " & < > =

Impact:
Traffic disrupted while tmm restarts.

Workaround:
avoid session variable values containing ' " & < > = if possible. Otherwise, there is no workaround.

Fix:
Session variable overwrite operation with value containing special characters now works correctly


639767-2 : Policy with Session Awareness Statuses may fail to export

Component: Application Security Manager

Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.

Conditions:
There are many Session Awareness Statuses configured for the policy.

Impact:
ASM policy export will fail.

Workaround:
Remove all Session Awareness Statuses before export.

Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.


639750-1 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
in is a common practice to use aliases for username. for example, an app might allow users to login with either their ID, cell number, or nickname.
WebSafe doesn't support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
providing new ANTIFRAUD irule command for setting username (replace username alias with the "real" username)


639744-1 : Memory leak in STREAM::expression iRule

Solution Article: K84228882

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.


639729-2 : Request validation failure in AFM UI Policy Editor

Solution Article: K39428424


639619-3 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
Configuration fails then to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot

Fix:
The system now always reload the .unitkey from storage when loading other keys, so the UCS loads as expected.


639575-5 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview create a .tar file (tarball) using libtar. If any of the files collected are greater than 2 GB, the output tar file cannot be read by /bin/tar.

This occurs due to a limitation of the file compression library employed by qkview command; the system cannot collect files larger than 2 GB in size in a Qkview.

The qkview command may generate output that iHealth cannot parse, and that the tar command cannot extract.

Conditions:
-- The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.
-- A 2 GB or larger file exists in a directory that qkview normally collects.

Impact:
No qkview diagnostics file is created. Although you can extract the qkview tarball using /usr/bin/libtar, the file will be a zero-length file. Cannot submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
Remove the file larger than 2 GB from the system prior to running qkview or other program that uses libtar.

Fix:
With the fix to third party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.


639505-3 : BGP may not send all configured aggregate routes

Component: TMOS

Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.

Conditions:
- BGP established sessions.
 - BGP configuration contains several aggregate routes, one or more being a supernet of others.

Impact:
The smaller prefix aggregate (least specific), may not be sent to the BGP peer.

Fix:
BGP now sends all configured aggregates

Behavior Change:
BGP now sends all configured aggregates, even if one is supernetwork of another.


639486-4 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert or remove should have occurred while or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, handled the error condition gracefully.


639395-2 : AVR does not display 'Max read latency' units.

Solution Article: K91614278

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.


639283-4 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN

Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.

Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.

Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.

Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the certificate is untrusted by the client. This allows the logon to proceed if the user accepts the certificate.


639236-1 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain Contact header expires value set to 0 that is not the last attribute

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.


639193-1 : BIG-IP devices configured with Manual Sync, deleting parent policy causes sync to fail.

Solution Article: K03453591

Component: Advanced Firewall Manager

Symptoms:
In high availability (HA) environment where BIG-IP devices are configured for Manual Sync, deleting parent policy causes sync to fail.

Conditions:
This occurs when you delete the parent of a policy that was used as the parent of another policy. For example:
1. Clone Policy A and create Policy B.
2. Clone Policy B and create Policy C.
3. Delete Policy B.

Impact:
Manual sync operation fails.

Workaround:
Use one of the following Workarounds:
A. Enable automatic sync for HA configurations.
B. Run the following commands:
   tmsh save sys config partitions all
   tmsh load sys config partitions all
   Sync

Fix:
In HA environments containing BIG-IP devices configured for Manual Sync, deleting parent policy no longer causes sync to fail.


639039-4 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Solution Article: K33754014

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.


638997-2 : Reboot required after disk size modification in a running BIG-IP VE instance.

Component: TMOS

Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.

- A reboot is required after any such modification in the disk size for the changes to take effect. In previous versions, the reboot happened automatically but an affected BIG-IP VE will not have the reboot happening automatically.

- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.

Conditions:
Modifying disk size in a running BIG-IP VE instance.

Impact:
Changes in the disk size do not take effect till BIG-IP system is rebooted.

Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.

Fix:
Reboot required after disk size modification in a BIG-IP VE instance.


638935-3 : Monitor with send/receive string containing double-quote may cause upgrade to fail.

Component: TMOS

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the bigip.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the bigip.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list ltm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

If you have an escaped quote in your configuration, and are moving to a configuration with this the dependency of this fix, you cannot reload the configuration or the license which also reloads the configuration. Doing so, will cause the config load to fail.


638881-1 : Incorrect fan status displayed when fan tray is removed on BIG-IP iSeries appliances

Component: TMOS

Symptoms:
When the fan tray is removed, the fan status in tmctl tables and 'tmsh show sys hardware' are not updated correctly to reflect the current status of the fan tray i.e. not-present.

Conditions:
When the fan tray is physically removed.

Impact:
It is important to be aware of the fan status since malfunctioning of the fan tray can result in thermal shutdown when temperature thresholds are reached. Having incorrect/incomplete status would result in delayed corrective actions if a problem should arise.

Workaround:
No workaround at this time.


638825-2 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
Value returned for sysInterfaceMediaActiveSpeed OID has value of 80 for interface with type 100000SR4-FD instead of value of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.


638799-1 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.


The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now complete successfully for non-Access (non-APM) iRule events that are attached to the virtual server.


638780-3 : Handle 302 redirects for VMware Horizon View HTML5 client

Component: Access Policy Manager

Symptoms:
Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility.

Conditions:
APM webtop with a VMware View resource assigned.
HTML5 client installed on backend is of version 4.4 or later.

Impact:
This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM.

Workaround:
For versions 11.6.x and 12.x:
===============================

priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location [substr $location $path_index]
                regsub "/portal/" $new_location $vmview_html5_prefix new_location
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

======================
For version 13.0:
priority 2
when HTTP_REQUEST {
    regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix
}

when HTTP_RESPONSE {
    if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } {
        if { [info exists vmview_html5_prefix] } {
            set location [HTTP::header "Location"]
            set location_path [URI::path $location]
            if { $location_path starts_with "/portal/" } {
                set path_index [string first $location_path $location]
                set new_location "$vmview_html5_prefix[substr $location $path_index]"
                HTTP::header replace "Location" $new_location
            }
            unset vmview_html5_prefix
        }
    }
}

Fix:
Handle 302 redirects for VMware View HTML5 client are now handled properly.


638715-3 : Multiple Diameter monitors to same server ip/port may race on PID file

Solution Article: K77010072

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).

Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.


638629-2 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI is tried on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/a

Fix:
Fixed the CSHUI algorithm to have better bot detection.


638594-3 : TMM crash when handling unknown Gx messages.

Component: Policy Enforcement Manager

Symptoms:
TMM crash resulting in potential loss of service.

Conditions:
PCRF sends unsupported Gx messages to PEM.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Add support for identifying unknown messages types and handle them gracefully.


638556-2 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196


638170-1 : Pagination broken or missing while viewing pool statistics for GTM wideip

Solution Article: K36455356

Component: Global Traffic Manager (DNS)

Symptoms:
Error occurs while viewing pool statistics for GTM wideip if the number of pools are more than what can be displayed in a single screen.

Conditions:
When the number of pools are more than what can be displayed as specified in the System :: Preferences :: Record Per Screen setting.

Impact:
Unable to view the statistics of GTM wideip pools beyond those displayed on the screen.

Workaround:
Increase the number of Records Per Screen (System :: Preferences :: Records Per Screen) to a number larger than the number of pools in the GTM wideip.

Fix:
Can now view the statistics of GTM wideip pools beyond those displayed on the initial screen.


638137 : CVE-2016-7117 CVE-2016-4998 CVE-2016-6828

Solution Article: K51201255


638091-4 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.

Fix:
Config sync after changing named pool members no longer causes mcpd on secondary blades to restart.


637666-2 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440


637561-1 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only.

Impact:
Wildcard wideips are not returning wildcard requests correctly.

Workaround:
reload mcpdb using commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.


637559-1 : Modifying iRule online could cause TMM to be killed by SIGABRT

Component: TMOS

Symptoms:
If iRule is used by several virtual servers, and you edit the iRule online, it could cause TMM to be eventually killed by SOD (watchdog).

Conditions:
This can occur under the following conditions:
1. The iRule is used by large number of virtual servers.
2. You edit the iRule and save changes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If iRule is used by several virtual servers, and you edit the iRule online, it no longer causes TMM to be eventually killed by SOD (watchdog).


637308-8 : apmd may crash when HTTP Auth agent is used in an Access Policy

Solution Article: K41542530

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.


637252-1 : Rest worker becomes unreliable after processing a call that generated an error

Solution Article: K73107660

Component: Application Security Manager

Symptoms:
Unreliable behavior from ASM REST API.
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Conditions:
A REST worker can enter this state if it processes specific calls that ended in error, such as creating a new active Policy.

Note: Policies are meant to be created inactive and then activated through the apply-policy task.

Impact:
1) REST API tasks (like apply-policy) sometimes do not execute.
2) Calls that end in error are not correctly rolled back on the system.

Workaround:
1) Do not create 'active' policies. Create them with 'active': false, and then use the apply-policy task to set them active.

2) To recover a device that has reached this state, restart restjavad using the following command:
 bigstart restart restjavad

Fix:
REST workers maintain correct state and behavior after calls with errors.


637227-4 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.

Solution Article: K60414305

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.

A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.

Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.

Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.

Workaround:
None.

Fix:
DNS validation now occurs as expected, resulting in valid answers to AAAA queries.


637181-4 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.


636918-2 : Fix for crash when multiple tunnels use the same traffic selector

Component: TMOS

Symptoms:
Given multiple tunnels with the same traffic selector, a crash could sometimes occur.

Conditions:
Same traffic selector used with more than one tunnel.

Impact:
Possible tmm restart if problem happens. Traffic disrupted while tmm restarts.

Workaround:
Use different traffic selectors for different tunnels.

Fix:
Fixed a tmm crash related to traffic selectors used with more than one tunnel.


636853-2 : Under some conditions, a change in the order of GTM topology records does not take effect.

Solution Article: K19401488

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.


636790-3 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Component: Global Traffic Manager (DNS)

Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.

Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.

Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.

Workaround:
None.

Fix:
The GUI now properly hides or disables the action buttons if a user does not have proper permissions to perform the action.


636774-1 : Potential TMM crash credits to BWC token distribution logic

Component: TMOS

Symptoms:
tmm crashes at 'bwc_stb_static_recharge (stb_static=0x560086f501f0) at ../net/bwc_stb.c:364'.

Conditions:
Bandwidth Control (BWC) policies enabled with PEM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Fixed a potential TMM crash credits to BWC token distribution logic.


636744-1 : IKEv1 phase 2 SAs not deleted

Solution Article: K16918340

Component: TMOS

Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.

Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.

Impact:
IPsec tunnel(s) is/are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.

Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.

Option 2: Edit /config/failover/active and add the following two lines at the end:

logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa


636702-3 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790


636699-5 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821


636541-3 : DNS Rapid Response filters large datagrams

Component: Global Traffic Manager (DNS)

Symptoms:
Assigning a profile with DNS rapid response enabled to a virtual server on a P8 chassis might result in problems with blades and the cluster.

Depending on the timing of operations (config is loaded and tmm restarts), blades might never join the cluster properly and you will see errors similar to the following looping in /var/log/tmm:
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445394
notice CDP: exceeded 1/2 timeout for PG 0
notice CDP: PG 0 timed out
notice CDP: New pending state ff -> fe
notice CDP: New pending state fe -> ff
notice CDP: Selected DAG state from PG 0 for CMP state ff with clock 2445416

Conditions:
-- Assigning a profile with DNS rapid response enabled to a virtual server.
-- P8 chassis.
-- Large datagrams being passed.

Impact:
DNS Rapid Response filters large datagrams. Blades might never join the cluster.

Workaround:
There is no workaround at this time.

Fix:
The system now passes through any datagrams too big for DNS rapid response.


636535 : HSB lockup in vCMP guest doesn't generate core file

Solution Article: K24844444

Component: TMOS

Symptoms:
If an HSB lockup occurs in a vCMP guest, the system does not generate a core file.

Conditions:
HSB lockup, which occur rarely.

Impact:
Limited ability to diagnose failures due to HSB lockups.

Workaround:
None.

Fix:
Whenever an HSB lockup occurs in a vCMP guest, the system generates a core file.


636520-3 : Detail missing from power supply 'Bad' status log messages

Solution Article: K88813435

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.


636397-1 : bd cores when persistent storage configuration and under some memory conditions.

Component: Application Security Manager

Symptoms:
bd cores. Log signature in /var/log/bd looks similar to the following:

BD_MISC|ERR |Jan 02 14:24:06.422|27867|io_manager_init.c:0395|internal_keep_alive: BD shrinking...,going down - BD will be right back.
ptr BD_MISC|CRIT |Jan 02 14:24:06.422|27867|signals.c:0073|Received SIGSEGV - Core Dumping.

Conditions:
There is persistent storage configuration. There is high memory usage.

Impact:
bd crash. Traffic resets and/or failover

Workaround:
None.

Fix:
This release fixes a bd crash due to specific memory conditions and persistent storage.


636370 : Application Layer Encryption AJAX support

Component: Fraud Protection Services

Symptoms:
WebSafe doesn't support parameters encryption in Single Page Applications (using AJAX)

Conditions:
Application uses AJAX for sending parameters to web server

Impact:
Encryption won't work for Single Page Applications

Workaround:
N/A

Fix:
Adding AJAX encryption support (full payload encryption)

for 12.1.2-hf, enabling this feature requires:

tmsh modify sys db antifraud.internalconfig.string1 value <AJAX-HEADER-NAME>

AJAX-HEADER-NAME existence will enable AJAX support for current request and its value may contain the username used in current request (if configured and exists)

Note that activating AJAX support in releases > 12.1.2-hf is done differently (configured in profile, not in db)


636290 : vCMP support for B4450 blade

Component: TMOS

Symptoms:
vCMP is not supported in the B4450 blade

Conditions:
This occurs on the B4450 blade on specific BIG-IP software versions, for more information on supported vCMP versions see K14088: vCMP host and compatible guest version matrix, available at https://support.f5.com/csp/article/K14088

Impact:
You are unable to configure vCMP on the B4450 blade.

Fix:
vCMP is supported on the B4450 blade in this version.


636289-2 : Fixed a memory issue while handling TCP::congestion iRule

Component: Local Traffic Manager

Symptoms:
Increased memory usage in tmm.

Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.

Impact:
The memory allocated for congestion control is not freed.

Workaround:
If it is desired to use highspeed congestion control under some conditions, it is possible to start with highspeed by choosing highspeed congestion control in the TCP profile and switch to other desired congestion control when condition does not hold. With this workaround, once congestion control is changed to something other than highspeed, it is not possible to switch back to highspeed again.

Fix:
Improved memory utilization while using TCP::congestion iRule.


636254-2 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.

Fix:
Now APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"


636149-3 : Multiple monitor response codes to single monitor probe failure

Component: Local Traffic Manager

Symptoms:
A monitor probe failure to a monitor (such as HTTP) is logged to '/var/log/ltm' when the probed resource is unavailable. In some cases, for a probe resulting in an 'Unable to connect' error, multiple log entries are made, with the last log entry being the error that triggered the log entry. The other monitor entries made during this event are not specifically relevant, as they are 'stale' and due to previous monitor probe behavior that was logged earlier.

This is due to an error where the 'Could not connect' event appends rather than overwrites existing earlier error messages.

Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an 'Unable to connect' failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The final log entry of the 'Could not connect' or 'Unable to connect' message is relevant, while the possible multiple log entries immediately preceding are 'stale' and not relevant (as they are due to an earlier issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, consider only the last-line for the '/var/log/ltm' log entry, and ignore possibly-present log entries associated with that specific monitor that might be appear immediately above the 'Could not connect' line.

Fix:
The system now handles previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.


636044-1 : Large number of glob patterns affects custom category lookup performance

Solution Article: K68018520

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.

Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.


635961-1 : gzipped and truncated files may be saved in qkview

Component: TMOS

Symptoms:
When looking at the files in the qkview, some files might be both gzipped and truncated, when only one or the other is expected.

Conditions:
This occurs for certain files that are large enough to require truncation and gzipping.

Impact:
Minimal impact, as the extra file can be ignored. This is primarily an issue of wasting image space.

Workaround:
Ignore the extra copy of the file.

Fix:
Files are no longer both gzipped and truncated.


635933-3 : The validation of ICMP messages for ePVA accelerated TCP connections needs to be configurable

Solution Article: K23440942


635754-1 : Wildcard URL pattern match works inncorectly in Traffic Learning

Solution Article: K65531575

Component: Application Security Manager

Symptoms:
In the policy with URL learning mode set to ALWAYS, wildcard URL matching for *.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using "Up" button".

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning


635703-1 : Interface description may cause some interface level commands to be removed

Solution Article: K14508857

Component: TMOS

Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.

Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.

Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.

Workaround:
To prevent this issue, do not use interface-level descriptions.

If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.

Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.

Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.


635561-1 : Heavy URLs statistics are not shown after upgrade.

Component: Application Visibility and Reporting

Symptoms:
Heavy URLs statistics are not shown after upgrade.

Conditions:
Upgrading to newer version

Impact:
Missing statistics.

Workaround:
No workaround

Fix:
Upgrade and verify all heavy URLs statistics are shown.


635541 : "Application CSS Locations" is not inherited if changing parent profile

Component: Fraud Protection Services

Symptoms:
"Application CSS Locations" is not inherited if changing parent profile, which can cause to the following error while saving: Application CSS Locations cannot be empty.

Conditions:
This occurs in the GUI when FPS provisioned when the system is configured with phishing detection license.

Impact:
Cannot use FPS GUI to configure Application CSS Locations.

Workaround:
Use tmsh or the REST API to configure Application CSS Locations.

Fix:
"Application CSS Locations" is inherited if parent profile is changed. No errors are shown while saving.


635412 : Invalid mss with fast flow forwarding and software syn cookies

Solution Article: K82851041


635314-5 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127


635274-1 : SSL::sessionid command may return invalid values

Solution Article: K21514205

Component: Local Traffic Manager

Symptoms:
The SSL::sessionid iRule command might return random, invalid values. This also causes high CPU usage on TMM. This occurs when the SSL ID retrieved from SSL is on the stack and gets overwritten prior to use, resulting in a persist lookup loop which causes the high CPU. The issue is also associated with the SSL::sessionid iRule command because SSL::sessionid and SSL persistence use the same internal mechanism to retrieve the SSL session ID.

Conditions:
This issue occurs when either of the following conditions exists:
-- An iRule exists that queries the SSL::sessionid.
-- An SSL persist profile is configured on the virtual server.

Impact:
The iRule might not work as expected.
High CPU usage.

Workaround:
Do not use the SSL:sessionid iRule.

Fix:
The SSL::sessionid iRule returns the session ID as expected.


635257-2 : Inconsistencies in Gx usage record creation.

Solution Article: K41151808

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.

Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.


635252-1 : CVE-2016-9256

Solution Article: K47284724


635233-3 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Solution Article: K80902149

Component: Policy Enforcement Manager

Symptoms:
CCR-u or CCR-t sent in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164, etc., even if the AVPs are marked mandatory.

Conditions:
This occurs when the BIG-IP system sends a CCR-u or CCR-t when the specified policy received from PCRF does not exist.

Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164.

Workaround:
None.

Fix:
Added the custom AVPs in the case of CCR-u and CCR-t, if those attributes are enabled for reporting in the protocol profile.


635191-1 : Under rare circumstances TMM may crash

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP failover.

Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.

Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm restart and failover no longer occur.


635129 : Chassis systems in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster are upgraded, multiple devices will become Active simultaneously.

The affected versions erroneously clear their management-ip during reboot and synchronize this to other members of the Device Service Cluster. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the Device Service Cluster members lose contact with each other, and all become Active.

Conditions:
This problem occurs on VIPRION chassis systems, either running natively, or as a VCMP guest, when upgrading from the affected versions (12.1.0, 12.1.1, 12.1.2), to any other version. The problem occurs on any upgrade, whether on the list of affected versions, or a later version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in Active/Active state until all Chassis are finished upgrade. See https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.


635116-1 : Memory leak when using replicated remote high-speed logging.

Solution Article: K34100550

Component: TMOS

Symptoms:
As a result of a known issue when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one poolmember, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.


634779-1 : TMM may crash will processing SSL Forward Proxy traffic

Solution Article: K43945001


634576 : TMM core in per-request policy

Solution Article: K48181045

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.


634371-2 : Cisco ethernet NIC driver

Component: TMOS

Symptoms:
The Cisco Ethernet NIC driver is version 2.1.1.67

Conditions:
N/A

Impact:
Cisco recommends using the updated version 2.3.0.12

Fix:
Cisco VIC Ethernet NIC Driver 2.3.0.12 is now used.


634265-2 : Using route pools whose members aren't directly connected may crash the TMM.

Solution Article: K34688632

Component: Local Traffic Manager

Symptoms:
The TMM crashes when trying to resolve routes using route pools whose members are not directly connected.

Conditions:
A configuration has route pools whose members aren't directly connected. Additionally, this is an issue only in configurations where the TMM doesn't proxy traffic but sources traffic. An example is an sFLOW configuration.

Impact:
Traffic disrupted while tmm restarts. The TMM crashes whenever a connection tries to resolve such a route.

Workaround:
Create route pools with directly connected members.

Fix:
Using route pools whose members aren't directly connected no longer crashes the TMM.


634252 : TMM crash with per-request policy in SWG explicit

Solution Article: K99114539

Component: Access Policy Manager

Symptoms:
TMM crash is seen intermittently when evaluating per-request access policies for SWG-explicit use cases.

Conditions:
Although the exact conditions required for this issue are unknown, evaluating per-request access policies for SWG-explicit use cases might be related.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM crash is no longer seen when evaluating per-request access policies for SWG-explicit use cases.


634215-1 : False detection of attack after restarting dosl7d

Component: Application Visibility and Reporting

Symptoms:
False detection of an attack.

Conditions:
Restarting dosl7d during traffic.

Impact:
False attack is reported.

Workaround:
No workaround

Fix:
Restart dosl7d during moderate traffic and verify no false attack is reported.


634115-1 : Not all topology records may sync.

Component: TMOS

Symptoms:
Some GTM topology records may silently not be synchronized to other devices in the sync group.

Conditions:
One known case occurs when topology records have overlapping subnet specifiers (such as 1.0.0.0/8 and 1.0.0.0/9). It is possible that there are other conditions that might cause this issue.

Impact:
Other devices in the GTM sync group will have an incomplete set of topology records, so the returned DNS answers may differ from the expected values.

Workaround:
After updating topology records, run the following command to force a push of all GTM objects: run cm config-sync force-full-load-push to-group gtm.


This can be performed from tmshell or bash.

tmshell:
---------
(/Common)(tmos)# run cm config-sync force-full-load-push to-group gtm
Force a full load sync? (y/n)y

bash:
---------
tmsh run cm config-sync force-load-push to-group gtm

Note: This command executes and returns to bash with no feedback. To determine the outcome, you can check /var/log/gtm for 'success'.

Fix:
Some GTM topology records may have silently not been synchronized to other devices in the sync group. This is now resolved; all topology objects will be synchronized to all expected devices.


634078-2 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero

Component: Service Provider

Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.

Conditions:
This occurs when a message routing SIP profile is in use.

Impact:
Source port is set to 0.

Workaround:
None.

Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.


634015-3 : Potential TMM crash due to a PEM policy content triggered buffer overflow

Solution Article: K49315364

Component: Policy Enforcement Manager

Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.

Conditions:
PEM configured with a large number of policy rules that goes beyond the maximum supported PEM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Buffer allocation checks have been added in that result in an error log along in case of a buffer overflow.


634001-2 : ASM restarts after deleting a VS that has an ASM security policy assigned to it

Component: Application Security Manager

Symptoms:
ASM restarts with the following errors:

'ltm' log error:
--------
err mcpd[9458]: 0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

'ts_debug.log' error:
--------
asm|INFO|0107102e:3: gtm_vs_score refers to nonexistent virtual server (/<partition>/<app>/<vsname>).
--------

Conditions:
ASM provisioned
Deleting a virtual server that has an ASM security policy assigned to it.

Impact:
ASM restart

Workaround:
None.

Fix:
ASM no longer restarts when deleting a virtual server that has an ASM security policy assigned to it.


633879-1 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Solution Article: K52833014

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, then save and then restart, this would set up the daemon from a config file instead of via incremental config parsing. So while it would not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.


633723-3 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a 'request queue stuck' error. When this occurs, the system posts a log message such as:
crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck.

Conditions:
-- A Cavium Nitrox 'request queue stuck' error occurs.
-- The db variable 'crypto.ha.action' is set to reboot.

Impact:
The system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system immediately fails over to the standby system, but will then spend approximately one minute gathering diagnostic information before rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Workaround:
None.

Fix:
The system now automatically gathers nitrox data collection when request queue stuck errors occur.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox 'request queue stuck' error occurs and the db variable 'crypto.ha.action' is set to reboot, the system will automatically run 'nitrox_diag' to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay occurs only on rebooting the system that has already gone to standby mode.


633691-4 : HTTP transaction may not finish gracefully due to TCP connection is closed by RST

Component: Local Traffic Manager

Symptoms:
HTTP or other higher layer protocol transactions may not finish gracefully due to TCP connection is closed by RST.

Conditions:
1. There is ClientSSL or ServerSSL configured on the Virtual Server.
2. HTTP or other higher layer protocol has not finished the translations yet.
3. Client or Server sends out the TCP FIN packet.

Impact:
Application-level responses may not be received at all by the client.

Workaround:
No Workaround.

Fix:
TMM should try to use the TCP FIN to close the connection gracefully as much as possible instead of using RST which will abandon the data which has not been sent out to the wire.


633512-1 : HA Auto-failback will cause an Active/Active overlap, or flapping, on VIPRION.

Solution Article: K20160253

Component: TMOS

Symptoms:
When a preferred device becomes available and takes over due to an Auto-Failback configuration, the takeover is not performed as a smooth handoff, but instead results in both devices becoming Active for the network failover timeout period (3 seconds).

Conditions:
This problem affects traffic groups on VIPRION systems configured with HA Order and Auto-Failback enabled.

Impact:
Since both nodes are Active for (by default) 3 seconds, this may cause network traffic to be dropped or interrupted during the overlap interval. In addition, the Active/Active overlap may not resolve in favor of the preferred device. When this happens, the preferred device attempts to Auto-Failback again after the Auto-Failback expires, and the process repeats forever.

Workaround:
Do not configure Auto-Failback on VIPRION.

Fix:
The devices perform a clean handoff during Auto-Failback, with no Active/Active overlap.


633413-1 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.


633391-1 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" messave at the top of the page. You cannot modify internal data groups using GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
users would be able to modify and update data groups


633333-3 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent

Component: Local Traffic Manager

Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.

Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.

Workaround:
There is no workaround

Fix:
Fixed sequence of events on connection closure.


633181-1 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Workaround:
Use openssl from the bash command line to generate CSR's.
Solution article K14534 contains the appropriate procedure.


633070-1 : Sync Inconsistencies when using Autosync ASM Group between Chassis devices

Component: Application Security Manager

Symptoms:
When at least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it, Devices may go out of sync and may end up with incorrect ASM configuration

Conditions:
At least two Bladed Devices are in two autosync device groups together, where one device group is the failover device group, and the other device group has ASM sync enabled on it.

An ASM policy is created.

Impact:
Devices may go out of sync and may end up with incorrect ASM configuration

Workaround:
Enable ASM sync on the failover device group, or use manual sync for the ASM device group.

Fix:
Bladed devices (chassis) handle ASM autosync device groups correctly


632968-2 : supported_signature_algorithms extension in CertificateRequest sent by a TLS server fails

Component: Local Traffic Manager

Symptoms:
Clients are unable to establish an SSL session.

If the backend server sends a Certificate Request with Signature Hash Algorithms set to SHA256, the server SSL profile responds with Certificate and Certificate Verify containing a signature signed by SHA1 when ssl-sign-hash in that profile is set to 'ANY'. Because the backend server does not expect SHA1, the handshake fails.

If the BIG-IP server SSL profile advanced configuration setting for SSL sign hash is set to SHA-256 (and not ANY), the handshake fails with the following error:
Connection error: ssl_hs_rsaprivenc:8528: no shared hash algorithm (40).

Conditions:
* BIG-IP system is communicating with a TLS server (applies to server SSL profiles).
* TLS server is requesting client authentication (this is less common).
* TLS client is using the supported_signature_algorithms extension (this is very common)
* TLS 1.2 is likely needed. TLS 1.0 does not support extensions.
* SSL sign hash for the server SSL profile is set to either 'any' or 'sha-256'.

Impact:
BIG-IP systems sign the TLS handshake with the SHA1 algorithm, which fails on the server.

Note that this issue is orthogonal to the issue of hash algorithm in X.509 certificates, e.g., 'SHA1 in X.509 certificates'.

Workaround:
No mitigation is known.

Fix:
BIG-IP now properly parses the following extension in CertificateRequest by a TLS server.:

SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>.

This allows the existing logic to work, in particular, to learn that the server supports SHA2 family of hash algorithms and use them with the signature in the TLS handshake.


632875-3 : Non-Administrator TMSH users no longer allowed to run dig

Solution Article: K37442533


632824-1 : SSL TPS limit can be reached if the system clock is adjusted

Solution Article: K00722715

Component: Local Traffic Manager

Symptoms:
If you adjust the system clock you will occasionally get error messages of the form "SSL transaction (TPS) rate limit reached". (For the intended feature of this message, see K7747: Error Message: SSL transaction (TPS) rate limit reached https://support.f5.com/csp/article/K7747.)

Conditions:
Occurs when you adjust the system clock.

Impact:
When the message occurs, the connection and often several subsequent connections are dropped.

Workaround:
None.

Fix:
The message no longer occurs when the system clock is changed and only occurs when system legitimately reaches the SSL TPS limit.


632798-2 : Double-free may occur if Access initialization fails

Solution Article: K30710317

Component: Access Policy Manager

Symptoms:
Double-free may occur if Access initialization fails.

Conditions:
Access initialization failure occurs, possibly due to license issues.

Impact:
tmm crashes and cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a double free condition so that the associated tmm crash no longer occurs.


632731-2 : specific external logging configuration can cause TMM service restart

Solution Article: K21964367

Component: Advanced Firewall Manager

Symptoms:
When external logging is configured for ACL rule hits, and the logging server connection is routed through a Forwarding Virtual, the ACL logging causes a TMM crash and service disruption.

Conditions:
The problem is seen when all the following conditions match:

1. External Logging server configured for ACL rule match.

2. External logging server is routed through a Forwarding Virtual (the destination IP of the external logging server matches a Forwarding Virtual's destination address/mask and hence gets routed through the Forwarding VIP).

3. The forwarded logging destination connection causes a crash in TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use one of the following workarounds:
--Avoid configuring remote logging to be forwarded through a Forwarding Virtual.
-- Do not have logging enabled on the forwarding Virtual.

Fix:
Connections originated from the BIG-IP to the remote logging server are not subjected to ACL checks, which prevents generation of logs for log server connection, which prevents the error conditions.


632685 : bigd memory leak for FQDN nodes on non-primary bigd instance

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
None.


632668-5 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.


632658-4 : Enable SIP::persist command to operate during SIP_RESPONSE event

Component: Service Provider

Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Conditions:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Impact:
it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Workaround:
NA

Fix:
It is possible to change the timeout of a SIP persistence entry during SIP response message processing.


632646-4 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) is deleted from OAM server, or an OAM session is deleted from server.

Impact:
OAM login with invalid ObSSOCookie results in error page. However, expected behavior is that user is redirected to login page if login with ObSSOCokkie fails.

Workaround:
No Workaround

Fix:
Issue is fixed - On authenticate with ObSSOCookie, read getStatus() API call to check the ObSSOCookie status and redirect to IDP if it is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix user will be redirected to IDP on logging with cookie that is deleted manually from the OAM server.


632552-2 : tmm crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event

Solution Article: K08634156

Component: Local Traffic Manager

Symptoms:
tmm crashes.

Conditions:
When CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event which is fired before either event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Move the script in _CLOSED events to another events.

Fix:
tmm no longer crashes when CLIENT_CLOSED or SERVER_CLOSED is used with parking command in another event.


632504-1 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Solution Article: K31277424

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even they are assigned via a normal resource assign agent, are listed under dynamic resource as opposed to static one.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.


632499-1 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Solution Article: K70551821

Component: Access Policy Manager

Symptoms:
Resources put under webtop section such as webtop link, portal access requires to be included as dynamic resource or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-create portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Includes those resources as dynamic resources in Policy Sync advanced settings.

Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.


632472-1 : Frequently logged "Silent flag set - fail" messages

Component: Access Policy Manager

Symptoms:
APM logs excessive messages similar to the following:

2016-12-07,21:46:10:864, 1740,884,APPCTRL, 2, \UBindSecurityMgr.h, 119, UBindSecurityMgrImpl::GetWindow, Silent flag set - fail

Conditions:
This can occur when connecting to APM via the Edge Client.

Impact:
Excessive messages are logged. These messages can be ignored.


632423-4 : DNS::query can cause tmm crash if AXFR/IXFR types specified.

Solution Article: K40256229

Component: Global Traffic Manager (DNS)

Symptoms:
Passing "AXFR" or "IXFR" as the type to the DNS::query iRule command can cause a tmm crash.

Conditions:
DNS Express must be enabled when one of the XFR types is used in the DNS::query iRule command.

Impact:
tmm will crash and restart every time this command is issued. Traffic disrupted while tmm restarts.

Workaround:
Do not explicitly use AXFR or IXFR query types.

If the [DNS::question type] command is being used to dynamically pass in the type, add a preceding check similar to the following:

if { not [DNS::question type] ends_with "XFR" } {
    set rrs [DNS::query dnsx [DNS::question name] [DNS::question type]]
}

Fix:
The iRule now provides an error message in /var/log/ltm indicating that AXFR and IXFR are not valid types to use with the DNS::query command, and no tmm crash occurs as a result.


632386-1 : EdgeClient cannot establish iClient control connection to BIG-IP if another control connection exists

Component: Access Policy Manager

Symptoms:
When a iClient control connection, between Edge Client and BIG-IP, exists for a given session id, a new iClient control connection for the same session id cannot be established until the existing connection is torn down. When the client interface is down or the client changes networks, it takes time for the BIG-IP to detect that the existing control connection is down. During this time, if the client attempts to establish a new control connection (interface up or different network), BIG-IP rejects the new connection request.

Conditions:
EdgeClient attempts to open a new iClient control connection with the same session id as that of an existing control connection and without explicitly closing the current connection. This could happen when the client interface is down or clients changes the network it is on.

Impact:
Edge Client cannot establish a iClient control connection and hence a tunnel to the BIG-IP.

Fix:
When BIG-IP sees a new iClient control connection request for a session id for which another iClient control connection exists, the existing connection is closed and the new connection request is attempted to be accepted.


632366-1 : Prevent a spurious Broadcom switch driver failure.

Component: TMOS

Symptoms:
When a high volume traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, thinks the switch driver has become nonfunctional and kills it.

Conditions:
A very high volume traffic is sent to a BIG-IP system under certain circumstances.

Impact:
Potential eventual system outage if the Broadcom switch driver fails.

Workaround:
None.

Fix:
A spurious Broadcom switch driver failure is not possible anymore.


632344-2 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when using "%E2%80%AC" POP DIRECTIONAL FORMATTING as a input in the XML request.

Impact:
When one of the following 3 byte chars arrives to the XML parser, the payload considered as malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

Workaround:
None.

Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).


632326-2 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation

Solution Article: K52814351

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1.
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1.
bigstart restart asm.


632324-2 : PVA stats does not show correct connection number

Component: Local Traffic Manager

Symptoms:
do command tmsh show sys pva-traffic global

The current connection number showed up may not be correct

Conditions:
This occurs when there is PVA Traffic

Impact:
Wrong stats number for current PVA connections

Fix:
Fixed incorrect statistics for PVA Traffic


632178-1 : LDAP Query agent creates only two session variables when required attributes list is empty

Component: Access Policy Manager

Symptoms:
When required attributes list is empty, LDAP Query agent produces only two session variables.
in previous releases, the default behavior was - to get all user's attributes and populate those as session variables

Conditions:
LDAP Query agent configured in an Access Policy.
Required attributes list is empty (not any attr is configured)

Impact:
LDAP Query agent failed if branch rule expects to get user's attributes.
any other agent in the policy that relies on user's LDAP attributes will also fail.

Workaround:
As a workaround you can configure required attributes to be retrieved by LDAP Query agent explicitly

Fix:
The default behavior is back; when the required attributes list is empty, the LDAP Query Agent will retrieve all user's attributes and populate them as session variables.


632069-3 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security


632060-1 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header

Component: iApp Technology

Symptoms:
when upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
if your device has an iApps LX application, then that application sill not synchronize to the standby device. So if a failover occurs, then the iApps LX application will seem to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or 13.0.x hot fix


632005-1 : BIG-IP as SAML SP: Objects created by IdP connector automation may not be updated when remote metadata changes

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML Service provider (SP), IdP connector creation can be automated using list of URIs containing IdP metadata.

Symptom for this issue:
When remotely published metadata changes - BIG-IP will not be able to modify previously created idp-connector object(s) to reflect the changes.

When issue happens, the error similar to following is logged in /var/log/saml_automation.log :

"apm aaa saml-idp-connector *NAME* import-metadata only supports create operations."

Conditions:
BIG-IP is used as SP. IdP connector creation is automated. Metadata published on automation URIs changes.

Impact:
BIG-IP configuration will not contain the latest changes reflected in published IdP metadata.

This may have different impact based on how metadata is changed.
Impact can be from none to user authentication failure (e.g. when IdP signing certificate is changed).

Workaround:
When error is encountered:
- Manually remove affected idp-connector configuration object
- Restart samlidpd service : "bigstart restart samlidpd"

As a result, SAML connector automation will re-create new idp-connector objects will current up-to-date metadata files.

Fix:
BIG-IP is able to modify previously created idp-connector object(s) to reflect the changes when connector automation is deployed.


632001-1 : For Thales net-HSMs, fipskey.nethsm now defaults to module protected keys

Component: Local Traffic Manager

Symptoms:
fipskey.nethsm uses a Thales utility to actually generate/export keys. This utility looks at files in .../kmdata/local to determine what type of protection to use. If there are any softcard or OCS files, then the key will be token protected. If there aren't any files then the key will be module protected.

This can be a problem for BIG-IP since that entire folder is synced down to it, so OCS or softcard files unrelated to the BIG-IP operation will change fipskey.nethsm's behavior.

Conditions:
Use fipskey.nethsm to generate/export a nethsm-protected key while there are OCS or softcard files in the BIG-IP system's .../kmdata/localfolder.

Impact:
Key protection type changes based on the presence of softcard or OCS files in .../kmdata/local.

Workaround:
Explicitly use the -c or --protect option to define the protection type when generating/exporting keys.

Fix:
fipskey.nethsm will now default to making a module-protected key regardless of the presence of OCS or softcard files in .../kmdata/local.

Scripts that export or generate token or softcard protected keys will now need to explicitly set the protection type via the -c or the --protect option in all situations.


631866-2 : Cannot access LTM policy rules in the web UI when the name contains certain characters

Component: TMOS

Symptoms:
Access LTM policy rules in the web UI when the name contains percent (%) or slash (/) displays an empty page.

Conditions:
The LTM policy rule name being accessed contains the characters percent (%) or slash (/).

Impact:
The policy rule properties page displays an empty page.

Workaround:
Update the LTM policy rule using tmsh.

Fix:
LTM policy rules can be accessed as expected in the web UI regardless of their names.


631862-1 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Solution Article: K32107573

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use following iRule for broken URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with zero size chuck, BIG-IP properly handles the response and sends END_STREAM flag finalizing the response.


631737-1 : ArcSight cs4 (attack_type) is N/A for certain HTTP Compliance sub-violations

Solution Article: K61367823

Component: Application Security Manager

Symptoms:
ArcSight cs4 (attack_type) is reported as "N/A" for a violation whose sub-violation does not have a specific attack_type_code.

Conditions:
This occurs when there are HTTP Compliance sub-violations such as "Header name with no header value" that do not correlate to any attack_type. Other attack types are as follows:
-- HTTP Protocol Compliance/ High ASCII characters in headers.
-- HTTP Protocol Compliance/ Host header contains IP address.
-- HTTP Protocol Compliance/ CRLF characters before request start.
-- HTTP Protocol Compliance/ Header without header value.
-- HTTP Protocol Compliance/ Body in GET/HEAD requests.
-- Evasion technique/ directories traversals.

Impact:
When one of these violations occurs, the system does not assign the appropriate attack type to the logged request in the log or in the remote logger. The system reports the ArcSight remote logger message as attack_type="N/A". (If no other violation was found.)

Workaround:
None.

Fix:
Now, when ArcSight cs4 (attack_type) HTTP Compliance sub-violations do not correlate to any attack_type, the system assigns the parent violation's attack type when reporting the violation.


631722 : Some HTTP statistics not displayed after upgrade

Component: Application Visibility and Reporting

Symptoms:
Some statistics will disappear after upgrade due to bug in HTTP statistics backup.

Conditions:
Upgrading to newer version

Impact:
Not all statistics are shown.

Workaround:
No workaround

Fix:
Fixed an issue where some ASM HTTP statistics would disappear after upgrade.


631700-1 : sod may kill bcm56xxd under heavy load

Solution Article: K72453283

Component: TMOS

Symptoms:
Under heavy load, bcm56xxd may not get enough CPU cycles to finish some of its operations and activate the watchdog process. In that case, sod will suspect that bcm56xxd has halted and terminate the process.

Conditions:
When the system is very busy, tmm has higher execute priority, and bcm56xxd does not have enough CPU cycles.

Impact:
The switch will not operate during the restart, and traffic might be interrupted.

Workaround:
Reduce the traffic to make the system less busy.

Fix:
The system now has bcm56xxd activate the watchdog so that sod does not terminate the bcm56xxd process.


631688-7 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302


631627-4 : Applying BWC over route domain sometimes results in tmm not becoming ready on system start

Component: TMOS

Symptoms:
Rebooting after applying BWC to route domain stops vlan traffic on VCMP guest. You will experience connection failures when bandwidth Controller (bwc) and Web Accelerator are enabled.

Running the tmsh show sys ha-status all-properties command will indicate that tmm is in "ready-for-world", but the Fail status will read "Yes" when this is triggered.

Conditions:
BWC enabled and associated with a route domain, Web Accelerator is enabled, and the system is rebooted.

Impact:
The system does not comes up fully. TMM does not reach a ready state and will not pass traffic.

Workaround:
Remove BWC from route domain and then reapply the BWC back.

Fix:
BWC enabled and associated with a route domain, Web Accelerator enabled, and the system is rebooted, now results in the system and TMM coming up fully and passing traffic.


631626 : Unable to delete an access profile which contains a route domain agent

Component: Access Policy Manager

Symptoms:
If an Access profile contains a policy with a route domain agent, the policy cannot be copied or deleted from the GUI or command line tools.

The GUI and CLI both fail with the following message:
Operation error: getHash failed

Conditions:
Access profile contains a route domain agent.

Impact:
Cannot delete or copy the Access profile.

Workaround:
Delete the route domain agent from the VPE and then copy/delete the Access profile.

Fix:
You can now copy and delete Access profiles which contain a route domain agent.


631609-1 : ASM Centralized Management Infrastructure Sync issues

Component: Application Security Manager

Symptoms:
Devices in a multiple Automatic sync device-groups may extraneously request a full sync after initial device sync creation, or after a full sync event.

Conditions:
Devices are in an autosync failover group and an autosync sync-only group with ASM sync enabled.

Impact:
A device may extraneously request additional full syncs after receiving a full sync from its peer or after adding an ASM policy.

Workaround:
No workaround.

Fix:
Extraneous full sync requests are no longer sent.


631582 : Administrative interface enhancement

Solution Article: K55792317


631472-1 : Reseting classification signatures to default may result in non-working configuration

Component: Traffic Classification Engine

Symptoms:
Configuration will not load when running "tmsh load ltm classification signature default" or clicking Reset to Defaults button on Traffic Intelligence :: Applications : Signature Update page.

Conditions:
1. You upgrade classification signatures to an IM package, and reference one of the newly added applications / categories in your configuration (e.g., PEM classification filter).
2. You reset classification signatures back to default by running "tmsh load ltm classification signature default" or selecting "Reset To Defaults" on the Traffic Intelligence :: Applications : Signature Update page.

Impact:
Configuration will not load.

Workaround:
Remove application that came with the new IM from the configuration.

Fix:
The release solves the problem of potentially non-working configurations after classification signatures were reset to default.


631444-2 : Bot Name for ASM Search Engines is case sensitive

Component: Application Security Manager

Symptoms:
CS challenge is returned for request with known search engine which is sent with different case than configured.

Conditions:
ASM profile is configured on the VS; DoS profile is not configured on the VS.

Impact:
Known search engines will get CS challenge.

Workaround:
Have DoS profile on the VS, in which the only feature turned on is Bot Signature, in report only, where only search engine category is turned on.

Fix:
making the ASM Search Engines case insensitive


631334-4 : TMSH does not preserve \? for config save/load operations

Component: TMOS

Symptoms:
TMSH strips the escape characters for literal strings '\?' to be '?' or '\[' to be '[' in ltm monitor send/recv strings.

Conditions:
This condition manifests whenever the send/recv string in LTM monitor contains '\?' (backslash-question mark) or '\[' (backslash-open square bracket).

Impact:
This might cause the BIG-IP system to load incorrect monitor send/recv strings.

Workaround:
Use [] (open square bracket-close square bracket) in these cases when using a recv string, for example:

[?] [[]

Another option is not using '\' (backslash) in front of '[' (open square bracket) to indicate a literal string.

Note: This workaround is not valid for send strings.


631316 : Unable to load config with client-SSL profile error

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf


631286-1 : TMM Memory leak caused by APM URI cache entries

Component: Access Policy Manager

Symptoms:
Tmctl stats for "access_uri_info" gradually grows and can lead to TMM memory exhaustion.

Conditions:
APM or SWG in use.

Impact:
TMM memory exhaustion.

Workaround:
Restart tmm.

Fix:
This release implements a limit of how many entries the system stores in the URI cache. The default is 2048 entries. The DB variable allows a range of 2048 - 8192. You can the following DB variable to control the max limit:

access.max.euie_uri.cache.entries


631204-1 : GeoIP lookups incorrectly parse IP addresses

Solution Article: K23124150


631172-4 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Solution Article: K54071336

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to gui and idle for 20-30 minutes

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.


631131-3 : Some tmstat-adapters based reports stats are incorrect

Component: Application Visibility and Reporting

Symptoms:
Stats are being collected in a wrong way for tmstat tables that are using partial-key. This leads to wrong values on reports.

Conditions:
Using partial key from tmstat-table on tmstat-adapter

Impact:
Wrong stats values for some reports.

Fix:
Tmstat-Adapters is now using the correct API from tmstat-framework which simulate a 'group-by' function on the query, and thus provide the correct result-set.


631060-1 : BIG-IP may incorrectly reject serverside connection when REQLOG is configured.

Component: Access Policy Manager

Symptoms:
Serverside connection can be reset when V2 plugin e.g. REQLOG is configured on virtual.

Conditions:
Virtual server configured with REQLOG and SSL clientside and serverside profiles.

Impact:
Serverside connections can not be established due to early TCP RST and failing TCP handshake.

Workaround:
Remove REQLOG from configuration.

Fix:
V2 Plugins work correctly if clientside is disabled on the hudchain.


631048-1 : Portal Access [PeopleSoft] 'My Preferences' page does not have content

Component: Access Policy Manager

Symptoms:
IN PeopleSoft (PS) web-application 'My Preferences' page contains no content.

Conditions:
Steps to Reproduce:

1. Navigate and login to PS Portal through reverse proxy.
2. Click on 'My Preferences' item in 'Action list' button.

Impact:
Page contains no content. Web-application does not work as expected.

Workaround:
To work around this issue, use an iRule.

Fix:
The issue is fixed.


631025-1 : 500 internal error on inline rule editor for certain firewall policies

Component: Advanced Firewall Manager

Symptoms:
While attempting to use the inline rule editor on a firewall policy, the system returns a 500 internal error. Viewing and editing the same policy in tmsh works as expected.

Conditions:
-- This occurs when editing certain firewall policies in the GUI.
-- The issue is specific to policies with rules that meet the following criteria:

a) At least two addresses with the same first three octets.
b) Addresses should have non-default partition.

141.146.155.40%1 { }
141.146.155.41%1 { }

Impact:
Unable to view or edit the policy, page returns an error

Workaround:
You can view these rules in the GUI by disabling the inline rule editor.

Fix:
Fixed an issue with certain AFM rules generating a 500 internal error in the GUI.


630929-1 : Attack signature exception list upload times-out and fails

Solution Article: K69767100

Component: Application Security Manager

Symptoms:
httpd_errors log:
------------
err httpd[<PID>]: [error] [client <client_IP>] PHP Fatal error: Maximum execution time of 30 seconds exceeded in /var/ts/dms/common/classes/Thrift/packages/asmconfig/f5_thrift.php on line <line_ID>, referer: https://<BIG-IP_MGMT_IP>/dms/policy/pl_header_normalization.php
------------

Conditions:
ASM provisioned.
Attack signature exception list uploaded.

Impact:
Attack signature exception list upload times-out and fails.

Workaround:
N/A

Fix:
Improved the Attack signature exception list upload process to take much less time.


630661-2 : WAM may leak memory when a WAM policy node has multiple variation header rules

Solution Article: K30241432

Component: WebAccelerator

Symptoms:
When a WAM policy node has multiple variation header rules, a memory leak occurs upon evaluation of each request.

Conditions:
WAM policy with node utilizing multiple variation header rules.

Impact:
Potential per-request memory leakage driven by client traffic.

Workaround:
The only workaround is to ensure that individual WAM policy nodes have fewer than two header variation rules.

Fix:
WAM no longer leaks memory when evaluation policy nodes which utilize two or more header variation rules.


630622-1 : tmm crash possible if high-speed logging pool member is deleted and reused

Component: TMOS

Symptoms:
When deleting and then re-using a high-speed logging pool member that is in use, a rare tmm crash may occur.

Conditions:
High-speed logging profile configured, high-speed logging pool configured, and a pool member is removed and re-added while the pool is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Rare tmm crash no longer occurs if high-speed logging pool member is deleted and reused.


630611-1 : PEM module crash when subscriber not fund

Solution Article: K84324392

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.


630610-5 : BFD session interface configuration may not be stored on unit state transition

Solution Article: K43762031

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.


630571-1 : Edge Client on Mac OSX Sierra stuck in a reconnect loop

Solution Article: K35254214

Component: Access Policy Manager

Symptoms:
Upon waking laptop Edge Client stuck in a reconnect loop.

Conditions:
Full-Tunnel, no Local LAN Access profile; when opening the device lid, which attempts to reconnect to the VPN service. This occurs only with MAC OS X 10.12.1.

Impact:
Cannot connect to VPN, and the Edge Client gets stuck in a reconnect loop.

Workaround:
Allow local subnet access set to enabled.

Fix:
In this release, using MAC OS X 10.12.1 now resumes a connection to VPN using the Edge Client.


630546-1 : Very large core files may cause corrupted qkviews

Component: TMOS

Symptoms:
If a core file is found on a slave blade in a chassis, that is too large for qkview to include, this can cause the qkview file for the blade to be corrupted.

Conditions:
qkview is run when core files greater than 2.4 GB exist in /var/core.

Impact:
iHealth will not parse the qkview.

Workaround:
Copy the core files on the slave blade from /etc/core to a back up location and delete the original files before creating the qkview.

Fix:
qkview files run when core files greater than 2.4 GB exist in /var/core now complete as expected.


630475-5 : TMM Crash

Solution Article: K13421245


630446-1 : Expat vulnerability CVE-2016-0718

Solution Article: K52320548


630356-1 : JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge

Component: Application Security Manager

Symptoms:
The JavaScript challenge that is sent to a POST request within an iframe will have a follow-up request of GET when coming from Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload.
This is relevant to all types JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Conditions:
JavaScript challenge is used in a POST request, when one of the following features in enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Impact:
POST requests will be sent as GET and the request payload will not reach the back-end server.

Workaround:
None.

Fix:
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from iframe in Microsoft Internet Explorer/Edge browsers.


630306-1 : TMM crash in DNS processing on UDP virtual server with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a UDP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
This release prevents a crash in DNS processing on UDP virtual server with no available pool members.


630150-1 : Websockets processing error

Solution Article: K51351360


629921-4 : [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.

Conditions:
Set-up SWG for auth with ntlm credentials
Access a proxied resource which also requires ntlm auth

Impact:
Backend server access is restricted.

Workaround:
None

Fix:
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.


629871-2 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 part of a 464 XLAT solution may overwrite PASV response 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 part of a 464 XLAT solution no longer overwrites PASV response 464 XLAT cases.


629845-2 : Disallowing TLSv1 connections to HTTP causes iControl/REST issues

Component: Device Management

Symptoms:
When HTTP disallows TLSv1 connections, UCS via iControl/REST fails with the following in the logs:

[SEVERE][86][08 Nov 2016 16:47:20 UTC][com.f5.rest.icontrol.IControlRunnable] (iControl execution) AxisFault[; nested exception is:
          javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]:
[WARNING][87][08 Nov 2016 16:47:20 UTC][8100/tm/shared/sys/backup/52d67805-3aab-4260-8770-a690154c698e/worker UcsBackupTaskWorker] Failed to restore from backup: backup_test.ucs

Conditions:
This occurs when TLSv1 is explicitly disallowed in the HTTP profile.

Impact:
iControl REST clients are unable to connect.

Workaround:
None.

Fix:
Explicitly disallowing TLSv1 in the HTTP profile no longer causes iControl/REST issues.


629801-2 : Access policy is applied automatically on target device after policy sync, when there is a also a FODG in the trust domain.

Component: Access Policy Manager

Symptoms:
After syncing an access policy, the access policy change on the other device should be prompting you to apply the policy, but instead it applies the policy automatically.

Conditions:
Two or more devices configured in a trust group, one device group is a failover device group, and one device group is a sync-only device group with automatic sync enabled.

A key component that triggers this symptom is that the failover device group is listed first in the configuration. When this occurs, the policy will be applied automatically, which shouldn't occur.

Impact:
Policy changes are automatically applied, when they should only be synced with a prompt to apply after the sync.

Workaround:
None.

Fix:
After syncing an access policy, the access policy change on the other device in the trust group now prompts you to apply the policy, which is correct behavior.


629698-1 : Edge client stuck on "Initializing" state

Component: Access Policy Manager

Symptoms:
It takes a lot of time to reestablish the VPN connection when the Edge Client switches to network with Captive Portal authentication. Edge client freezes on "Initializing" state for around 1 minute.

Conditions:
This can occur on the Edge Client with Captive Portal configured.

Impact:
Edge client is stuck on "Initializing" for an excessive amount of time.


629663-1 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message i.e. either from expires parameter or the Expire header to update the timeout of the registration record.


629627-1 : FPS Log Publisher is not grouped nor filtered by partition

Component: Fraud Protection Services

Symptoms:
If there are several log publishers assigned to different partitions, it is not clear which log publisher is assigned to which partition.

All log publishers are displayed regardless of the partition selected.

Conditions:
Provision FPS.
Two or more partitions
Two or more log publishers assigned to different partitions

Impact:
All log publishers are displayed regardless of partition.

Workaround:
None.

Fix:
Log publishers are now grouped in GUI and filtered by the currently selected partition.


629573-1 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Solution Article: K66001885

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual-servers and ASM policies under a non 'Common' partition, exported reports will not display the the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.

Fix:
Exported reports will take into consideration partitions which will make the drill-down filters appear as expected.


629530-2 : Under certain conditions, monitors do not time out.

Solution Article: K53675033

Component: Global Traffic Manager (DNS)

Symptoms:
Some monitored resources are marked as "Unknown" when the actual status is "offline".

Conditions:
This can rarely occur when the monitor timeout period elapses when either no response has been received, or a response has been received indicating that the resource is "down" and the monitor is configured to ignore down responses. It is more likely to occur when many monitor timeout periods elapse at the same time, and the monitor timeout value is evenly divisible by the monitor's monitor interval.

Impact:
The status of the monitored resource is incorrect. This does not materially affect the operation of the system since resources marked "Unknown" will not be used.

Workaround:
Disable the affected resources, and then enable them again.

Fix:
The resource status is now correct under all monitor timeout conditions.


629499-9 : tmsh show sys perf command gives an error "011b030d:3: Graph 'dnsx' not found"

Component: TMOS

Symptoms:
When you run the command tmsh show sys perf, you get an error:
011b030d:3: Graph 'dnsx' not found

This can also occur with other tmsh commands related to performance statistics, like show sys perf dnssec and show sys perf dnsexpress.

Conditions:
It is not known what exactly triggers this, it is caused by a timing issue that occurs during system initialization of multi-blade chassis.

Impact:
Certain tmsh sys perf commands fail to work and give an error.

Workaround:
Restart statsd on all blades once the chassis is up.

e.g.

"bigstart restart statsd" on each blade.

Fix:
statsd has been updated to reparse the statsd config file before rebuild it's config so that it doesn't lose the unsupported tables in it's list.


629421-1 : Big3d memory leak when adding/removing Wide IPs in a GTM sync pair.

Component: Global Traffic Manager (DNS)

Symptoms:
The memory consumption of Big3d will slowly increase if a lot of Wide IPs are being created or deleted.

Conditions:
Adding or removing Wide IPs on a GTM sync pair.

Impact:
A few bytes of memory will be leaked by Big3d on sync.

Workaround:
there is no workaround at this time.

Fix:
The leak has been eliminated.


629412-3 : BIG-IP closes a connection when a maximum size window is attempted

Component: Local Traffic Manager

Symptoms:
HTTP2 provides flow control options which allow you to limit the amount of data on flight. A client can send an increment for a window size to an initial value set by standard to 65,535 bytes. BIG-IP used 64K value inherited from SPDY, causing overflow when the client tried to increment the value to its maximum.

Conditions:
HTTP2 profile is configured on a virtual, and client sends a WINDOW_UPDATE frame to increment the value to its maximum.

Impact:
BIG-IP considers the window size overflow as a protocol violation thus it shuts the connection down not serving any request.

Workaround:
None.

Fix:
With a correct value for initial window size (for both a connection and a stream) BIG-IP correctly processes an increment request of the window size to its maximum.


629178-1 : Incorrect initial size of connection flow-control window

Solution Article: K42206046

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection but their initial sizes of connection flow-control windows must be 65,535. BIG-IP erroneously sets it immediately to a configured value instead. Discrepancy in the window size calculation can result in cancelling of the client's requests.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).

Fix:
The fix in this release allows BIG-IP to behave according to RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from exhaustion on a remote endpoint.


629145-1 : External datagroups with no metadata can crash tmm

Component: Local Traffic Manager

Symptoms:
If a large data group exists or the db variable tmm.classallocatemetadata is set to disabled, tmm may crash if the class match iRule matches 9 or more items in the datagroup.

Conditions:
External datagroups in use, a class match iRule will produce at least 9 matches, and the datagroup is extremely large or the db variable tmm.classallocatemetadata is set to disabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to large datagroups.


629127-1 : Parent profiles cannot be saved using FPS GUI

Component: Fraud Protection Services

Symptoms:
Any parent profile (profile that has bee inherited) cannot be saved in FPS GUI.

Conditions:
Provision FPS
License FPS.
1 or more child profiles.

Impact:
User configurations may not be saved.

Workaround:
Can use TMSH or REST.


629085-1 : Any CSS content truncated at a quoted value leads to a segfault

Solution Article: K55278069

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.


629069-2 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now web apps delivered via APM Portal Access can use Range.createContextualFragment(), insertBefore(), and insertAfter() javascript properly.


628972-2 : BMC version 2.51.7 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.51.7.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Upgrading firmware.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.51.7 which includes the fix for a BMC firmware update failure on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.


628897-1 : Add Hyperlink to gslb server and vs on the Pool Member List Page

Component: Global Traffic Manager (DNS)

Symptoms:
Hyperlinks to the GSLB Server and Virtual-server are missing from the GSLB Pool Member list page.

Conditions:
This can be seen in the DNS :: GSLB : Pools : Pick a pool : Members tab

Impact:
You are unable to to quickly get to the server and virtual server from this page.

Workaround:
Manually navigate to associated server and Virtual Server.

Fix:
Hyperlinks for associated server and VS are not showing on the Pool Member list page.


628890-1 : Memory leak when modifying large datagroups

Component: Local Traffic Manager

Symptoms:
When modifying large external datagroups, a significant memory leak may occur.

Conditions:
This can occur when a large datagroup is in use and is modified.

Impact:
Memory is leaked, and the amount of memory leaked can be significant.

Workaround:
None.

Fix:
Fixed a memory leak related to modifying large datagroups.


628869-4 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Conditions:
Execution of an iRule with the following iRule command:

PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.


628836-4 : TMM crash during request normalization

Solution Article: K22216037


628832-4 : libgd vulnerability CVE-2016-6161

Solution Article: K71581599


628739-1 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD

Component: TMOS

Symptoms:
Configuring the management IP outside the management subnet succeeds without error.

Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.

Impact:
Admin IP and Gateway for management route (/Common/default) not in a connected network.

Workaround:
Do not configure the IP and Gateway outside the management route.

Fix:
LCD no longer allows invalid configuration of mgmt IP (with gateway IP outside mgmt subnet).


628735-1 : Displaying Hardware SYN Cookie Protection field in TCP/FastL4/FastHTTP profiles

Component: TMOS

Symptoms:
The Hardware SYN Cookie Protection field is not displayed in the GUI configuration screen for TCP/FastL4/FastHTTP profiles, despite hardware support for the feature existing on the
platform.

Conditions:
Configuring TCP/FastL4/FastHTTP profiles in the BIG-IP GUI.

This occurs on vCMP guests, on the 5000/5050, 5200/5250, 7000/7050/7055, 7200/7250/7255, 10000/100050/10055, 10200/10250/10255, 10350N, i5600, i5800, i7600, i7800, i10600, i10800 platforms, and on VIPRION systems using the B4450 or B4450N blades.

Impact:
The Hardware SYN Cookie Protection field is not displayed.

Workaround:
Use tmsh to set the Hardware SYN Cookie Protection field.

Fix:
The system no longer uses a static list of platforms that have an HSB as a basis for displaying the Hardware SYN Cookie Protection option in the GUI, so the field is shown as expected.


628721-1 : In rare conditions, DNS cache resolver outbound TCP connections fail to expire.

Component: Local Traffic Manager

Symptoms:
If a TCP connection is initiated by the DNS cache resolver but fails to be fully created, it may be leaked until the next restart of tmm.

Conditions:
This is only known to occur when other internal issues are affecting the tmm's functionality. If there are ongoing log messages in the tmm logs of the form: "hud_msg_queue is full," and a DNS cache resolver is attempting new outbound TCP connections, then it is possible to leak these connections.

Impact:
If enough connections are leaked, the tmm will not be able to create new connections even if the conditions causing the "hud_msg_queue" log messages resolve.

Workaround:
Restarting tmm will clear the leaked connections.

Fix:
The connections are now properly cleaned up if they are unsuccessfully created.


628712-1 : Advanced customization doesn't work for Profiles in non-common partition with . (period) with name

Solution Article: K53129098

Component: Access Policy Manager

Symptoms:
Advanced customization doesn't work for Profiles in non-common partition with . (period) with name.
For example, when selecting logon.inc, it shows no source in the window.

Conditions:
Access Profile outside of Common partition.

Impact:
Unable to modify advanced customizaiton. Other functionality is not affected.

Workaround:
Rename profile and policy to non-period version or import profile and then reexport with no periods.

Fix:
Advanced customization now works for Profiles in non-Common partition with . (period) with name


628687-2 : Edge Client reconnection issues with captive portal

Component: Access Policy Manager

Symptoms:
Edge Client stuck at 'Reconnecting' when losing connection to Captive Portal with certificate warning.

Conditions:
Connect to APM through a captive portal.

Impact:
EdgeClient stuck at "Reconnecting".

Workaround:
None.

Fix:
Edge Client no longer hangs at 'Reconnecting' when losing connection to Captive Portal with certificate warning.


628685-2 : Edge Client shows several security warnings after roaming to a network with Captive Portal

Solution Article: K79361498

Component: Access Policy Manager

Symptoms:
Network is blocked by a captive portal. Captive portal uses HTTPS. Periodic-session-check reports SSL certificate is not trusted because access to APM is redirected (to captive portal).

Conditions:
Create a VPN tunnel over WiFi.
Place the computer in sleep/hibernate.
Move to a new network with Captive Portal with SSL and resume from sleep/hibernate.

Impact:
Numerous security warnings.

Workaround:
None.

Fix:
Edge Client no longer shows several security warnings after roaming to a network with Captive Portal.


628623-1 : tmm core with AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
tmm cores on the secondary blade while passing traffic.

Conditions:
This can occur intermittently with AFM provisioned while passing traffic, even if AFM is not in use.

Impact:
Traffic disrupted while tmm restarts.


628402-4 : Operator users receive 'can't get object count from mcpd' error in response to certain commands

Component: TMOS

Symptoms:
Operator users receive the following error in response to certain commands:
Unexpected Error: Can't display all items, can't get object count from mcpd.

Conditions:
-- The user is 'Operator' level.
-- The command is a top-level list or show command, such as the 'show running-config' command.

Impact:
Operator-level users are unable to issue 'show' and 'list' commands on top-level objects, but can 'show' and 'list' specific configuration objects.

Workaround:
Issue commands for specific configuration objects.

Fix:
Operator-level users are now able to issue 'show' and 'list' commands on top-level objects without error.


628351-1 : Redirect loops on URLs with Path Parameters when Proactive Bot Defense is enabled

Component: Application Security Manager

Symptoms:
When Proactive Bot Defense is enabled, requests to URLs with Path Parameters (URLs containing a semicolon ;) may get stuck on a redirect loop. This typically applies to URLs which do not respond with HTML content or to URLs with low traffic.

Conditions:
-- Proactive Bot Defense is enabled.
-- URLs use Path Parameters (containing the semicolon ; character).

Impact:
Clients cannot access the web server, getting caught in an infinite redirect loop.

Workaround:
None.

Fix:
Requests to URLs with ";" no longer get stuck in a redirect loop when Proactive Bot Defense is enabled.


628348-1 : Cannot configure any Mobile Security list having 11 records or more via the GUI

Component: Fraud Protection Services

Symptoms:
Any item added to a list with more than 10 records in Mobile Security section is ignored.

Conditions:
Provision FPS
License mobilesafe
add 11 records to a list

Impact:
User configuration may not be saved.

Workaround:
Use TMSH or Rest.

Fix:
GUI allows adding items to lists with more than 10 records.


628337-1 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way which can applied to all URLs protected in a profile. If it is not possible due to some URL HTML structure, HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.


628311-3 : Potential TMM crash due to duplicate installed PEM policies by the PCRF

Solution Article: K87863112

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.

Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.

Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.


628202-4 : Audit-forwarder can take up an excessive amount of memory during a high volume of logging

Component: TMOS

Symptoms:
During a period where a lot of data is logged (such as the loading of a large configuration), audit_forwarder can use up a large amount of memory.

Conditions:
audit_forwarder is used with config.auditing.forward.type set to either "none" or "radius" and config.auditing set to "verbose" or "all".

Impact:
The excessive memory usage may result in processes getting restarted. Once the logging is done, audit_forwarder will not release all of the used memory.

Workaround:
Setting config.auditing value to "enable" or "disable" will slow or stop the excessive memory usage.

Fix:
Prevented audit_forwarder from using more memory than it needs.


628164-3 : OSPF with multiple processes may incorrectly redistribute routes

Solution Article: K20766432

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

OSPF routes are now created synchronously when the LSA database is updated. If routes are rapidly deleted and re-added, OSPF will send maxage LSAs followed by new LSAs. This is potentially a behavior change where, previously, only a single updated LSA would have been sent.


628016-2 : MP_JOIN always fails if MPTCP never receives payload data

Component: Local Traffic Manager

Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.

Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.

Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.

Workaround:
There is no workaround at this time.

Fix:
Allow MP_JOIN after receiving a DATA_ACK that acknowledges data.


628009-1 : f5optics not enabled on Herculon iSeries variants HRC-i2800, HRC-i5800, HRC-i10800

Component: TMOS

Symptoms:
The f5optics functionality is not initialized on Herculon iSeries variants.

Conditions:
This occurs on the following Herculon iSeries platforms: HRC-i2800, HRC-i5800, HRC-i10800.

Impact:
None. No f5optics optics module database is presently provided for Herculon platforms. Herculon uses no optics modules that require tuning (e.g., 100G).

Workaround:
None.

Fix:
With the fix, if an optics module data base is provided via an f5optics install, f5optics will become operational on Herculon. An f5optics database will be provided if optics modules requiring tuning are ever used with Herculon.


627972-2 : Unable to save advanced customization when using Exchange iApp

Solution Article: K11327511

Component: Access Policy Manager

Symptoms:
When Policy created using Microsoft Exchange iApp script, Advanced Customization (usually of logon page) might fail with error similar to the following: 01020066:3: The requested Customization Template File (/Common/Exchange.app/exch_custom_logon_ag logon.inc) already exists in partition Common.

Conditions:
Usually: HA Pair, iApp exchange created profile, in general any advanced customization where name not equals customization_group_name:filename is affected.

Impact:
Unable to edit advanced customization, functionality is unaffected.

Workaround:
edit bigip.conf
apm policy customization-group /Common/Exchange_2010.app/exch_custom_logon_ag {
    templates {
        logon.inc {
            name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
        }
    }
}
change
name /Common/Exchange_2010.app/exch_custom_logon:logon.inc
to customizaton_group_name:filename i.e.

name /Common/Exchange_2010.app/exch_custom_logon_ag:logon.inc

Fix:
Can now save advanced customization when using Microsoft Exchange iApp.


627961-3 : nic_failsafe reboot doesn't trigger if HSB fails to disable interface

Solution Article: K15130343

Component: TMOS

Symptoms:
The HSB driver attempts a nic_failsafe in the case of failing to disable the interface.

Conditions:
The driver disables nic_failsafe prior to triggering the nic_failsafe. This is in hsb_ifdown_go_dead.

Impact:
TMM may restart continuously resulting in interfaces bouncing constantly.

Workaround:
Reboot the device.

Fix:
This release fixes issues where nic_failsafe reboot did not happen on HSB failures.


627926-1 : Retrieving a server-side SSL session ID in iRules does not work

Solution Article: K21211001

Component: Local Traffic Manager

Symptoms:
Retrieving the server-side SSL session ID using iRule does not work.

Conditions:
Retrieve server-side SSL Session ID using an iRule.

Impact:
iRules that try to log or capture an SSL session ID will not work properly.

Workaround:
None.

Fix:
The server-side SSL session ID can now be retrieved with an iRule.


627916-1 : Improve cURL Usage

Solution Article: K81601350


627914-1 : Unbundled 40GbE optics reporting as Unsupported Optic

Component: TMOS

Symptoms:
When a 40G interface is configured "bundle disabled" the optic module in use on the interface will be declared as an "Unsupported optic" module even though the optic module is F5 branded.

Conditions:
Using unbundled 40GbE optics.

Impact:
This is a cosmetic problem. The interface is able to function as intended.

Workaround:
No workaround, problem is cosmetic.

Fix:
The fix for the defect results in no longer declaring an otherwise supported optics module as unsupported when bundling is configured disabled on the interface.


627907-1 : Improve cURL usage

Solution Article: K11464209


627898-2 : tmm leaks memory in the ECM subsystem

Solution Article: K53050234

Component: TMOS

Symptoms:
tmm leaks memory in the ECM subsystem.

Conditions:
-- You import one or more SSL certificates onto the system.
-- The SSL certificates names contain the 'ca-bundle.crt'. For example, 'my-ca-bundle.crt'.

Impact:
With this configuration in place, tmm leaks memory each time the configuration is modified. tmm eventually runs out of free memory. This initially impacts traffic and might eventually lead to tmm crashing and restarting. Traffic disrupted while tmm restarts.

Workaround:
You can work around this issue by renaming your SSL certificates so that their names do not contain the 'ca-bundle.crt' string.

Fix:
TMM no longer leaks memory in the ECM subsystem.


627798-3 : Buffer length check for quota bucket objects

Component: Policy Enforcement Manager

Symptoms:
For quota bucket (Rating Groups) object, BIG-IP allocates a large buffer locally, and doesn't expect it to be over-run as the objects are expected to be smaller

Conditions:
Any quota bucket objects which are being inserted in PEM database

Impact:
For quota bucket objects which are in PEM database, the buffer is usually large enough, so there should not be any impact. But if the quota bucket ever gets larger, then potential corruption of the quota bucket information could occur. This could trigger a tmm core. Traffic disrupted while tmm restarts.

Workaround:
quota bucket with fewer rules


627764-2 : Prevent sending a 2nd RST for a TCP connection

Component: Local Traffic Manager

Symptoms:
After a specific sequence of packets resulting in sending a RST packet, TCP connection was kept alive and sent another RST when connection expired.

Conditions:
A specific sequence of packets (a second SYN segment within the TCP window) is received by a TCP connection.

Impact:
2 RST segments is sent to the client instead of 1. In addition, the TCP connection was kept alive until the sweeper cleaned it.

Workaround:
There is no workaround at this time.

Fix:
TCP sends a single RST for specific sequence of packets


627747-1 : Improve cURL Usage

Solution Article: K20682450


627695-2 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational

Component: Local Traffic Manager

Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.

Conditions:
Issue happens when running safenet-sync.sh -u.

Impact:
No impact.

Workaround:
None.

Fix:
In this release, there is no Yes or No option for the SafeNet uninstall 'safenet-sync.sh -u.' command.


627616-3 : CCR-U missing upon VALIDITY TIMER expiry when quota is zero

Component: Policy Enforcement Manager

Symptoms:
CCR-U is not sent upon VALIDITY TIMER experts.

Conditions:
If PCRF does not grant any GSU (no quota), but only specifies the VALIDITY timer.

Impact:
OCS does not get the CCR-U message and misses the information about quota.

Workaround:
Work around is to set the following timers using sysdb to non-zero value. Here is an example:
sys db tmm.pem.session.quota.bucket.denied.timeout { value "1" }
sys db tmm.pem.session.quota.bucket.depleted.timeout { value "2" }
sys db tmm.pem.session.quota.bucket.idle.timeout { value "3" }

Fix:
CCR-U is now sent upon VALIDITY TIMER experts.


627574-1 : After upgrade to BIG-IP v12.1.x, Local Traffic Policies in partitions other than Common cannot be converted into a draft.

Component: Local Traffic Manager

Symptoms:
If a BIG-IP system has Local Traffic Policies defined in a non-Common partition, and the system is upgraded to version 12.1.0, 12.1.1, or 12.1.2, attempting to create a new draft of the policy by selecting "Create Draft" will fail and give an error message similar to:

err mcpd[8140]: 01070734:3: Configuration error: Can't associate policy rule (/Partition1/Drafts/policy_name policy_name_policy_rule) folder does not exist

Conditions:
A system is upgraded to version v12.1.x with Local Traffic Policies in a non-default partition.

Impact:
You cannot modify existing Local Traffic Policies.

Workaround:
Manually create a 'Drafts' folder in the appropriate partition, e.g.:

    tmsh create sys folder /Partition1/Drafts

Alternately, create a new (different) policy in the specified partition, and then delete it. Doing this has a side-effect of creating the Drafts folder.


627454 : Trimming leading whitespaces at logging profile creation

Component: Advanced Firewall Manager

Symptoms:
If a logging profile has a TAB character in its name, the name does not get double-quoted in bigip.conf, so configuration load fails.

Conditions:
Copy-pasting the logging profile name including a leading TAB character.

Impact:
Configuration loading failure upon next boot.

Workaround:
Copy-paste only the name (without the TAB character).

Fix:
Leading whitespaces (including TAB characters) are trimmed at profile creation, so the condition that caused the issue is eliminated.


627433-1 : HSB transmitter failure on i2x00 and i4x00 platforms

Component: TMOS

Symptoms:
On the BIG-IP i2x00 and i4x00 platforms, tmm enters an infinite 'restart' loop after a 'bigstart restart' or 'bigstart restart tmm' command if traffic is actively flowing through the TMM. This is the result of an HSB transmitter failure.

Conditions:
Traffic actively flowing through the tmm and you issue 'bigstart restart' or 'bigstart restart tmm'.

Another instance occurs when syncing the datasync-global-dg device-group for an HA configuration on iSeries platforms.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure all traffic is stopped before issuing the 'bigstart restart' or 'bigstart restart tmm' commands.

Set HSB::failures_before_reset in /config/tmm_init.tcl to a high value, such as 1000 (default is 50) may resolve the issue, depending on the conditions this issue occurred.

Fix:
TMM restart loop no longer occurs following 'bigstart restart' on i2x00 and i4x00 platforms.


627403-2 : HTTP2 can can crash tmm when stats is updated on aborting of a new connection

Component: Local Traffic Manager

Symptoms:
HTTP2 allocates a block of memory for collecting stats on a connection. If the connection is aborted for any reason, tmm may try to update stats prior the memory is allocated.

Conditions:
HTTP2 profile is configured and assigned to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
A fix stops HTTP2 from accessing stats prior memory is allocated preventing TMM crash for this reason.


627360-1 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log

Component: Application Security Manager

Symptoms:
These errors come up in asm log, upon first start after upgrade:
-------------------------
2016-11-02T08:33:09-06:00 localhost notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
Nov 2 08:35:34 c5af5ltm1b info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
Nov 2 08:36:03 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script launched
Nov 2 08:36:17 c5af5ltm1b info tsconfig.pl[21351]: ASM initial configration script finished
Nov 2 08:36:23 c5af5ltm1b info asm_start[19802]: ASM config loaded

Nov 2 08:37:40 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

Nov 2 08:38:28 c5af5ltm1b crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

Nov 2 08:38:33 c5af5ltm1b info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
ASM provisioned
Local request logging enabled
Upgrade of a maintenance release, HF or EHF

Impact:
Upgrade fails

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------


627279-2 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
tmm on a blade may crash during a CMP and PEM change.

Conditions:
Multi-blade chassis undergoing a CMP state change. Additionally requires PEM policy changes resulting in usage record updates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an HA pair and have the active chassis fail over during a CMP state change. Allow for the new stand by chassis to complete its CMP state change activity.

Fix:
Handle sessionDB failures gracefully.


627257-2 : Potential PEM crash during a Gx operation

Component: Policy Enforcement Manager

Symptoms:
Tmm may core during a Gx operation

Conditions:
Requires a PEM virtual with Gx, Sd or Gy enabled. This occurs when tmm starts.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Perform proper validation checks as part of API processing.


627246-1 : TMM memory leak when ASM policy configured on virtual server

Solution Article: K09336400

Component: Local Traffic Manager

Symptoms:
TMM memory leak in hud_oob when ASM policy configured on virtual server.

Conditions:
-- ASM policy is configured on a virtual server.
-- URL access via the virtual server.

Impact:
System leaks 64 bytes of memory. TMM might run out of memory and eventually crash.

Workaround:
None. But disabling ASM policy configuration on the virtual server can alleviate the problem.

Fix:
A memory leak in hud_oob when ASM policy configured on virtual server has been fixed.


627214-3 : BGP ECMP recursive default route not redistributed to TMM

Component: TMOS

Symptoms:
ECMP recursive routes are not properly redistributed to TMM, resulting in an incorrect routing table.

Conditions:
Dynamic routing configured with multiple equal cost paths reachable through a recursive nexthop.

Impact:
Packets are not routed to all ECMP nexthops.

Workaround:
None.

Fix:
ECMP routes with a recursive nexthop are now used correctly by TMM.


627203-1 : Multiple Oracle Java SE vulnerabilities

Solution Article: K63427774


627117-1 : crash with wrong ceritifcate in WSS

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
Web services security is turned on.
a bad / wrong / missing certificate is attached.

Impact:
Traffic drop until the BD is back (or failover).

Workaround:
The workaround would be to fix the attached certificate.

Fix:
Fix an issue with wrong certificates.


627059-1 : In some rare cases TMM may crash while handling VMware View client connection

Component: Access Policy Manager

Symptoms:
TMM crashes.

Conditions:
VMware View client uses PCoIP to connect to backend via APM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed rare TMM crash during handling of VMware View client PCoIP connection


626990-1 : restjavad logs flooded with messages from ChildWrapper

Solution Article: K64915164

Component: TMOS

Symptoms:
Running iControl REST under heavy load might result in restjavad logs being filled with multiple, repeating messages similar to the following:

[WARNING][76559][13 Dec 2016 07:08:00 UTC][ChildWrapper] Exception found in child runner thread: null

Conditions:
-- Put iControl REST under a heavy load.
-- View restjavad logs.

Impact:
Logs fill with messages and rotate out. Logs full of these error messages might cause other messages to be missed.

Workaround:
None.

Fix:
iControl REST properly handles the exception described.


626910-1 : Policy with assigned SAML Resource is exported with error

Component: Access Policy Manager

Symptoms:
If Access Profile's Access Policy has saml resource assigned export is failing with error.

Conditions:
1. Access profile/access policy
2. Saml resource is assigned

Impact:
Unable to Export Policy

Fix:
Work order is restored


626861-2 : Ensure unique IKEv2 sequence numbers

Solution Article: K31220138

Component: TMOS

Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.

Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in thousands), odds of generating a duplicate sequence number is relatively high, given the number of random bits used to generate the number. More tunnels makes it more likely to occur.

Impact:
On sequence number collision, this might confuse an old SA, and probably never complete negotiation of a new SA. In addition, the system might crash if updating an old SA happened in a state where update is not expected.

Workaround:
None.

Fix:
Now BIG-IP uses more random bits in generated sequence numbers, and it always checks whether a new sequence number is currently in use anywhere else before proceeding. Thus collisions cannot be generated in sequence number allocation. New numbers should always be guaranteed unique now.


626851-2 : Potential crash in a multi-blade chassis during CMP state changes.

Solution Article: K37665112

Component: Policy Enforcement Manager

Symptoms:
CMP state change can result in a blade crash.

Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.

Impact:
Blade crash resulting in potential loss of service.

Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.

Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.


626839 : sys-icheck error for /var/lib/waagent in Azure.

Component: TMOS

Symptoms:
On a BIG-IP deployed in Azure cloud, sys-icheck reports readlink error for /var/lib/waagent directory as following:

ERROR: ....L.... /var/lib/waagent

Conditions:
BIG-IP deployed in Azure cloud.

Impact:
sys-icheck reports "rpm --verify" errors for /var/lib/waagent. This doesn't have any functional impact on the product but looks like factory RPM settings were modified externally and incorrectly.

Workaround:
No workaround exists for this issue.

Fix:
sys-icheck error for /var/lib/waagent in Azure.


626721-5 : "reset-stats auth login-failures" command for unknown users causes secondary mcpd processes to restart

Component: TMOS

Symptoms:
Running the command "tmsh reset-stats auth login-failures <username>" on a bladed system can cause the mcpd process to restart on secondary blades if the <username> is not an actual user on the system. The /var/log/ltm log file will contain errors messages similar to:

Configuration error: Configuration from primary failed validation: 01020036:3: The requested username (username) was not found.... failed validation with error 16908342

Conditions:
This occurs on VIPRION systems when running the command for a user that doesn't exist on the other blades.

Impact:
mcpd processes on secondary blades restart, possibly causing loss of traffic and a failover (if in a device cluster).

Workaround:
Run the command "tmsh reset-stats auth login-failure <username>" using only valid usernames.

Fix:
Prevented the command "tmsh reset-stats auth login-failure <username>" from restarting mcpd instances on secondary blades when <username> is an unknown user. The bad command is intercepted at the primary blade and is dealt with there.


626596 : Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections'.

Component: TMOS

Symptoms:
Statistics :: Analytics :: Hardware Acceleration menu contains misspelled menu item: 'Assited Connections' instead of 'Assisted Connections'.

Conditions:
-- Running vCMP.
-- System provides hardware acceleration.
-- Statistics :: Analytics :: Hardware Acceleration menu.

Impact:
Spelling of 'Assited' instead of the expected 'Assisted'.

Workaround:
N/A

Fix:
Changed spelling of 'Assited' to 'Assisted'.


626542-2 : Unable to set maxMessageBodySize in iControl REST after upgrade

Component: Device Management

Symptoms:
After upgrading and attempting to set maxMessageBodySize via iControl REST, you get an error indicating the command is not implemented:

{"code":400,"message":"onPut Not implemented","originalRequestBody":"{\"maxMessageBodySize\": \"111111111\"}","referer":"127.0.0.1","restOperationId":216941,"kind":":resterrorresponse"}

Conditions:
This occurs when upgrading from v11.6.1 to v12.1.0, v12.1.1,or v12.1.2, and applying the UCS from the 11.6.1 release. The error is generated because new defaults were added but they are not set on UCS restore.

Impact:
Command fails, unable to set maxMessageBodySize.

Workaround:
If you encounter this after an upgrade and UCS restore, you can run the following commands from the BIG-IP command line:

1. curl -X DELETE http://localhost:8100/shared/storage?key=shared/server/messaging/settings/8100.
2. bigstart restart restjavad.

Fix:
You can now set maxMessageBodySize via iControl REST after upgrading.


626438-1 : Frame is not showing in the browser and/ or an error appears

Component: Application Security Manager

Symptoms:
frame going blank when ASM policy enabled. this will trigger the following JS error in clients console:
Uncaught TypeError: Cannot read property '3' of undefined

Conditions:
Asm policy enabled. Device id is enabled theough one of the supporting features

Impact:
Site not operating correctly.

Workaround:
N/a

Fix:
Fixed device id javascript issue that prevented a frame from being displayed .


626434-6 : tmm may be killed by sod when a hardware accelerator does not work

Solution Article: K65283203

Component: Local Traffic Manager

Symptoms:
tmm may hang and crash (killed by the switchover daemon, sod), when the Cavium hardware accelerator does not come back after the reset from the driver.

Conditions:
This is a rarely seen occurrence. It is triggered when the Cavium hardware accelerator stops working.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Power cycling the system might correct the error.

Fix:
The system now prints out an error message in the log file, improving the way tmm handles the failure.


626386-1 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Solution Article: K28505256

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client
certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.


626360 : TMM may crash when processing HTTP2 traffic

Solution Article: K22541983


626311-2 : Potential failure of DHCP relay functionality credits to incorrect route lookup.

Solution Article: K75419237

Component: Local Traffic Manager

Symptoms:
DHCP requests from client to server may not make it through.

Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.

Impact:
Clients might not get an IP address from the DHCP server.

Workaround:
None.

Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.


626141-3 : DNSX Performance Graphs are not displaying Requests/sec"

Component: Global Traffic Manager (DNS)

Symptoms:
The DNSX Performance graphs have a X and Y axis of Requests/second but the data actually shows total requests.

Conditions:
Always.

Impact:
The data displayed in the graph is not correct.


626106-3 : LTM Policy with illegal rule name loses its conditions and actions during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP version 12.0.0 introduced more strict checking on the characters allowed in policy and rule names, and it also introduced an auto-migration feature to convert any disallowed characters to an underscore (_). Allowed characters in policy and rule names are:
  A-Z a-z 0-9 . / : % -
Spaces are allowed between these characters.

When there is a pre-v12.0 Policy that contains an illegal character, the rule has each illegal character converted to a legal one. But conditions and actions, which are joined to the rule by name were not similarly adjusted. After migration, LTM Policy rule does not have any conditions or actions referring to its new name.

Conditions:
- Pre-v12.0 BIG-IP
- Policy and/or rule names contain illegal characters like: * < > ( ) [ ]
- Upgrade to v12.0 or later

Impact:
Policy rule name is changed, illegal characters converted to benign underscore (_). The upgraded configuration will load successfully, but the Rule's associated conditions and actions are not changed, and still point to the policy by its former name, effectively becoming orphaned. Inspecting rule using UI or tmsh shows conditions and actions missing.

Workaround:
The bigip.conf file can be manually edited to fix illegal characters and configuration reloaded.


625892-2 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable

Fix:
Deliver Integer Multiples of MSS to the TSO hardware when Nagle's algorithm applies.


625860-2 : Improved handling of crypto hardware decrypt failures on B4450 platform.

Solution Article: K55102452


625832-4 : A false positive modified domain cookie violation

Component: Application Security Manager

Symptoms:
An unexpected modified domain cookie violation on system that has more than 127 policies configured.

Conditions:
This occurs when more than 127 policies are configured. The violation modified domain cookie is turned on and there are enforced cookies.

Impact:
A false positive violation.

Workaround:
Remove the modified domain cookie violation from blocking.

Fix:
Fixed a false positive modified domain cookie violation.


625824-1 : iControl calls related to key and certificate management (Management::KeyCertificate) might leak memory

Component: TMOS

Symptoms:
iControl calls related to Management::KeyCertificate might leak memory slowly, which causes swap space to increase continuously and might lead to exhaustion of swap space

Conditions:
This occurs with the iControl command bigip.Management.KeyCertificate.certificate_export_to_pem

Impact:
iControlPortal.cgi memory increases.

Workaround:
Restart httpd to reload the iControl daemon.

Fix:
Fixed a memory leak associated with iControl.


625784 : TMM crash on i4x00 and i2x00 platforms with large ASM configuration.

Component: TMOS

Symptoms:
With large ASM configurations (50 virtual servers, 50 ASM policies), TMM continuously crashes on boot-up or restart.

Conditions:
-- Large ASM configurations (50 virtual servers, 50 ASM policies).
-- Using i4x00 and i2x00 platforms.

Impact:
TMM continuously crashes and restarts; system is unusable.

Workaround:
None.

Fix:
TMM no longer crashes on i4x00 and i2x00 platforms with large ASM configurations.


625783-1 : Chassis sync fails intermittently due to sync file backlog

Component: Application Security Manager

Symptoms:
Chassis sync may fail intermittently if policies are changed and applied in a short interval.

Conditions:
Policies are changed and applied in a short interval on a chassis platform.

Impact:
Disk partition /var may fill up and synchronized changes may not appear on secondary blades.

Fix:
ASM configuration sync on chassis platform now works more reliably.


625703-2 : SELinux: snmpd is denied access to tmstat files

Component: TMOS

Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.

Conditions:
Custom created MIBs.

Impact:
Access to that MIB is denied.

Workaround:
None.

Fix:
When a custom SNMP MIB is created by using a Tcl scripts or other methods, the snmpwalk no longer fails to access the created MIB data.


625671-4 : The diagnostic tool dnsxdump may crash with non-standard DNS RR types.

Component: Global Traffic Manager (DNS)

Symptoms:
If the dnsxdump diagnostic tool is run when the DNS Express database has a DNS resource record using a non-standard type, the process may crash providing incomplete diagnostic output.

Conditions:
Running dnsxdump with a DNS Express database containing non-standard resource record types.

Impact:
dnsxdump provide incomplete diagnostic output, stopping on the zone containing the resource record with the non-standard type.

Workaround:
This is primarily known to be caused by non-standard RR types created for WINS records. Removing the WINS records from the master nameserver, will allow dnsxdump to work again after the next zone transfer.

Fix:
dnsxdump handles non-standard resource record types.


625602-3 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
Some messages that should be sent to peers in a device group are not successfully sent.

Conditions:
A series of create/delete ASM policies and multiple changes to the ASM sync Device Group (creation, deletion, joining devices, removing devices).

Impact:
ASM configuration does not sync properly

Workaround:
Reconfigure the device group and restart asm_config_server using the following command:
# pkill -f asm_config_server

Fix:
Communication over the ASM Device Group now works correctly after leaving/joining Device Groups.


625542-1 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
SIP Register message egressed will not have translation applied i.e. the CONTACT and VIA header will not be translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.


625474-1 : POST request body is not saved in session variable by access when request is sent using edge client

Component: Access Policy Manager

Symptoms:
POST body sent by Edge Client is not saved in the session db session variable by access hudfilter.

Conditions:
- Configure BIG-IP as SAML Service Provider. To simplify reproduction change Access Policy execution timeout to few seconds.
- Use Edge Client to connect to BIG-IP.
- Saml Agent will redirect user for authentication to IdP
- Wait for few seconds for access policy to time out on BIG-IP.
- Enter credentials/complete authentication on IdP
- User will be redirected back to BIG-IP as SP. At this moment APM will create a new session, and will evaluate access policy again.

Impact:
SAML Agent will now fail with the following error:
SAML Agent: <AgentNameHere> cannot find assertion information in SAML request

Workaround:
Removing the ‘Origin’ header from the request with iRule does fix the issue, and the POST body becomes available to access hudfilter.

Fix:
Check for receipt of HUDEVT_REQUEST_DONE before falling through from EV_ACCESS_TCL_COMPLETION to EV_ACCESS_REQUEST_DONE in client wait for request body to ensure proper storage of POST request body in sessiondb.


625456-5 : Pending sector utility may write repaired sector incorrectly

Component: TMOS

Symptoms:
When the pendsect process detects a pending sector and performs a repair of that sector, incorrect data may be written to an incorrect location on the hard disk.
This may result in corruption of files on the BIG-IP volume that may not be detected for an indeterminate period of time after the pending sector was repaired.

When a pending sector is repaired, a message similar to the following is logged to :
warning pendsect[17377]: Recovered Pending LBA:#########
(where ######### is the Logical Block Address of the repaired sector)

For more information on the pendsect utility, see:
SOL14426: Hard disk error detection and correction improvements

Conditions:
This may occur on BIG-IP appliances or VIPRION blades which contain hard disks which use 4096-byte physical sectors.

Currently-known affected platforms include:
BIG-IP 5000-/7000-series appliances
BIG-IP 10000-series appliances
VIPRION B4300 blades
VIPRION B2100 blades

Due to manufacturing changes and RMA replacements, additional platforms may potentially be affected.

The smartctl utility can be used to identify hard disks using 4096-byte physical sectors:

# smartctl --scan
/dev/sda -d scsi # /dev/sda, SCSI device

# smartctl -i /dev/sda | grep "Sector Size"

Affected:
Sector Sizes: 512 bytes logical, 4096 bytes physical

Not Affected:
Sector Size: 512 bytes logical/physical

Impact:
Potential corruption of unknown files on BIG-IP volumes.


625372-5 : OpenSSL vulnerability CVE-2016-2179

Solution Article: K23512141


625275-1 : Unable to add and modify URL parameters containing square brackets "[]" in FPS GUI

Component: Fraud Protection Services

Symptoms:
When trying to add URL parameters containing square brackets "[]" in FPS GUI >> URL the parameters name become "0". If trying to modify, the parameters are not saved.

Conditions:
Provision FPS
Create URL

Impact:
FPS GUI

Workaround:
via tmsh, an example:

tmsh modify security anti-fraud profile criteria urls modify { /xml.php { parameters add { "mouse\[2]" } } }

Fix:
It is now possible to add parameters containing square brackets in FPS GUI.


625198-1 : TMM might crash when TCP DSACK is enabled

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
All of the below are required to see this behavior:

DSACK is enabled

MPTCP, rate-pace, tail-loss-probe, and fast-open are disabled.

cmetrics-cache-timeout is set to zero; congestion control is high-speed, new-reno, reno, or scalable; AND Nagle is not set to 'auto'.

an iRule exists that changes any of the conditions above besides DSACK.

various client packet combinations interact in certain ways with the iRule logic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change any of the conditions above.

Fix:
TCP maintains state appropriately to avoid crash.


625172-1 : tmm crashes when classification is enabled and ftp traffic is flowing trough the box

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification profile attached to the virtual server
2. ftp traffic flows through the system
3. complex configuration with iRules and multiple modules enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
remove classification profile from the virtual server

Fix:
Incorrect memory management in one of classification matching mechanisms led to a crash.


625166-1 : Suspended iRules cannot complete on aborted flows

Component: Local Traffic Manager

Symptoms:
An suspended iRule does not resume if the connection aborts in the interim.

Conditions:
an iRule suspends, connection aborts.

Impact:
Not all business logic may execute.

Workaround:
None

Fix:
Keep the connflow alive if TCL operations are pending.


625159-1 : Policy sync status not shown on standby device in HA case

Component: Access Policy Manager

Symptoms:
After policy sync, policy sync statuses are not shown in admin GUI on standby device in a failover device group.

Conditions:
- Create a failover device group whose members are in a bigger sync-only device group for policy.
- Initiate a policy sync from an active device
- Check policy sync stats on standby device

Impact:
It does not affect sync functionality and user still can see the sync status on an active device.

Workaround:
Check sync status on an active device in the group.

Fix:
User will be able to see the sync statuses on a standby device, including itself as well as the list of devices in the whole sync-only group where sync is performed.


625114-2 : Internal sync-change conflict after update to local users table

Solution Article: K08062851

Component: Device Management

Symptoms:
User sync is initiated unexpectedly and automatically by the REST framework. To the internal sync system, this will appear as if the same change is being made manually on all devices, causing a change conflict. In other words, 'show cm sync-status' will return output similar to the following:

-------------------------------------------------------------------------------------------------
CM::Sync Status
-------------------------------------------------------------------------------------------------
Color red
Status Changes Pending
Mode high-availability
Summary There is a possible change conflict between device1 and device2.
Details
         device1: connected
         mydg (Changes Pending): There is a possible change conflict between device1 and device2.
          - Recommended action: Synchronize device2 to group mydg

In addition, users that were synchronized by the REST framework may not have the correct role and/or partition assigned to them.

Conditions:
A sync-failover device group exists.

In addition, the REST framework's 'gossip' mechanism must be set up correctly. This should happen automatically, but might not be ready yet. You can confirm that this is the case by running 'restcurl shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices'. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.

Impact:
An unexpected change conflict between your devices.
In some cases, high CPU utilization by restjavad may be observed.

Workaround:
When you have the change conflict, force a sync to the device group from the device where the user was originally created.

The high CPU utilization by restjavad may persisting after a full sync.
Recommendation is to restart the restjavad service: restart sys service restjavad

Fix:
Internal sync-change conflict is no longer present after update to local users table.


625106-2 : Policy Sync can fail over a lossy network

Component: Local Traffic Manager

Symptoms:
Policy Sync fails.

Conditions:
BIG-IPs are connected over a lossy link.

Impact:
HA redundancy fails.

Workaround:
tmsh modify sys db TM.TCPProgressive.AutoBufferTuning value disabled

Fix:
Change configuration as described.


625098-3 : SCTP::local_port iRule not supported in MRF events

Component: Service Provider

Symptoms:
SCTP::local_port iRule not supported in MRF events

Conditions:
If MRF events are used, such as MR_INGRESS, MR_EGRESS and MR_FAILED events are used.

Impact:
SCTP::local_port won't work under MR events.

Fix:
After the fix, SCTP::local_port iRule will be supported in MRF events.


625085 : lasthop rmmod causes kernel panic

Component: TMOS

Symptoms:
If someone attempts to unload the lasthop kernel module, it will cause a kernel panic.

Conditions:
Attempting to unload the lasthop kernel module.

Impact:
The system reboots.

Workaround:
Avoid running the following command:

# rmmod lasthop

Fix:
The lasthop kernel module should never be unloaded. The system now prevents the lasthop kernel module from being unloaded, so no kernel panic occurs.


624966-2 : Edge client starts new APM session when Captive portal session expire

Component: Access Policy Manager

Symptoms:
When a Captive portal session expires during Network Access,
Edge-Client shows the Captive portal Authentication page. If the user doesn't authenticate for some amount of time (30-60sec) the Edge Client tries to disconnect the current session. When the user successfully authenticates, Edge Client starts new APM session instead of waiting until the user authenticates on Captive page.

Conditions:
This can occur when Captive portal is configured and the session expires.

Impact:
The Edge Client starts a new session when it should re-use the existing session.


624903-6 : Improved handling of crypto hardware decrypt failures on 2000s/2200s or 4000s/4200v platforms.

Solution Article: K55102452


624876-1 : Response Policy Zones can trigger even after entry removed from zone

Component: Global Traffic Manager (DNS)

Symptoms:
If an entry (resource record) is removed from a response policy zone it is possible that it may still trigger as a match for RPZ.

Conditions:
-- An RPZ zone contains an entry, for example badzone.example.com.
-- That entry is subsequently removed.

Impact:
The badzone.example.com entries will continue to be blocked by RPZ, even though the item has been removed.

Workaround:
Delete /var/db/zxfrd.bin and /var/db/tmmdns.bin and restart the system using the following command: bigstart restart zxfrd.

This recreates the databases without the remnants of the deleted entries.

Fix:
The deleted entries are now properly handled and no longer trigger incorrect matches.


624846-1 : TCP Fast Open does not work for Responses < 1 MSS

Component: Local Traffic Manager

Symptoms:
BIG-IP does not send the data until receiving the first client ACK.

Conditions:
TCP Fast Open requests an object of less than 1 MSS in size.

Fast open and delayed acks enabled.

Impact:
Delayed completion of the connection.

Workaround:
Disable delayed acks.

Fix:
TCP sends SYN/ACK immediately after receiving the SYN, and the response as soon as it arrives from the server.


624831-2 : BWC: tmm crash can occur if dynamic BWC policy is used at max-user-rate over 2gbps

Component: TMOS

Symptoms:
tmm crashes while using Bandwidth Control (BWC) dynamic policies.

Conditions:
max-user-rate is set at 2gbps or higher.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use a maximum of 1gbps for dynamic BWC policy max-user-rate.

Fix:
tmm crashes while using Bandwidth Control (BWC) dynamic policies with max-user-rate set at 2gbps or higher.

Behavior Change:
no


624826-2 : mgmt bridge takes HWADDR of guest vm's tap interface

Solution Article: K36404710

Component: TMOS

Symptoms:
MGMT interface becomes unreachable and stops responding to traffic. Whenever guest is in provisioned state MAC address assigned to mgmt is correct (taken from base MAC). Whenever guest is in deployed state MAC address on host mgmt interface changes and is exactly the same as mgmt_vm_tap MAC.

Conditions:
The platform shipped with a "low" F5 base_mac

A Linux bridge by default takes as its mac the lowest mac of its constituent interfaces. This did not cause a problem before because F5 Networks systems' baseMacs have historically been "low", e.g., with legacy_baseMacs in {00:01:D7, 00:0A:49, 00:23:E9}.

When a guest tap interface is added to the mgmt bridge, the bridge takes its Linux default action, which is to take as its mac the lowest mac address of its constituent interfaces. With the comparison min(eth0's mac, guestTap's mac) returning guestTap's mac, the mgmt bridge incorrectly assumes a guestTapIntfc mac.

Impact:
Connectivity to the vCMP host platform is lost when the guest is deployed.

Workaround:
Use ifconfig to ensure that the mac address of the mgmt bridge never changes from eth0. For example, the following command sets as the mac of this bridge, the value passed in Mac.

ifconfig <bridgeName= mgmt> hw ether <Mac of Eth0>


Note: This assumes that eth0 will always be contained in the mgmt bridge.

Fix:
The system now uses ifconfig to assign the mac of interface eth0 to bridge mgmt.


624805-1 : ILX node.js process may be restarted if a single operation takes more than 15 seconds

Component: Local Traffic Manager

Symptoms:
There is an ILX node.js process restart that occurs, conditional on the code and operations of the node.js process. The restart occurs when one specific operation (code path in your node.js app) takes longer than 15 seconds to complete.

Conditions:
-- Running ILX with a node.js RPC or streaming setup.
-- A single operation takes more than 15 seconds.

Impact:
Connflow is dropped, traffic processing for the flows handled by that process stops until it restarts fully.

Workaround:
To work around this issue, you can time yourself in your node.js app, to either make sure operations complete within the timeframe, or determine where operations exceed the 15 second limit and rework the code so that operations complete within 15 seconds.

Fix:
There is no longer a time restriction on a single operation.


624744-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added prior to calling a callback for asynchronous handling.


624733-1 : Potential crash in a multi-blade chassis during CMP state changes.

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash resulting in flows being impacted.

Conditions:
A multi-blade chassis with PEM needs to undergo a CMP state change with flows on the active blade.

Impact:
Traffic disrupted while tmm restarts.

Fix:
NULL check has been added to facilitate a graceful failure during asynchronous handling.


624692-3 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.


624616-1 : Safenet uninstall is unable to remove libgem.so

Component: Local Traffic Manager

Symptoms:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, it can't remove libgem.so and generates the following error:

rm: cannot remove `/usr/lib64/openssl/engines/libgem.so': Read-only file system.

Conditions:
This can be triggered when uninstalling the safenet client using the command safenet-sync.sh -u.

Impact:
Uninstall is unable to complete.

Workaround:
None.

Fix:
When uninstalling Safenet client 6.2 from a BIG-IP chassis, the system can now remove libgem.so, so there is no error condition, and uninstall can complete as expected.


624570-1 : BIND vulnerability CVE-2016-8864

Solution Article: K35322517


624526-3 : TMM core in mptcp

Solution Article: K10002335


624484-2 : Timestamps not available in bash history on non-login interactive shells

Solution Article: K09023677

Component: TMOS

Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.

Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.

Impact:
Running 'history' in bash will not include timestamps of commands.

Workaround:
Timestamps can be added to bash history by running the following command in bash: export HISTTIMEFORMAT="%Y-%m-%d %T ".

Fix:
Added timestamps to bash history for non-login interactive shells.


624457-5 : Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195

Solution Article: K10558632


624370-1 : tmm crash during classification hitless upgrade if virtual server configuration is modified

Component: Traffic Classification Engine

Symptoms:
tmm crash

Conditions:
1. classification hitless upgrade is triggered
2. pending (not saved) changes on any of the virtual servers

Impact:
Traffic disrupted while tmm restarts.

Fix:
Change of virtual server configuration triggers new library to be loaded during upgrade which wasn't expected by hitless upgrade mechanism and led to tmm crash. This is fixed in versions starting with 12.1.2.


624362-1 : VCMP guest /shared file system growth due to /shared/tmp/guestagentd.out file

Component: TMOS

Symptoms:
/shared disk usage growth and the diskmonitor can alarm when percent of disk usage reaches the configured threshold.

Conditions:
VCMP guest, overtime /shared/tmp/guestagentd.out grows and not rotated.

Impact:
/shared filesystem can fill and cause alerting and inability to copy files such as .iso to /shared.

Workaround:
1. periodically delete the non-critical file /shared/tmp/guestagentd.out

OR,

2. bigstart stop guestagentd (this will disable vcmp health feature on the host)

Fix:
The guestagentd logs no longer fill the tmp file.


624361-1 : Responses to some of the challenge JS are not zipped.

Component: TMOS

Symptoms:
Performance is affected on the JS challenge.

Conditions:
The following is turned on in the application dos configuration :
CS challenge, or PBD challenge when Suspicious browsers are disabled or the Device-ID challenge.

Impact:
1. These responses consume more CPU and more Bandwidth than needed.
2. Client-side latency is degraded.
3. More disk space is utilized than needed

Workaround:
None.

Fix:
Some of the JS challenge have better performance now.


624314-1 : AVR reports incorrect 'actions' in ACL reports

Component: Advanced Firewall Manager

Symptoms:
AVR reports incorrect 'actions' in ACL reports:
-- 'Default" reports as 'Drop'.
-- 'Drop" reports as 'Reject'.
-- 'Reject" reports as 'Accept'.
-- 'Accept" reports as 'Accept decisively'.
-- 'Accept decisively' reports as "Default'.

Conditions:
AVR reporting on ACL statistics.

Impact:
The system reports incorrect actions.

Workaround:
There is no workaround.

Fix:
AVR reports now shows correct actions.


624263-4 : iControl REST API sets non-default profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For profiles, iControl REST does not provide visibility for profile property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns elements (i.e., string, enum, or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


624231-5 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruptions in some cases

Conditions:
This issue can happen when system there is are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion


624228-1 : Memory leak when using insert action in pem rule and flow gets aborted

Component: Policy Enforcement Manager

Symptoms:
Memory keeps increasing in PEM after several hours of live service.

Conditions:
Insert action in pem rule and response spawning multiple segments. Connection gets aborted midway.

Impact:
Connections can get reset once memory usage increases beyond threshold

Fix:
free xfrags when aborting flows


624198-1 : Unable to add multiple User-Defined alerts with the same search category

Component: Fraud Protection Services

Symptoms:
Adding 2 or more User-Defined alerts causes to DB exception error.

Conditions:
Provision FPS
Malware Detection license

Add multiple User-Defined alerts with the same "Search In" category.

Impact:
Can impact detection of certain malware.

Workaround:
Adding single record each time.
Use TMSH or Rest.

Fix:
GUI allows adding multiple User-Defined alerts of the same search category.


624193-2 : Topology load balancing not working as expected

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, load balancing decisions can result in an unequal or unexpected distribution.

Conditions:
Occurs when topology load balancing is used for a wide IP and more than one pool share the highest assigned score for a particular load balancing decision.

Impact:
The resulting load balancing decisions can lead to an unequal or unexpected distribution of pool selections.

Workaround:
Topology records and pools can be configured to avoid the conditions which cause the condition.

Fix:
A system DB variable, gtm.wideiptoporandom, has been added. When this system DB variable is assigned the value of "enable" and more than one pool shares the highest assigned score for a given load balancing decision, a random pool is selected.


624168-2 : DATA_ACK and DATA_FIN ignored on a subflow not currently used for transmission

Component: Local Traffic Manager

Symptoms:
During an MPTCP connection, if a DATA_ACK or DATA_FIN is received on a subflow that is not currently being used to transmit data, that DATA_ACK or DATA_FIN is ignored. Clients generally respond on the same subflow that they received data on, making this situation somewhat rare.

Conditions:
MPTCP is in use on a connection and a DATA_ACK or DATA_FIN is received on a subflow that is not currently being used to transmit data.

Impact:
The DATA_ACK or DATA_FIN is ignored. If the same information is not sent on other subflows, this can cause the connection to hang until the subflow times out.

Fix:
Accept DATA_ACK and DATA_FIN on any subflow.


624155-2 : MRF Per-Client mode connections unable to return responses if used by another client connection

Component: Service Provider

Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).

Conditions:
The connection from the client closes and the client connects again.

Impact:
Messages from the new client connection will be routed using the previously created outgoing connection. But messages received from the server will be forwarded to the original connection from the client which is closed. These message will fail to be delivered.

Workaround:
None.

Fix:
When message arrive from a new client connection, the outgoing connection will be to forward messages received from the server to the new connection.


624023-3 : TMM cores in iRule when accessing a SIP header that has no value

Component: Service Provider

Symptoms:
When used an iRule to access a SIP header attribute with no value, TMM cores.

Conditions:
Use iRule to access the value of SIP message header attribute with no value.
Eg:
"Supported: " IEOL
"Session-Expires:" IEOL

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.

Fix:
Fix includes adjusting the buffer offset properly to handle the empty header attributes while parsing the SIP message.


623940-3 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello

Component: Local Traffic Manager

Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************

Conditions:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

Impact:
SSL Handshake fails.


623930-3 : vCMP guests with vlangroups may loop packets internally

Component: TMOS

Symptoms:
If a vlangroup is configured within a vCMP guest, under some circumstances unicast packets may be looped between the switchboard and the BIG-IP guest. This is most likely to occur when the guest is part of an HA pair.

Conditions:
vCMP guest, vlangroups.

Impact:
High CPU utilization and potentially undelivered packets.

Workaround:
Correctly configure proxy ARP excludes on the vlangroup and increase the FDB timeout by setting the vlan.fdb.timeout database key to a larger value such as 3600.

Fix:
Packets are no longer looped between vlangroup children on vCMP guests.


623927-2 : Flow entry memory leaked after DHCP DORA process

Solution Article: K41337253

Component: Policy Enforcement Manager

Symptoms:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is not freed.

Conditions:
Run the DHCP DORA process through BIG-IP (in relay mode or forwarding mode, and wait for client connection flow entry ages out.

Impact:
The system leaks flow entry memory. Over a long period of time, system memory will eventually run out.

Workaround:
None.

Fix:
After DHCP discover/offer/request/ack process (DORA), client side connection flow entry memory is now freed, so no memory leak occurs.


623922-5 : TMM failure in PEM while processing Service-Provider Disaggregation

Solution Article: K64388805

Component: Policy Enforcement Manager

Symptoms:
TMM failure in PEM while processing Service-Provider Disaggregation.

Conditions:
System crashes when traffic flows and rules get executed on the flow.

Impact:
System crashes.

Workaround:
Set Service-Provider Disaggregation to sp as suggested by documentation.

Fix:
There is no longer a TMM failure in PEM while processing Service-Provider Disaggregation.


623885-4 : Internal authentication improvements

Solution Article: K41107914


623803-2 : General DB error when select Profiles: Protocol: SCTP profile. Error due to 'read access denied type Virtual Address profile SCTP'

Solution Article: K12921801

Component: TMOS

Symptoms:
When SCTP profile is selected, the system posts a general DB error due to 'read access denied type Virtual Address profile SCTP'.

Conditions:
-- Login to GUI with non-Admin user.
-- Select SCTP profile from the GUI

Impact:
Cannot get the SCTP profile.

Workaround:
Login with Admin user.

Fix:
The non-Admin user is now be able to login to GUI, select the SCTP profile and retrieve SCTP profile information correctly.


623562-3 : Large POSTs rejected after policy already completed

Component: Access Policy Manager

Symptoms:
When the policy has already completed, access still rejects POSTs greater than 64k. Client will see a reset, and these error messages will appear on the BIG-IP:

/var/log/ltm
Oct 18 19:10:04 bigip6 err tmm[14242]: 01230140:3: RST sent from 10.2.61.80:8080 to 10.2.61.10:55280, [0x1d4cb2c:2863] APM HTTP body too big

/var/log/apm
Oct 19 09:42:37 bigip3922mgmt err tmm1[7636]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 2960

Conditions:
Policy has already been fully evaluated to allow. Then the client sends a large POST. Only applies to POSTs made to '/'. Would not apply if the URL is something else like '/test'. Also does not apply to clientless modes, where the db key tmm.access.maxrequestbodysize can be used to increase the maximum POST body size allowed.

Impact:
Clients are unable to send POST bodies to '/' that are larger than 64kb, even though the policy has already been evaluated to allow.

Workaround:
Move the resource from '/' to another URL.

Fix:
The logic of '/' in this area was changed to be consistent with other URLs.


623518-1 : Unable to add users in User Enforcement list under user-defined partition. Update check fails in user-defined partition

Component: Fraud Protection Services

Symptoms:
If a profile is assigned to a user-defined partition, it is not possible to add users to User Enforcement list.

Also, if a user-defined partition is selected, the GUI will not display a message if a there are available signatures/engine updates.

Conditions:
Provision and license FPS.
Create user-defined partition.

Impact:
You are unable to manage the profile in the user-defined partition.

Workaround:
Use tmsh to add users.

Fix:
Users can be added to User Enforcement list and a message will be displayed if a new update is available.


623491-2 : After receiving the first Gx response from the PCRF, the BWC action against a rule is lost.

Component: Policy Enforcement Manager

Symptoms:
The BWC action against a rule is lost and the traffic flow is capped at the maximum bandwidth configured in the BWC policy.

Conditions:
A flow should be associated with a PEM rule that has atleast a BWC action along with a Gx reporting action.

Impact:
The traffic flow is not capped by the correct BWC action, instead it is capped by the maximum configured bandwidth in the BWC policy.

Fix:
The BWC policy is restored correctly after a policy update.


623401-1 : Intermittent OCSP request failures due to non-optimal default TCP profile setting

Component: TMOS

Symptoms:
The connection between BIG-IP and OCSP responder is not reliable since it uses the default internal TCP configuration which doesn't fit the usage well.

Conditions:
When the OCSP stapling option is enabled in the clientSSL profile that is in use by a virtual server.

Impact:
The BIG-IP as a SSL server fails to staple the OCSP response to the SSL client. In other words, the certificate status messages are not added in the Server Hello message in the TLS handshakes to the SSL client.

Workaround:
The fix proposed an optimal TCP configuration used by the connection between BIG-IP and OCSP responder which makes the connection reliable now. Therefore the virtual server can now always correctly staple the certificate status in the Server Hello message to the SSL client.


623391-5 : cpcfg cannot copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

Getting configuration from HD1.2
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /: Not enough free space info: 739487744 bytes required
info: 259965952 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Use cpcfg for a UCS that is larger than free space on root filesystem of target volume set.

Impact:
You cannot use cpcfg to copy a UCS file to a volume set with a root filesystem that has less free space than the total UCS size

Workaround:
Run the below to fix /etc/mtab on target (HD1.3 is used in this example; substitute the correct target volume) before cpcfg:
- volumeset -f mount HD1.3
- grep HD1.3 /proc/mounts | sed 's_/mnt/HD1.3_/_g;s_//_/_g' > /mnt/HD1.3/etc/mtab
- volumeset -f umount HD1.3

Fix:
cpcfg could incorrectly calculate the amount of free space required, refusing to do the copy unless the / filesystem on the target volume had sufficient space to do the copy (not taking into account /config, /usr, /var, and other filesystems). This has been resolved and this free space calculation is done correctly.


623336-4 : After an upgrade, the old installation's CA bundle may be used instead of the one that comes with the new version of TMOS

Component: TMOS

Symptoms:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check is performed incorrectly, and the old bundle may accidentally be chosen.

Conditions:
This happens when /config/ssl/ssl.crt/ca-bundle.crt in the old version contains an RCS revision number near the top of the file, and the newer TMOS version does not contain a revision number. (This is a change in the format of the file generated by the organization providing F5 with this bundle.)

Impact:
Upgrades to versions that ship the "non-RCS" files will incorrectly retain the ca-bundle.crt from the previous version, instead of keeping the newer version that shipped with those versions.

This can result in certificate verification failures (e.g. for an OCSP stapling profile), or a BIG-IP creating an inconsistent/incomplete certificate chain for a virtual server.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to SOL13030, but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

Fix:
When installing a new version of TMOS, the installer will choose the bundle by looking at the current installation and what came with the target version, choosing the newer one. This check was performed incorrectly, and the old bundle could accidentally have been chosen. This has been fixed, and the newer version of the file is correctly chosen.


623119 : Linux kernel vulnerability CVE-2016-4470

Solution Article: K55672042


623093-1 : TIFF vulnerability CVE-2015-7554

Solution Article: K38871451


623055-1 : Kernel panic during unic initialization

Component: TMOS

Symptoms:
During system initialization, the kernel panics during unic initialization.

Conditions:
This can occur on BIG-IP Virtual Edition if an error (on memory allocation, io etc.) occurs during unic initialization.

Impact:
The kernel panics, system will not boot.

Fix:
Initialize resources to fail gracefully on error.


623037-2 : delete of pem session attribute does not work after a update

Component: Policy Enforcement Manager

Symptoms:
it will not be possible to delete the session attribute through rules.

Conditions:
rules with session attribute update & delete

Impact:
unable to delete session attribute


623023-1 : Unable to set DNS Topology Continent to Unknown via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
No option in dropdown menu to select Unknown Continent when configuring DNS Topology Record via GUI. Existing Topology Records will be displayed as "Continent is", instead of "Continent is Unknown".

Conditions:
Attempting to configure a DNS Topology Record via the GUI.

Impact:
Unable to set the Continent field to 'Unknown' via GUI.

Workaround:
Set the continent via tmsh using the command `create gtm topology ldns: continent -- server: continent --`

Fix:
The dropdown menu now has an option to select an "Unknown" Continent.


622913-2 : Audit Log filled with constant change messages

Component: Application Security Manager

Symptoms:
Frequent changes by Policy Builder fill the audit log too quickly and can affect viewing the Security Logs:

Error 502 Bad Gateway when clicking "Application Security" logs

Conditions:
Frequent Policy Builder changes occur and no ASM device group is configured.

Impact:
Disk space usage and errors viewing the Application Security logs

Workaround:
Workarounds:
1) Turn off "Recommend Sync when Policy is not applied". (Security ›› Options : Application Security : Preferences)

2) Enable ASM sync on a device group.

Fix:
Updates to the audit log are throttled at max 1/minute.


622877-1 : i2000 and i4000 series appliances may show intermittent DDM alarms/warnings at powerup that clear right away

Component: TMOS

Symptoms:
Messages like the following in /var/log/ltm:

Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface: 6.0 transmit power too low alarm. Transmit power:0.0515 mWatts
Oct 14 12:22:26 localhost err pfmand[5637]: 01660011:3: DDM interface:6.0 receive power too low alarm. Received power:0.0000 mWatts
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 transmit power too low alarm cleared
Oct 14 12:23:29 localhost err pfmand[5637]: 01660013:3: DDM interface:6.0 receive power too low alarm cleared
'

Conditions:
i2000 or i4000 series appliances with DDM enabled and a reboot or restart of the pfmand daemon

Impact:
No functional impact, these are not valid DDM alarms or warnings.

Workaround:
Ignore DDM errors that clear right away after powerup or pfmand restart.

Fix:
During DDM initialization clear any alarms or warnings cached in the hardware registers.


622856-1 : BIG-IP may enter SYN cookie mode later than expected

Component: Local Traffic Manager

Symptoms:
BIG-IP entry to SYN cookie mode may not occur even though traffic pattern would dictate that it should.

Conditions:
Verified accept enabled on a Virtual IP.
Large volume of traffic being processed by BIG-IP.

Impact:
BIG-IP does not enter SYN cookie mode at the expected time.

Workaround:
Disable verified accept on all VIP TCP profiles.

Fix:
BIG-IP correctly enters SYN cookie mode when traffic pattern
dictates that it should.


622790-1 : EdgeClient disconnect may take a lot of time when machine is moved to network with no connectivity to BIG-IP

Component: Access Policy Manager

Symptoms:
Edge Client takes a lot of time to disconnect when machine is moved to network with no connectivity to BIG-IP

Conditions:
* VPN is established
* Machine is moved to different network (with no BIG-IP) connectivity
* EdgeClient stays in "Disconnecting..." state for few minutes

Impact:
User have to wait until Disconnect procedure is complete

Fix:
Now Edge Client uses 5000msec timeout in order to complete logout HTTP request. This is enough in normal conditions


622735 : TCP Analytics statistics does not list all virtual servers

Component: Application Visibility and Reporting

Symptoms:
In "Statistics :: Analytics : TCP", displaying the stats by virtual server will only allow the option of "Aggregated".

Conditions:
This occurs on virtual servers with the TCP Analytics profile attached.

Impact:
GUI does not list all virtual servers that have the TCP Analytics profile attached.

Fix:
Fixed an issue with displaying TCP Analytics statistics for virtual servers.


622662-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697


622619-5 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPd cpu utilization is high and renders it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.


622496 : Linux kernel vulnerability CVE-2016-5829

Solution Article: K28056114


622386-1 : Internet Explorer getting blocked when Web Scraping and Proactive Bot Defense are both enabled

Component: Application Security Manager

Symptoms:
Internet Explorer browsers will get into an endless loop of requests, never reaching the back-end server, when accessing a Virtual Server which is enabled with both the Web Scraping feature, and the Proactive Bot Defense, if the mode of Proactive Bot Defense is set to During Attacks.

Conditions:
1. ASM Security Policy is attached to the Virtual Server, and has Web Scraping's Bot Detection set to Alarm & Block.
2. Within Web Scraping, both Fingerprint and Persistent Client Identification are disabled.
3. DoS profile is attached to the Virtual Server, and has Proactive Bot Defense set to During Attacks.
4. Users are using the Internet Explorer browser.

Impact:
Internet Explorer browser users are getting blocked from accessing the back-end server.

Workaround:
Two options for workaround:
1. Set Proactive Bot Defense to Always instead of During Attacks.
2. Enable either Fingerprint or Persistent Client Identification in the Web Scraping configuration.

Fix:
Internet Explorer users are no longer blocked when accessing a Virtual Server which has both Web Scraping enabled, and Proactive Bot Defense set to During Attacks.


622281-1 : Network DoS logging configuration change can cause TMM crash

Component: Advanced Firewall Manager

Symptoms:
Whenever a DoS Network logging profile is assigned or removed from a Virtual Server, it could cause random TMM crash.

Conditions:
The problem happens only with runtime config change.

Any logging profile config settings which was configured already and which gets loaded on TMM startup does not have this problem. Since this problem is a one time event on config change, TMM restart will pickup the config change and will work without any problem after the one time crash and TMM restart.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Invalid memory reference after free resulted in crash, which is fixed.


622244-2 : Edge client can fail to upgrade when always connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade an Edge client may fail if the Always Connected mode is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client

Impact:
Upgrade will fail

Workaround:
Disable the Always Connected mode

Fix:
Upgrade functions as intended regardless of connection mode


622220-2 : Disruption during manipulation of PEM data with suspected flow irregularity

Component: Policy Enforcement Manager

Symptoms:
tmm crashes.

Conditions:
It is not known exactly what conditions trigger this; it was observed with Policy Enforcement Manager configured. It may occur when a new blade is added or HA event occurs and flows get rebalanced before the session is established.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a tmm crash related to manipulating Policy Enforcement Manager data.


622199 : sys-icheck reports error with /var/lib/waagent

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /var/lib/waagent.

On BIG-IP version 12.0.0:
ERROR: ....L.... /var/lib/waagent
L - readLink(2) path mismatch

On BIG-IP version 12.1.0 and 12.1.1:
ERROR: .M....... /var/lib/waagent

M - Mode differs (includes permissions and file type)

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with waagent that was causing sys-icheck to fail.


622194 : sys-icheck reports error with ssh_host_rsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_rsa_key and ssh_host_rsa_key.pub

ERROR: SM5...... /config/ssh/ssh_host_rsa_key
ERROR: SM5...... /config/ssh/ssh_host_rsa_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud when running the sys-icheck utility.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with ssh_host_rsa_key and ssh_host_rsa_key.pub that was causing sys-icheck to generate an error.


622183-5 : The alert daemon should remove old log files but it does not.

Component: TMOS

Symptoms:
When the utilization of the log filesystem goes above the configuration setting 'sys db logcheck.alertthres' (default 90%), it is intended that the alert daemon should delete old log files. It does not.

Conditions:
System activity generates a high number of log messages, and/or a user puts large files in /var/log.

Impact:
The log filesystem may become completely full, and new log messages cannot be saved.

Fix:
The alert daemon will now remove old log files as intended.


622178-1 : Improve flow handling when Autolasthop is disabled

Solution Article: K19361245


622148-5 : flow generated icmp error message need to consider which side of the proxy they are

Component: Local Traffic Manager

Symptoms:
when generating an error message from a flow, the icmp6 code does not check which side the messages needs to be crafted for.

Conditions:
error handling

Impact:
As a result generated ICMP error message might contain the wrong addressing

Workaround:
no workaround

Fix:
now the code checks flow type before crafting the error message


622133-1 : VCMP guests may incorrectly obtain incorrect MAC addresses

Component: TMOS

Symptoms:
vCMP guests may be re-configured to use MAC addresses based off an all zero MAC address (00:00:00:00:00:00).

The 'tmsh show net vlan' command will show the vlan interfaces having mostly 0's in the MAC address:

-------------------------------------
Net::Vlan: external
-------------------------------------
Interface Name external
Mac Address (True) 00:00:00:00:00:01
MTU 1500
Tag 3702
Customer-Tag

-------------------------------------
Net::Vlan: internal
-------------------------------------
Interface Name internal
Mac Address (True) 00:00:00:00:00:02
MTU 1500
Tag 3703
Customer-Tag

Conditions:
For this to manifest the vCMP host vcmpd process will have to have had a prior crash or be killed.
In this scenario vcmpd on restart uses a default zero-base MAC address for the guests.
The guests will not use the new zero-based MAC until services are restarted on the guest, on which the new MAC address will take effect.

Impact:
This can cause network issues and conflicts if occurring on multiple guests in the same VLAN as the same MAC addresses will be used.

Workaround:
Restart the guest from the hypervisor.

Fix:
vCMP no longer uses zero-based MACs on vcmpd crash/kill.


622126-1 : PHP vulnerability CVE-2016-7124

Solution Article: K54308010


622017-8 : Performance graph data may become permanently lost after corruption.

Solution Article: K54106058

Component: Local Traffic Manager

Symptoms:
During an upgrade, system reboot or restart of the statsd daemon, if a performance graph /var/rrd/*.info file is corrupt, the system is expected to backup the performance data before replacing it and starting with new empty graph data. It is then possible to manually recover the previous performance data.

However, if the /shared/rrd.backup directory already exists, the system restarts the performance graph with new data without backing up the previous data.

Conditions:
During startup of the statsd daemon (such as after an upgrade or reboot), the issue occurs if the following two conditions are present:
* The /var/rrd/<filename>.info files are corrupt (CRC value does not match contents).
* The /shared/rrd.backup directory exists.

Impact:
The previous performance graph data is not displayed, and is no longer available for manual recovery.

Workaround:
Old performance graph data can be extracted from the var/rrd directory of a QKView taken prior to the beginning of the problem.

Fix:
Corrupt performance graph RRD data is now backed up to the /shared/rrd.backup directory during startup even if the directory already exists.


621976-4 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working OneDrive for Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.


621974-4 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working Skype For Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.


621957-2 : Timezone data on AOM not syncing with host

Component: TMOS

Symptoms:
Updating the timezone on the host does not sync to the AOM, because certain tzdata files are placed in the wrong directories.

Conditions:
A system using tzdata version v2016i-1 may encounter this problem. If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

then the system has this problem.

Impact:
Time on the AOM is incorrect.

Workaround:
If the following files exist:

/usr/share/zoneinfo/posix/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/zoneinfo/right/F5zone.tab
/usr/share/zoneinfo/zoneinfo/F5zone.tab

move them to:

/usr/share/zoneinfo/F5zone.tab
/usr/share/zoneinfo/posix/F5zone.tab
/usr/share/zoneinfo/right/F5zone.tab

Fix:
Timezone data on AOM now syncs correctly with host again


621937-1 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024


621935-6 : OpenSSL vulnerability CVE-2016-6304

Solution Article: K54211024


621909-4 : Uneven egress trunk distribution on 5000/10000 platforms with odd number of trunk members

Solution Article: K23562314

Component: TMOS

Symptoms:
When a trunk on the BIG-IP 5000 or 10000 platforms has an odd number of members, the traffic distribution to those interfaces will be unbalanced. Some interfaces will see more traffic than others.

Conditions:
This can occur for two reasons:
-- Purposefully configuring an odd number of members.
-- A port goes down in a trunk that has an even number of members.

Impact:
Uneven traffic distribution.

Workaround:
None.

Fix:
This release fixes uneven egress trunk distribution on the BIG-IP 5000 or 10000 platforms when there is an odd number of ports.


621870-2 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
VIP-VIP configuration

Impact:
System outage

Workaround:
None.


621808-1 : Proactive Bot Defense failing in IE11 with Compatibility View enabled

Component: Application Security Manager

Symptoms:
Microsoft Internet Explorer version 11 (IE11) browsers which have 'Compatibility View' enabled (under Compatibility View Settings IE11 menu), fail the JavaScript challenge when Proactive Bot Defense is enabled and the 'Block requests from suspicious browsers' checkbox is checked.

The challenged request is blocked using a TCP_RST flag, and the browser displays 'This page can't be displayed'.

Conditions:
-- DoS profile that is attached to the virtual server.
-- Proactive Bot Defense is enabled
-- The 'Block requests from suspicious browsers' checkbox is checked.
-- IE11 browsers are in use.
-- The site's domain is inserted to the 'Compatibility View Settings' in the browser's menu.

Impact:
Legitimate browsers get blocked when accessing the site.

Workaround:
None.

Fix:
IE11 browsers with 'Compatibility View' enabled on the site no longer get blocked when Proactive Bot Defense is enabled on the DoS profile.


621736-6 : statsd does not handle SIGCHLD properly in all cases

Solution Article: K00323105

Component: Local Traffic Manager

Symptoms:
- Performance graphs are not updating or are not existent.
- proc_pid_stat shows statsd time not increasing.
- Top also shows that statsd is not taking any processor time.

In fact statsd is stuck on a wait in a signal handler.

Conditions:
If statsd receives a SIGCHLD signal.

Impact:
The system gets stuck and does not process anything. No performance graphs are collected / generated

Workaround:
Restart statsd using the following command:
bigstart restart statsd

Fix:
statsd now handles SIGCHLD properly.


621682-1 : Portal Access: problem with specific JavaScript code

Component: Access Policy Manager

Symptoms:
Portal Access does not rewrite JavaScript code with try...catch... operator followed by literal regular expression.

Conditions:
JavaScript code like follows:
try {} catch (e) {} /aaa/.test(b)

Impact:
Web application may not work correctly.

Fix:
Now try / catch operator followed by literal regular expression in JavaScript code is handled correctly by Portal Access.


621524-2 : Processing Timeout When Viewing a Request with 300+ Violations

Component: Application Security Manager

Symptoms:
When attempting to view a request that triggered hundreds or thousands of violations, a timeout is encountered.

Conditions:
Attempting to view a request that triggered hundreds or thousands of violations

Impact:
A timeout is encountered.

Workaround:
increase the "max_execution_time" timeout in /usr/loca/lib/php.ini from 30 to 240 seconds.

Fix:
Processing high violation requests is now more efficient.


621452-1 : Connections can stall with TCP::collect iRule

Solution Article: K58146172

Component: Local Traffic Manager

Symptoms:
Connection does not complete.

Conditions:
-- A TCP::collect command is in use.
-- The first packet received after the SYN carries data.

The Initial Sequence number in the SYN, plus the length of the data in the first packet, plus 1, is greater than-or equal to 2^31.

Note: APM VDI profiles internally use TCP::collect, so virtual servers with VDI profiles may be affected as well.

Impact:
-- Connection fails.
-- This issue can also cause the Configuration Utility's Device Management :: Overview page to stop responding.

Workaround:
There is no workaround at this time.

Fix:
The system now properly sets state variables associated with TCP::collect, so this issue no longer occurs.


621447-1 : In some rare cases, VDI may crash

Component: Access Policy Manager

Symptoms:
VDI process crashes and connections to VDI resources are aborted.

Conditions:
VDI receives unexpected session variable result which is meant for some other VDI thread.

Impact:
Existing VDI connections are aborted and the user needs to login again.

Fix:
VDI should gracefully handle the error condition and should not crash


621423 : sys-icheck reports error with /config/ssh/ssh_host_dsa_key

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /config/ssh/ssh_host_dsa_key and other files:

ERROR: missing /config/ssh/ssh_host_dsa_key
ERROR: missing /config/ssh/ssh_host_dsa_key.pub
ERROR: missing /config/ssh/ssh_host_key
ERROR: missing /config/ssh/ssh_host_key.pub

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/ssh/ that was causing sys-icheck to report errors.


621422 : i2000 and i4000 series appliances do not warn when an incorrect optic is in a port

Component: TMOS

Symptoms:
A 1G optic is inserted in a port that only supports 10G optics, or a 10G optic is inserted in a port that only supports 1G optics.

The invalid optic may show a link light, and no warning appears on the LCD.

Conditions:
i2000 or i4000 platforms ports do not auto-negotiate between 1G and 10G optics. Ports are assigned to one or the other speed.

Impact:
User may not understand why optic is not working correctly

Workaround:
Move the optic to the correct port.


621401 : When HA is configured on BIG-IPs managed by BIG-IQ, the AVR reporting from BIG-IQ may fail under the load

Component: Device Management

Symptoms:
When BIG-IQ is monitoring more than 1 BIG-IP in a HA clustser, AVR reporting on the BIG-IQ may fail if one of the BIG-IPs is under heavy load.

Conditions:
BIG-IQ monitoring BIG-IPs in a HA cluster
BIG-IPs running AFM and/or ASM
BIG-IQ used to monitor AFM and/or ASM reporting.
At least one of the BIG-IPs is under significant load so as to cause delays in responding to BIG-IQ requests.

Impact:
AVR reporting will stop functioning.

Workaround:
bigstart restart restjavad


621386-1 : restjavad spawns too many icrd_child instances

Solution Article: K91988084

Component: TMOS

Symptoms:
icrd_child process keeps crashing and can lead to an out-of-memory condition.

Conditions:
This occurs due to a race condition while restarting the icrd daemon.

Impact:
icrd might crash.

Workaround:
None.

Fix:
Fixed race condition that caused the system to run out of memory by spawning too many icrd_child processes.


621379-2 : TCP Lossfilter not enforced after iRule changes TCP settings

Component: Local Traffic Manager

Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.

Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.

an iRule changes any of the above settings except loss-filter.

Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.

Workaround:
Change any of the conditions above.

Fix:
Properly handle loss-filter state when switching TCP stacks.


621374-1 : "abbrev" argument in "whereis" iRule returns nothing

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule [whereis <ip|ldns> abbrev] does not return a value.

Conditions:
iRule relying on whereis abbrev is used.

Impact:
The whereis iRule command will not return the expected value.


621371-2 : Output Errors in APM Event Log

Solution Article: K43523962


621337-6 : XSS vulnerability in the BIG-IP and Enterprise Manager Configuration utilities CVE-2016-7469

Solution Article: K97285349


621314-6 : SCTP virtual server with mirroring may cause excessive memory use on standby device

Solution Article: K55358710

Component: TMOS

Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.

Conditions:
SCTP virtual server has mirroring enabled.

Impact:
TMMs will have high memory usage on standby device.

Workaround:
Disable mirroring on the SCTP virtual server.

Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.


621273-1 : DSR tunnels with transparent monitors may cause TMM crash.

Component: TMOS

Symptoms:
The TMM may crash if the BIG-IP system is configured with a DSR tunnel with a transparent monitor.

Conditions:
The BIG-IP system is configured with a DSR tunnel with a transparent monitor and the DB variable tm.monitorencap is set to "enable".

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM does not crash.


621259-3 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration

Impact:
When take longer than 90 seconds soap iControl will time out.
This make it impossible to manage via EM


621242-1 : Reserve enough space in the image for future upgrades.

Component: TMOS

Symptoms:
Increased the reserved free space in VM image from 15% to 30% to accommodate upgrades to future versions. Each next version tends to be bigger and require more disk space to install. The increased reserved space will allow upgrading to at least next 2 versions.

Conditions:
VE in local hypervisors and VE in the Cloud (AWS, Azure).

Impact:
Extends the disk image to reserve more disk space for upgrades.

Workaround:
N/A

Fix:
Increased the reserved free space on VE images.


621239-2 : Certain DNS queries bypass DNS Cache RPZ filter.

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS query with the DO-bit set to 1 will bypass the RPZ filter on a DNS Cache.

Conditions:
A DNS Cache configured with RPZ.

Impact:
Queries with DO-bit set to 1 will bypass the RPZ filter and be answered normally.

Fix:
The DO-bit is now ignored with respect to RPZ filtering.


621233-1 : FastL4 and HTTP profile or hash persistence with ip-protocol not set to TCP can crash tmm

Solution Article: K49440608


621225 : LTM log contains misleading error messages for front panel interfaces, "PCI Device not found for Interface X.0"

Component: TMOS

Symptoms:
When BIG-IP is initially booted or re-started, there are certain conditions under which the LTM log may report the following message for front panel interfaces, "PCI Device not found for Interface <X.0>", where X can be in the range of 1-6. These messages are misleading because the front panel interfaces do not have any PCI devices associated with them and should not have been flagged as errors.

Conditions:
i2600/i2800 products intermittently produce these messages upon power-up or BIG-IP re-start.

Impact:
They are false alarms in the log. The associated interfaces do not have said PCI devices.

Fix:
Removed the possibility of getting false alarm messages in the LTM log for front panel interfaces 1.0-6.0 that claim, "PCI Device not found for Interface X.0".


621210-2 : Policy sync shows as aborted even if it is completed

Component: Access Policy Manager

Symptoms:
After syncing a policy in a sync-only device group, the policy appears to be synced to the target successfully, however, the remote HA pair devices show status as canceled/aborted.

Conditions:
It is not known exactly what triggers this condition. It was observed in a 4-device trust group consisting of 2 sync/failover groups and a single sync-only device group for all 4 devices. After the sync the status reported as cancelled/aborted.

Impact:
Sync status is displayed incorrectly, even after the sync was successful.

Workaround:
None.

Fix:
Policy sync now shows as completed when it is completed.


621126-2 : Import of config with saml idp connector with reuse causes certificate not found error

Component: Access Policy Manager

Symptoms:
Export and then Import with reuse of config that has SAML Idp Connector as part of configuration would fail with Object not found or Certificate not found error:

Import Error: 01070734:3: Configuration error: /Common/my_cert.crt certificate not found.

Conditions:
Exporting and then importing with "Reuse existing objects" checked. Normal import is ok.

Impact:
Importing fails.

Workaround:
On From box:Disconnect Idp configuration, export config.
On To box:Recereate Idp configuration, import, reconnect it.

Fix:
Importing with reuse is fixed.


621115-1 : IP/IPv6 TTL/hoplimit may not be preserved for host traffic

Component: Performance

Symptoms:
Traffic to and from the Linux host has TTL set to 255 or hop limit set to 64. This may impact any protocols that scrutinize the TTL such as IGMP or BGP.

Conditions:
IP/IPv6 TTL/hoplimit for host traffic.

Impact:
IGMP packets will not be passed from TMM to the Linux host and remote routers may reject IGMP packets from the BIG-IP.

BGP neighbors may reject packets from the BIG-IP.

Workaround:
Adjust TTL verification restrictions on peer devices.

Fix:
The IP/IPv6 TTL/hoplimit of host traffic is no longer modified when it traverses TMM.


620929-4 : New iRule command, MR::ignore_peer_port

Component: Service Provider

Symptoms:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port. Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Conditions:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port.

Impact:
Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Workaround:
Without this change, a new connection would need to be created to the client.

Fix:
New iRule command allow script author to identify the current connection as equivalent to other connections of the IP and route domain ID matches.


620903-1 : Decreased performance of ICMP attack mitigation.

Component: Performance

Symptoms:
Decreased performance of ICMP attack mitigation.

Conditions:
A Big-Ip is under attack, for example a ICMP flood attack.

Impact:
Decreased performance of ICMP attack mitigation.

Workaround:
NA

Fix:
Increased performance of ICMP attack mitigation.


620829-2 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Solution Article: K34213161

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
None.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.


620801-3 : Access Policy is not able to check device posture for Android 7 devices

Component: Access Policy Manager

Symptoms:
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve device MAC address and hence APM is not able to check for device compliance against configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item.

If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.

Conditions:
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status
- User accesses APM from an Android 7 device using F5 Edge Client app.

Impact:
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.

Workaround:
This workaround only applies to IBM Maas360:

Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:

session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:
session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix:
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.


620788-1 : FQDN pool created with existing FQDN node has RED status

Solution Article: K05232247

Component: Local Traffic Manager

Symptoms:
After creating an FQDN pool using an existing FQDN node, the pool has RED status.

Conditions:
-- Existing FQDN node.
-- Pool created with an existing FQDN node as a member.

Impact:
Traffic will not pass in this pool.

Workaround:
As a workaround, follow these steps:
1. Delete the existing FQDN node.
2. Create a new one.
3. Create a pool that includes the new FQDN node.

Fix:
When creating an FQDN pool with an existing FQDN node, the pool status now reflects the actual monitor status.


620782 : Azure cloud now supports hourly billing

Component: TMOS

Symptoms:
Prior to 12.1.2 hourly billing was not supported in Azure cloud.

Conditions:
Any version prior to 12.1.2 in Azure Cloud

Impact:
Hourly billing not possible

Fix:
With 12.1.2 hourly billing is now supported in Azure.


620759-4 : Persist timeout value gets truncated when added to the branch parameter.

Component: Service Provider

Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.

Conditions:
If the persist timeout value was higher that 65535 then the value gets truncated.

Impact:
Incorrect persist timeout get into affect for the call other than the value set in the config.

Workaround:
None.

Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.


620746-1 : MCPD crash

Component: TMOS

Symptoms:
MCPD may crash while processing large requests.

Conditions:
The conditions under which this occurs are not yet defined.

Impact:
MCPD crash, leading to a failover event.

Workaround:
None.

Fix:
MCPD now processes large requests as expected.


620659-3 : The BIG-IP system may unecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
  info mprov:4614:: \'\'provision.initialized\' indicates force TMOS only provisioning - forcing.\'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: \'Existence of file \'/mprov_firstboot\' indicates force TMOS only provisioning - forcing.\'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.


620635-2 : Request having upper case JSON login parameter is not detected as a failed login attempt

Component: Application Security Manager

Symptoms:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ JSON login parameter with an upper-case character

Impact:
Not able to detect failed login attempt if ASM policy is case insensitive, and incoming JSON string contains upper case.

Workaround:
N/A

Fix:
We've made sure that JSON login parameter are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.


620625-2 : Changes to the Connection.VlanKeyed DB key may not immediately apply

Solution Article: K38094257

Component: Local Traffic Manager

Symptoms:
Changes to the Connection.VlanKeyed DB key may not immediately apply to all TMMs

Conditions:
The Connection.VlanKeyed DB key is changed

Impact:
Asymmetrically routed connections may fail with Connection.VlanKeyed disabled

Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm

Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.


620614-4 : Citrix PNAgent replacement mode: iOS Citrix receiver fails to add new store account

Component: Access Policy Manager

Symptoms:
iOS Citrix receiver fails to add new store account and touching on the Save option after providing the credentials displays "Loading" and comes back to previous save option.

/var/log/apm displays "An exception is thrown: EVP_CipherFinal_ex failed: EVP_DecryptFinal_ex:bad decrypt" from VDI.

The above error, otherwise, below error which deletes the session id abruptly.

Oct 24 16:33:12 slot2/vip-guest7-test notice tmm[11547]: 01490567:5: /Common/mvdi-r_ap:Common:e19516fd: Session deleted (internal_cause).

Conditions:
APM is configured with Citrix replacement mode. Provide wrong passcode values for RSA SecurId auth for continuously three times which trigger the next token input for the fourth time entering the right passcode. APM rotate session is enabled.

Impact:
iOS Citrix receiver could not add the account after providing wrong token values for two factor auth

Workaround:
Kill the iOS Citrix receiver application and click on the receiver again to add the account.

Fix:
Use the right session id for decrypting the password.


620543-1 : Security Address Lists and Port Lists can't change Description field

Component: Advanced Firewall Manager

Symptoms:
'Description' doesn't get saved when a user tries to create a Address List, or Port List.

Conditions:
Create an Address List/Port List with a description, and hit 'Finished'. The Address/Port List will be created, but the object will not be saved.

Impact:
Users will not be able to save description when Address List/Port List gets created via GUI.

Workaround:
Use tmsh to create Address/Port List.

Fix:
'Description' gets saved when a user tries to create a Address List, or Port List.


620445-4 : New SIP::persist keyword to set the timeout without changing key

Component: Service Provider

Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.

Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.

Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.

Workaround:
None.

Fix:
New keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key.

Behavior Change:
There is a new keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key. Previously, if you changed the timeout, it disabled bidirectional persistence.


620400-1 : TMM crash during TLS processing

Solution Article: K21154730


620366-4 : Alertd can not open UDP socket upon restart

Component: TMOS

Symptoms:
alertd fails to restart due to the following error:
Sep 29 18:29:44 B2200-R76-S19 err alertd[16882]: 01100009:3: Couldn't open file UDP listener

Conditions:
alertd has spawned a long-running process (e.g. ntpd) which does not close inherited file descriptors.

Impact:
alertd fails to restart

Fix:
Mark alertd file descriptors for automatic closure in child processes.


620215-5 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.


620079-3 : Removing route-domain may cause monitors to fail

Component: Local Traffic Manager

Symptoms:
Removing a route-domain may cause icmp and gateway-icmp monitors in unrelated route-domains to fail.

Conditions:
-- Route-domain is removed.
-- icmp/gateway-icmp monitor is used.

Impact:
Monitor marks the node down, resulting in partial service outrage.

Workaround:
Restart bigd using the following command:
bigstart restart bigd

Fix:
Removing route-domain no longer causes monitors to fail.


620056-1 : Assert on deletion of paired in-and-out IPsec traffic selectors

Component: TMOS

Symptoms:
When two traffic-selectors, one in and one out, mirror each other by reversing source and destination addresses, then deleting one can miss-fire an assert, restarting tmm.

Conditions:
Defining two clearly related traffic selectors, one for in and one for out, can confuse a later check of their names.

Impact:
When a traffic selector is deleted, from such a pair, an assert can fail that restarts tmm processes. Traffic disrupted while tmm restarts.

Workaround:
Using one traffic selector with direction=both would avoid the problem, before this change appears in a release.

Fix:
The confusion of over names for such paired traffic selectors is now fixed, so the assert cannot occur. Such traffic selectors -- just like each other execpt for reversed source and destination -- will work correctly for IKEv1 configs. For IKEv2 it is still best to use single TS insances with direction=both.


619879-1 : HTTP iRule commands could lead to WEBSSO plugin being invoked

Component: Access Policy Manager

Symptoms:
With SSO logs set to 'Debug' in Access log configuration, the following log messages are seen in '/var/log/apm':
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: constructor
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext constructor ...
Sep 30 12:46:17 BIG-IP3900mgmt err websso.3[14520]: 014d0005:3: Unsupported SSO Method
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914b510, SERVER: TMEVT_REQUEST
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: ctx: 0x914a718, CLIENT: TMEVT_ABORT_PROXY
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoContext destructor ...
Sep 30 12:46:17 BIG-IP3900mgmt debug websso.3[14520]: 014d0001:7: webssoConfig destructor

With 'rstcause' enabled, the following log message is seen in '/var/log/ltm':
Sep 30 12:46:17 BIG-IP3900mgmt err tmm2[13116]: 01230140:3: RST sent from 172.17.90.92:57611 to 127.0.0.1:10001, [0x24ccbbc:820] Internal error (APM::WEBSSO requested abort (Unsupported SSO Method))

Conditions:
HTTP::disable followed by HTTP::enable.

when CLIENT_ACCEPTED {
    HTTP::disable
    // do some other stuff
    HTTP::enable
}

Impact:
client receives a HTTP 503 reset

Workaround:
When the access profile is added to the virtual server, the websso plugin profile is automatically added. Manually removing the websso plugin fixes this bug.

Fix:
The server-side access hudfilter was mistakenly enabling the websso plugin. The logic has been updated so that this does not happen.


619849-4 : In rare cases, TMM will enter an infinite loop and be killed by sod when the system has TCP virtual servers with verified-accept enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGABRT (killed by sod)

Conditions:
TCP (full proxy) virtual servers with verified-accept enabled in the TCP profiles, that must be handling traffic.

This issue occurs extremely rarely.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
disable verify accept.

Fix:
the loop is fixed.


619844-2 : Packet leak if reject command is used in FLOW_INIT rule

Component: Local Traffic Manager

Symptoms:
TMM memory usage (packets) increases steadily over time.

Conditions:
'reject' command is used in a FLOW_INIT rule

Impact:
Packet leak over time will consume TMM memory.

Workaround:
Do not use reject command in FLOW_INIT iRule


619811-2 : Machine Cert OCSP check fails with multiple Issuer CA

Component: Access Policy Manager

Symptoms:
If there are multiple CAs in the CA bundle and issuing CA is not first in it, the OCSP responder returns "unauthorized" response.

Conditions:
This can only happen when issuing CA is not first in the CA file.

Impact:
OSCP check in machine cert will fail and user won't be able to follow successful branch in Access Policy. This might result in Authentication failure even though the machine cert is valid.

Workaround:
Use iRule Event and variable Assign agent in between Machine Cert and OCSP Auth agent.

Follow these steps:

iRule:

1) Loop through the CA bundle until you find matching issuer cert
2) Set this new issuer cert to "session.check_machinecert.last.cert.issuer.cert"

Variable Assign:

3) Read this issuer cert from the session db and assign it back to the same session variable:

session.check_machinecert.last.cert.issuer.cert = expr { [mcget -nocache {session.check_machinecert.last.cert.issuer.cert}] }

Fix:
Issuer cert is now looked up and set properly from the CA bundle. So there is no longer any failure response from OCSP responder.


619757-1 : iSession causes routing entry to be prematurely freed

Component: Wan Optimization Manager

Symptoms:
iSession may cause TMM to prematurely free a routing entry resulting in memory corruption and TMM restarting.

Conditions:
iSession-enabled virtual.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No reasonable workaround short of not using iSession functionality.

Fix:
iSession no longer causes routing entries to be prematurely freed.


619706-1 : tmsh appears to allow password change for internal lcd admin user

Component: TMOS

Symptoms:
The 'tmsh modify auth password' command appears to allow the password to be changed for the f5hubblelcdadmin user.

Conditions:
Using the 'modify auth password' command under tmsh, and manually specifying the 'f5hubblelcdadmin' user (which does not appear among the list of available users, such as via tab-completion).

Impact:
This operation appears to succeed, but has no actual effect on BIG-IP operations.
This is an internal user account which provides the context for communication with the lcd front panel display on newer BIG-IP appliances. Changing the stored password for this user account does not affect these operations.

Fix:
Removed the appearance of the ability to change the password for the internal lcd admin user.


619663-3 : Terminating of HTTP2 connection may cause a TMM crash

Solution Article: K49220140

Component: Local Traffic Manager

Symptoms:
TMM crashes when an HTTP2 connection is being terminating on client and server sides concurrently.

Conditions:
-- HTTP2 profile is configured and assigned to a virtual server.
-- A client SSL profile is also used on the same virtual server.
-- Client interrupting a connection and server terminating a connection at the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A fix stops HTTP2 from further processing when a connection is terminating preventing TMM crash for this reason.


619528-4 : TMM may accumulate internal events resulting in TMM restart

Component: Local Traffic Manager

Symptoms:
Under some uncommon circumstances, long-lived connections may cause internal events to be accumulated causing excessive memory usage potentially resulting in TMM restarting.

Conditions:
HTTP virtual with long-lived connections.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
The issue can be mitigated by setting the HTTP 'max-requests' profile option to a reasonably low value - this value will depend on application requirements.

Fix:
Internal events are no longer accumulated thus avoiding low memory conditions.


619516-1 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
This can cause any of the following depending on the change:
-- Superfluous full sync operations.
-- Updating the wrong element on the remote devices.
-- Missing changes on the remote devices.

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups with ASM enabled.


619486-3 : Scripts on rewritten pages could fail with JavaScript exception if application code modifies window.self

Component: Access Policy Manager

Symptoms:
Attempts to call some JavaScript methods (such as XMLHttpRequest.open) on a page accessed through Portal Access could fail if application modifies window.self builtin object. As a result, the application will stop working and optionally log an undefined variable/reference exception into Developer Tools console.

To verify that window.self is modified, run 'window.self == window' command in Developer Tools console of the page with error and check if it returns 'false'.

Conditions:
This can occur if a web application has javascript that modifies the value of window.self.

Impact:
Affected web-applications will not work when accessed through Portal Access.

Workaround:
None

Fix:
Scripts on pages accessed through Portal Access are no longer failing when web application code modifies window.self.


619473-2 : Browser may hang at APM session logout

Component: Access Policy Manager

Symptoms:
Browser hangs at logout from APM session with RDP client and/or VMware View client.

Conditions:
- APM Virtual server with RDP client and/or VMware View client on webtop;
- active session on this webtop with opened client.

Impact:
Logout from APM session may take a long time (several minutes). In some cases, it may be necessary to restart browser.

Fix:
Now browser does not hangs at logout from APM session with RDP client and/or VMvare View client.


619410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip/zlib compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip/zlib levels other than level 1.
-- BIG-IP devices using Coleto Creek SSL hardware acceleration.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Workaround:
None.

Fix:
Hardware accelerator correctly registers for all DEFLATE/gzip/zlib compression levels, not just level 1.


619398-7 : TMM out of memory causes core in DNS cache

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes and service is lost until it restarts. You may see several "aggressive mode sweeper" messages in /var/log/ltm prior to the crash.

Conditions:
This can occur when the TMM memory is exhausted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Provision sufficient memory for the TMM or reduce load.

Fix:
The fix was to properly handle the failure allocating memory.


619250-1 : Returning to main menu from "RSS Feed" breaks ribbon

Component: Access Policy Manager

Symptoms:
When you go to "RSS Feed" configuration page for Document, Picture Library, List etc. and go back to SharePoint Dashboard using link at the top pointing to "RSS FEED for ..." and then click any option on the ribbon, you got "500 Internal Server Error" and ribbon stops working. When you use built-in browser button "go back" instead, everything works Ok.

Conditions:
"500 Internal Server Error" occurred. Ribbon stop working.

Impact:
Ribbon stop working.

Workaround:
Use built-in browser "go back" button instead.

Fix:
Returning to main menu from "RSS FEED for ...", ribbon continue to work. No more "500 Internal Server Error".


619158-1 : iRule DNS request with trailing dot times out with empty response

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS request takes about 20 seconds to respond and the response is empty.

Conditions:
An iRule uses RESOLV::lookup or NAME::lookup to resolve a domain name that ends with a dot.

Impact:
The request does not properly resolve to an IP address.

Workaround:
Strip the trailing dot from the domain name before calling RESOLV::lookup or NAME::lookup.

Fix:
Domain names with trailing dots are properly resolved from iRules. The trailing dot is stripped when the request is saved to later match with the response.


619110-1 : Slow to delete URLs, CPU spikes with Automatic Policy Builder

Component: Application Security Manager

Symptoms:
Deleting a URL causes an incorrect event to be generated and logged for every other URL in the Policy.

When a policy has many URLs configured, deleting a URL takes a long time and consumes heavy CPU time.

Conditions:
Many URLs are configured in the Policy.
This can be due to Policy Builder being set to "Always" learn new HTTP URLs.
If Policy Builder is also configured to collapse common URLs to wildcards, then it deletes the collapsed urls and these calls can be resource intensive.

Impact:
1) GUI is slow to delete URLs
2) Misleading (incorrect) logs are present in the audit log for each other URL in the system after a URL delete.
3) CPU can spike to 100%

Workaround:
A) Change "Learn New HTTP URLs" mode to "Selective" from "Always"
B) Disable collapse URLS.

Fix:
URL delete no longer incorrectly generates an event for every other URL in the system.


619097 : iControl REST slow performace on GET request for virtual servers

Component: TMOS

Symptoms:
Performing a GET request on a BIG-IP with a large number of virtual servers may result in slow performance and timeout errors.

Conditions:
When a significant number of virtual servers reference persistence profiles.

Impact:
Unable to perform large GET query on virtual servers.

Workaround:
None.

Fix:
Improved iControl REST performance for Performing a GET request on a BIG-IP with a large number persistence profiles on virtual servers.


619071-3 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disabled verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work
correctly together.


619060 : Reduction in boot time in BIG-IP Virtual Edition platforms

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) version has experienced increased boot time.

Conditions:
The increased boot time occurs each time a VE is booted.

Impact:
Long boot time, longer than previous releases.

Workaround:
None.

Fix:
Reduction in boot time in BIG-IP Virtual Edition platforms.


618957-1 : Certificate objects are not properly imported from external SAML SP metadata when metadata contains both signing and encryption certificates

Component: Access Policy Manager

Symptoms:
BIG-IP supports import of external SAML SP metadata to create SP-Connector objects. When such metadata file contains two certificates (one with 'signing' and one with 'encryption use) then BIG-IP will import certificate that is positioned 'second' in metadata twice.

Conditions:
Imported metadata contains two certificates with different use types: 'signing' and 'encryption'

Impact:
There is no impact if in metadata signing and encryption certificates are the same. If certificates are different - SAML SSO may not function properly due to incorrect certificate imported in configuration.

Workaround:
Import certificates manually, and assign them to created from metadata SAML SP connector

Fix:
Issue is now fixed: both certificates are imported correctly.


618944-1 : AVR statistic is not save during the upgrade process

Component: Application Visibility and Reporting

Symptoms:
All AVR statistics will be lost after upgrade from 12.1.0 or 12.1.1.

Conditions:
AVR statistic was collected on 12.1.0 or 12.1.1.
The BIG-IP was upgraded.

Impact:
Old AVR statistics will be lost

Workaround:
1. before upgrade edit the following file:
./usr/libdata/configsync/avr_save_pre
2. change the following line " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 $(is_provisioned asm) -eq 1 ] && "

with " [ $(is_provisioned avr) -eq 1 -o $(is_provisioned pem) -eq 1 -o $(is_provisioned afm) -eq 1 -o $(is_provisioned swg) -eq 1 -o $(is_provisioned asm) -eq 1 ] && "

Fix:
AVR upgrade script fixed


618905-1 : tmm core while installing Safenet 6.2 client

Component: Local Traffic Manager

Symptoms:
tmm core while installing Safenet 6.2 client.

Conditions:
Safenet 6.2 client installation

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm core related to Safenet 6.2 client installation.


618902-4 : PCCD memory usage increases on configuration changes and recompilation due to small amount of memory leak on each compilation

Component: Advanced Firewall Manager

Symptoms:
Each time the Packet Classification Compiler Daemon (PCCD) process recompiles rules due to configuration changes, it loses approximately 20 bytes or more (depends on the rule complexity) due to small memory leak.

Conditions:
This occurs when making changes to the firewall configuration when AFM is configured.

Impact:
This can potentially lead to an out-of-memory situation if the system runs for a long time without reboot and PCCD continuously recompiles due to frequent configuration changes.

Workaround:
None.

Fix:
The PCCD memory leak was identified and fixed.


618884-1 : Behavior when using VLAN-Group and STP

Component: Local Traffic Manager

Symptoms:
May not see ICMP response traffic when using Ping within the same VLAN when STP mode is configured.

Conditions:
-- STP mode is configured.
-- Ping is issued in the same VLAN.

Note: This issue is a constraint to soft switched platforms.

Impact:
May not see ICMP response traffic.

Workaround:
None.


618779-1 : Route updates during IPsec tunnel setup can cause tmm to restart

Component: TMOS

Symptoms:
During the setup of IPsec tunnel flows, tmm depends on a valid route being available towards a remote peer to correctly create the IPsec inbound tunnel flows. The absence of the route at this stage, causes tmm to crash and restart. This is more likely to happen if the route towards the endpoint is dynamic.

Conditions:
IPsec tunnels are being set up with a given remote peer and the route towards that peer is not reliably present (as is in the case of dynamic route updates)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure that there is always a valid route towards each of the remote peers.

Fix:
The tmm process no longer restarts if there is no valid route towards the remote peer during IPsec tunnel setup.


618771-1 : Some Social Security Numbers are not being masked

Component: Application Security Manager

Symptoms:
ASM does not block or mask some SSN numbers.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains social security numbers with specific ranges.

Impact:
The traffic passes neither masked nor blocked to the end client.

Workaround:
None.

Fix:
The system now correctly masks and/or blocks all relevant social security numbers.


618657-4 : Bogus ICMP unreachable messages in PEM with ipother profile in use

Component: Policy Enforcement Manager

Symptoms:
The ipother virtual server will send bogus ICMP unreachable messages caused by incorrect error handling in the PEM filter.

Conditions:
A VS with ipother profile configured together with the PEM profile. In the field defect the additional piece needed was the missing classification, but this is due to code ordering, so in non-fixed versions this can also happen with the classification profile present.

Impact:
Unnecessary ICMP traffic

Fix:
Fixed an issue related to unnecessary ICMP traffic in the PEM filter.


618656-2 : JavaScript challenge repeating in loop on Firefox when URL is longer than 1033 characters

Component: Application Security Manager

Symptoms:
The JavaScript challenge is repeating in a loop on Firefox on URLs which are longer than 1033 characters. The request never reaches the back-end server.
This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.

Conditions:
URLs are longer than 1033 characters, AND:
Users are using the Firefox browser, AND:
Either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.

Impact:
Requests to URLs longer than 1033 will be blocked on Firefox, and the browser will repeat the challenge in a loop.

Workaround:
None

Fix:
The JavaScript challenge no longer gets stuck in a loop on Firefox, on URLs which are longer than 1033 characters.


618549-1 : Fast Open can cause TMM crash CVE-2016-9249

Solution Article: K71282001


618517-1 : bigd may falsely complain of a file descriptor leak when it cannot open its debug log file; bigd stops monitoring

Solution Article: K61255401

Component: Local Traffic Manager

Symptoms:
- In v11.6.1, bigd reports pool members were marked down that are not actually down, and logs messages similar to the following in the ltm log file:

warning bigd[7413]: 01060154:4: Bigd PID 7413 throttling monitor instance probe because file descriptor limit 65436 reached.

- Because of changes in the v12.1.x software, although the problem is still present, it has negligible impact.

Conditions:
-- Monitoring is in use.
-- bigd debug logging is enabled.
-- The bigd debug log file (/var/log/bigdlog) is full.

Impact:
- On v11.6.1 this can cause bigd to stop monitoring, resulting in pool members being marked down erroneously.

- In v12.1.x, some of the underlying logging code changed, and there is no real impact.

Workaround:
Prevent the log file from getting full. To do so, rotate the log file using the following command:
logrotate -f bigdlog

Fix:
Stopped bigd from thinking it was out of file descriptors when it was unable to open its debug log file.


618506 : TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Component: Access Policy Manager

Symptoms:
TMM may core under certain conditions when APM is provisioned and access profile is attached to the virtual.

Conditions:
APM is provisioned and access profile is attached to the virtual.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Correctly handle session DB data in APM to prevent memory segmentation fault.


618430-2 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs


618428 : iRules LX - Debug mode does not function in dedicated mode

Component: Local Traffic Manager

Symptoms:
In case if the debug option is enabled in the dedicated mode, sometimes some of the nodejs process can be allocated a "in-use" port, which prevents it from starting successfully.
By design every process is guaranteed a debug port in the configured range as long as there are enough ports available in the system. In-use ports are skipped, so consecutive port allocation is not guaranteed.

Conditions:
some of the ports in the range are busy.

Impact:
Some of the nodejs processes fail to start which prevents normal iRuleLX operation.

Workaround:
Consult with netstat output and set the debug-port-range-low to a higher value (eg. 10000+) to minimise the change of a port conflict.


618421 : Some mass storage is left un-used

Component: TMOS

Symptoms:
It is intended that all mass storage capacity be available for use by application data, site-local configuration, or sofwtare. In some conditions, about 10% of the mass storage capacity is not made available for application data.

Conditions:
This occurs on the BIG-IP i-Series platforms.

Impact:
Applications that use a lot of storage may not function optimally.

Fix:
The storage is optimally reallocated.


618404-1 : Access Profile copying might be invalid if policies are named series of names.

Component: Access Policy Manager

Symptoms:
After copying an access policy, you receive an error when trying to open the copy: Unable to load accessPolicy '/Common/my_policy_access_1_1' from source.

In version 11.5.x, there was no name resolution, so this issue appeared only because of name truncation. Beginning in version 12.0.0, bot name resolution, truncation and _x reduction happen simultaneously.

Conditions:
When policies have with names ending with _1, _2, etc. For example, my_policy_access_1_1, my_policy_access_1_2, etc.

Impact:
Unable to copy the policy properly.

Workaround:
Export the policy, and then import it with reuse.

Fix:
Copying is fixed for these conditions.


618382-4 : qkview may cause tmm to restart or may take 30 or more minutes to run

Component: TMOS

Symptoms:
When taking a qkview on a heavily loaded BIG-IP device (with lots of connections) running 12.1.0 or 12.1.1, the qkview utility may take a very long time to complete (30+ minutes) or cause tmm to restart. This is due to a new qkview command that was added to gather a list of recent connections with the tmsh show sys connection command, which has a significant performance impact when run while the BIG-IP is heavily loaded.

Conditions:
This can occur on the following versions:

- 12.1.0 including 12.1.0 HF1 and 12.1.0 HF2
- 12.1.1 including 12.1.1 HF1

This can occur when the BIG-IP is heavily loaded and while running the qkview command.

Impact:
Qkview command can take an exceedingly long time to run (30+ minutes).
Traffic disrupted while tmm restarts.

Workaround:
Do not run the qkview command if the device is heavily loaded.

Fix:
Removed offending "show sys connection" command from qkview utility.


618324-1 : Unknown/Undefined OPSWAT ID show up as 'Any' in APM Visual Policy Editor

Component: Access Policy Manager

Symptoms:
When upgrading from OPSWAT SDK V3 to V4, opening Access Policy in VPE if one of the opswat checker (e.g. Anti-Virus checker) contains an Undefined (i.e. previously defined but out of support) ID it will display as "Any." The correct display should be "Unsupported" or "Invalid" product.

Conditions:
Wrongful information displayed.

Impact:
Wrongful information displayed.

Workaround:
N/A

Fix:
Correct (*** Invalid ***) information displayed.


618306-2 : TMM vulnerability CVE-2016-9247

Solution Article: K33500120


618263-1 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005


618261-6 : OpenSSL vulnerability CVE-2016-2182

Solution Article: K01276005


618254-4 : Non-zero Route domain is not always used in HTTP explicit proxy

Component: Local Traffic Manager

Symptoms:
You may experience connectivity failure in certain situations where a sideband communications are required as part of the transaction.

Conditions:
BIG-IP has http-explicit configuration, where a sideband connection is required, say in the case of getting an OCSP response or a DNS resolver response when those services are associated with a different route domain.

Impact:
End-to-end connectivity failure.

Workaround:
Change configuration so that all services required are on the default route domain, 0.


618185-1 : Mismatch in URL CRC32 calculation

Component: Fraud Protection Services

Symptoms:
In some cases URL CRC32 calculated by JS does not match referrer CRC32 calculated by Plugin.

Conditions:
Each one of next conditions cause this problem:
1. CRC32 calculated for URL with path parameters while strip_path_parameters BigDB variable value is 'true'.
2. CRC32 calculated for URL with a fragment (hashmark '#') in query string.

Impact:
A component validation alert is triggered as a result of mismatch between URL CRC32 calculated by JS and referrer CRC32 calculated by Plugin.

Workaround:
No workaround.

Fix:
strip_path_parameters BigDB variable value is passed to JS and JS URL normalization before CRC32 calculation is now similar to the one Plugin does.


618170-3 : Some URL unwrapping functions can behave bad

Component: Access Policy Manager

Symptoms:
Some URL unwrapping functions can behave incorrectly with different web application malfunctions as a result.

Conditions:
JavaScript with "location.pathname" like fields at the right side of an expression.

Impact:
Different web application malfunctions. One example is SharePoint 2010 using IE11, clicking the Edit button results in "Only secure content is displayed" at the bottom of the page.

Fix:
Fixed.


618161-1 : SSL handshake fails when clientssl uses softcard-protected key-certs.

Component: Local Traffic Manager

Symptoms:
SSL handshake fails when clientssl uses softcard-protected key-certs.

Conditions:
Softcard-protection is enabled and token protection is disabled.

Impact:
SSL handshake fails

Workaround:
None known.

Fix:
SSL handshake no longer fails when clientssl uses softcard-protected key-certs.


618121 : "persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Component: Local Traffic Manager

Symptoms:
"persist add" irule validation fails for RTSP_RESPONSE event on upgrade to v12.x.x

Conditions:
When the RTSP_RESPONSE event and "persist add" iRule are used and upgrade to v12.x.x.

Impact:
"persist add" iRule validation failed. The iRule will not be loaded.

Workaround:
possible workaround is to bypass validation

when RULE_INIT {
  set static::persist_cmd { persist add uie $SessionID $static::persist_timeout }
}

when RTSP_RESPONSE {
   set SessionID [RTSP::header value "Session"]
  if { $SessionID != "" }{
    #persist add uie $SessionID $static::persist_timeout
    eval $static::persist_cmd
  }
}


618106-1 : bigd core due to memory leak, especially with FQDN nodes

Solution Article: K74714343

Component: Local Traffic Manager

Symptoms:
The bigd daemon may core due to excessive memory consumption caused by a slow memory leak that occurs when creating or updating an LTM node or pool member.

This memory leak occurs much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.

Conditions:
The bigd memory leak occurs slowly with non-FQDN nodes/pool members, but much more quickly on BIG-IP v12.1.3.2 and earlier when using FQDN nodes/pool members with the 'autopopulate' feature enabled.

On BIG-IP v12.1.3.2 and earlier, an additional leak occurs each time an FQDN name is resolved for an FQDN node or pool member. The rate of the leak in this case is determined by the number of FQDN nodes/pool members configured with the 'autopopulate' feature enabled, and the FQDN name resolution interval (determined by the 'interval' setting of the 'fqdn' configuration for the FQDN node).

Impact:
The bigd daemon may core due to excessive memory consumption.

Workaround:
It is possible to work around this issue by one of the following methods:
1. Restart the bigd daemon before memory consumption becomes excessive. (Note that this may interrupt traffic to configured pool members.)

On BIG-IP v12.1.3.2 and earlier:
2. Configure a longer 'interval' value in the 'fqdn' configuration for configured FQDN nodes.
3. Configure FQDN nodes/pool members without the 'autopopulate' setting enabled.

Fix:
The bigd daemon no longer leaks memory when configuring an LTM node or pool member.


618024-2 : software switched platforms accept traffic on lacp trunks even when the trunk is down

Component: Local Traffic Manager

Symptoms:
On software switched platforms tmm owned LCAP trunks still accept traffic even though the trunk is down from the control plane ( LACP status down).

Conditions:
LACP trunk with status down

Impact:
VLAN failsafe timers are erroneous reset, VLAN failsafe is broken.

Workaround:
no workaround

Fix:
tmm now checks the link status on tmm owned lacp trunks before accepting traffic.


617986-2 : Memory leak in snmpd

Component: TMOS

Symptoms:
Memory usage in snmpd is increases until the OOM process kills snmpd.

Conditions:
BIG-IP configured with virtual servers that have the same destination IP address

Impact:
snmp disrupted while snmp restarts.

Workaround:
No workaround

Fix:
Fixed memory leaks.


617935 : IKEv2 VPN tunnels fail to establish

Component: TMOS

Symptoms:
IKEv2 VPN tunnels fail to establish.

Conditions:
This occurs with IKEv2 on a specific 12.1.2 HF1 engineering hotfix.

Impact:
IPsec IKEv2 VPN tunnels fail to establish.

Workaround:
Use IPsec IKEv1.

Fix:
IKEv2 VPN tunnels now establish as expected.


617901-1 : GUI to handle file path manipulation to prevent GUI instability.

Solution Article: K00363258


617865-1 : Missing health monitor information for FQDN members

Component: TMOS

Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.

Conditions:
FQDN nodes and pool members configured.

Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.

Workaround:
Check logs for this info.

Fix:
The system now exposes health monitors info/status and the GUI shows them in node properties page, pool member properties page, and monitor instances page.


617862-2 : Fastl4 handshake timeout is absolute instead of relative

Component: Local Traffic Manager

Symptoms:
TCP connections that are pending completion of the three-way handshake are expired based on the absolute value of handshake timeout. For example, if handshake timeout is 5 seconds, then the connection is reset after 5 seconds of receiving the initial SYN from the client.

Conditions:
A TCP connection in three-way handshake.

Impact:
Connections are expired prematurely if they are still in three-way handshake.

Workaround:
Disable handshake timeout.

Impact of workaround: Your TCP handshake will not prematurely timeout and connections remains open until the Idle Timeout expires.

Fix:
The handshake timeout now expires based on idleness of the connection, taking into consideration of any SYN retransmissions, etc., that might occur.


617858-2 : bigd core when using Tcl monitors

Component: Local Traffic Manager

Symptoms:
If a Tcl monitor encounters an error, it may exit with an assert which causes bigd to core.

Conditions:
This can occur rarely when Tcl monitors are in use (specifically, SMTP, FTP, IMAP, POP3 monitors).

Impact:
bigd can core, which temporarily suspends monitoring while bigd restarts.

Workaround:
None.

Fix:
Now, when a Tcl monitor encounters an error, it no longer exits with an assert, so bigd no longer cores.


617824-3 : "SSL::disable/enable serverside" + oneconnect reuse is broken

Component: Local Traffic Manager

Symptoms:
If "SSL::disable/enable serverside" is configured in an iRule and oneConnect is configured in the iRule or in the Virtual Server profile, BIG-IP may not receive the backend server's HTTP response for every client's HTTP Request.

Conditions:
1. "SSL::disable/enable serverside" exists in the iRule
2. OneConnect is configured in the iRule or in the VS profile
3. apply the iRule and oneConnect Profile to the VS.

Impact:
The oneConnect behavior is unexpected, and may not get the backend Server's HTTP response for every client's HTTP Request.

Workaround:
You can work around the problem by disabling oneConnect.


617733-1 : Error message: subscriber id response; Subscription not found

Component: TMOS

Symptoms:
BIG-IP restarts the icr_eventd process and generates a core file. You might see the following messages in the LTM log file:

-- err icr_eventd[4589]: 01a10003:3: Receive MCP msg failed: could not get subscriber id response, status: 0x1020046
-- err mcpd[4206]: 01070069:3: Subscription not found in mcpd for subscriber Id %icr_eventd.

Conditions:
Might be related to restarting a BIG-IP Virtual Edition installation.

Impact:
The icr_eventd process restarts, and the system produces a core file.

Workaround:
None.


617690-4 : enable SIP::respond iRule command to operate during MR_FAILED event

Component: Service Provider

Symptoms:
When an message fails to route, it is not possible to return an error status back to the client.

Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.

Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.

Workaround:
NA

Fix:
SIP::respond command now works during MR_FAILED event.


617688 : Encryption is not activated unless "real-time encryption" is selected

Component: Fraud Protection Services

Symptoms:
Encryption is not activated as expected

Conditions:
Encryption enabled
Real-time encryption disabled

Impact:
Encryption error alert received in alert server

Workaround:
Enable "real-time encryption"

Fix:
Encryption on submit is now supported better.


617648 : Surfing with IE8 sometimes results with script error

Component: Fraud Protection Services

Symptoms:
Slow devices running Internet Explorer 8 can suffer performance issues on websafe protected sites.

Conditions:
Slow device running Internet Explorer 8.
Large number of configured or updated malware signatures.

Impact:
Clientside slowness.
In extreme cases, a popup asking the user whether to stop the script.

Workaround:
Reduce the number of malware signatures

Fix:
Compressed signatures


617628-1 : SNMP reports incorrect value for sysBladeTempTemperature OID

Component: TMOS

Symptoms:
SNMP reports incorrect value for sysBladeTempTemperature OID, while TMSH reports the corresponding value correctly.

# snmpwalk -v2c -c public localhost .1.3.6.1.4.1.3375.2.1.3.2.4.2.1.2.8.1
F5-BIGIP-SYSTEM-MIB::sysBladeTempTemperature.8.1 = Gauge32: 4294967245

# tmsh show sys hardware

Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
...
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
...

The negative "Blade CPU #1 TControl Delta" temperature is being incorrectly reported as a large positive temperature by SNMP.

Impact:
A negative temperature may be incorrectly reported by SNMP as an impossibly high positive value.

Workaround:
Use tmsh show sys hardware to view blade temperatures. Negative temperatures are properly reported.

config # tmsh show /sys hardware
Sys::Hardware
Blade Temperature Status
  Slot Index Lo Limit(C) Temp(degC) Hi Limit(C) Location
  1 1 0 19 49 Blade air outlet temperature 1
  1 2 0 14 41 Blade air inlet temperature 1
  1 3 0 21 57 Blade air outlet temperature 2
  1 4 0 16 41 Blade air inlet temperature 2
  1 5 0 25 60 Mezzanine air outlet temperatur
  1 6 0 27 72 Mezzanine HSB temperature 1
  1 7 0 17 63 Blade PECI-Bridge local tempera
  1 8 0 -48 0 Blade CPU #1 TControl Delta tem
  1 9 0 25 68 Mezzanine BCM56846 proximity te
  1 10 0 22 69 Mezzanine BCM5718 proximity tem
  1 11 0 19 57 Mezzanine Nitrox3 proximity tem
  1 12 0 16 46 Mezzanine SHT21 Temperature


617622 : In TM Shell, saving the AAM configuration removes value from matching rule causing system configuration loading failure

Component: TMOS

Symptoms:
In TMSH, when trying to save the AAM configuration, TMSH removes value from matching rule. It corrupts bigip.conf and causes system loading configuration failure, with the following error in /var/log/ltm:

01070734:3: Configuration error: Policy "/Common/Drafts/<policy>", node "test_node", matching rule "path:Path": Must have a value.
Unexpected Error: Validating configuration process failed.

Conditions:
-- Use TM Shell to load configuration.
-- AAM configuration is loaded on BIG-IP and it is saved

Impact:
TMSH fails to load system configuration file.

Before the configuration save the policy would look like this:
matching {
  path {
    values {
      / { }
    }
  }
}

After the save it is converted to
matching {
  path { }
}

Workaround:
None.

Fix:
TMSH now saves AAM configuration without removing values from matching rules. Saving/loading system configuration succeeds.


617481-1 : TMM can crash when HTML minification is configured

Component: TMOS

Symptoms:
When AAM is provisioned and is used to cache dynamic pages, it can be configured to use HTML Minification to improve performance and optimize memory utilization. In some cases, HTML may incorrectly process the HTML code and cause TMM to crash.

Conditions:
1) AAM has to be provisioned and
2) AAM policy has to be configured and
3) has HTML minification enabled and
4) be applied to a virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disabling minification prevent TMM from crashing for this reason.


617391-1 : Custom ASM Search Engines causing sync, offline, and upgrade issues

Solution Article: K53345828

Component: Application Security Manager

Symptoms:
-- The Device sync status constantly shows 'Changes Pending' when a custom ASM Search Engine is added with a new Bot Name to an existing Search Engine name.

For example, the Yandex search engine is a built-in search engine with Bot Name 'Yandex'. When adding a custom search engine with the same name: 'Yandex', but a different Bot Name, for example: 'yandexbot', the issue occurs.

When the issue appears, the device sync status shows 'Changes Pending'. Running a config-sync brings the status to 'In Sync', but a few seconds later, the status again changes to 'Changes Pending'.

-- Adding a custom ASM Search Engine with Bot Name and Domain Name identical to an existing Search Engine reports an error message, but the Search Engine will be successfully added. The next time ASM is restarted, the device remains offline and ASM restarts indefinitely.

-- Adding a custom ASM Search Engine and then upgrading to a release that already includes it as a built-in Search Engine under a different name, causes ASM to restart indefinitely and the system to remain offline. For example: adding a custom Search Engine with Domain Name '.msn.com' and Bot Name 'msnbot' in 12.1.3.5 and then upgrading to 12.1.3.6 triggers this issue.

Conditions:
This issue occurs when any of the following sets of criteria are met:

-- Multiple devices are joined in sync-failover device-group and ASM sync is enabled, and a custom ASM Search Engine is added with a new Bot Name, for which there is an existing Search Engine Name.

-- Adding a custom Search Engine with a Bot Name and Domain Name identical to an existing Search Engine.

-- Upgrading to 12.1.3.6, and ASM sync is enabled. Note: Only 12.1.3.6 exhibits this behavior.

Impact:
-- Device sync status constantly shows 'Changes Pending'.

-- The custom ASM Search Engine might not be bypassed for JavaScript challenges that are sent as a result of either the Web Scraping Feature, or Device-ID. This applies also to standalone deployments.

-- System might remain offline while ASM is constantly restarting.

-- Upgrade might fail.

Workaround:
-- Add the custom ASM Search Engine under a new name. For example, if adding the 'yandexbox' search engine, then use the Search Engine name 'Yandex-yandexbot' instead of simple 'Yandex'.
-- Before upgrading, remove any custom Search Engines whose Bot Name and Domain Name is identical to an existing Search Engine after the upgrade.

Fix:
Adding custom ASM Search Engines no longer triggers sync, offline or upgrade issues.


617382-1 : Csyncd memory leak on multi-bladed systems

Component: Local Traffic Manager

Symptoms:
Csyncd memory use increases over time. The system might be logged to the ltm log if csyncd fails due to large size (larger than 2.2 GB):

err csyncd[8258]: 013b0004:3: Fatal error: fork failed.

Memory pressure may develop, leading to an increased use of swap, and the system may become sluggish and show other low-memory symptoms.

If memory pressure is severe, the Linux oom killer will likely terminate csyncd. On systems with more free memory, csyncd will terminate with a core file when it is above ~2.2 GB in size. In both cases csyncd automatically restarts.

Conditions:
Multi-bladed vCMP guest or VIPRION.

Impact:
Low free memory may lead to system instability.

If memory pressure is severe, the Linux oom killer will likely terminate csyncd. On systems with more free memory, csyncd will terminate with a core file when it is above ~2.2 GB in size. In both cases csyncd automatically restarts.

Workaround:
Restart csycnd on all blades to free the memory it has in use:

clsh bigstart restart csyncd

This is typically not service-affecting.

Fix:
Memory leak identified and fixed.


617310-2 : Edge client can fail to upgrade when Always Connected is selected

Component: Access Policy Manager

Symptoms:
Attempt to upgrade from an Edge client version to a current version fails when Always Connected is enabled

Conditions:
Always Connected is selected in BIG-IP when upgrading the client.

Impact:
Upgrade fails. Must turn off Always Connected to upgrade client.

Workaround:
Turn off Always Connected before upgrading.

Fix:
Edge client now succeeds during upgrade when Always Connected is selected.


617273-7 : Expat XML library vulnerability CVE-2016-5300

Solution Article: K70938105


617229-1 : Local policy rule descriptions disappear when policy is re-saved

Solution Article: K54245014

Component: TMOS

Symptoms:
Local policy rule descriptions disappear when policy is re-saved.

Conditions:
A rule with description exists, and the policy it's under is saved.

Impact:
An existing rule description disappears when the policy it's under is saved.

Workaround:
Use TMSH to modify the policy's properties.

Fix:
Local policy rule descriptions now remain visible when policy is re-saved.


617187-1 : APM CustomDialer can't connect to APM server with invalid/untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
If APM server uses untrusted SSL certificate/or it is accessed using IP address CustomDilaer, access is refused and there is no prompt to confirm the security warning.

Conditions:
APM has invalid certificate
User uses CustomDialer to access VPN

Impact:
VPN connection can't be established

Workaround:
Use valid SSL certificate on APM or add particular invalid certificate to trusted store on Windows

Fix:
Now CustomDialer warns user about invalid certificate and allows to proceed with invalid certificate.


617124 : Cannot map hardware type (12) to HardwareType enumeration

Component: TMOS

Symptoms:
iControl-SOAP throws an error whenever a method call to SystemInfo::get_hardware_information() is made.

Conditions:
This is reproducible in under all conditions.

Impact:
iControl-SOAP crashes when this call is made.

Workaround:
Don't call this SystemInfo::get_hardware_information().

Fix:
Call this method no longer leads to a crash.


617063-1 : After VPN tunnel established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel

Component: Access Policy Manager

Symptoms:
After VPN tunnel is established, if network is switched and a Captive Portal is present in the new network, EdgeClient fails to re-establish VPN tunnel.

Conditions:
VPN tunnel is established. Place the computer in hibernation. Resume from hibernation and connect to a new network where a Captive Portal is present, e.g. Starbucks.

Impact:
EdgeClient may show an error page for captive portal or stay in Reconnecting state for extended period. Disconnect button may not be responsive.

Fix:
If captive portal is detected during reconnect, close VPN resources before showing captive portal authentication page.


617014-3 : tmm core using PEM

Component: Policy Enforcement Manager

Symptoms:
tmm core when using PEM with cloning monitored traffic

Conditions:
Using PEM with iRules and cloning traffic

Impact:
Traffic disrupted while tmm restarts.

Fix:
The problem with PEM and cloning traffic via iRule has been corrected.


617002-1 : SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Component: Access Policy Manager

Symptoms:
SWG with Response Analytics agent in a Per-Request policy fails with some URLs

Conditions:
Response analytics agent is added to per-request policy and per-request policy is attached to the virtual. APM and SWG are provisioned and licensed.

Impact:
Client might receive resets for some URLs when response analytics doesn't function correctly.

Workaround:
Remove response analytics agent from the per-request policy and perform categorization based only on URLs.

Fix:
Correctly handle the response analytics for these URLs and dont send resets to client.


616918-1 : BMC version 2.50.3 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to BMC version 2.50.3.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- PXE boot.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains BMC version 2.50.3 which includes support for PXE boot on the following BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.


616864-1 : BIND vulnerability CVE-2016-2776

Solution Article: K18829561


616838-3 : Citrix Remote desktop resource custom parameter name does not accept hyphen character

Component: Access Policy Manager

Symptoms:
While adding the custom parameter in Citrix Resource would give parser error as following,

01070734:3: Configuration error: apm resource remote-desktop /Common/ctx_resource: Parse error on line 1: DesktopViewer-ForceFullScreenStartup=On"

Conditions:
Having Citrix resource with custom parameter name with hyphen character

Impact:
Custom parameter can not be used with hyphen character

Workaround:
None

Fix:
Accept custom parameter name with hyphen character


616242-3 : basic_string::compare error in encrypted SSL key file if the first line of the file is blank

Solution Article: K39944245

Component: TMOS

Symptoms:
Trying to load a configuration that references an encrypted SSL key file may fail if the first line of the SSL key file is blank. When this occurs, the system will report a vague error message:

    01070711:3: basic_string::compare

If this happens during an upgrade, the system will not load the configuration under the new software version, and will remain inoperative.

Conditions:
This can occur if an affected configuration is present on a system running BIG-IP v11.3.0 or earlier, and is upgraded to BIG-IP v11.4.0 through v12.1.1.

Impact:
Configuration fails to load on upgrade with extremely unhelpful error message, and absolutely no indication as to what file was being processed at the time (or that this relates to a filestore file).

Workaround:
Remove the newlines at the beginning of any SSL key files that begin with a newline. During an upgrade scenario, edit the files in the filestore.


616215-4 : TMM can core when using LB::detach and TCP::notify commands in an iRule

Component: Local Traffic Manager

Symptoms:
TMM cores when running an iRule that has the LB::detach command before the TCP::notify command.

Conditions:
A virtual server with an iRule that has the LB::detach command executed before the TCP::notify command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the combination of the TCP::notify and LB::detach commands.

Fix:
TMM no longer cores in this instance.


616169 : ASM Policy Export returns HTML error file

Component: Application Security Manager

Symptoms:
When attempting to export an ASM Policy the resulting file contains an HTML error page.

Conditions:
It is not known what triggers this condition.

Impact:
Unable to export ASM Policies.

Workaround:
Delete all files in /ts/dms/policy/upload_files/. All files are transient and can safely be deleted.

Fix:
Permissions are now explicitly set on exported ASM Policies so the GUI PHP process can successfully download it.


616161-1 : BD process crash and restarts

Component: Application Visibility and Reporting

Symptoms:
bd restarts and generates a core file. bd.log contains messages similar to the following:
-- BD_MISC|ERR ... BD shrinking...,going down - BD will be right back.
-- BD_MISC|CRIT ... Received SIGSEGV - Core Dumping.

Conditions:
The virtual server has a Security Policy and there is a heavy load of traffic.

Note: This is a rare race condition case that might occur occasionally when the system is under heavy stress.

Impact:
bd restarts, causing a halt to traffic for few seconds.

Workaround:
None.

Fix:
Race condition has been fixed.


616104-2 : VMware View connections to pool hit matching BIG-IP virtuals

Component: Access Policy Manager

Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.

Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.

Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.

Workaround:
None.

Fix:
All the connections to VMWare View pool members now go directly without hitting matching BIG-IP virtual servers.


616059-1 : Modifying license.maxcores Not Allowed Error

Solution Article: K19545861

Component: TMOS

Symptoms:
Your sync-failover device group status says 'Sync Failed' and reports the following error in Device Management :: Overview: Sync error on <device name>: Load failed from /Common/BIG-IP1 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

Conditions:
-- Non-homogeneous Virtual Edition (VE) configured with different licenses in a device group, or with hardware-based BIG-IP systems.
-- License variable perf_VE_cores is different among licenses.

Impact:
The device group fails to sync.

Workaround:
If you are using VEs in a device group, ensure that their licenses are the same.

Fix:
The license variable perf_VE_cores no longer syncs, so there is no error message.


616022-2 : The BIG-IP monitor process fails to process timeout conditions

Solution Article: K46530223

Component: Local Traffic Manager

Symptoms:
Pool members that are down are not marked down by the monitor. The BIG-IP system continues to attempt to monitor the object.

Conditions:
It is not known exactly what triggers this condition. It was encountered on an HTTPS monitor.

Impact:
Incorrect monitor state. Pool members may not be marked down even though the target pool-member is down.

Workaround:
No known workaround.

Fix:
The monitor process no longer inadvertently skips processing monitor timeouts and correctly marks monitored objects down.


616008-3 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.


615970-1 : SSO logging level may cause failover

Component: Access Policy Manager

Symptoms:
SSO logging level may cause failover.

Conditions:
SSO logging level set to "Debug".

Impact:
TMM may crash. Core file may be generated.

Workaround:
Lower the SSO log level from "Debug" to either "Info" or "Notice".

Fix:
The SSO logging level of "Debug" no longer causes failover.


615934-1 : Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in key/certificate management iControl functions is ignored and might result in errors.

Conditions:
If there is an existing key/certificate, and the key/certificate management iControl functions are used to overwrite the key/certificate by setting the overwrite flag, the flag is ignored, and an error is returned.

Impact:
Key/certificate overwrite using iControl operations might fail.

Fix:
The fix honors the overwrite flag, so that the key/certificate is overwritten when the flag is set to true.


615824-1 : REST API calls to invalid REST endpoint log level change

Component: iApp Technology

Symptoms:
In Big-IP 12.x versions before 12.1.2 invalid requests to a REST endpoint were being recorded in the FINE level logs, making it difficult to audit when an invalid request to a REST endpoint was coming in. In version 12.1.2, the log level was changed to INFO so that these messages are more easily consumed by users attempting to audit the log.

Conditions:
Any request made to an invalid REST endpoint will trigger a log message at the FINE level indicating that a request came in to an invalid REST endpoint.

Impact:
Auditing the REST Framework logs is more difficult, requiring you to look at messages logged at the FINE level.

Workaround:
Users can increase the log level of the REST Framework to FINE by making the following change to the file '/etc/restjavad.log.conf':

Before:
.level=FINE
After:
.level=INFO

Fix:
This message is included in the INFO log level on BIG-IP v12.1.2.


615432-1 : Multiple TFTP data transfers cannot be initiated in a single session

Component: Carrier-Grade NAT

Symptoms:
Multiple TFTP data transfers cannot be initiated in a single session.

Conditions:
Virtual server with TFTP profile is configured to handle TFTP traffic.

Impact:
Multiple TFTP data transfers cannot be initiated in a single session.

Workaround:
There is no workaround at this time.

Fix:
Multiple TFTP data transfers can be initiated in a single session


615388-1 : L7 policies using normalized HTTP URI or Referrer operands may corrupt memory

Component: Local Traffic Manager

Symptoms:
TMM may restart when using a L7 policy that contains the 'normalized' keyword for HTTP URI or Referrer operands.

Conditions:
Normalized HTTP URI or Referrer operands used in L7 policies.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
No workaround short of removing use of normalization for HTTP URI and Referrer instances in L7 policies.

Fix:
Use of URI or Referrer normalization in L7 policies no longer results in memory corruption.


615377-3 : Unexpected rate limiting of unreachable and ICMP messages for some addresses.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might fail to send RSTs, ICMP unreachable, or ICMP echo responses for some addresses.

/var/log/ltm might contain messages similar to the following:
-- Limiting icmp unreach response from 251 to 250 packets/sec.
-- Limiting icmp ping response from 251 to 250 packets/sec.
-- Limiting closed port RST response from 251 to 250 packets/sec.

Conditions:
Certain traffic patterns to addresses in two or more different traffic-groups.

Impact:
Certain response messages from addresses in one or more traffic-groups (but not all) might be rate limited by the BIG-IP system even though the level of traffic has not exceeded the tm.maxrejectrate setting.

Workaround:
None known.

Fix:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
  warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
  warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.

Behavior Change:
The rate limiting messages in the ltm log will now include the name of the traffic group that is being rate limited.

Example old log message:
  warning tmm[6167]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec.
Example new log message:
  warning tmm[19109]: 011e0001:4: Limiting icmp ping response from 251 to 250 packets/sec for traffic group /Common/traffic-group-1.


615338-2 : The value returned by "matchregion" in an iRule is inconsistent in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
The value returned by "matchregion" in an iRule is inconsistent when the GTM global setting, "cache-ldns-servers", is set to "yes" and the region contains a region, continent, country, state, or ISP.

Conditions:
The GTM global setting, "cache-ldns-servers" must be set to "yes" and the region must contain a region, continent, country, state, or ISP.

Impact:
The value returned by "matchregion" in an iRule is inconsistent and may lead to inconsistent behavior in the iRule.

Workaround:
Set the GTM global setting, "cache-ldns-servers" to "no".

Fix:
"Matchregion" returns the correct value under all conditions.


615269-1 : CVE-2016-2183: AFM SSH Proxy Vulnerability

Solution Article: K13167034


615267-2 : OpenSSL vulnerability CVE-2016-2183

Solution Article: K13167034


615254-2 : Network Access Launch Application item fails to launch in some cases

Component: Access Policy Manager

Symptoms:
If access policy has multiple network resources with application launch configured, applications will launch only from first network resource.

Conditions:
Multiple Network access resources are configured with application launch.

Impact:
Applications will launch only from first network resource. Applications will not launch for other network resources

Workaround:
Launch applications manually after VPN is established.

Fix:
Applications from all network resources are now detected and launched correctly.


615226-5 : Libarchive vulnerabilities: CVE-2016-8687 and others

Solution Article: K13074505


615222-1 : GTM configuration fails to load when it has GSLB pool with members containing more than one colon character

Solution Article: K79580892

Component: Global Traffic Manager (DNS)

Symptoms:
The user configuration set (UCS) configuration file may fail to load due to the global server load balancing (GSLB)-referenced virtual server name syntax. The system posts errors similar to the following:

01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have configured your BIG-IP DNS system (formerly known as BIG-IP GTM) with a virtual server name that includes the colon (:) character.
-- The virtual server is included as a GSLB pool member.
-- You save the configuration to a UCS file.
-- You attempt to load the UCS configuration file.

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.

Fix:
Fixed issue related to parsing of GTM Pool member names that prevents the use of GTM virtual servers or GTM servers with a colon (:) in the name from being used as a GTM pool member.


615143-1 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.

Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.

Impact:
Return traffic from destination may not be able to return to the BIG-IP, thus breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.

Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.


615107-1 : Cannot SSH from AOM/SCCP to host without password (host-based authentication).

Component: TMOS

Symptoms:
Issuing commands from the AOM/SCCP menu to the host do not function, or password is required when SSH from AOM/SCCP to the host.

Conditions:
Presence of /etc/ssh directory on host.

Impact:
AOM/SCCP unable to connect to host without password.

Workaround:
None.

Fix:
Can now SSH from AOM/SCCP to host without password (host-based authentication).


615097-1 : Incorrect use of HTTP::collect leads to TMM core.

Component: Local Traffic Manager

Symptoms:
Incorrect use of HTTP::collect leads to TMM hang. Watchdog kills TMM on timeout leading to core.

Conditions:
If the iRule requests non-incremental HTTP::collect or amount greater than content-length when the whole-body has already been received, then this leads to TMM hang.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Add an HTTP::release after the HTTP::payload instruction;
Or
Use incremental HTTP::collect commands.

Fix:
HTTP state machine was modified to handle non-incremental collects and condition where whole body has been received when the collect is issued.


614891-2 : Routing table doesn't get updated when EDGE client roams among wireless networks

Component: Access Policy Manager

Symptoms:
Clients using the EDGE client report that they are unable to reach the VPN when they switch wifi networks.

Conditions:
This is triggered when a device running the EDGE client is on a wifi network, then roams to another wifi network that has a different default route.

Impact:
Clients have an incorrect route to the VPN and are forced to re-connect.


614865-5 : Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Component: TMOS

Symptoms:
Overwrite flag in iControl functions key/certificate_import_from_pem functions is ignored and might result in errors.

Specifically, the functions are:
key_import_from_pem()
certificate_import_from_pem()
key_import_from_pem_v2()
certificate_import_from_pem_v2()

Conditions:
When there is an existing key or certificate on the BIG-IP system, and you want to overwrite them using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls, it results in errors stating that the key or certificate already exists on the BIG-IP system.

Impact:
Cannot overwrite the key/certificate file-objects using these iControl calls.

Workaround:
There are two workarounds:
- Delete and import the key/certificate using key_import_from_pem(), certificate_import_from_pem(), key_import_from_pem_v2(), or certificate_import_from_pem_v2() iControl calls.

- Use key_import_from_file and certificate_import_from_file iControl calls as an alternative to import key/certificate from a file.

Fix:
Overwrite flag in iControl functions key/certificate_import_from_pem_v2() functions are now processed correctly and no longer produce errors.


614788-1 : zxfrd crash due to lack of disk space

Component: Global Traffic Manager (DNS)

Symptoms:
It is possible that the zone transfer daemon (zxfrd) can crash if the /var disk partition fills up and zxfrd needs to increase the size of its database.

Conditions:
DNS Express configured
Full /var partition
Changes to the zone database require more space to be allocated for zxfrd.

Impact:
zxfrd may crash and restart. This process may repeat depending on the need for space on restart.

Workaround:
Free up space in the /var partition.

Fix:
zxfrd now correctly handles the out of space condition.


614766-1 : lsusb uses unknown ioctl and spams kernel logs

Component: TMOS

Symptoms:
RHEL6 version of lsusb and associated libusb1 libraries
are using an ioctl that isn't properly supported by the kernel in the 32-bit syscall path.

Conditions:
RHEL6 version of lsusb and associated libusb1 libraries.

Impact:
Spamming of kernel logs.

Workaround:
None.

Fix:
kernel.el6.5: fix missing ia32 compat mapping for USBDEVFS_GET_CAPABILITIES.


614730-1 : Session opening log shows incorrect number of challenged responses.

Component: Application Security Manager

Symptoms:
Session opening log shows the incorrect number of challenged response.

Conditions:
Session opening is configured to mitigate session opening attack by client-side challenges.

Impact:
The log viewed contains incorrect values.

Workaround:
None.

Fix:
Fixed a reporting issue with the session opening client-side challenges.


614702-1 : Race condition when using SSL Orchestrator can cause TMM to core

Solution Article: K24172560

Component: Local Traffic Manager

Symptoms:
A race condition you encounter when you use the F5 Herculon SSL Orchestrator system can cause the Traffic Management Microkernel (TMM) to restart.

Conditions:
Running the F5 Herculon SSL Orchestrator system with large numbers of connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the race condition so that TMM does not restart.


614563-3 : AVR TPS calculation is inaccurate

Component: Application Security Manager

Symptoms:
The TPS that AVR calculates for DoS is 11% more than the real TPS.

Conditions:
DoS profile attached to the virtual server.

Impact:
Attack can wrongly be detected.

Workaround:
None.

Fix:
TPS that AVR calculates for DoS now reflects the actual TPS.


614530-2 : Dynamic ECMP routes missing from Linux host

Component: TMOS

Symptoms:
When an ECMP route is learned via dynamic routing, it is not added to the Linux host and local processes may not be able to reach the destination prefix. Load balanced traffic is not affected.

Conditions:
Dynamic routing in use, ECMP configured, ECMP route received from neighbors.

Impact:
Monitors may fail, other host-originated traffic may be sent out the wrong interface or nowhere at all.

Workaround:
Disable ECMP in ZebOS by setting "maximum-paths 1" in imish.

Fix:
ECMP routes are correctly added to the Linux host.


614509-1 : iRule use of 'all' keyword with 'class match' on large external datagroups may result in TMM restart

Component: Local Traffic Manager

Symptoms:
When the 'all' keyword is used with 'class match' on large external datagroups, the results will be incorrect and may result in TMM restarting.

Conditions:
iRule utilizing 'all' keyword with 'class match' on large external datagroups. A more unusual case is external datagroups with the tmm.classallocatemetadata bigdb entry set to the non-default 'disable' value.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No reasonable workaround short of not using 'all' keyword with 'class match' in iRules.

Fix:
'all' keyword with 'class match' now returns the correct results and TMM does not restart.


614486-1 : BGP community lower bytes of zero is not allowed to be set in route-map

Component: TMOS

Symptoms:
The bgpd process does not accept community attributes that contain values of the form ASN:0.

Conditions:
set the BGP community value to a value of form ASN:0

Impact:
if you attempt to configure a BGP daemon community attribute with a value of the form ASN:0, the system does not set the community value. This could also impact upgrading from the old versions to the version that doesn't support community values of the form ASN:0.

Workaround:
None

Fix:
BGP community can be set to values of the form ASN:0.


614441-4 : False Positive for illegal method (GET)

Solution Article: K04950182

Component: Application Security Manager

Symptoms:
False Positive for illegal method (GET) and errors in BD log on Apply Policy:
----
ECARD|ERR |Sep 04 07:38:47.992|23835|table.h:0287|KEY_REMOVE: Failed to REMOVE data
----

Conditions:
This was seen after upgrade and/or failover.

Impact:
-- False positives.
-- BD has the incorrect security configuration.

Workaround:
Run the following command: restart asm.


614322-1 : TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway

Solution Article: K31063537

Component: Access Policy Manager

Symptoms:
TMM might crash during handling of RDG-RPC connection when APM is used as RD Gateway.

Conditions:
RDP client uses RDG-RPC protocol to connect via APM's RD Gateway implementation.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed TMM crash, which occurred during RDG-RPC protocol handling.


614296-1 : Dynamic routing process ripd may core

Component: TMOS

Symptoms:
As a result of a known issue the dynamic routing protocol daemon ripd, used for the RIP protocol may produce a core file when configuring it to use a interface configured with multiple self IP addresses on different subnets on the same VLAN.

Conditions:
- Use the RIP dynamic routing on an affected version.
- Have multiple self IP addresses belonging to different subnets on the same VLAN
- Add one of the subnets with the network command within the "router RIP" stanza.

Impact:
ripd will core and the configuration will not be allowed.

Workaround:
Configure one subnet/self IP address per VLAN.

Fix:
ripd no longer cores when configured with multiple subnets on the same VLAN.


614284-2 : Performance fix to not reset a data structure in the packet receive hotpath.

Component: Advanced Firewall Manager

Symptoms:
No symptoms. This is a performance fix.

Conditions:
This will happen always in the packet receive hotpath.

Impact:
No impact. Without this fix BIG-IP could have 0.5% (hard to measure) performance impact.

Workaround:
No workaround.

Fix:
Made an optimization to the packet receive hotpath.


614180-1 : ASM is not available in LTM policy when ASM is licensed as the main active module

Component: TMOS

Symptoms:
ASM is not available in LTM policy rule creation when ASM is licensed as the main active module

Conditions:
ASM is licensed as the main active module

Impact:
ASM is not available in LTM policy rule creation

Workaround:
Use a license that has ASM as a sub-module. For example, LTM with Best Bundle.

Fix:
Fixed license data parsing so that the main module is also included in the license map used to determine whether a module is licensed or not.


614147-1 : SOCKS proxy defect resolution

Solution Article: K02692210


614097-1 : HTTP Explicit proxy defect resolution

Solution Article: K02692210


613765-3 : Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Component: TMOS

Symptoms:
Creating 0.0.0.0:0 Virtual Server in TMUI results in slow-loading virtual server page and name resolution errors.

Conditions:
When a virtual server with a destination address of 0.0.0.0:0 is in the list, sorting the list is slow because of extra name resolution performed.

Impact:
Degraded user experience waiting for the extra logic and misleading error in logs.

Workaround:
None.

Fix:
Creating 0.0.0.0:0 Virtual Server in TMUI no longer results in slow-loading virtual server page and name resolution errors.


613728-1 : Import/Activate Security policy with 'Replace policy associated with virtual server' option fails

Component: Application Security Manager

Symptoms:
Visible errors in the BIG-IP Configuration utility:

-- MCP Validation error - 01071abb:3: Cannot create/modify published policy '/Common/<ltm_policy_name>' directly, try specifying a draft folder like '/Common/Drafts/<ltm_policy_name>'.

-- MCP Validation error - 01071726:3: Cannot deactivate policy action '/Common/<asm_policy_name>'. It is in use by ltm policy '/Common/<asm_policy_name>'.

Conditions:
-- ASM provisioned.

-- Having an active Security policy 'A' assigned to an LTM L7 Policy 'L'.

-- Import/Activate Security policy 'B' with the option 'Replace policy associated with virtual server' enabled, to replace security policy 'A'.

Impact:
Security Policy is activated but not assigned to the LTM policy.

Workaround:
Run the following command prior to the Import/Activate of a Security policy action:
---------
# tmsh modify ltm policy L legacy
---------

Fix:
The process of importing/activating a Security policy now correctly replaces an existing policy, when the option 'Replace policy associated with virtual server' is enabled.


613671-2 : Error in the Console, when configured nonexistent parameter with Encryption and Obfuscation

Component: Fraud Protection Services

Symptoms:
Wrong handling of nonexistent parameter configured with Encryption and Obfuscation

Conditions:
nonexistent parameter configured with Encryption and Obfuscation

Impact:
Error in console

Fix:
Ignore nonsexist parameter


613618-1 : The TMM crashes in the websso plugin.

Component: Local Traffic Manager

Symptoms:
The TMM core and plugins operate asynchronously. A connection may abort and the TMM may deallocate connection context before the plugin has finished processing asynchronous events. The TMM crashes when a plugin accesses deallocated connection context.

Conditions:
Events raised during normal use of the sessiondb store may be processed after the connection context has been deallocated.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM will no longer crash.


613613-2 : Incorrect handling of form that contains a tag with id=action

Component: Access Policy Manager

Symptoms:
In some cases, a form with an absolute path in the action is handled incorrectly in Internet Explorer (IE) versions 7, 8, and 9. The resulting action path is wrong and the form cannot be submitted.

Conditions:
This issue occurs under these conditions:
-- HTML Form with absolute action path.
-- A tag with id=action inside this form.
-- A submit button in the form.
-- IE versions 7 through 9.

Impact:
The impact of this issue is that the web application can not work as expected.

Workaround:
This issue has no workaround at this time.

Fix:
Forms with absolute action paths and tag with id=action inside are handled correctly.


613576-1 : QOS load balancing links display as gray

Component: Global Traffic Manager (DNS)

Symptoms:
All links in all data centers appear gray. After this patch all link appear to be green and the functional of load balancing to the first available link in each pool is restored.

Conditions:
This bug only affects devices licensed after 9/1/2016 which contain the gtm_lc: disabled field.

Impact:
Any GTM/LC devices licensed after 9/1/2016 and using links as part of their configuration will have the links reported as gray.

Workaround:
Remove all ilnks from configuration or install this hotfix.


613536-5 : tmm core while running the iRule STATS:: command

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED


613524-3 : TMM crash when call HTTP::respond twice in LB_FAILED

Component: Local Traffic Manager

Symptoms:
TMM core-dumps when these conditions are met:
- LB_FAILED event
- irule script must use a "delay" (parked) statement together with two HTTP::respond statements.

Conditions:
- LB_FAILED event must be triggered by good IP address and bad port so that the serverside connflow is establish. you will not see this bug if no pool member is used or invalid IP address is used.
- irule script must use a "delay" (parked) statement. the delay together with http response creates the right timing for the client side connflow to go away while proxy is pushing Abort event down to both clientside and serverside.

Impact:
Traffic disrupted while tmm restarts.

Fix:
This fix rectifies the problem.


613509-1 : platforms using RSS DAG hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve

Solution Article: K49101035

Component: TMOS

Symptoms:
The BIG-IP system running RSS DAG hash attempts to reuse ports while pool members remain in a TIME_WAIT state and are unable to process new connections.

Conditions:
This issue occurs when all of the following conditions are met:

-- You are running on a BIG-IP platform using RSS DAG hash, for instance, z100 and 2000 or 4000 series hardware platform.
-- You have the FastL4 profile associated with a virtual server.
-- The virtual server is configured with source-port preserve.

Impact:
Traffic throughput may be degraded.

Workaround:
Set source-port to change.

Fix:
Platforms running RSS DAG hash now reuse source port at the correct rate when virtual server sets source-port preserve.


613476-2 : IKEv1 racoon daemon delayed timer use of ike-peer (rmconf) after deletion

Component: TMOS

Symptoms:
The IKEv1 racoon daemon can crash and restart when a v1 ike-peer is removed entirely from the config, or simply changed from v1 to v2.

Conditions:
When you remove an ike-peer whose version is v1, including any change from version v1 to v2 (since this has the effect of changing who handles that peer from the racoon daemon to tmm).

Impact:
IKEv1 racoon daemon restart that causes tunnel outage until re-established by future traffic.

Workaround:
None.

Fix:
Validity of a v1 ike-peer inside the racoon daemon is more carefully checked. This release also prevents stale references from old security associations when a peer is removed.

Note: A peer can be removed by complete erasure, or by changing the version to v2 so the IKEv1 racoon daemon no longer handles it.


613459-1 : Non-common browsers blocked by Proactive Bot Defense

Component: Application Security Manager

Symptoms:
Some non-common browsers may get blocked by the Proactive Bot Defense feature. This has been seen in rare cases, and causes these browsers to remain in a white page while the request is not being sent to the back-end server.

Conditions:
Proactive Bot Defense enable on the DoS profile.

Impact:
In rare cases, some non-common browsers may get blocked.

Workaround:
None

Fix:
Non-common browsers no longer get blocked when Proactive Bot Defense is enabled.


613429-2 : Unable to assign wildcard wide IPs to various BIG-IP DNS objects.

Component: Local Traffic Manager

Symptoms:
Assigning a wide IP with wildcard characters in the name to a DHS distributed application may not work properly when done via tmsh, and such configurations created via the GUI will result in configuration files that fail to load.

Conditions:
A wide IP with a wildcard character in its name.

Impact:
Unable to assign wide IP to BIG-IP DNS distributed-app.

Workaround:
None.

Fix:
Fixed issue preventing wide IPs to be assigned to BIG-IP DNS distributed apps if those wide IPs have a wildcard character in their name.


613415-2 : Memory leak in ospfd when distribute-list is used

Solution Article: K22750357

Component: TMOS

Symptoms:
Memory might be leaked when a distribute-list is used to filter routes between OSPFv2 and the Routing Information Base (RIB). The leak may lead to a the daemon being terminated via the oom-killer.

Conditions:
OSPFv2 in use with a distribute-list, and Link State Advertisements (LSAs) in the database whose prefixes will be filtered by the distribute-list.

Impact:
ospfd may leak memory until the system terminates the process via the oom-killer.

Workaround:
Position the BIG-IP system in the network so there are no LSAs that need to be filtered using a distribute-list, such as in a stub area.

Fix:
ospfd no longer leaks memory when a distribute-list is configured.


613396-1 : Invalid XML Policy Exported for Policies with Metachar Overrides on Websocket URLs

Component: Application Security Manager

Symptoms:
Exported Policy in XML format cannot be imported.

Conditions:
Metacharacter overrides are defined on a Websocket URL in the policy.

Impact:
Exported XML policies cannot be imported back into the system without manual manipulation

Workaround:
If such a policy has already been exported only manual manipulation would allow it to be imported again.

Fix:
Policy export now correctly creates valid XML Policies for configurations with metachar overrides configured on Websocket URLs.


613373-2 : Access may be denied to users with Application Editor role when accessing SAML Authentication Context UI page

Component: Access Policy Manager

Symptoms:
When accessing the SAML Authentication Context UI page with application editor user role, the following error will be displayed:
Read Access Denied: user (username) type (SAML authentication context classes list)

Conditions:
User attempting to view the page belongs to application editor group/role

Impact:
SAML Authentication Context UI page will not display existing objects

Workaround:
SAML Authentication Context UI page will still show existing object for users with administrative role.

Fix:
With the fix, no errors will be shown to users with Application Editor role when accessing SAML Authentication Context UI page


613369-4 : Half-Open TCP Connections Not Discoverable

Component: Local Traffic Manager

Symptoms:
New TCP connection requests are reset after a specific sequence of TCP packets.

Conditions:
A TCP connection in half-open state.

Impact:
Half-open TCP connections are not discoverable

Fix:
Properly acknowledge half-open TCP connections.


613326-1 : SASP monitor improvements

Component: Local Traffic Manager

Symptoms:
A SASP monitor created in versions earlier than 13.0.0 might exhibit problems in certain situations, such as:
-- Attempting to connect multiple times with GWM pairs.
-- Dropping and reconnecting frequently with GWM pairs.
-- Problematic behavior with mixed Push/Pull workgroups on the same GWM.
-- Overly-chatty use of the SASP protocol when establishing/reestablishing connections.
-- Marking pool members down during GWM switch-over.
.-- Inability to handle many hundreds of workgroups/workloads

Conditions:
Using versions of the SASP monitor created in versions earlier than 13.0.0.

Impact:
Might cause flapping pool members or unstable pools.

Workaround:
None.

Fix:
A significantly improved SASP monitor has been developed in version 13.0.0. It properly handles the SASP protocol, GWM pairs, and connection semantics. In addition, it has the ability to briefly delay node down on GWM switchover, resulting in no interrupted traffic in most cases, and has vastly improved scalability.

When run in push mode (now the default), it is more efficient with the SASP protocol, only asking for changes from GWM, and pinging GWM infrequently if no traffic has been received.

The improved monitor uses Pool name rather than Monitor name as the Workload name. This allows a single Monitor definition to be shared among many Pools, where previously a single unique Monitor was required for each SASP Pool.


613297-3 : Default generic message routing profile settings may core

Component: Service Provider

Symptoms:
If a virtual is created using the default generic message profile, the first packet received will produce an infinite number of messages and overflow the internal buffers.

Conditions:
The default generic message profile has the internal parser enabled but a zero byte message separator pattern. This causes the parser when receiving traffic to create an infinite number of empty packets and overflow the system.

Impact:
The infinite number of message will cause an internal panic producing a core. Traffic disrupted while tmm restarts.

Workaround:
Each usage of generic message should either provide a separator pattern or disable the internal parser.

Fix:
In this release, the system automatically disables the internal parser if no separator is provided, so if a virtual is created using the default generic message profile, the first packet received no longer produces an infinite number of messages and overflows the internal buffers.


613282-2 : NodeJS vulnerability CVE-2016-2086

Solution Article: K15311661


613275-2 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up

Solution Article: K62581339

Component: TMOS

Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

The values should match what is displayed in tmsh list net interface media-max and tmsh list net interface media-active respectively which are correct.

Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

Impact:
The system reports inaccurate information for these objects.

Workaround:
To get the correct results, use the following commands:
 tmsh list net interface media-max
 tmsh list net interface media-active

Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.


613225-7 : OpenSSL vulnerability CVE-2016-6306

Solution Article: K90492697


613127-3 : Linux TCP Stack vulnerability CVE-2016-5696

Solution Article: K46514822


613088-3 : pkcs11d thread has session initialization problem.

Component: Local Traffic Manager

Symptoms:
pkcs11d does not initialize, especially in the secondary slot(s). SafeNet connections cannot be established on the secondary blades.

Conditions:
This occurs when SafeNet is configured with VIPRION chassis

Impact:
When this occurs, BIG-IP is unable to establish SafeNet connections from the secondary blades.

Workaround:
None.

Fix:
Fixed a pkcs11d thread session initialization problem that prevented SafeNet connections.


613079-4 : Diameter monitor watchdog timeout fires after only 3 seconds

Component: Local Traffic Manager

Symptoms:
The Diameter monitor has a 3-second timeout that overrides the interval and timeout settings configured for the monitor.

Conditions:
A Diameter monitor must be configured.

Impact:
If the Diameter server takes longer than 3 seconds to reply to requests, it will be marked down.

Workaround:
None.

Fix:
Removed the 3-second Diameter monitor watchdog timeout so that interval and timeout can be used like other external monitors.


613065-1 : User can't generate netHSM key with Safenet 6.2 client using GUI

Component: Local Traffic Manager

Symptoms:
With Safenet6.2, creating key using GUI may hang and timeout. The GUI eventually quits with error message.

Conditions:
Installing Safenet6.2 client and attempting to create netHSM key from the GUI

Impact:
netHSM key creation fails, GUI hang.

Workaround:
You can use the corresponding tmsh command to create key.

Fix:
NetHSM key waiting time has been increased and you can now create a netHSM key using GUI.


613045-7 : Interaction between GTM and 10.x LTM results in some virtual servers marked down

Component: Global Traffic Manager (DNS)

Symptoms:
Some GTM virtual servers are never marked up when interacting with 10.x LTM.

Conditions:
1. On a GTM server, with autoconf off, manually create a virtual server that is using translated IP/port and either no LTM virtual server name or an incorrect LTM virtual server name.
2. Make sure the LTM virtual server is available.

Impact:
On the GTM side, that LTM virtual server will never get marked up.

Workaround:
None.

Fix:
Interaction between GTM and 10.x LTM now works, so virtual servers are correctly marked up.


613023-4 : Update SIP::Persist to support resetting timeout value.

Component: Service Provider

Symptoms:
SIP::persist needs improvement to support long-lived SIP sessions. Having a long timeout for persistence entries globally does not seem efficient for resource usage.

Conditions:
Efficiently using long-lived SIP sessions.

Impact:
Smaller persist timeouts will result in messages being delivered to the wrong entity in the case of supporting long lived SIP sessions.

Workaround:
Set a higher persist timeout value globally.

Note: This workaround might result in memory issues, depending on the BIG-IP system setup and traffic.

Fix:
New SIP Persist iRule commands allow persistence key and an additional parameter to redefine lifetime of the persistence entry to any new value.

Behavior Change:
In previous versions, the SIP Persist iRule command allowed only the persistence key as the parameter to store the persistence entry in the table.

New SIP Persist iRule commands allows persistence key and an additional parameter to define the lifetime of persistence entry. BIG-IP systems now can have better control on the persistence entry for long lived SIP sessions.


612952-1 : PSU FW revision not displayed correctly

Component: TMOS

Symptoms:
When EUD displays the PSU FW revison it is truncated from 16 bytes to 14 bytes.

Conditions:
This occurs when using a Murata REV02 M1845 PSU with AOM FW less than 2.7.14

Impact:
Incomplete PSU FW rev.

Workaround:
Infer the last 2 characters of the PSU FW rev from the 14 that are displayed and the HW revision of the PSU.


612874-1 : iRule with FLOW_INIT stage execution can cause TMM restart

Component: Advanced Firewall Manager

Symptoms:
If you have an iRule that has FLOW_INIT stage execution, it is likely to result in random TMM crashes.

Conditions:
iRule that has FLOW_INIT stage action in it.

The FLOW_INIT stage iRule could be executed either because it was attached to a Virtual Server or configured on an AFM ACL Rule.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule with FLOW_INIT action. Other stage iRules does not cause this problem.

Fix:
Memory allocation and release during iRule FLOW_INIT execution was not handled right in a specific scenario, which was corrected.


612809-1 : Bootup script fails to run on on a vCMP guest due to a missing reference file.

Component: TMOS

Symptoms:
Script /etc/sysconfig/sysinit/10virtual-platform.sysinit fails to run. sod log spamming.

Conditions:
Startup in a vCMP guest.

Impact:
vCMP guests shows dbg_echo related errors in /var/log/boot.log.

Workaround:
Disable sys db variable "failover.usetty01" and restart sod.

If unable to restart sod at the moment, apply a filter with no publisher matching message-id 012a0003:
    sys log-config filter no-serial-failover-logs {
        message-id 012a0003
    }

Fix:
This release adds a separate sysinit file for vCMP instead of using sysinit-virtual-platform.


612769-1 : Hard to use search capabilities on the Pool Members Manage page.

Solution Article: K33842313

Component: Global Traffic Manager (DNS)

Symptoms:
With hundreds of potential pool members the GUI does not make it easy to search for them. The search list only supports searches that match the beginning of the pool member's name.

Conditions:
This difficulty exists when there are more than a few potential pool members.

Impact:
Frustrating BIG-IP system administrator experience.

Workaround:
A workaround is to perform the needed virtual server/member addition to the pool via TMOS/CLI using a command similar to the following:


$ tmsh modify gtm pool <record> <pool> members add { <member> }.

Tip: You can take advantage of auto-completing the member's name by pressing the <tab> key, which saves typing the entire name.

Fix:
The system now provides better search capabilities on the Pool Members Manage page.


612752-1 : UCS load or upgrade may fail under certain conditions.

Component: TMOS

Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.

Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.

Impact:
UCS load or upgrade will fail.

Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.

Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.

These settings may be safely reinstated after the upgrade is complete.


612721-4 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.


612694-5 : TCP::close with no pool member results in zombie flows

Component: Local Traffic Manager

Symptoms:
'tmsh show sys conn all-properties' shows connections whose idle time exceeds the timeout.

Conditions:
There is no pool member, and a TCP::close iRule activates (typically after a TCP::respond).

Impact:
Connection does not tear itself down.

Workaround:
Make TCP::close conditional on pool failure, and rely on the pool failure to RST the connection rather than perform a clean TCP close.

Fix:
The system now properly handles TCP teardown when TCP::close has already torn down the rest of the stack.


612564 : mysql does not start

Component: TMOS

Symptoms:
ASM storage initialization does not happen.

Conditions:
BIG-IP iSeries platforms; this occurs after new software install.

Impact:
Application is non-functional.

Workaround:
remove the sentinel file ;
/appdata/mprov/local/HD1.4/mysqldb/.moved.to.asmdbvol.
and reboot.


612419-1 : APM 11.4.1 HF10 - suspected memory leak (umem_alloc_32/network access (variable))

Component: Access Policy Manager

Symptoms:
When there are multiple network access resources, and users switch between them within the same connection, a small memory leak happens.

Conditions:
Network access; full webtop, multiple Network Access resources.

Impact:
Memory usage increases over time.

Workaround:
There is no workaround. It is a relatively slow leak though. In the case where it was observed, the leak was about 130MB per month.

Fix:
Fixed a memory leak related to network access.


612229-1 : TMM may crash if LTM a disable policy action for 'LTM Policy' is not last

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing an LTM policy.

Conditions:
- VIP with LTM policy attached.
- LTM policy contains rule with 2 or more actions.
- Policy action of disable - LTMN Policy is not the last one in the list of actions.

Impact:
TMM crash with the following in one of the /var/log/tmm log files:
notice ** SIGABRT **
Traffic disrupted while tmm restarts.

Workaround:
Ensure any LTM policy disable action is the last in the list of actions.

Fix:
TMM no longer crashes if LTM a disable policy action for 'LTM Policy' is not last in the list of actions in the rule.


612135-3 : Virtual with GenericMessage profile without MessageRouter profile will core when receiving traffic

Component: Service Provider

Symptoms:
Configuring a virtual server with generic message profile without message routing profile will core when a packet is received by the virtual.

Conditions:
Configuring a virtual server with generic message profile without message routing profile.

Impact:
The system will core when a packet is received by the virtual server. Traffic disrupted while tmm restarts.

Workaround:
Each virtual server that contains a generic message profile should also have a message routing profile.

Fix:
Validation has been improved to fail unless both a generic message profile and a message routing profile are used.


612040-4 : Statistics added for all crypto queues

Component: Local Traffic Manager

Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.

Conditions:
Crypto requests issued but not actively queued in the crypto hardware.

Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.

Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.


611968-3 : JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow

Component: Access Policy Manager

Symptoms:
JavaScript Active content at an HTML page browsed by IE8 with significant amount of links (>1000) can run very slow.

Conditions:
- IE8 only.
- Significant number of links: >1000.
- JavaScript event handlers presence.

Impact:
Web application performance slowdown.

Workaround:
None

Fix:
Fixed.


611922-1 : Policy sync fails with policy that includes custom CA Bundle.

Component: Access Policy Manager

Symptoms:
Policy sync fails with a policy that includes a custom CA Bundle with an error similar to the following: mcpd[6191]: 01070710:3: Database error (65), Can't set attribute value, type:certificate_summary attribute:name.

Conditions:
- Add a custom certificate bundle
- Add it to a policy, e.g. create an LTM SSL CA profile and add it to the endpoint security check agent in the access policy.
- Initiate a policy sync.

Impact:
Policy sync fails.

Workaround:
Use a built-in certificate bundle on source device and sync the policy.

Import the custom certificate bundle to all devices

Replace the built-in certificate bundle with the custom one in the policy.

Fix:
Policy sync now succeeds when the policy includes a custom certificate bundle.


611704-5 : tmm crash with TCP::close in CLIENTSSL_CLIENTCERT iRule event

Component: Local Traffic Manager

Symptoms:
A tmm crash was discovered during internal testing.

Conditions:
HTTPS virtual server configured with an iRule that uses TCP::close in the CLIENTSSL_CLIENTCERT iRule event.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to TCP::close in CLIENTSSL_CLIENTCERT


611691-5 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.

Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.


611669-4 : Mac Edge Client customization is not applied on macOS 10.12 Sierra

Component: Access Policy Manager

Symptoms:
Mac Edge Client's Icon, application name, company name, amongst other things can be customized on BIG-IP before deploying on end user's machine. But on Mac Edge Client on macOS 10.12 Sierra this customization is not applied.

Conditions:
macOS Sierra 10.12, Edge client, customization

Impact:
Mac Edge Client customization is not applied on macOS 10.12 Sierra. Functionally there should be no impact except that user will see default application visually.

Workaround:
run following command on Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For spanish
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Edge client honors customization on macOS Sierra 10.12 now.


611658-3 : "less" utility logs an error for remotely authenticated users using the tmsh shell

Component: TMOS

Symptoms:
when using 'less' Syntax Error: unexpected argument "/usr/bin/lesspipe.sh"

Conditions:
admin user configured with tmsh shell

Impact:
admin user cannot use the less command from shell

Workaround:
configure admin user to use the bash shell


611512-1 : AWS: Pool member autoscaling in BIG-IP fails to add pool members when pool name is same as AWS Autoscaling Group name.

Component: TMOS

Symptoms:
In AWS, Pool member autoscaling in BIG-IP fails to add pool members when pool name in BIG-IP is same as Autoscaling Group name in AWS.

Conditions:
- BIG-IP is configured to perform autoscaling of pool members in AWS.
 - Pool name in BIG-IP is same as the autoscaling group name in AWS attached with it.

Impact:
- Pool member autoscaling doesn't occur correctly without user intervention.

Workaround:
When configuring pool member auto-scaling in AWS, you must choose a different name for the pool compared to the autoscaling group name attached with it.

Fix:
Choose different names for Pool in BIG-IP and autoscaling group in AWS to correctly configure Pool member autoscaling in BIG-IP .


611487-3 : vCMP: VLAN failsafe does not trigger on guest

Component: TMOS

Symptoms:
vCMP: VLAN failsafe does not trigger on guest due to IPv6 link-local neighbor discovery traffic from host.

Conditions:
vCMP host configured, VLAN failsafe enabled on a VLAN, one or more VCMP guests enabled that use that VLAN

Impact:
Since the heartbeat messages going over IPv6 link-local addresses continue to be successfully passed from host to guest, VLAN failsafe does not trigger if a downstream router or switch goes down that's connected to the VLAN.

Workaround:
If you are able to, disabling IPv6 on the host will allow VLAN failsafe to work as expected.


611482-4 : Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule) .

Solution Article: K71450348

Component: Local Traffic Manager

Symptoms:
Local persistence record kept alive after owner persistence record times out (when using pool command in an iRule).

Conditions:
Universal persistence is configured. A loop of HTTP request is sent to tmm which doesn't own the record. Persistence lookup is performed, but finally the pool command is used for load-balancing pick.

Impact:
Discrepancy between persistence records.

Workaround:
Use persist, not pool command, to bind persistence record to a flow.

Fix:
Fixed keeping alive the owner record.


611469-3 : Traffic disrupted when malformed, signed SAML authentication request from an authenticated user is sent via SP connector

Solution Article: K95444512


611467-3 : TMM coredump at dhcpv4_server_set_flow_key().

Component: Policy Enforcement Manager

Symptoms:
TMM coredump at dhcpv4_server_set_flow_key().

Conditions:
1. You are using Policy Enforcement Manager (PEM) DHCP to discover subscribers.
2. You have configured a DHCP relay virtual server.
3. Two PEM DHCP subscriber connections share the same connection to a remote DHCP server.
4. One of the PEM DHCP subscriber connections expires.
5. The non-expired PEM DHCP subscriber connection sends a new DHCP request.
6. The remote PEM DHCP server responds to the new PEM subscriber request.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The client uses broadcast to do DHCP renewal is an indication the client did not get ACK from DHCP server when it uses unicast to talk to DHCP server directly. The most likely reason for this to happen is the server routing table is not configured to send DHCP ACK packets back to the client.

You can work around this problem by configuring DHCP server routing table so that it knows how to send DHCP ACK to the client.


611385-1 : "Learn Explicit Entities" may continue to work as if it is 'Add All Entities'

Component: Application Security Manager

Symptoms:
Under some scenarios, setting "Learn Explicit Entities" to 'Never' has no effect; it continues to work as if it is 'Add All Entities'

Conditions:
Steps to Reproduce:
1) Create a default policy, set "Learn New HTTP URLs" to "Add All Entities".
2) Create a non-pure wildcard URL "/in*".
3) Send the following request:
     GET /index.html HTTP/1.1\r\n
     Host: <Host URL>\r\n
     \r\n
4) There will be no suggestion to add /index.html URL since learning mode on "/in*" wildcard is "Never" by default.
5) Set "Learn Explicit Entities" to "Add All Entities" on "/in*" wildcard.
6) Send the same traffic again; there will be suggestion to add /index.html URL (which is still correct).
7) Delete all suggestions.
8) Set "Learn Explicit Entities" to "Never" on "/in*" wildcard.
9) Send the same traffic again.

Impact:
There is suggestion to add /index.html URL when there should be no such suggestion since the wildcard is in 'Never' mode now.

Workaround:
Go to "Learning and Blocking Settings", set "Learn New HTTP URLs" to "Never" press "Save", then set it back to "Add All Entities". press "Save" again.

Fix:
"Learn Explicit Entities" to 'Never' now works as expected.


611352 : Benign message "replay num rollover error condition correctable errors" counter on iSeries platforms

Solution Article: K68092141

Component: TMOS

Symptoms:
In /var/log/sel you see these errors:
0082 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: corerrsts: replay_num_rollover_status
0083 11/23/16 08:23:11 MAJ CPU 0 PCI/DMI Error B:D:F 0x1a: rperrsts: correctable_error_received

Conditions:
This can be seen on BIG-IP iSeries platforms.

Impact:
This error message is benign and can be safely ignored.

Workaround:
N/A

Fix:
Benign message "replay num rollover error condition correctable errors" counter is no longer seen.


611320-3 : Mirrored connection on Active unit of HA pair may be unexpectedly torndown

Component: Local Traffic Manager

Symptoms:
Mirrored connection on Active unit is torn down. TCP connection is RST with cause of 'HA Expire flow'.

Conditions:
Mirrored connection on Standby unit times out due state mismatch with connection on Active unit.

Impact:
Traffic loss.

Workaround:
Disable mirroring.

Fix:
The system no longer mirrors connflow expiration from Standby to Active. This is correct behavior.


611240-3 : Import of config with securid might fail

Component: Access Policy Manager

Symptoms:
Import of the profile used for securid auth might fail if the profile has already been used for auth purposes at the moment of export.

Conditions:
This occurs when the following conditions are met:
-- Profile configured for securid authenticaiton with securid server attached.
-- Profile has been used for authentication more than 0 times.
-- Full import (no reuse) or Reuse import when secureid server under the same name is not present.

Impact:
Unable to import certain configurations.

Workaround:
1. In VPE, open securid auth item and set server to none before export.
2. Export profile.
3. Import profile.
4. Re-create the aaa securid server.
5. In VPE, open the securid auth item and set server to one from step #4.

Or
1. Export profile.
2. Create aaa securid server under the same name.
2. Import profile with reuse.

It is also possible to remove securid entry from config-files of securid server configuration in .conf.tar.gz, which would also work.

Fix:
It is now possible to successfully export and the import profile using securid in any state.


611161-3 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Solution Article: K28540353

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers but it should have not.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.


611154-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
An iRule (or other non-ASM module) that adds or delete the server headers. Especially if it touches the Set-Cookies header

Impact:
Failover, traffic disrupted while TMM restarts.

Workaround:
No workaround at this time.

Fix:
Added checking for bad dictionary on the response side.


611151-2 : An upper case JSON sensitive parameter is not masked when ASM policy is case-insensitive

Component: Application Security Manager

Symptoms:
If you configure a sensitive parameter with an upper-case character (like "Password"), the data masking does not take place. When the sensitive parameter is all lower-case (like "password"), the data masking takes place as expected.

Conditions:
ASM provisioned
ASM policy is case-insensitive
JSON profile, w/ a sensitive parameter with an upper-case character

Impact:
no data masking for a JSON sensitive parameter

Workaround:
N/A

Fix:
We've made sure that JSON parameters are always treated as case sensitive, regardless of the ASM policy case sensitivity setting.


610897-2 : FPS generated request failure throw "unspecified error" error in old IE.

Component: Fraud Protection Services

Symptoms:
If FPS generated request sent and failed in old IE, it will throw "unspecified error" error.

Conditions:
FPS generated request sent and failed in old IE

Impact:
The browser will show error message in the left bottom side.

Workaround:
N\A

Fix:
N\A


610857-1 : DoSL7 Proactive Bot Defense should block requests from a browser (Chrome/Firefox) when it is running selenium webdriver.

Component: Application Security Manager

Symptoms:
When selenium client webdriver is detected running a browser Chrome or Firefox it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome or Firefox webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Adjusted scoring for selenium detection to trigger CAPTCHA upon an attempt to access a website without TSPD101 cookie (usually occurs upon accessing a website's first page)


610830-1 : FingerPrint javascript runs slow and causes bad user browsing experience when accessing a webapp's first page.

Component: Application Security Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned and to a virtual sever assigned dos application profile where Device ID mitigation configured or ASM policy with WebScraping and FingerPrint detection enabled.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
tmsh modify sys db dosl7.fp_fonts_enabled disabled

Fix:
The javascript slowness bottleneck is fonts collection, to improve the performance the number of font reduced from 300 to 50. If you wish to eliminate the slowness of the fonts collection at all, a new sys db has been added. tmsh list sys db dosl7.fp_fonts_enable. Note, that eliminating the fonts collection for the fingerprint can reduce the its entropy.


610710-2 : Pass IP TOS bits from incoming connection to outgoing connection

Component: Service Provider

Symptoms:
ToS is set to 0 when going through a SIP profile.

Conditions:
This occurs when a SIP profile is in use and ToS is set.

Impact:
Currently outgoing packets TOS bits are configured via profile and are not affected by TOS bits of incoming packet.

Workaround:
NA

Fix:
Outgoing packets TOS bits can be configured via profile to preserve the TOS bits of incoming packet.

Behavior Change:
This change will only change existing behavior if the transport protocol (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message will be used on the outgoing packets containing the message. Without this change, the TOS bits of the outgoing packet would be undefined if configured this way.


610609-3 : Total connections in bigtop, SNMP are incorrect

Component: Local Traffic Manager

Symptoms:
While looking at total connections for the active BIG-IP using bigtop or SNMP, the connections are reported too high. For example if you sent a single connection through BIG-IP it is reported as 2 connections. Meanwhile, the standby device with mirroring configured accurately shows the number of connections.

Conditions:
This occurs on PVA-enabled hardware platforms.

Impact:
The total connection count statistic is incorrect.


610582-2 : Device Guard prevents Edge Client connections

Component: Access Policy Manager

Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.

Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.

Impact:
Clients are unable to establish a VPN connection.

Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.

Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.

Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.


610449-2 : restarting mcpd on guest makes block-device-images disappear

Component: TMOS

Symptoms:
tmsh list sys software block-device-images typically shows available BIG-IP images saved on the platform which are available for install via tmsh install sys software ...

When running BIG-IP on a vcmp guest, GuestAgentDaemon is responsible for fetching from the host these available images and displaying them to the user.

When mcpd goes down, GuestAgentDaemon loses the connection required to fetch and display this information.

If mcpd has gone down since GuestAgentDaemon came up, running "(tmos)# show sys software block-device-image" a second time will no longer display the BIG-IP images available for install.

Restarting GuestAgentDaemon when mcpd restart ensures that GuestAgentDaemon will reestablish the required connection. With this fix, GuestAgentDaemon will restart only in response to mcpd going down and subsequently coming back up. Once both daemons are up and running again, the command '(tmos)# list sys software block-device-image' will again function as designed.

Conditions:
vCMP is provisioned to level dedicated.
One or more guests is provisioned and deployed.
The user is operating inside a deployed guest.
The user attempts to use a block-device-image,
but mcpd has restarted since GuestAgentDaemon began execution.
No block-device-images are shown by GuestAgentDaemon

Impact:
tmsh list sys software block-device-images returns nothing from inside the guest.

Workaround:
Restart GuestAgentDaemon in response to mcpd successfully restarting.

Fix:
GuestAgentDaemon now automatically restarts in response to McpDaemon successfully restarting.


610442-2 : vcmp_media_insert failed message and lind restart loop on vCMP guest when installing with block-device-image with bad permissions on .iso

Solution Article: K75051412

Component: TMOS

Symptoms:
On a vCMP guest, If a user attempts to install using the block-device-image argument (e.g., install sys software block-device-image <some.iso>), and the .iso file has incorrect file permissions (e.g., $chmod 600 <some.iso>), then the lind process on the guest will enter a restart loop, and the system posts the following error:
  lind[23565]: 013c0004:3: Fatal error: vcmp_media_insert failed

Conditions:
-- vCMP guest.
-- Run a command similar to the following:
install sys software block-device-image <some.iso>.
-- <some.iso> has bad permissions, e.g., -r--------.

Impact:
On the guest, lind restarts continuously, logging its restart to /var/log/ltm each time and posting the vcmp_media_insert failed error message.

Workaround:
Use either of the following workarounds:
-- Avoid installing block-device-images known to have bad permissions.

-- From the host, attempt to repair the file with bad permissions, copy the repaired file to /shared/images/, and try the install again. To do so, follow this procedure, running these commands from the host:

1. To repair the file, run the following command:
 chmod 644 <some.iso>

2. To copy the file, run the following command:
 scp <some.iso> mysystem:/shared/images/

3. To install the guest, run the following commands:
 bigstart restart lind
 tmsh install sys software block-device-image <some.iso>

Fix:
Instead of throwing a runtime error, lind will log an error to /var/log/ltm and return.


610441-3 : When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Component: TMOS

Symptoms:
When using iControl REST to add a member to an existing pool, the pool member is successfully created. However, a 404 response is received.

Conditions:
This occurs when adding a new member to an existing pool using iControl REST.

Impact:
Unable to tell if the request has succeeded or failed via iControl REST.

Workaround:
Add the following to partitionInfo in icrd.conf.

{"gtm/pool/a/members":[true, true]},
{"gtm/pool/aaaa/members":[true, true]}


610429-5 : X509::cert_fields iRule command may memory with subpubkey argument

Component: Local Traffic Manager

Symptoms:
The X509::cert_fields iRule command can leak memory in the 'method' memory subsystem if called with the 'subpubkey' argument, when the 'subpubkey' argument is not the last argument.

Conditions:
Create an iRule using X509::cert_fields where the subpubkey is not the last argument.

Example/signature to look for:
ltm rule rule_leak {
    when HTTP_REQUEST {
        if { [SSL::cert 0] ne "" } {
            HTTP::respond 200 content "[X509::cert_fields [SSL::cert 0] 0 subpubkey hash]\n"
        } else {
            HTTP::respond 200 content "no client cert (WRONG!)"
        }
    }
}

Impact:
Memory will leak, eventually impacting the operation of tmm.

Workaround:
Ensure that 'subpubkey' is the last argument to X509::cert_fields


610417-1 : Insecure ciphers included when device adds another device to the trust. TLSv1 is the only protocol supported.

Solution Article: K54511423

Component: TMOS

Symptoms:
When adding a device to the trust, the SSL connection can use insecure ciphers. Also it will use the undesirable TLSv1 protocol instead of negotiating to the highest safest protocol available which is TLSv1.2

If the peer device is configured to use TLSv1.1 or TLSv1.2 only, device trust will not be established

Conditions:
This exists when configuring devices in a device cluster.

Impact:
Unable to configure stronger ciphers for device trust.

If the peer device is modified to not use TLSv1.0, it is impossible to establish Device Trust.

Workaround:
None.

Fix:
Advertised client ciphers reduced to what the common criteria compliance standard approves.
Changed the initial OpenSSL call to use the correct one to negotiate to the highest available TLS protocol (1.2).


610354-1 : TMM crash on invalid memory access to loopback interface stats object

Component: TMOS

Symptoms:
TMM can crash with segmentation fault when TMM drops packets on its internal loopback interface. TMM needs to update interface stats associated with the loopback interface when dropping packets on that interface. The interface stats object for loopback interface is not allocated yet. That results in segmentation fault.

Conditions:
TMM drops packets on its internal loopback interfaces.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No Workaround.


610352-1 : sys-icheck reports error with /etc/sysconfig/modules/unic.modules

Component: TMOS

Symptoms:
On Azure cloud, running sys-icheck may report an error with /etc/sysconfig/modules/unic.modules:

ERROR: S.5...... /etc/sysconfig/modules/unic.modules

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /etc/sysconfig/modules/unic.modules that was causing sys-icheck to report errors.


610350-1 : sys-icheck reports error with /config/bigpipe/defaults.scf

Component: TMOS

Symptoms:
n Azure cloud, running sys-icheck may report an error with /config/bigpipe/defaults.scf and /usr/share/defaults/defaults.scf:

ERROR: S.5...... c /config/bigpipe/defaults.scf (no backup)
ERROR: S.5...... /usr/share/defaults/defaults.scf

Conditions:
This occurs on BIG-IP running on Azure cloud.

Impact:
sys-icheck utility indicates an error. The sys-icheck utility is used to find file system changes that have occurred since initial installation and provide information about their status.

Fix:
Fixed an issue with files in /config/bigpipe/defaults.scf that was causing sys-icheck to report errors.


610307 : Spurious error message from mcpd at shutdown: Subscription not found in mcpd for subscriber Id BIGD_Subscriber

Component: TMOS

Symptoms:
This error message may be generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

Conditions:
Occurs once or twice per boot as a BIG-IP is being shut down or restarted.

Impact:
None. This can be ignored.

Workaround:
No workaround necessary. This message indicates no ill effects and can be ignored.

Fix:
This error message could have been generated once or twice at shutdown:

01070069:3: Subscription not found in mcpd for subscriber Id BIGD_Subscriber.

It no longer appears. Note that even when it was present, it only occurred at system shutdown and could be ignored.


610302-1 : Link throughput graphs might be incorrect.

Component: Local Traffic Manager

Symptoms:
The link throughput performance graphs available in the GTM, DNS or Link Controller modules might show the throughput for the wrong link in the graph.

Conditions:
Multiple links exist and one of the links has a name that is a prefix for the name of one or more other links.

For example, there are two links defined and named "mylink" and "mylink2".

Impact:
The graphs for all links that contain the prefix might show the throughput for the link whose name matches the prefix.

For example, the throughput graphs for both "mylink" and "mylink2" might both show the throughput data for "mylink"

As a result of this issue, the historical link throughput data is gathered and stored incorrectly. This data is used to generate the throughput graphs.

Workaround:
Do not create links where the name of one link forms a prefix for the name of other links.

Fix:
Link throughput graphs now collect and show the throughput for the proper link when one link name is a prefix of one or more other links. Note that historical information gathered before the fix will not be corrected.


610295-1 : TMM may crash due to internal backplane inconsistency after reprovisioning

Solution Article: K32305923

Component: TMOS

Symptoms:
In some scenarios on BIG-IP Virtual Edition (VE) platforms, TMM may crash due to backplane inconsistency shortly after a provisioning change.

Conditions:
- BIG-IP VE with performance-limited license.
- Additional licensing/provisioning of modules raises performance limits. New TMM processes are started.
- No reboot has occurred after provisioning.

Impact:
TMM may core with panic and post the following message in /var/log/tmm log: 'Unexpected backplane address'. Traffic disrupted while tmm restarts.

Workaround:
Reboot after provisioning if new license add-on keys raises performance of the BIG-IP system.

Fix:
TMM no longer crashes after provisioning if new license add-on keys raises performance of the BIG-IP system.


610273-3 : Not possible to do targeted failover with HA Group configured

Component: TMOS

Symptoms:
With a traffic-group configured to use HA Group, it is not possible to disable the HA Group to perform targeted failover. Running tmsh run sys failover standby traffic-group traffic-group-1 produces an error:
"Unexpected Error: SOD command standby may not be issued for traffic group /Common/traffic-group-1 because it is configured to use HA group."

Conditions:
Traffic-group configured to use HA Group. Versions prior to 12.0.0 allowed you to disable the HA Group to do targeted failover.

Impact:
Unable to force the traffic-group to standby if HA Group is configured. You would need to change it to use a different mode, such as HA Order.

Workaround:
Temporarily change the traffic group to use a different Failover Method such as Load Aware or HA Order in order to failover. Note that this will disable HA Group functionality until the Failover Method is restored.


610255-1 : CMI improvement

Solution Article: K62279530


610224-3 : APM client may fetch expired certificate when a valid and an expired certificate co-exist

Component: Access Policy Manager

Symptoms:
APM client does not consider the expiration when it matches certificates for Machine Cert Check. If a matching but expired certificate is found before a valid certificate, the expired certificate is used for Machine Cert Check on Windows.

Conditions:
A valid and an expired certificate co-exist in the certificate store.

Impact:
Machine Certificate check fails.

Workaround:
Remove the expired certificate from the store.

Fix:
When a valid and an expired certificate co-exist, the system now matches the valid certificate.


610180-2 : SAML Single Logout is misconfigured can cause a minor memory leak in SSO plugin.

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML SP, and SLO is not properly configured on associated saml-idp-connector objects, IdP initiated SAML SLO may result in memory leak in SSO plugin.

Conditions:
- BIG-IP is used as SP.
- Associated saml-idp-connector object has 'single-logout-uri' property configured, but 'single-logout-response-uri' property is empty.
- User performs IdP initiated SAML SLO

Impact:
SSO plugin leaks memory

Workaround:
There are two possible workarounds:
- Fix misconfiguration: Configure SLO correctly by adding value to 'single-logout-response-uri' property of IdP connector object.
- Disable SLO by removing single-logout-uri' property of IdP connector object.

Fix:
When fixed, memory will no longer leak in SSO plugin even when SLO is misconfigured.


610138-2 : STARTTLS in SMTPS filter does not properly restrict I/O buffering

Solution Article: K23284054

Component: Local Traffic Manager

Symptoms:
Commands following STARTTLS in a group are accepted and processed after TLS is in place.

Conditions:
SMTPS profile in use.

Impact:
SMTPS filter will improperly process commands after STARTTLS.

Workaround:
None.

Fix:
Commands in a group after STARTTLS are dropped. This is correct behavior.


610129-3 : Config load failure when cluster management IP is not defined, but instead uses address-list.

Solution Article: K43320840

Component: Advanced Firewall Manager

Symptoms:
In Cluster setup with multiple blades, if configurations do not have management IP addresses assigned to individual blades, but instead assign a cluster management IP address list to the cluster of blades. The configuration load will fail. System posts an error message similar to the following: err mcpd[24235]: 01071824:3: The address list is referenced by one of the rules of the admin IP either directly or in a nested manner, and the entry is of a different address family from that of the Admin IP.

Conditions:
1. Cluster setup with multiple blades.
2. No management IP assigned to individual blades.
3. Assign cluster management IP address list to the cluster of blades.

Impact:
After reboot, configuration load failure on secondary blades.

Workaround:
Define the cluster management IP address as the destination (in rule) without using address list.

Fix:
Config load failure no longer occurs when cluster management IP is not defined, but instead uses address-list.


610122-1 : Hotfix installation fails: can't create /service/snmpd/run

Component: TMOS

Symptoms:
Hotfix installation fails with RPM transaction errors.
The system posts several errors similar to the following in /var/log/liveinstall.log: info: RPM: can't create /service/snmpd/run at usr/share/perl5/vendor_perl/daemon.pm line 99.

Conditions:
12.x hotfix installation from 11.6.0 on top of a 12.x base image that was previously booted.

Impact:
It is not possible to perform a hotfix installation to a 12.x volume from 11.6.0 after the 12.x volume has been booted.

Workaround:
- Install the hotfix directly to a new slot which has not been booted into before using a command similar to the following:
     tmsh install sys software hotfix 12.1.0-hf1 create-volume volume HD1.4


609967-2 : qkview missing some HugePage memory data

Solution Article: K55424912

Component: TMOS

Symptoms:
Some HugePage status data is missing from qkview, if the contents of /proc/meminfo does not list a units column for the Huge Page data.

Conditions:
/proc/meminfo file does not list units for HugePage data.

Impact:
HugePage data is missing from qkview diagnostics file.

Workaround:
Separately provide /proc/meminfo file.

Fix:
HugePage status data is now collected as expected.


609793-1 : HTTP header modify agent logs error message as it is disabled since it cannot modify headers/cookies in HTTP Response.

Component: Access Policy Manager

Symptoms:
HTTP Header Modify agent skips execution if it believes it is in the serverside chain, as the check is based on receipt of HUDEVT_REQ_DONE, which can be true on the clientside chain, causing HTTP header modify agent operations to log out with an error message.

Conditions:
Receipt of HUDEVT_REQ_DONE before execution of HTTP Header Modify agent.

Impact:
HTTP header modify agent cannot perform modification of headers/cookies.

Workaround:
None.

Fix:
Appropriate check for disabling HTTP header agent only in serverside chain has been added and the check for the receipt of request has been processed has been removed.


609788 : PCP may pick an endpoint outside the deterministic mapping

Component: Carrier-Grade NAT

Symptoms:
When PCP is picking an endpoint for a LSN pool in deterministic mode and the initial pick fails due to an existing mapping, the subsequent picks are from the entire LSN pool translation port range. This may result in a mapping that violates the deterministic mapping algorithm.

Conditions:
With PCP configured and enabled with a lsn-pool in deterministic mode.

Impact:
Deterministic mapping restriction may be violated causing reverse mapping of public IP address to private IP address to not identify the correct subscriber.

Workaround:
Configure PCP with a NAPT pool (such as the DNAT mode's backup pool) and enable logging. Do not use an lsn-pool in deterministic mode.

Fix:
PCP no longer picks mappings outside of a client's DNAT range after the first mapping attempt fails.


609691-1 : GnuPG vulnerability CVE-2014-4617

Solution Article: K21284031


609677-1 : Dossier warning 14

Component: TMOS

Symptoms:
After each boot, the var/log/ltm log file contains messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.

Conditions:
This occurs upon reboot after licensing and management port configuration is complete on i5000/i7000/i10000-Series platforms.

Impact:
There is no functional impact. This is a benign message that can be safely ignored.

Workaround:
None.

Fix:
The var/log/ltm log file no longer contains the benign messages similar to the following: warning mcpd[6296]: 01070267:4: Dossier warning 14.


609628-2 : CLIENTSSL_SERVERHELLO_SEND event in SSL forward proxy is not raised when client reuses session

Component: Local Traffic Manager

Symptoms:
When a client performs an abbreviated handshake by reusing the session from a previously established full handshake, the SSL forward proxy does not raise the CLIENTSSL_SERVERHELLO_SEND event.

Conditions:
This occurs when the following conditions are met:
-- SSL forward proxy configured
-- Session cache is enabled.

Impact:
iRule commands inside of the CLIENTSSL_SERVERHELLO_SEND are only executed for full handshakes but not for abbreviated handshakes; thus any logic that's applied per SSL connection should not run inside of CLIENTSSL_SERVERHELLO_SEND event since it is not reliably raised under all types of handshakes.

Workaround:
To make sure that the CLIENTSSL_SERVERHELLO_SEND event is reliably raised, disable session cache in the client SSL profile.


609614-3 : Yafuflash 4.25 for iSeries appliances

Component: TMOS

Symptoms:
Firmware on BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx needs to be upgraded to Yafuflash 4.25.

Conditions:
-- BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.
-- Yafuflash.

Impact:
This is a firmware upgrade.

Workaround:
None.

Fix:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.

Behavior Change:
This release contains Yafuflash v4.25 for BIG-IP iSeries appliances: i2xx, i4xx, i5xx, i7xx.


609575-5 : BIG-IP drops ACKs containing no max-forwards header

Component: Service Provider

Symptoms:
When a sip profile is in use and receives an acknowledgment packet missing the Max-Forwards header, BIG-IP will treat the packet as un-forwardable and does not forward the ACK. This can be experienced as a specific cilent being unable to make a call.

Conditions:
This would only be seen when BIG-IP is connected to specific clients that fail to populate the Max-Forwards header on an ACK.

Impact:
BIG-IP treats packets with the missing header as having a value of 0, which means "Do not forward".


609527-2 : DNS cache local zone not properly copying recursion desired (RD) flag in response

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS query sets the RD flag, that setting is supposed to be copied to the response. When a DNS query is handled by a cache local zone, the RD flag is not set properly.

Conditions:
A DNS cache local zone must be configured and a DNS query with the RD flag set must be handled by this local zone.

Impact:
The flag is not set properly in the DNS response. This most likely will only be noticed by protocol validation tools as standard DNS clients generally do not check this bit.

Workaround:
Use an equivalent DNS Express configuration instead of the local zone.

Fix:
The fix is to properly check the RD flag on the query so that it can be copied to the response.


609499-1 : Compiled signature collections use more memory than prior versions

Component: Application Security Manager

Symptoms:
Compiled signature collections use more memory than prior versions.

Conditions:
Different signature sets are used for different policies.

Impact:
BD memory usage for compiled signature collections is increased.

Fix:
Compiled signature collections memory usage was consolidated and reduced.


609496-2 : Improved diagnostics in BD config update (bd_agent) added

Component: Application Security Manager

Symptoms:
Improved diagnostics in BD config update (bd_agent) are needed.

Conditions:
Further troubleshooting of BD config update transmission is needed.

Impact:
No diagnostics are available.

Workaround:
None.

Fix:
Improved diagnostics in BD config update (bd_agent) were added.


609335-1 : IPsec tmm devbuf memory leak.

Component: TMOS

Symptoms:
A small memory leak was discovered during internal testing of IPsec tunnels. Over time tmm might run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


609328-3 : SIP Parser incorrectly parsers empty header

Solution Article: K53447441

Component: Service Provider

Symptoms:
If a SIP message contains an empty header, the following header will be included as the value of the empty header.

Conditions:
A SIP header without any value will incorrectly cause the next header to be used as the value.

Impact:
If the following header is needed for processing the message, it will not be seen (since it is incorrectly considered the value of the previous header).

Workaround:
None.

Fix:
Parser has been corrected to terminate an empty header when a line ending is seen.


609325 : Unsupported DDM F5 SFP modules do not write log message saying DDM is not supported

Component: TMOS

Symptoms:
QSFP modules that do not support DDM (Digital Diagnostic Monitoring), write messages to /var/log/ltm indicating DDM is not supported, however, there are certain unsupported DDM F5-branded SFP modules that do not write a message to the log.

Conditions:
Upon inserting the unsupported DDM SFP modules.

Impact:
DDM is not reporting information for the following optics:

Unsupported DDM 1Gb-10GB SFP modules:

OPT-0004
OPT-0007
OPT-0011
OPT-0015
OPT-0051
OPT-0033

Workaround:
None.

Fix:
All DDM SFP 1Gb-10GB modules now log in /var/log/ltm that DDM is not supported with that optical transceiver.


609244-4 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.

Fix:
tmsh show ltm persistence persist-records no longer leaks memory.


609199-6 : Debug TMM produces core when an MPTCP connection times out while a subflow is trying to join

Component: Local Traffic Manager

Symptoms:
If an MPTCP connection times out while a subflow is still performing the three-way handshake, the TMM produces a core. This only affects the debug TMM, not the default one.

Conditions:
An MPTCP connection times out while a subflow is still performing the three-way handshake with MP_JOIN. This only affects the debug TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP.

Fix:
Remove unestablished joining subflows when freeing the MPTCP connection structure.


609119-7 : Occasionally the logging system prints out a blank message: err mcpd[19114]: 01070711:3:

Component: TMOS

Symptoms:
Occasionally the logging system prints out a blank message, similar to the following example:

-- err mcpd[19114]: 01070711:3:

For this log statement, there is text associated with the error in the bigip_mcpd_error_defs.in file, so something should be logged.

Conditions:
The problem is the result of an exception handler issue in mcpd's File Object validator. The damaged logs can come from anywhere in mcpd, but appear only after a File Object configuration change fails validation. If the problem occurs, it will happen only once per validation error. The damage caused by the exception handler is automatically corrected when the system rewrites the log.

Impact:
Except for the missing log text, the state and behavior of the BIG-IP system is unaffected.

Workaround:
None. The problem corrects automatically when the system rewrites the log.

Fix:
The logging system prints out a blank message in response to failed file object configuration change validations.


609114-1 : Add the ability to control dropping of alerts by before-load-function

Component: Fraud Protection Services

Symptoms:
Too many alerts prevents you from enabling FPS. If it does get enabled, a large number of 'missing component' alerts are generated.

Conditions:
This can occur when enabling FPS will trigger a high number of alerts.

Impact:
FPS is disabled, or alerts are not categorized.

Fix:
Add before-load-function capability to drop alert on client.


609107-1 : mcpd does not properly validate missing 'sys folder' config in bigip_base.conf

Component: TMOS

Symptoms:
If a 'sys folder' is manually removed from bigip_base.conf, and the config is then reloaded, mcpd does not produce any warning or error messages, and allows the config to load.

Conditions:
A folder is removed from a previously valid configuration file.

Impact:
Inconsistent configuration between devices in the same device-group, shows in-sync when they are not, prevents config loading after mcpd has been reset.

Workaround:
Do not remove folders from the configuration file.

Fix:
mcpd now properly validates missing 'sys folder' config in bigip_base.conf, so the config performs as expected.


609098-1 : Improve details of ajax failure

Component: Fraud Protection Services

Symptoms:
When AJAX request fails, insufficient information is provided to debug the failure.

Conditions:
AJAX failure

Impact:
Difficult to diagnose the failure.

Workaround:
Not relevant

Fix:
Add information to alert about AJAX failure.


609095-1 : mcpd memory grows when updating firewall rules

Component: Advanced Firewall Manager

Symptoms:
While updating firewall rules such as adding/deleting a blacklist, mcpd memory grows by a small amount with each update.

Conditions:
This can occur when making changes to firewall policies.

Impact:
mcpd memory grows unbounded; over a significant amount of time with many changes and no restarts, mcpd can run out of memory and oom killer can trigger a failover.


609084-2 : Max number of chunks not configurable above 1000 chunks

Solution Article: K03808942

Component: Application Security Manager

Symptoms:
If you want to support requests larger than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000


609027-1 : TMM crashes when SSL forward proxy is enabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when SSL forward proxy is enabled.

Conditions:
This can occur when SSL forward proxy is enabled and there is a server handshake done when client SSL handshake is not ongoing.

Impact:
Traffic disrupted while tmm restarts.

Fix:
SSL forward proxy now ignores server handshake done when client SSL handshake is not ongoing, so an intermittent TMM crash no longer occurs.


609005-2 : Crash: tmm crashing when 2nd client (srcPort=68) sends a DHCP renew with giaddr (Relay Agent IP) in the packet after 1st client (srcPort=67).

Component: Policy Enforcement Manager

Symptoms:
Two client side DHCP packets with giaddr field set, one with source port 67 and another client side packet with source port 68 (not conforming to RFC since giaddr set DHCP packet (from relay agent) should use 67 as source port per RFC),
tmm will crash during err message logging.

Conditions:
1) Two client side DHCP packets arrive one after another.
2) Both DHCP packets have giaddr fields set
3) One packet uses 67 as source port, the other uses 68

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The conditions that cause the crash should not happen in a normal network setup. A DHCP relay agent should only use 67 as source port.


608991-7 : BIG-IP retransmits SYN/ACK on a subflow after an MPTCP connection is closed

Component: Local Traffic Manager

Symptoms:
If a SYN with MP_JOIN is received on a new subflow during an MPTCP connection and the connection closes before the three-way handshake is complete, the BIG-IP will continue trying to complete the three-way handshake.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a SYN with MP_JOIN is received on another flow during an MPTCP connection.

Impact:
The BIG-IP retransmits the SYN/ACK to the joining flow after the connection is closed.

Workaround:
There is no workaround

Fix:
Free joining connections when an MPTCP connection is closed.


608941-1 : AAA RADIUS system authentication fails on IPv6 network

Component: Access Policy Manager

Symptoms:
APM supports RADIUS authentication to IPv6 servers for APM clients if the IPv6 servers are in a pool, but using RADIUS for system authentication directly to a RADIUS server fails on invalid IP address. The signature in the log file is as follows:

err apmd[13481]: 01490108:3: /Common/profilename: RADIUS module: authentication with 'aa' failed: Invalid Server IP(0)/Port(0) (1)

Conditions:
RADIUS authentication configured for system authentication direct to a RADIUS server, and the RADIUS server is an IPv6 server.

Impact:
RADIUS is unable to connect directly to the IPv6 RADIUS server, clients unable to log into the system.


608826-1 : Greylist (bad actors list) is not cleaned when attack ends

Component: Anomaly Detection Services

Symptoms:
When attack ends the greylist (detected bad actors) remains till the timeout expiration.

Conditions:
Detected bad actors and attack end.

Impact:
If new attack will start sooner than greylist expiration time, greylist member will be mitigated even if they are not related to the current attack.

Workaround:
It it's necessary it's possible to clear greylist manually using ipidr utility.

Fix:
Clear the greylist upon attack end.


608742-2 : DHCP: DHCP renew ACK messages from server are getting dropped by BIG-IP in Forward mode.

Solution Article: K48561135

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is configured in Forwarding mode, the BIG-IP system drops the renewal ACK message from the server in response to unicast renewal message from DHCP clients.

Conditions:
-- BIG IP system configured in forwarding mode.
-- DHCP clients sending unicast renewal message to DHCP server.

Impact:
Unicast DHCP renewal requests are not responded to with ACKs. DHCP clients will send broadcast renewal messages and will receive ACK from servers.

Workaround:
None.

Fix:
After being unable to receive ACK responses from DHCP servers for unicast DHCP renewal messages, the DHCP client will send broadcast DHCP renewal messages and receive an ACK from the DHCP server and ACKs forwarded by the BIG-IP system and received by DHCP clients.


608591-1 : Subscriber ID type should be set to NAI over Diameter for DHCP discovered subscribers

Component: Policy Enforcement Manager

Symptoms:
CCR-I requests from PEM to PCRF have subscriber ID type set to 6 (UNKNOWN) for DHCP subscribers instead of 3 (NAI).

Conditions:
Occurs for DHCP discovered subscribers on a BIG-IP system that uses a PCRF for policy determination.

Impact:
Might impact the way policies are provided from the PCRF.

Workaround:
None

Fix:
Subscrbier ID type is marked as NAI for DHCP discovered subscribers.


608566-1 : The reference count of NW dos log profile in tmm log is incorrect

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles, the log message in tmm log is showing incorrect reference cnt to the log profiles.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
This may lead to issues such as TMM crash if the reference count is not calculated correctly

Fix:
The reference count now is showing correct number in the log message after the fix


608555-1 : Configuring asymmetric routing with a VE rate limited license will result in tmm crash

Component: Local Traffic Manager

Symptoms:
Configuring asymmetric routing with a VE rate limited license results in tmm crash.

Conditions:
Asymmetric routing is configured (i.e., client and/or server ingress and egress travel on different VLANs), and a VE rate limited license is used.

Impact:
tmm might continually crash when passing traffic. Traffic disrupted while tmm restarts.

Workaround:
Do not use asymmetric routing with a rate limited license.

Fix:
The VE rate shaper now works correctly when asymmetric routing is configured, tmm does not crash.


608551-3 : Half-closed congested SSL connections with unclean shutdown might stall.

Component: Local Traffic Manager

Symptoms:
Half-closed congested SSL connections with unclean shutdown might stall.

Conditions:
If SSL egress is congested and the client FINs with no Close Notify, connection might stall as SSL does not request more egress data from HTTP.

Impact:
Possible stalled flow.

Workaround:
Use SSL client that sends clean shutdown.

Fix:
Resolved half-closed congested SSL connections with unclean shutdown, so connections no longer stall.


608509-1 : Policy learning is slow under high load

Component: Application Security Manager

Symptoms:
On systems with high load, policy learning is slow and learning suggestions are slow to arrive.

Conditions:
Policy builder generates many learning suggestions on a system that processes intense traffic.

Impact:
Learning suggestions appear with considerable delay, policy learning speed goes down.

Workaround:
No workaround

Fix:
Fixed an issue with slow policy learning on heavily loaded systems.


608424-2 : Dynamic ACL agent error log message contains garbage data

Component: Access Policy Manager

Symptoms:
Starting in BIG-IP version 12.0.0, Dynamic ACL error log messages might contain garbage data.

Conditions:
This occurs when Dynamic ACL detects incorrect syntax of an ACL entry.

Impact:
The system logs garbage data.

Workaround:
Make sure the ACL entry is correct.

Fix:
Dynamic ACL error log messages no longer contain garbage data when Dynamic ACL detects incorrect syntax of an ACL entry.


608408-2 : TMM may restart if SSO plugin configuration initialization fails due to internal error in tmconf library

Component: Access Policy Manager

Symptoms:
TMM may restart when new SAML SSO configuration is created on BIG-IP systems as SAML IdP. This could also happen when BIG-IP is restarted, or a saved configuration containing SAML SSO objects is loaded on running BIG-IP.

Conditions:
All of the following
- The BIG-IP system is used as SAML IdP
- New SAML SSO configuration is added on BIG-IP
- Rarely occurring internal tmconf error happens when processing newly added configuration.

Impact:
TMM may restart.

Workaround:
None.

Fix:
TMM no longer restarts when internal error happens upon adding new SAML SSO configurations. Instead, the system logs the following error in /var/log/apm to indicate problematic configuration object: Internal error processing sso config <name>.


608373-2 : Some iApp LX packages will not be saved during upgrade or UCS save/restore

Component: iApp Technology

Symptoms:
iApp LX packages that include dependencies on system utilities (like /bin/sh, /bin/bash, python etc.) cannot be imported to iApp LX RPM database.

Conditions:
oApp LX packages that depends on system utilities.

Impact:
iApp LX packages with dependencies will not be restored during upgrade or UCS restore process.

Workaround:
None.

Fix:
iApp LX UCS save process is updated turn off automatic dependency generation by rpmbuild so iApp LX package can be imported during UCS restore or upgrade.


608348-4 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Component: TMOS

Symptoms:
After deleting an iApp build from the f5.citrix_vdi.v2.3.0 template then running a config sync, the system that received the sync could have a tunnel object left over which should have been deleted.

Running 'tmsh load sys config verify' after this sync would give the following error.
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.

Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.

Impact:
Config validation fails, and you must delete the tunnel manually.

Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect

Fix:
The autogenerated tunnel is now successfully removed on receiving devices.


608320-3 : iControl REST API sets non-default persistence profile prop to "none"; properties not present in iControl REST API responseiControl REST API, sets persistence profile's non-default property value as "none"; properties missing in iControl REST API response

Component: TMOS

Symptoms:
For persistence profiles, iControl REST does not provide visibility for property override when "none" is specified, including references, passwords, and array of strings.

Conditions:
-- Use iControl REST API with persistence profiles.
-- string, enum, or vector of enum/string property explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf.

Impact:
The iControl REST API response skips these elements. iControl REST does not provide visibility for persistence profile property overrides.

Workaround:
None.

Fix:
iControl REST API now returns persistence profile elements (i.e., string, enum , or vector of enum/string property that is explicitly set to "none" for a component within any REST API endpoint specialized in /etc/icrd.conf) with a value "none". The exclusion to this policy is the secured attributes. Secured attributes are always excluded from the iControl REST API response.


608304-1 : TMM crash on memory corruption

Solution Article: K55292305

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.


608245 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameters details or with garbled parameter details in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Bad reporting

Workaround:
N/A


608024-3 : Unnecessary DTLS retransmissions occur during handshake.

Component: Local Traffic Manager

Symptoms:
Unnecessary DTLS retransmissions occur during handshake.

Conditions:
During DTLS handshake, unnecessary retransmissions of handshake message may occur on VE platform.

Impact:
Possible DTLS handshake failure on VE platform.

Workaround:
None.

Fix:
This release fixes a possible failed DTLS handshake on VE platforms.


608009-1 : Crash: Tmm crashing when active system connections are deleted from cli

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address by relay agent, tmm may crash when active system connections are deleted from cli or via aging.

Conditions:
1) BIG-IP in forwarding mode
2) giaddr field in unicast DHCP renewal packet is set to IP address of relay agent (Typically, it is set to 0 by the DHCP client)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This is not a typical network setup. Usually DHCP relay agent will not modify DHCP renewal packet to insert its own address as giaddr.


607961-1 : Secondary blades restart when modifying a virtual server's route domain in a different partition.

Component: TMOS

Symptoms:
Secondary blades restart when modifying a virtual server's route domain in a different partition. This log signature is in /var/log/ltm before the secondaries restart: err mcpd[1255]: 0107004d:3: Virtual address (/stef/1.1.1.1%0) encodes IP address (1.1.1.1) which differs from supplied IP address field (1.1.1.1%1).

Conditions:
- Only happens on chassis.
- Route domains created on each device.
- Route domain assigned to a new partition after they were created.

Impact:
Traffic disrupted while secondary blades restart.

Workaround:
None.

Fix:
Secondary blades no longer restart when modifying a virtual server's route domain in a different partition.


607857-1 : Some information displayed in "list net interface" will be stale for interfaces that change bundle state

Component: TMOS

Symptoms:
Changing the bundling on an interface does not clear the following fields in the previously configured interface:
module-description, serial, vendor, vendor-oui, vendor-partnum, vendor-revision.

That information will be correct for the active interface, it is just not cleared for the previously configured interface.

Module description is not correctly reported on unbundled interfaces.

Conditions:
Bundling change on an interface

Impact:
"list net interface" on previously configured interfaces will show stale information. May be confusing.
Module description is missing from "list net interface" on unbundled interfaces.

Workaround:
Stale data will clear on a reboot. This is purely a display issue, it does not affect the functionality of the currently configured interfaces.


607803-3 : DTLS client (serverssl profile) fails to complete resumed handshake.

Solution Article: K33954223

Component: Local Traffic Manager

Symptoms:
DTLS client (serverssl profile) fails to complete resumed handshake.

Conditions:
This occurs when the BIG-IP system acts as a DTLS client.

Impact:
Possible failed resumed handshake.

Workaround:
Disable session reuse.

Fix:
This release fixes a possible failed resumed DTLS handshake.


607724-2 : TMM may crash when in Fallback state.

Solution Article: K25713491

Component: Local Traffic Manager

Symptoms:
There is a chance, when HTTP in Fallback mode, that the HTTP filter will send an Abort event to the TCP filter (causing tear down) prematurely while the Aborting that was triggered by the upper filter/proxy is occurring.

TMM may crash when this happens.

Conditions:
It is not known exactly what conditions trigger this, but it has been known to occur when issuing HTTP::respond in the LB_FAILED event in an iRule, and it has been seen only rarely.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a rarely occurring tmm crash that might be related to issuing HTTP::respond in the LB_FAILED event in an iRule.


607713-3 : SIP Parser fails header with multiple sequential separators inside quoted string.

Component: Service Provider

Symptoms:
SIP Parser fails header with multiple sequential separators inside quoted string.

Conditions:
If a SIP header contains multiple attribute separators ',' or ';' in an attribute.

Impact:
The SIP parser flags the message as an error. If this occurs in a quote within the attribute, it should be allowed, but it will still fail, Valid SIP messages are failing to be parsed.

Workaround:
None.

Fix:
The SIP parser has been improved to ignore multiple sequential separators if within quotes.


607658-1 : GUI becomes unresponsive when managing GSLB Pool

Component: Global Traffic Manager (DNS)

Symptoms:
GUI Locks Up and becomes unresponsive. Most major web browsers will complain about slow javascript and prompt you to kill the script.

Conditions:
Managing an A type GSLB pool when hundereds of virtual servers exist. These virtual servers do not have to be associated with the pool you are attempting to manage.

Impact:
Page takes a significantly long time to load.

Workaround:
Manage pools through tmsh, or wait for it to load.


607524-2 : Memory leak when multiple DHCP servers are configured, and the last DHCP server configured is down.

Component: Local Traffic Manager

Symptoms:
When the last member of a list of multiple DHCP servers is down, the original DHCP packet from client is not freed and memory is leaked.

Conditions:
Multiple DHCP servers are configured, and the last DHCP server configured is down.

Impact:
Packet memory is leaked.

Workaround:
Remove the last DHCP server that is down, or move it to the middle or front of the server member list.

Fix:
Free the original packet memory when last DHCP server is down.


607410-1 : In the iRule output of X509 Certificate's subject and issuer, the display is not OpenSSL compatible

Solution Article: K81239824

Component: Local Traffic Manager

Symptoms:
When using an iRule to output X509 Certificate's subject and issuer, the display is not OpenSSL compatible.

Conditions:
Using iRule command 'X509::subject' and 'X509::issuer' to get the Cert's subject and issuer, and then using log to display them.

Impact:
The BIG-IP system fails to pass properly formatted certificate information to the server. You observe messages similar to the following example in the /var/log/ltm file, displaying incorrectly parsed attributes:

-- tmm1[12345]: Rule /Common/test <HTTP_REQUEST>: BEFORE subject: serialNumber=2485870712015,CN=Milan Mastnak,SN=Mastnak,GN=Milan,OU=individuals,ST=Slovenija,C=SI

-- tmm1[12345]: Rule /Common/test <HTTP_REQUEST>: BEFORE issuer: CN=SI-TRUST Root,2.5.4.97=#0C0E56415453492D3137363539393537,O=Republika Slovenija,C=SI

Workaround:
None.

Fix:
In the iRule output of X509 Certificate's subject and issuer, the system now outputs the information in a format that is 'OpenSSL X509' compatible.

Behavior Change:
In this release, the order of output is reversed for the X509::subject. This change was done to make the output of [X509::subject [SSL::cert 0]] OpenSSL-compatible.

-- In v12.x, the format is:
CN=USERNAME,OU=CONTRACTOR,OU=PKI,OU=DEPT,O=COMPANY,C=US

-- In v13.x, the format is:
C=US,O=COMPANY,OU=DEPT,OU=PKI,OU=CONTRACTOR,CN=USERNAME

IMPORTANT: Depending on iRules you have configured, this change might impact your application functionality that depends on the old format. If the output your application expects the X509::subject to be formatted as it was in pre-13.0.0 releases, make sure to modify the iRules after upgrading.

To use the new format, in any iRules that use the old structure, change the output format of the X.509 certificate subject to use this format:

C=US,O=COMPANY,OU=DEPT,OU=PKI,OU=CONTRACTOR,CN=USERNAME


607360-5 : Safenet 6.2 library missing after upgrade

Component: Local Traffic Manager

Symptoms:
After upgrading BIG-IP, a symbolic link is missing to the core Safenet library.

Conditions:
This occurs when a BIG-IP installation with Safenet 6.2 already installed is upgraded.

Impact:
Safenet 6.2 is not functional.

Workaround:
Reinstall Safenet 6.2. Or,

run this command at all blades of BIG-IP after the installation.

ln -sf /shared/safenet/toolkit/libgem.so /usr/lib64/openssl/engines/libgem.so

Fix:
Add symbolic link to libgem at time of pkcs11d daemon start/restart.


607314-1 : Oracle Java vulnerability CVE-2016-3500, CVE-2016-3508

Solution Article: K25075696


607304-5 : TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Component: Local Traffic Manager

Symptoms:
TMM is killed by SOD (missing heartbeat) during geoip_reload performing munmap.

Conditions:
This can occur under normal operation, while running the geo_update command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Running the geo_update command no longer causes this error.


607246-10 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile

Conditions:
Encrypted cookie persistence with fallback where the fallback persistence has a reasonable short timer such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.


607200-1 : Switch interfaces may seem up after bcm56xxd goes down

Component: TMOS

Symptoms:
'tmsh show net interface' may show that switch ports are still up after bcm56xxd is brought down. This is because bcm56xxd does not notify mcpd that bcm56xxd will go down.

Conditions:
If the switch ports are up and bcm56xxd is brought down, 'tmsh show net interface' will show that the switch ports are still up.

Impact:
The switch ports may seem up, but traffic can't be sent/received.

Workaround:
None.

Fix:
Fix for bcm56xxd to notify mcpd that all ports become uninitialized before it goes down has already been implemented.


607152-1 : Large Websocket frames corrupted

Component: Local Traffic Manager

Symptoms:
If large Websocket frames are being sent by the end-point and this transfer is interleaved with frames being sent by the other endpoint, corrupted frames could be sent by BIG-IP.

Conditions:
Websocket profile is attached to the virtual. Large Websocket frames are sent by the end-point. This transfer is interleaved with frames being sent in the other direction.

Impact:
Connection reset because of corrupted frames being received by the end-point.


606983-3 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.

Fix:
Import failure no longer occurs when importing ASM policy with more than 1000 Session Awareness Data Points. Now, there is a maximum of 1000 Session Awareness Data Points exported into an XML policy export.


606940-3 : Clustered Multiprocessing (CMP) peer connection may not be removed

Component: Local Traffic Manager

Symptoms:
- High memory usage due to connflow allocations
 - conn_remove_cf_not_found stat is non-zero

Conditions:
CMP with multiple TMMs. CMP peer connection is removed before it has been established.

Impact:
Low memory may lead to allocation failures that may lead to tmm core

Fix:
Fix validation performed on parsed CMP flow keys that allows unknown CMP connections to be removed.


606875-1 : DoS Application - Block requests from suspicious browsers feature causes javascript latency for webapp first page

Component: Application Security Manager

Symptoms:
When an end-user accesses a web-site's first page there is a noticeable latency until it gets the page content.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
Bad user experience when accessing the website's first page.

Workaround:
N/A

Fix:
The javascript has improved as much as possible to reduce the time to get the website's first page.


606807-1 : i5x00, i7x00, i10x00 series appliances may use sensor number instead of name "LCD health" reporting communication error

Component: TMOS

Symptoms:
If the LCD is not communicating with BIG-IP when the chassis manager daemon starts occasionally LCD errors will be displayed using the sensor number rather than the name "LCD"

Conditions:
chmand restart and LCD unable to commuicate

Impact:
cosmetic

Fix:
LCD error will show name "LCD" rather than sensor number in communication error.


606771-2 : Multiple PHP vulnerabilities

Solution Article: K35799130


606710-10 : Mozilla NSS vulnerability CVE-2016-2834

Solution Article: K15479471


606575-6 : Request-oriented OneConnect load balancing ends when the server returns an error status code.

Component: Local Traffic Manager

Symptoms:
Request-oriented OneConnect load balancing ends when the server returns an error status code.

Conditions:
OneConnect is enabled and the server responds with a HTTP error status code.

Impact:
The client remains connected to the server, and no further load-balancing decisions are made.

Workaround:
It may be possible to detect the HTTP status code in the response, and manually detach the client-side.

To do so, use an iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 200 } { return }
    if { [HTTP::status] == 401 } {
        set auth_header [string tolower [HTTP::header values "WWW-Authenticate"]]
        if { $auth_header contains "negotiate" || $auth_header contains "ntlm" } {
            # Connection-oriented auth. System should already be doing the right thing
            unset auth_header
            return
        }

        unset auth_header
    }

    catch { ONECONNECT::detach enable }
}.

Note: These workarounds should not be used when the backend server is using connection-oriented HTTP authentication (e.g., NTLM or Negotiate authentication).

Fix:
With OneConnect, the client-side remains detachable when the server-side returns an HTTP error status code.


606573-3 : FTP traffic does not work through SNAT when configured without Virtual Server

Component: Local Traffic Manager

Symptoms:
After upgrading to 12.1.0 or 12.1.1, FTP traffic no longer works correctly with SNAT, when SNAT is configured without a virtual server.

Conditions:
The BIG-IP system configured to allow FTP traffic through, and SNAT is configured without a virtual server.

Impact:
The BIG-IP system does not SNAT port 21 traffic. In rare circumstances this can cause tmm to restart.

Workaround:
None.

Fix:
FTP traffic now works through SNAT when SNAT is configured without a virtual server.


606565-2 : TMM may crash when /sys db tm.simultaneousopen is set to reset or drop_connection

Solution Article: K52231531

Component: Local Traffic Manager

Symptoms:
When the /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection', TMM may crash during a TCP simultaneous 4 way handshake.

Conditions:
1. The /sys db tm.simultaneousopen variable is set to 'reset' or 'drop_connection'.
2. A TCP 4 way handshake (simultaneous open) occurs as described in RFC 793.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The crash can be avoided, while still mitigating TCP 4 way handshakes, by setting the /sys db tm.simultaneousopen variable to 'drop_pkt'.


606521-1 : Policy with UTF-8 encoding retains disallowed high ASCII meta-characters after upgrade

Component: Application Security Manager

Symptoms:
Policy with UTF-8 encoding has disallowed high ASCII meta-characters even after upgrade, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
System with a policy with encoding set to UTF-8 (uppercase).
Upgrading from v11.6.x/v12.x to v12.1.2 or 13.0.0.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Workaround:
None.

Fix:
The upgrade process now fixes policies that had their encoding stored in uppercase as well.


606518-3 : iControl REST with 3rd party auth does not function as expected with special characters in the username e.g., '$', '@' / email addresses as username.

Solution Article: K00762373

Component: Device Management

Symptoms:
Cannot use usernames containing special characters ('$', '@', '.', etc.) when requesting an authentication token for iControl REST when 3rd party authentication provider being used. An 'at' ( @ ) character is a common instance when using an email address as the username.

Conditions:
-- BIG-IP system uses 3rd party RADIUS or LDAP authentication.
-- Username contains a special character (e.g., an email address).

Impact:
Cannot authenticate and get authentication token using iControl REST.

Workaround:
Do not use username with special characters, e.g., 'at' ( @ ), period ( . ), dollar sign ( $ ), and so on.

Fix:
Updated logic to allow any special characters in username and password when 3rd party authentication system is used on the BIG-IP system.


606509-4 : Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover

Component: TMOS

Symptoms:
Incorrect process priority in vCMP guest results in low priority of the guest control-plane, which might cause high availability failover.

Conditions:
This occurs when the following conditions are met:
* vCMP provisioned.
* vCMP hypervisor (host) running 12.1.0
* vCMP guest with 2 or more cores deployed and running 11.5.0 or greater.
* vCMP guest has HT-Split enabled (tmsh list sys db scheduler.splitplanes.ltm).

Impact:
vCMP guests may experience control-plane issues (such as failures to send or receive network failover traffic in an HA-pair, causing a failover).

Fix:
This release restores the process nice value of VCMP guest control-plane, so the vCMP guest no longer experiences potential frequent failovers.


606316-4 : HTTPS request to F5 licensing server fails

Component: iApp Technology

Symptoms:
Licensing BIG-IP systems through REST API fails.

Conditions:
Licensing BIG-IP systems using the REST API.

Impact:
Cannot use REST API to license BIG-IP systems.

Workaround:
Use TMUI or TMSH to license BIG-IP systems.

Fix:
Licensing BIG-IP systems through REST API now completes successfully.


606257-3 : TCP FIN sent with Connection: Keep-Alive header for webtop page resources

Solution Article: K56716107

Component: Access Policy Manager

Symptoms:
When using customized webtops (for example, using custom images for the webtop links), sometimes a TCP FIN flag will be sent with a packet with an HTTP "Connection: Keep-Alive" header. Not all clients recover from this.

Conditions:
Use a customized webtop link.

Impact:
The webtop links page does not render correctly.

Fix:
Weptop page resources no longer send FIN flags with Keep-Alive headers.


606110-2 : BIG-IP VE dataplane interfaces change to using UNIC modules instead of sockets.

Component: TMOS

Symptoms:
On AWS and Azure, dataplane interfaces use socket-based networking instead of UNIC modules. After upgrading a version later than 12.1.0, the default module for dataplane interfaces is UNIC modules instead of socket-based networking.

Conditions:
Upgrading BIG-IP VE on AWS or Azure running versions 12.0.0 or 12.1.0.

Impact:
The raw socket-based tmm driver is replaced by a UNIC driver. The socket-based driver eliminates kernel driver dependencies and provides better portability during kernel/driver upgrades.

Workaround:
None.

Fix:
BIG-IP VE socket-based networking driver retained after upgrade on AWS or Azure.


606066-2 : LSN_DELETE messages may be lost after HA failover

Component: Carrier-Grade NAT

Symptoms:
After a failover, an LSN_DELETE message may be lost if the connection continued after the failover.

Conditions:
CGNAT configured as an HA pair, with session logging enabled.

Impact:
An LSN_DELETE message may be missing from the logs.

Fix:
After the fix, the LSN_DELETE message will not be lost.


606035-1 : csyncd crash

Component: Local Traffic Manager

Symptoms:
csyncd crashes and dumps core under certain conditions. You might see messages such as the following: emerg logger: Re-starting csyncd.

Conditions:
csyncd handles filenames that contain certain exotic characters or symbols, or files with very long filenames.

Impact:
csyncd will crash and dump core. csyncd retarts continuously.

Workaround:
None.

Fix:
csyncd now handles filenames that contain certain exotic characters or symbols, and files with very long filenames.


605983-1 : tmrouted may crash when being restarted in debug mode

Component: Local Traffic Manager

Symptoms:
tmrouted may restart after it being manually restarted with debug level equal or higher than 2.

Conditions:
tmrouted is manually restarted with debug level equal or higher than 2.
Multi route-domain setup with independent routing processes enabled on several route-domains.

Impact:
tmrouted may restart additional times which can add delay to getting back to service after manually restarting tmrouted.
Any restart of tmrouted already causes loss of dynamic routing sessions.

Workaround:
Do not use equal or higher than 2 debug level for tmrouted. This should be carried out only under recommendation from F5 Support.

Fix:
tmrouted no longer crashes when being restarted in debug mode


605982-1 : Policy settings change during export/import

Component: Application Security Manager

Symptoms:
Exporting a security policy from one device with specific learning and blocking settings selected, and then imports it to another device, the security policy does not load the expected learning and blocking settings on the target device, and is a mismatch from what is on the source device.

Conditions:
On device A: Security :: Application Security : Policy Building : Learning and Blocking Settings

• Select 'Enable' and 'Learn' under HTTP protocol compliance failed for all the sub-violations.

• Save and export the policy in XML format.

• Import to device B.

Impact:
The loaded policy on device B does not have all the options checked for HTTP protocol compliance failed for all the sub-violations as expected.

When exporting the policy from device B, the name of the exported file does not change to match device B's name, but still remains as device A's name.

Workaround:
For exporting a policy that has Policy Builder enabled, use either of the methods below:

-- Use XML export:

  + On export:
    - Stop policy builder.
    - Export to XML policy.
    - Start policy builder.

   + On import:
     - Import the XML policy.
     - Start the policy builder on the newly imported policy.

  2) Use binary export/import.

Fix:
This release fixes the XML Policy export/import processes so that there are no differences created in the 'HTTP protocol compliance' learning settings


605894-3 : Remote authentication for BIG-IP users can fail

Component: TMOS

Symptoms:
While trying to log into the command line of BIG-IP as a remotely authenticated user, login will intermittently fail. You may see the following in /var/log/secure: "err httpd[19596]: pam_ldap: ldap_simple_bind Can't contact LDAP server" but the LDAP server is up and is accessible by the BIG-IP

Conditions:
Remote authentication configured, users configured to use remote authentication, ssl-check-peer is enabled and one or more of these properties are different than "none": ssl-ca-cert-file, ssl-client-cert, ssl-client-key.

Impact:
The remote authentication service will fail to initiate a connection to the LDAP server with the ssl-check-peer setting enabled, even if the ssl-ca-cert-file is valid. It will terminate the connection and remote authentication will fail.

Workaround:
Disabling ssl-check-peer and setting ssl-ca-cert-file, ssl-client-cert and ssl-client-key to "none" can work around this issue.


605865-4 : Debug TMM produces core on certain ICMP PMTUD packets

Component: Local Traffic Manager

Symptoms:
The debug TMM will produce a core on the assert "cwnd or ssthresh too low" when receiving an ICMP PMTUD packet with an MTU larger than the current MTU. This does not affect the default TMM.

Conditions:
While using the debug TMM, an ICMP PMTUD packet is received with an MTU larger than the current MTU.

Impact:
Debug TMM crashes on assert "cwnd or ssthresh too low." Traffic disrupted while tmm restarts.

Workaround:
Block incoming ICMP PMTUD packets. Note that this will cause Path MTU Discovery to fail, and IP packets sent by the BIG-IP system with the Don't Fragment (DF) bit set may be dropped silently if the MTUs of the devices on the path are configured incorrectly.

Fix:
The system now always updates TCP MSS after an ICMP PMTUD packet, so there is no debug TMM core.


605792-1 : Installing a new version changes the ownership of administrative users' files

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.

Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer be prevented from using stored public keys in authorized_keys.


605682-2 : With forward proxy enabled, sometimes the client connection will not complete.

Component: Local Traffic Manager

Symptoms:
If forward proxy is enabled, and a required forged certificate is not in the cache, the connection might not complete.

Conditions:
Forward proxy is enabled, and a required forged certificate is not in the cache.

Impact:
Degraded service due to connections not completing.

Workaround:
None.

Fix:
The stalling caused by a missing forged certificate no longer happens.


605649-3 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.


605627 : Selinux denial seen for apmd when it is being shutdown.

Component: Access Policy Manager

Symptoms:
When Apmd process is stopped, you observe a selinux related log which indicates that apmd process does not have the getattr permission for shared memory component owned by tmm.

Conditions:
When apmd is stopped or restarted.

Impact:
No Impact to APMD functionality. APMd stops and starts normally.


605616-1 : Creating 256 Fundamental Security policies will result in an out of memory error

Component: Application Security Manager

Symptoms:
ASM out of memory error will occur when 256 fundamental security policies are created.

Conditions:
Create 256 fundamental security policies.

Impact:
Out of memory error.

Workaround:
None.

Fix:
Improved memory allocations for shared XML profiles to enable more than 256 fundamental security policies.


605579-8 : iControl-SOAP expat client library is subjected to entropy attack

Solution Article: K65460334


605537-5 : Error when resetting statistics on GSLB Pool Members

Solution Article: K03997964

Component: Global Traffic Manager (DNS)

Symptoms:
GUI error: "An error has occurred while trying to process your request." when attempting to reset the GSLB stats for DNS Pool Members.

Conditions:
-- In the GUI on the Statistics :: Module Statistics : DNS : GSLB :: Pool Members page.
-- Attempting to reset statistics.

Note: This occurs only on Pool Members Statistics. Other Types are unaffected.

Impact:
Inability to reset stats for BID-IP DNS Pool Members statistics from the GUI.

Workaround:
You can attempt to reset using a command line command similar to the following:

$ tmsh reset-stats gtm pool <record> <pool> members { <server_obj>:<member> }.


For example:

$ tmsh reset-stats gtm pool a myPool1 members { LTM107:/Common/myFastL4VS }.

Fix:
Fixed issue on the GSLB Pool Member stats page.


605525-1 : Deterministic NAT combined with NAT64 may cause a TMM core

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when a virtual is configured with nat64 enabled, and a deterministic NAT lsn-pool, and there is traffic.

Conditions:
lsn-pool in deterministic mode is attached to a virtual server with nat64 enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Deterministic NAT is not supported with nat64, and should not be configured.


605480-4 : BIG-IP sends MP_FASTCLOSE after completing active close of MPTCP connection

Component: Local Traffic Manager

Symptoms:
After completing an active close of an MPTCP connection, the BIG-IP sends MP_FASTCLOSE.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and MPTCP performs an active close of a connection.

Impact:
The BIG-IP retransmits MP_FASTCLOSE after the connection closing is complete until the maximum number of retransmissions is reached.

Fix:
Fixed sequence of events on connection closure.


605476-3 : statsd can core when reading corrupt stats files.

Component: TMOS

Symptoms:
-- The istatsd process produces a core file in the /shared/core directory.

Conditions:
This issue occurs when the following condition is met:

The istatsd process attempts to read a corrupt iStats segment file with duplicate FIDs.

Under these conditions, the istatsd process continually consumes memory which produces a core causing the istatsd process to restart.

Impact:
iStatsd process will restart due to resource exhaustion.

Workaround:
To work around this issue, you can remove the iStats files and restart the istatsd processes. To do so, perform the following procedure:

Impact of workaround: This workaround will cause all statistics in the iStats files to reset.

1. Log in to the BIG-IP command line.
2. To stop the istatsd and related processes, type the following command:
tmsh stop sys service istatsd avrd merged.

3. To delete the iStats files, type the following command:
find /var/tmstat2/ -depth -type f -delete.

4. To start the istatsd and related processes, type the following command:
tmsh start sys service istatsd avrd merged.

Fix:
Added a fix to protect against a continually reading a segment file that is corrupted and has Duplicate Fids.


605427-1 : TMM may crash when adding and removing virtual servers with security log profiles

Component: Advanced Firewall Manager

Symptoms:
In certain circumstances when virtual servers are configured with security log profiles TMM may crash.

Conditions:
Creation, modification and deletion of many virtual servers with security log profiles attached.

Impact:
TMM may crash with the following log in /var/log/tmm:
<13> Apr 18 13:23:04 <hostname> notice panic: ../base/fw_log_profile.c:3368: Assertion "fw_log_profile_protocol_sip_dos ref non-zero" failed.

Traffic disrupted while tmm restarts.

Fix:
TMM no longer crashes with multiple creation, modification and deletion of many virtual servers with security log profiles attached.


605420-5 : httpd security update - CVE-2016-5387

Solution Article: K80513384


605270-5 : On some platforms the SYN-Cookie status report is not accurate

Component: TMOS

Symptoms:
On a vCMP guest, after a ePVA-enabled virtual server enters SYN Cookie mode, the FPGA will never leave SYN Cookie mode even though BIG-IP has returned to normal mode.

Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.

Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.

Workaround:
Upgrade with new fixes for this.

Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.


605260-1 : [GUI] Changes can not be made to GTM listener in partition with default route domain <> 0

Component: Global Traffic Manager (DNS)

Symptoms:
When a listener is created in a partition that has a default route domain set, you cannot make changes to the listener in the GUI via DNS -> Delivery -> Listeners. It gives 'Instance not found' error when you try to save the change. Also, a listener in the /Common partition cannot even be viewed when a partition that has a default route domain other than 0 is selected.

Conditions:
This occurs when using partitions that have default-route-domain set to something other than 0.

Impact:
You will be unable to make changes to the listener.

Workaround:
Use TMSH or through LTM GUI: Local Traffic :: Virtual Servers.


605147-1 : No mirroring for TCP TIME-WAIT reconnections and new TCP flows after HA reconnections.

Component: Local Traffic Manager

Symptoms:
New connections made when a BIG-IP flow is in TCP TIME-WAIT state are not mirrored. New TCP flows after high availability (HA) reconnections may not be mirrored correctly.

Conditions:
This occurs when a TCP profile is used, along with one of the following:
 -- A BIG-IP flow is in TCP TIME-WAIT state.
 -- HA connection is reestablished and a mirrored BIG-IP flow has lost some packets.

Impact:
The connections affected are not mirrored.

Workaround:
Disable TIME-WAIT for the TCP profile.

Fix:
Reconnections in TCP TIME-WAIT state are now mirrored correctly. New connections after HA reconnections are now mirrored correctly.


605125-2 : Sometimes, passwords fields are readonly

Component: Fraud Protection Services

Symptoms:
Sometimes, passwords fields are readonly so the user won't be able to type any password.

Conditions:
WebSafe protection enabled on a site

Impact:
the user won't be able to type any password on the site.

Workaround:
N/A

Fix:
N/A


605123-1 : IAppLX objects fail to sync after establishing HA in auto-sync mode

Component: Device Management

Symptoms:
IAppLX objects are part of REST Framework. REST Framework implements gossip based replication. This replication might not work when restFrameworkVersion in device-group device out of sync with actual restFrameworkVersion

Conditions:
DeviceInfoWorker detects and update the framework version after rest RPM upgrade. But device group device doesn't get updated correctly

Impact:
REST framework objects (Including iAppLX instances, templates, packages) fail to sync to HA peer

Workaround:
Mitigation is to run DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update. Workaround is to patch the restFrameworkVersion manually on the device-group device.

Fix:
Run the DeviceRefreshWorker and it is responsible for patching the localhost resource in all device groups with correct framework version on update.


605039-3 : lwresd and bind vulnerability CVE-2016-2775

Solution Article: K92991044


605010-1 : Thrift::TException error

Component: Application Visibility and Reporting

Symptoms:
Trying to send a scheduled report might fail in some cases with the error "Thrift::TException=HASH(0x9a65410)".

Conditions:
This occurs when sending scheduled reports.

Impact:
Failure on sending scheduled-report.

Workaround:
Modify the script to use the explicit address instead of the 'localhost' value. This can be achieved with the following command:

mount -o remount -rw /usr
sed -i 's/localhost/127\.0\.0\.1/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
mount -o remount -r /usr

Fix:
Changing script to use explicit address instead of 'localhost'.


604977-2 : Wrong alert when DTLS cookie size is 32

Solution Article: K08905542

Component: Local Traffic Manager

Symptoms:
When ServerSSL profile using DTLS receives a cookie with length of 32 bytes, the system reports a fatal alert.

Conditions:
Another LTM with ClientSSL profile issues 32-byte long cookie.

Impact:
DTLS with cookie size 32-byte fails.

Workaround:
None.

Fix:
DTLS now accepts cookies with a length of 32 bytes.


604926-3 : The TMM may become unresponsive when using SessionDB data larger than ~400K

Solution Article: K50041125

Component: Local Traffic Manager

Symptoms:
There is a hard limit on messages sizes sent on the backplane on chassis platforms. Messages larger than the limit (~400K) are refused from being sent at a lower layer but buffered for resending at a higher layer. The messages are never sent which cases backplane communication to lockup.

Conditions:
-- The BIG-IP system is a chassis with more than one blade.
-- Client traffic triggers the creation of SessionDB data larger than ~400K.

Impact:
The TMM becomes unresponsive to client traffic. If left running under load, the TMM might run out of memory from buffering SessionDB data and crash.

Workaround:
The workaround is the avoid sending large SessionDB data. The TMM may be restarted in the event it does become unresponsive.

Fix:
There is no longer a hard limit for sending SessionDB data on the backplane.


604923-5 : REST id for Signatures change after update

Component: Application Security Manager

Symptoms:
The REST id of existing signatures are unexpectedly modified after updating a User Defined Signature, or downloading an Attack Signature Update that modifies existing signatures.

Conditions:
A User-Defined Signature is updated, or an ASU containing updated signatures is downloaded.

Impact:
The REST id of the modified signatures is changed which may confuse REST clients.

Workaround:
Execution of the following script will repair an affected device:

perl -MF5::Utils::Rest -MF5::DbUtils -MF5::ASMConfig::Entity::Signature -e '$dbh = F5::DbUtils::get_dbh(); $dbh->begin_work(); $dbh->do("UPDATE PLC.NEGSIG_SIGNATURES SET rest_uuid = \"\" "); F5::Utils::Rest::populate_uuids(dbh => $dbh, rest_entities => ["F5::ASMConfig::Entity::Signature"]); $dbh->commit();'

Fix:
Updated Signatures now retain the correct REST id.


604885-1 : Redirect/Route action doesn't work if there is an alert logging iRule

Component: Fraud Protection Services

Symptoms:
When "Trigger iRule Events" is enabled in FPS profile and there are configured FPS rules with Route/Redirect actions, the actions will not be performed.

Conditions:
"Trigger iRule Events" is enabled in FPS profile and the virtual server has at least one iRule with ANTIFRAUD_ALERT or ANTIFRAUD_LOGIN events.

Impact:
Configured FPS rules with Route/Redirect actions will not be performed.

Workaround:
Disabling the "Trigger iRule Events" in FPS profile.

Fix:
"Trigger iRule Events" no longer breaks FPS rules with configured Route/Redirect actions.


604880-4 : tmm assert "valid pcb" in tcp.c

Component: Local Traffic Manager

Symptoms:
tmm panic tcp.c:2435: Assertion "valid pcb" failed

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


604838-1 : TCP Analytics reports incorrectly reports entities as "Aggregated"

Component: Local Traffic Manager

Symptoms:
Although the user has configured TCP Analytics to store statistics for a certain entity, it reports data for that entity in a single "Aggregated" row.

Conditions:
ALL of these conditions must be true:

The TCP Analytics profile is attached to a virtual with both clientside or serverside collection turned off in the profile.

TCP profile has mptcp, rate-pace, tail-loss-probe, fast-open, AND enhanced-loss-recovery all disabled. Also, Nagle, send-buffer, receive-window, proxy-buffer are not in AUTO mode. Finally, rexmt-thresh is 3 and the congestion control algorithm is not delay-based (NewReno, HighSpeed, Cubic). Regrettably, this matches the default TCP profile.

An iRule enables TCP-Analytics when disabled by default in the tcp-analytics profile.

Impact:
Defect eliminates nearly all data granularity for TCP Analytics.

Workaround:
Change the TCP profile on the virtual to violate any of the conditions listed above. The easiest is probably to enable rate pace or mptcp. For all affected versions, this will result in a noticeable CPU performance penalty.

Fix:
Load entity information for both TCP stacks.


604767-1 : Importing SAML IdP's metadata on BIG-IP as SP may result in not complete configuration of IdP connector object.

Component: Access Policy Manager

Symptoms:
When importing SAML IdP's metadata, certificate object might not be assigned as 'idp-certificate' value of saml-idp-connector object.

Conditions:
BIG-IP is used as SAML SP.

Impact:
Described behavior will result in misconfiguration. SAML WebSSO will subsequently fail.

Workaround:
Manually assign imported certificate as a 'idp-certificate' value of saml-idp-connector object.


604727-1 : Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4.

Component: TMOS

Symptoms:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. After upgrade from 10.2.4 to 12.1.x, you are unable to use the GUI. The system posts the following message: The configuration has not yet loaded. CLI login works, and /var/log/ltm shows that the following message was recorded during the device bootup phase:

emerg load_config_files: "/usr/libexec/bigpipe base daol" - failed. -- BIGpipe parsing error (/config/bigpipe/bigip_sys.conf Line 113): 012e0010:3: The requested value ({ i192_168_0_20_1) is invalid (<trapsess list> ` none) [add ` delete]) for 'trapsess' in 'snmpd'.

Conditions:
Upgrade from 10.2.4 to 12.1.x fails when SNMP trap exists in config from 10.2.4. The root cause is that the host parameter in the trap is encapsulated in quotation marks.

Impact:
The upgrade completes, but the configuration does not load when the system restarts.

Workaround:
After the configuration fails to load in this case, you can remove the SNMP trap destination configuration by editing the /config/bigpipe/bigip_sys.conf file, and performing a manual configuration conversion and reload to recover.

Alternatively, to prevent the configuration load failure from occurring, you can remove the SNMP trap destination configuration before you upgrade to BIG-IP 12.1.x. Both procedures require that you re-create the SNMP trap destination configuration once the upgrade to BIG-IP 12.1.x and/or configuration load are complete.

Fix:
Upgrade from 10.2.4 now completes successfully when the host parameter exists in the 10.2.4 configuration includes SNMP traps.


604612-1 : Modified ASM cookie violation happens after upgrade to 12.1.x

Solution Article: K20323120

Component: Application Security Manager

Symptoms:
False positive modified ASM cookie violation. Perhaps other false positive cookie related violations.

Conditions:
System upgraded to 12.1.x. Existing end users are connected with their browsers to the site.

Impact:
False positive violations. A blocking page will be shown in case the modified ASM cookie is set to blocking (which is the default for this violation in case the policy is in blocking state).

Workaround:
There are three options:
A. Set the modified ASM cookie violation to transparent after an upgrade for some time after the upgrade.
B. Use the erase cookie blocking page as the default blocking page for some time after the upgrade.
C. Use an iRule similar to the following:
when ASM_REQUEST_DONE {
    if {[ASM::violation names] contains "VIOLATION_MOD_ASM_COOKIE"} {
        log local0. "remove TS01d2cce8 cookie"
        HTTP::respond 302 Location "http://sub.some_domain.com/index.html?[ASM::support_id]" "Set-Cookie" "TS01d2cce8=deleteOldTSCookie;expires=Thu, 01 Jan 1970 00:00:01 GMT"
    }

Fix:
Modified ASM cookie violation no longer happens after upgrade to this version.


604549-7 : MPTCP connection not closed properly when the segment with DATA_FIN also DATA_ACKs data

Component: Local Traffic Manager

Symptoms:
If a DATA_FIN is received with a DATA_ACK that acknowledges data, the BIG-IP will not process the DATA_ACK and will not shutdown the connection properly as it thinks there is still outstanding data to be acknowledged.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and a DATA_FIN that DATA_ACKs data is received on an MPTCP connection.

Impact:
The connection is not closed properly and eventually times out.

Fix:
Fixed DATA_FIN handling.


604547-1 : Unix daemon configuration may lost or not be updated upon reboot

Solution Article: K21551422

Component: TMOS

Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.

A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.

Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.

Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.

For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.

Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.

For example:
tmsh modify sys db log.clusterd.level value "Informational"

This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).

For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.


604496-4 : SQL (Oracle) monitor daemon might hang.

Component: Local Traffic Manager

Symptoms:
SQL (Oracle) monitor daemon might hang with high monitoring load (hundreds of monitors). DBDaemon debug log contains messages indicating hung connection aborting and that the address in use, unable to connect.

Conditions:
High number of SQL (Oracle, MSSQL, MySQL, PostgresSQL) monitors. Slow SQL responses might make the condition worse.

Impact:
Flapping pool members connected to SQL monitors. Frequent aborts and restarts of SQL monitor daemon.

Workaround:
You can mitigate this issue in the following ways:
-- Reduce number of monitored pool members.
-- Reduce frequency of monitor interval.
-- Split monitors among multiple devices.
-- Run monitors on bladed systems.

Fix:
This release fixes the address-in-use issue, and contains multiple monitor improvements to handle aborts and restarts of the SQL monitor daemon as well so that the system handles hung connections without aborting.


604459-1 : On i5x00, i7x00 and i10x00 platforms, bcm56xxd may restart on power-up

Component: TMOS

Symptoms:
The following message appears on the console shortly after the system boots:

emerg logger: Re-starting bcm56xxd.

Conditions:
This occurs as a result of a possible race condition on On i5x00, i7x00 and i10x00 platforms.

Impact:
No functional impact, bcm56xxd daemon restarts successfully.

Workaround:
None.


604371-1 : Pagination controls missing for GSLB pool members

Component: Global Traffic Manager (DNS)

Symptoms:
The pagination controls for GSLB pool members do not appear when there are more items in the list than can be displayed (Record Per Screen)

Conditions:
Customer is running 12.1.0 - 12.1.2

Impact:
Unable to view the status of, or modify GSLB pool members beyond those displayed on the screen

Workaround:
Increase the number of Records Per Screen (System / Preferences / Records Per Screen) to a number larger than the number of items in your pool


604272-1 : SMTPS profile connections_current stat does not reflect actual connection count.

Component: Local Traffic Manager

Symptoms:
SMTPS profile connections_current stat does not reflect actual connection count.

Conditions:
This occurs if you have an SMTPS virtual server configured.

Impact:
profile_smtps_stat.connections_current rises over time and doesn't reflect actual number of SMTPS connections active.


604237-3 : Vlan allowed mismatch found error in VCMP guest

Component: TMOS

Symptoms:
Your vCMP guests are unable to reach the network. You see in /var/log/ltm "mcpd[5503]: 01071322:4: Vlan allowed mismatch found: hypervisor "

Conditions:
When a VLAN exists in the vlan-allowed list contains a VLAN which matches the suffix of another VLAN in the list and both VLANs are configured on the VCMP guest. For example, xyz and abc_xyz will produce the error "warning mcpd[6374]: 01071322:4: Vlan allowed mismatch found: hypervisor (abc_xyz:1860), guest (/Common/xyz:1850)."

Impact:
Unable to use VLAN.

Workaround:
Rename the VLANs such that no VLAN matches suffix of any other VLAN.


604223-2 : pkcs11d signal handler improvement to turn off all threads at time of "SIGTERM"

Component: Local Traffic Manager

Symptoms:
The current signal handler use 'exit' at time of 'SIGTERM'. This may result in a core under some abnormal situations.

Conditions:
When stopping pkcs11d using command like 'bigstart restart pkcs11d' or 'kill pkcs11d'.

Impact:
pkcs11d cores.

Workaround:
pkcs11d automatically comes up again after the core.

Fix:
The system now waits for all threads to finish before the pkcs11d program exits, so the core no longer occurs.


604211-1 : License not operational on Azure after upgrading from 12.0.0 HF1-EHF14 to 12.0.0-HF4 or 12.1.0-HF1 or 12.1.1.

Solution Article: K72931250

Component: TMOS

Symptoms:
On Azure, after upgrading to any version other than 12.0.0 HF1-EHF14 or 12.1.0-HF1-EHF22, the system boots up as Not Licensed and Inoperative.

Although certain cloud-specific 12.x EHFs such as BIG-IP Virtual Edition 12.1.0 HF1 EHF1 is intended for AWS only, BIG-IP does not prevent you from accidentally downloading and installing it into Azure environments. If you upgrade Azure from BIG-IP Virtual Edition 12.0.0 HF1 EHF14 to the 12.1.0 HF1 EHF1 or 12.0.0-hf4 or 12.1.1, the Azure license becomes nonoperational and gets invalidated.

Conditions:
Upgrading a BYOL instance on Azure to 12.1.0 HF1 EHF1 or 12.1.1. The Azure-specific versions are as follows:
- 12.0.0-HF1-EHF14.
- 12.1.0-HF1-EHF22.

Impact:
License becomes unusable. Re-licensing the instance gets an invalid license.

Workaround:
The workaround for this issue is to boot back into previous boot volume, and then upgrade to 12.1.0-HF1-EHF22 in Azure.

To change default boot volume, choose one of the following methods:
1. tmsh reboot volume volume-name.
2. switchboot utility (interactive mode by default).
3. Admin UI.

For more information about the switchboot utility, see SOL5658: Overview of the switchboot utility, available here: https://support.f5.com/csp/#/article/K5658

Fix:
This release fixes the issue that occurred when the Azure license become nonoperational after upgrading to BIG-IP Virtual Edition 12.1.0 HF1 EHF1 from 12.0.0 HF1 EHF14.

Note: Do not use BIG-IP 12.1.0 HF1 EHF1 in the Azure environments.


604191-1 : AVR: Loading the configuration after upgrade might fail due to mishandling of scheduled-reports

Component: Application Visibility and Reporting

Symptoms:
Loading the configuration after upgrade might fail due to mishandling of scheduled-reports, with an error similar to the following:

err mcpd[5492]: 01071afc:3: Report scheduling requires specifying valid measures for entity asm_repev_ip.

Conditions:
-- AVR provisioned.
-- Having scheduled report defined on a version earlier than v12.1.0, and upgrading to v12.1.0, v12.1.0, or v12.1.0.

Impact:
Loading the configuration after upgrade might fail.

Workaround:
None.

Fix:
Loading the configuration after upgrade of scheduled-reports is now properly handled.


604133-2 : Ramcache may leave the HTTP Cookie Cache in an inconsistent state

Component: Local Traffic Manager

Symptoms:
Ramcache may re-use internal HTTP data without clearing the cookie cache. If other filters later inspect that cache they may read corrupted cookie information, or cause a TMM crash.

Conditions:
Ramcache + another filter or iRule inspecting/modifying cookies in a Ramcache response.

Impact:
The modifications of the corrupt cookie cache may cause HTTP headers to be malformed. Inspecting the cookie cache may cause the TMM to crash with an assert. Traffic disrupted while tmm restarts.

Fix:
Ramcache clears the HTTP cookie cache in its responses.


604061-2 : Link Aggregation Control Protocol May Lose Synchronization after TMM Crash

Component: TMOS

Symptoms:
Traffic does not pass through a trunk interface and /var/log/ltm contains messages such as:

lacpd[6636]: 01160011:6: Link 2.2 Actor Out of Sync
lacpd[6636]: 01160012:6: Link 2.2 Partner Out of Sync

Conditions:
1) BIG-IP 2000/4000 or similar platform where "qprop tmos.lacpd_depends_on_tmm == true"
2) Passive LACP trunk
3) tmm has crashed after box has come up
4) tmm startup delayed by dumping large core file
5) tmm startup delayed by large config or busy control plane

Impact:
Trunks created by LACP do not pass traffic.

Workaround:
Restart lacpd after tmm has come up again: "bigstart restart lacpd"

Alternatively, modify /etc/bigstart/scripts/tmm.finish to restart lacpd on tmm going down

Modify this line:
for d in admd asm avrd dosl7d; do

With these:
for d in lacpd admd asm avrd dosl7d; do
        if [ `$BIGSTART singlestatus $d` = "run" ]; then
            $BIGSTART restart $d &
        fi
    done


604011-1 : Sync fails when iRule or policy is in use

Component: TMOS

Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:

Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.

Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.

Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync

This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.

Impact:
Config sync fails.

Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.


603997 : Plugin should not inject nonce to CSP header with unsafe-inline

Component: Fraud Protection Services

Symptoms:
When injecting CSP header values to enable FPS Plugin to work, unnecessary injections may invalidate the application's 'allow inline script' policy, since the more restrictive directive is always applied.

Conditions:
Server response contains either header from the 'Content-Security-Policy' header family.

Impact:
The application's inline scripts will refuse to run since FPS Plugin injects nonce. This breaks user's application.

Workaround:
None.

Fix:
CSP header's 'unsafe-inline' and 'nonce' directive injection has been made mutually exclusive.


603979-4 : Data transfer from the BIG-IP system self IP might be slow

Component: Local Traffic Manager

Symptoms:
TCP traffic on a BIG-IP system using a self IP address may not correctly honor the MSS size specified during the connection establishment. The result is IP fragmentation of TCP segments sent out on the wire. The expected behavior is that TSO would package the TCP segments in a way that would not require fragmentation.

When a large amount of data needs to be transferred using a self IP address, the BIG-IP system might send out fragmented IP packets with both the DF and MF bits set. Setting both bits is RFC compliant and valid, however some routers drop such packets. This might result in retransmissions and low throughput

Conditions:
This occurs when a self IP address processes large data transfers, and the router between the two endpoints does not process the IP fragments that have both the DF and MF bits set.

This occurs only when TCP segmentation offload (TSO) is enabled, and traffic is using a tmm interface. TSO enabled is the default setting.

Impact:
Data transfer from the BIG-IP system's self IP address might be slow or fail.

Workaround:
To work around this issue, you can disable TSO by issuing the command:
ethtool -K tmm tso off.

Note: This has a different effect from setting the db key tm.tcpsegmentationoffload to 'disable' (which is not a workaround for the issue).

Note: To persist the effect of this command across reboots, use the solution specified in K14397: Running a command or custom script based on a syslog message, available here: https://support.f5.com/csp/#/article/K14397. For example,

alert tmmready "Tmm ready" {
exec command="/sbin/ethtool -K tmm tso off"
}

Fix:
Data transfer from the BIG-IP system self IP address has been improved.


603945-2 : BD config update should be considered as config addition in case of update failure

Component: Application Security Manager

Symptoms:
A configuration update fails when the system cannot find the item to update. Configuration failures are shown in bd.log.

Conditions:
The condition that leads to this scenario is not clear and is still under investigation.

Impact:
The update fails and the entity is not added.

Workaround:
Delete the faulty entity and re-add, and then issue the following command: restart asm.

This fixes the issue in the cases in which it is a single entity.

Fix:
A configuration update no longer fails when the system cannot find the item to update. Now, the system adds the item with its updated value if the entity does not already exist. Otherwise, the operation updates the value of the existing entry.


603875-2 : The statistic ASM memory Utilization - bd swap size: stats are wrong

Component: Application Visibility and Reporting

Symptoms:
AVR reports incorrect bd swap size statistics.

Conditions:
-- ASM provisioned.
-- Viewing swap size statistics.

Impact:
Wrong value is displayed.

Workaround:
1. Edit /etc/avr/tmstat_tables.xml
2. Change the following line:
From:
<value publishName="swap_size" columnName="swap_size" behavior="total" type="diff"/>
To:
<value publishName="swap_size" columnName="swap_size" behavior="average" type="status"/>
3. Run the following command: restart avrd.

Fix:
The statistic ASM memory Utilization - bd swap size: stats are now correct.


603825-2 : Crash when a Gy update message is received by a debug TMM

Component: Policy Enforcement Manager

Symptoms:
Debug TMM will crash when a Gy update message is received.

Conditions:
- Need a Debug TMM running
- Gy update message must be received by the BIG-IP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use non-debug TMM.

Fix:
Added checks to detect Gy udpate messages and handle them accordingly in the debug TMM. Thus, preventing a crash in the debug TMM.


603758-1 : Big3D security hardening

Solution Article: K82038789


603755-1 : dwbld core dump when Auto Blacklisting is configured, in a rare scenario

Component: Advanced Firewall Manager

Symptoms:
The dynamic white/black daemon (dwbld) (a Control Plane daemon that supports the AFM IP intelligence feature) generates a core when processing an Auto Blacklisting Entry addition by TMM, when attack traffic causes a blacklist entry to be added.

The problem happens in a rare scenario when dwbld and tmm are out of sync with respect to category names. This might happen for a very short window when configuration changes are made to Blacklist Categories (such as adding or removing a category).

Conditions:
-- DoS Auto Blacklisting feature enabled.
-- Attack traffic generates an Auto Blacklist IP address entry.
-- Configuration change to Blacklist Category occurs at the same time.

Impact:
dwbld crashes and restarts. No significant impact, as after restart, the dwbld should work properly.

Workaround:
None.

Fix:
The release adds handling for the case in which dwbld is not up-to-date with configuration changes to Blacklist Categories when it simultaneously receives an Auto Blacklist Entry.


603746-1 : DCDB security hardening

Component: WebAccelerator

Symptoms:
The DCDB utility, as used in AAM processing, does not use current secure coding practices.

Conditions:
AAM active

Impact:
DCDB usage does not follow current secure coding practices.

Fix:
Update DCDB use to meet current secure coding standards.


603723-2 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
None.

Fix:
The system now successfully handles TLS v1.0 fallback when pool members are configured to use TLS v1.2 only, so pool members are correctly marked as being up.


603700 : tmm core on multiple SSL::disable calls

Component: Local Traffic Manager

Symptoms:
tmm can crash if SSL::disable is called repeatedly in an iRule event.

Conditions:
Invoking SSL::disable multiple times in the same iRule event

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a crash related to multiple calls of SSL::disable


603667-2 : TMM may leak or corrupt memory when configuration changes occur with plugins in use

Component: Local Traffic Manager

Symptoms:
TMM may leak memory when plugins are in use and the plugin is re-initialized (typically due to configuration changes). In rare cases, memory corruption may occur causing TMM to restart.

Conditions:
Plugin-based functionality configured (ASM, APM, etc.) and configuration changes occur.

Impact:
The memory leakage generally occurs infrequently and at a rate that TMM operations are not affected. However, when memory corruption occurs, a traffic interruption may occur due to TMM restarting.

Workaround:
No workaround except disabling plugin-based functionality (such as ASM, APM, etc.).

Fix:
TMM now properly manages plugin memory, and no longer leaks or corrupts this memory.


603658-1 : AAM security hardening

Solution Article: K25359902


603609-2 : Policy unable to match initial path segment when request-URI starts with "//"

Component: Local Traffic Manager

Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".

Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".

Impact:
The policy does not match in this case.

Workaround:
The policy could be modified to scan the full URI instead of just the path element however care should be taken to correctly handle potential matches with absolute URIs or in the query string.


603605-1 : Cannot install DoS Hybrid Defender on standby device in HA pair if it's already installed on active

Component: iApp Technology

Symptoms:
After installation, the rpm on active device applications will be replicated to the standby. If standby does not have DHD installed, the installation page is never shown.

Conditions:
HA setup for DoS Hybrid Defender, with DHD only installed on Active.

Impact:
HA cannot be supported for DHD application on 12.1.0 and 12.1.1.

Workaround:
None.

Fix:
Can now install DoS Hybrid Defender on standby device in HA pair if it's already installed on active.


603598-3 : big3d memory under extreme load conditions

Component: Global Traffic Manager (DNS)

Symptoms:
big3d memory consumption can grow if big3d is unable to process monitor requests in a timely fashion.

This can be seen by monitoring the memory consumption of big3d using standard OS tools such as top.

Conditions:
big3d maintains a queue for monitor requests.
Incoming monitor requests are first placed in the Pending queue.
Requests are moved from the Pending queue to the Active queue, if there is room in the Active queue.

When the Pending queue is full, there is no room for the Monitor Request. big3d attempts to clean up the Monitor request, but fails to completely free the memory.
This might result in a significant memory leak.

For this to happen, the Active queue must be full as well as the Pending queue.

One possible condition that might cause this is if multiple Monitors time out. This results in Monitors having long life times, which keeps the Active queue full.

Thus the Pending queue might become full and the memory leak can occur.

In BIG-IP 11.1.0 versions of big3d,
the Active queue has 256 slots and
the Pending queue has 4096 slots.

In BIG-IP 11.1.0-hf3, the queue sizes were expanded to
2048 for the Active queue and 16384 for the Pending queue.

Since the queues were smaller n versions prior to
11.1.0-hf3, this leaks is more likely to manifest itself.

In later versions, the leak is still possible, but is less likely to occur.

Impact:
big3d memory consumption grows unbounded. This might result in a big3d restart or memory starvation of other processes.

Workaround:
This can be partially mitigated by ensuring that monitors
settings are reasonable and that big3d is not overloaded.

This will minimize the chances that the Pending queue
does not become full.

There is no mechanism to resize the queues.

Fix:
When a monitor request is unable to be placed in the queue, the memory for the request is freed properly.


603550-1 : Virtual servers that use both FastL4 and HTTP profiles at same time will have incorrect syn cache stats.

Solution Article: K63164073

Component: Local Traffic Manager

Symptoms:
Virtual server remains in syncookie mode even after the syn flood stops.

As a result of this issue, you might see the following symptoms:
-- Virtual servers that use both FastL4 and HTTP profiles might show incorrect 'Current SYN Cache' stats.

-- Virtual stats 'Current SYN Cache' does not decrease.

Conditions:
This issue occurs when the configuration contains a virtual server that uses FastL4 as a filter (for example, has both the FastL4 profile and layer 7 profile (HTTP) syn flood to the virtual server).

Impact:
The virtual server stays stuck in syncookie mode after the synflood is over, and does not recover.

Workaround:
None.

Fix:
Virtual servers that use both FastL4 and HTTP profiles will have correct syn cache stats.


603397-2 : tmm core on MRF when routing via MR::message route iRule command using a non-existant transport-config

Component: Service Provider

Symptoms:
tmm will core if the transport config specified in a MR::message route iRule command does not exist.

Conditions:
the transport config specified in a MR::message route iRule command does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the correct name for the trasnport-config object.

Fix:
fixed a tmm core.


603236-1 : 1024 and 4096 size key creation issue with SafeNet 6.2 with 6.10.9 firmware

Component: Local Traffic Manager

Symptoms:
Creating 1024 and 4096 size keys fail when the SafeNet client version installed on BIG-IP is 6.2 and SafeNet appliance firmware is 6.10.9.

Conditions:
-- SafeNet appliance: 6.2.
-- SafeNet client: 6.2.
-- SafeNet firmware: 6.10.9.

Impact:
Cannot create 1024 or 4096 size RSA keys.

Workaround:
None.

Fix:
Removed the config line, RSAKeyGenMechRemap = 1, that was conflicting with 6.10.9 firmware.


603234-3 : Performance Improvements

Component: Fraud Protection Services

Symptoms:
Certain detection algorithms can slow down the client application.

Conditions:
FPS enabled, full AJAX encryption enabled

Impact:
Client side AJAX detection can be slow.

Fix:
The performance of some detection algorithms has been improved


603149-2 : Large ike-phase2-lifetime-kilobytes values in racoon ipsec-policy

Component: TMOS

Symptoms:
Setting max data limit transmitted (in kilobytes) to a very large limit results in a smaller limit, causing SAs to expire too quickly. Values for ike-phase2-lifetime-kilobytes inside ipsec-policy can reach 2^32-1 kilobytes, but will be processed incorrectly, as if the value were smaller.

Conditions:
When lifetime-kilobytes is large enough, it can act as though it were smaller.

Impact:
Negotiated SAs expire too quickly when size lifetime is calculated too small.

Workaround:
Before the fix, decrease lifetime-kilobytes until properly stable.

Fix:
The fix should make every value no more than 4294967295 kilobytes work correctly, without becoming some smaller value. (Note this value is 2^32-1.) If the size of ike-phase2-lifetime-kilobytes becomes 64-bit in the future, this will also work, causing a 64-bit value for kilobytes to occur in isakmp negotiation.


603082-3 : Ephemeral pool members are getting deleted/created over and over again.

Component: Local Traffic Manager

Symptoms:
When fqdn nodes are configured, you may see ephemeral pool members getting created and deleted continuously. In severe cases, this can cause mcpd to run out of memory and crash.

Conditions:
It is not known exactly what triggers this condition, but it has been observed after running bigstart restart in a configuration containing many fqdn nodes.

Impact:
Traffic disrupted while mcpd restarts.


603032-1 : clientssl profiles with sni-default enabled may leak X509 objects

Component: Local Traffic Manager

Symptoms:
SSL memory consumption grows when virtuals with sni-default-enabled clientssl profiles are modified.

Conditions:
clientssl profile with sni-default enabled combined with configuration manipulations of virtuals with such profiles.

Impact:
The amount of leakage will depending on the number of virtuals with sni-default-enabled clientssl profiles and frequency of configuration manipulations. For large configurations, the leakage can be very noticeable over time.

Workaround:
No workaround short of not using sni-default.

Fix:
SSL now handles sni-default-enabled clientssl profiles without leaking the X509 objects.


603019-3 : Inserted SIP VIA branch parameter not unique between INVITE and ACK

Component: Service Provider

Symptoms:
The branch parameter of the inserted VIA header is sometimes the same between an INVITE and ACK message.

Conditions:
If the CSEQ number of a SIP message is the same, the inserted VIA header will contain the same branch parameter.

Impact:
SIP proxy servers which perform strict message validations may reject the call.

Fix:
Included a hash of the branch parameter of the received top-most via header into the branch parameter of the inserted via header. Thus is the received top-most via conforms to the spec and generates a different branch parameter between INVITE and ACK, the inserted via will have a different branch parameter.


602975-1 : Unable to update the HTTP URL's "Header-Based Content Profiles" values

Component: Application Security Manager

Symptoms:
When HTML5 Cross-Domain Request Enforcement is enabled on a URL, Header-Based Content Profiles cannot be updated.

Conditions:
HTML5 Cross-Domain Request Enforcement is enabled on a URL.

Impact:
Header-Based Content Profiles cannot be updated on the URL.

Workaround:
Use the following procedure:
1. Disable HTML5 Cross-Domain Request Enforcement on the URL.
2. Update the Header-Based Content Profiles.
3. Re-enabled HTML5 Cross-Domain Request Enforcement.

Fix:
Updating Header-Based Content Profiles for a URL with HTML5 Cross-Domain Request Enforcement is now successful.


602854-8 : Missing ASM control option from LTM policy rule screen in the Configuration utility

Component: TMOS

Symptoms:
In the Configuration utility, when creating or editing a LTM policy, the ASM control option may be missing from the rule screen.

Conditions:
Whether the ASM control option is present or missing purely depends on the license installed on the system.

The system incorrectly reports certain licensed modules to the Configuration utility, which fails to parse them and ultimately to display the ASM control option. If you wish to determine whether you are affected by this issue, SSH to the advanced shell of the BIG-IP system and run this command:

# grep -E '^active module : [^|]*\|[^|]*$' /config/bigip.license

If any output is returned, then you are affected by this issue.

Impact:
ASM cannot be enabled in LTM policies using the Configuration utility.

Workaround:
Use the TMSH utility to enable ASM in LTM policies.

Fix:
ASM can now be enabled in LTM policies using the Configuration utility regardless of the license installed on the system.


602830-1 : BIG-IP iSeries appliance LCD does not indicate when BIG-IP is in platform_check diagnostic mode

Component: TMOS

Symptoms:
The LCD display does not indicate diagnostic mode when you stop BIG-IP daemons(bigstart stop) and run platform_check diagnostic command.

Conditions:
Dignostic mode is not displayed on LCD.

Impact:
There is no visible indication on LCD display to indicate when system in diagnostic mode.

Fix:
Diagnostic message display on LCD when system is diagnostic mode.


602708-2 : Traffic may not passthrough CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.

Fix:
TMM now correctly passes through CoS by default.


602654-2 : TMM crash when using AVR lookups

Component: Application Visibility and Reporting

Symptoms:
When trying to find/insert data into AVR lookups TMM/AVR core might occur.

Conditions:
AVR lookups in use.

Impact:
tmm crashes. The crash occur when two processes simultaneously try to access the same cell in the lookup. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using AVR lookups.


602653-1 : TMM may crash after updating bot-signatures

Component: Local Traffic Manager

Symptoms:
TMM may crash after DOSL7 bot signatures config has changed.

Conditions:
This is likely to happen after DOSL7 bot signatures config has changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Try adding/removing some signatures, this should avoid the crash.

Fix:
Fixed a memory corruption when updating bot signatures.


602566-5 : sod daemon may crash during start-up

Component: TMOS

Symptoms:
sod daemon produces core file during start-up

Conditions:
sod encounters an error during start-up and attempts to recover.

Impact:
sod restarts

Fix:
Reset freed pointers to prevent double free during error recovery.


602502-2 : Unable to view the SSL Cert list from the GUI

Component: TMOS

Symptoms:
When you try to see information about any SSL certificates in the GUI, it displays an error: An error has occurred while trying to process your request.

Conditions:
Can not view any SSL certificates in the GUI if at least one certificate has a double extension(like test.crt.crt) in its name.

Impact:
Unable to view the any SSL Cert from the GUI

Workaround:
Delete such certificate through TMSH and reimport without .crt extension in the certificate name.

delete sys file ssl-cert test.crt.crt

Fix:
Should be able to view/delete/export certificates from GUI.


602434-1 : Tmm crash with compressed response

Component: Application Visibility and Reporting

Symptoms:
AVR decompressed all the traffic in order to do classification.
This can cause tmm core due to too many decompress request.

Conditions:
Sending stressed compressed traffic on virtual with dos profile.

Impact:
Traffic disrupted while tmm restarts.

Fix:
AVR will ask no more than 10 decompressed request simultaneously.


602429-1 : DNS suffix is not restored after disconnecting Network Access

Component: Access Policy Manager

Symptoms:
DNS suffix search list is not restored after disconnecting the VPN connection. The client DNS search list retains the suffix that came from Network Access Resource.

Conditions:
-- On Microsoft Windows.
-- Use APM client to establish VPN tunnel.

Impact:
Certain hostname resolution may fail.

Workaround:
There is no workaround at this time.

Fix:
DNS suffix is restored after disconnecting from VPN.


602385-1 : Add zLib compression

Component: Local Traffic Manager

Symptoms:
Current driver supports only compress GZip and compress deflate.

Conditions:
APM Network Access tunnel has an option for compression. Compression is implemented in GZIP hudfilter which uses COMPRESS_ZLIB compression method. Currently only 'zlib' compression provider (software based) is implementing this method. None of the hardware providers (such as Coleto Creek) support it; they support COMPRESS_DEFLATE and COMPRESS_GZIP. GZIP hudfilter could use all 3 methods, but only ZLIB is compatible with current and older versions of the client. To preserve backward compatibility it must use ZLIB.

Impact:
Current compression hardware (such as Coleto Creek) is needed to support ZLIB method, otherwise compression in APM Network Access tunnel does not scale.

Workaround:
None.

Fix:
zLib compression is now supported.


602376-1 : qkview excludes files

Component: TMOS

Symptoms:
When running the qkview command to generate a diagnostic file, some files are omitted from the qkview.

Conditions:
This occurs when running qkview, when the configuration settings for qkview for the admin user include the --exclude flag. For example if the setting has --exclude core then none of the core files will be included in the qkview even if it is run without the --exclude parameter.

Impact:
Debugging of issues impaired if the missing files were needed to resolve the problem.

Workaround:
None.

Fix:
Corrected errors and made sure all files are included or excluded as designed.


602366-1 : Safenet 6.2 HA performance

Component: Local Traffic Manager

Symptoms:
With Safenet 6.2 HA setup, you only sees the performance of one HSM.

Conditions:
Safenet 6.2 client is installed and Safenet HA is used.

Impact:
Only one HSM is used for the HA setup.

Workaround:
Add primary hsm to the newly created ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

or
echo "copy" | /shared/safenet/lunasa/bin/lunacm -c hagroup createGroup -serialNumber 464683014 -label ha_test -password <pw>

Add following hsm to the ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup addMember -serialNumber 470379014 -group ha_test -password <pw>

Enable HAonly
/shared/safenet/lunasa/bin/lunacm -c hagroup HAOnly -enable

Delete ha group
/shared/safenet/lunasa/bin/lunacm -c hagroup deleteGroup -label ha_test

Fix:
Installation script is updated for Safenet 6.2 HA.


602358-5 : BIG-IP ServerSSL connection may reset during rengotiation with some SSL/TLS servers due to ClientHello version

Component: Local Traffic Manager

Symptoms:
During SSL/TLS renegotiation, the TLS standard requires that the new ClientHello version matches the first session.

Usually, SSL/TLS servers require the new ClientHello version to match the previous negotiated (ServerHello) version. The BIG-IP ServerSSL default behavior is to match this requirement.

The problem occurs if the SSL/TLS server requires the ClientHello (both in the Record layer and Handshake Protocol) in the new ClientHello to be exactly the same as the SSL/TLS version of the first ClientHello; that is:
************************************************************
1st ClientHello record layer version == 2nd ClientHello record layer version;
1st ClientHello Handshake Protocol version == 2nd ClientHello Handshake Protocol version.
************************************************************
As a result, the SSL/TLS server will reject the renegotiation handshake, causing the connection to terminate.

Conditions:
This occurs when using virtual servers configured with one or more ServerSSL profiles, and an SSL/TLS renegotiation occurs, and the server requires the new ClientHello version to match the first ClientHello instead of the previous ServerHello version.

Impact:
SSL/TLS renegotiation between BIG-IP ServerSSL profile and server may fail, resulting in an unexpected connection close or reset.

Workaround:
Manually setting the ciphers in the ServerSSL to TLS1.0 can solve the issue.

Fix:
A new db variable called ssl.RenegotiateWithInitialClientHello has been added to control the SSL/TLS version in the 2nd ClientHello:

1. The default is disable, which means that the 2nd ClientHello SSL/TLS version will be set to the negotiated version in the 1st round ServerHello.

2. If it is set to enable, both ClientHello versions will be exactly the same.


602326-1 : Intermittent pkcs11d core when stopping or restarting pkcs11d service

Component: Local Traffic Manager

Symptoms:
Sometimes you may see pkcs11d core when stopping/restarting pkcs11d service. This may happen when installing netHSM software or when restarting an existing pkcs11d service.

Conditions:
bigstart issues 'stop' to pkcs11d while pkcs11d receives message.

Impact:
pkcs11d may core intermittently.

Workaround:
pkcs11d may automatically restart without intervention.

Fix:
This release fixes the intermittent pkcs11d core that might have occurred when stopping or restarting the pkcs11d service.


602300-1 : Zone Runner entries cannot be modified when sys DNS starts with IPv6 address

Component: Global Traffic Manager (DNS)

Symptoms:
Zone Runner entries cannot be modified if an IPv6 DNS name server is listed first. This can happen when a user runs the tmsh command
tmsh modify sys dns name-servers add { <IPv6> }

as the first dns name-server.
This will show in the /etc/resolv.conf file (an example)
nameserver 2001::1
nameserver 192.168.100.1

Conditions:
When an IPv6 nameserver is the first server defined.

Impact:
ZoneRunner records cannot be modified.

Workaround:
Do not use DNS server with IPv6 address or add IPv4 server at top of the list.

Fix:
The IP address type was not set properly while communicating with BIND. This does not matter if the first nameserver listed is an IPv4 address or if there are no nameservers listed at all.

If the first nameserver listed is an IPv6 and the IP address type is not set to IPv4 (AF_INET), BIND libraries will attempt to use the IPv6 library from /etc/resolv.conf.

We not properly set the AF_INET type to IPv4.


602221-2 : Wrong parsing of redirect Domain

Component: Application Security Manager

Symptoms:
ASM learns wrong domain names

Conditions:
no '/' after domain name in the redirect domain

Impact:
wrong learning suggestion can lead to wrong policy

Workaround:
N/A

Fix:
Fixing an issue with parsing the URL in the location header


602171-1 : TMM may core when remote LSN operations time out

Component: Carrier-Grade NAT

Symptoms:
TMM configured with LSN may core during high utilization, when local endpoint resources are exhausted, and request for remote resources times out.

Conditions:
LSN remote operation time out. LSN can request remote TMM for resources when local resources are exhausted, when such request time out, this can result in a core in affected versions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM LSN remote operations will no longer cause core.


602136-5 : iRule drop/discard/reject commands causes tmm segfault or still sends 3-way handshake to the server.

Component: Local Traffic Manager

Symptoms:
If you have a client-side iRule that terminates a client-side connection, either tmm will segfault or the BIG-IP system still sends the SYN to the server, and then a RST. The reset cause will be 'TCP 3WHS rejected'.

Conditions:
Client-side iRule that terminates a connection using one of the following commands:

- drop
- discard
- reject

Impact:
TMM segfaults or the BIG-IP system still sends a SYN to the server. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


602061 : i5x00, i7x00, i10x00 series appliances have inconsistent firmware update messages

Component: TMOS

Symptoms:
When firmware is updated on a i5000, i7000, i10000 series series appliance messages appear on the console indicating the update is in progress. The messages are inconsistent, some give an expected time the update will take and some do not.

Conditions:
Firmware update following the installation of a new iso with new firmware that must be programmed.

Impact:
cosmetic

Workaround:
None


602040-3 : Truncated support ID for HTTP protocol security logging profile

Component: Local Traffic Manager

Symptoms:
The HTTP Protocol Security logging profile yields to incomplete support ID published in the local storage.

Conditions:
Configuration: LTM with Protocol Security Module provisioned, LTM virtual server with HTTP Protocol Security and local-storage logging profile attached. The log-db entries created by the HTTP Protocol Security logging profile have a truncated support ID.

Impact:
The support ID presented to the user does not match the one in the logs because the log entry is truncated (missing a few digits)

Workaround:
There is no workaround


601989-3 : Remote LDAP system authenticated username is case sensitive

Solution Article: K88516119

Component: TMOS

Symptoms:
Unable to login via ssh, with cause being reported as 'user account has expired'. Wrong role being assigned for remote-user.

Conditions:
The character-case for the username returned from LDAP must match the login username and the configured account name. This can be exposed on an upgrade from 11.6.0 to 12.1.0 or 12.1.1.

Impact:
Unable to login via ssh with remote-user or remote-user being assigned incorrect role when multiple accounts exists with the same name and mixed case.

Workaround:
Avoid configuring the same account username with different case. The authenticated user account in TMOS used to login should exactly match the user account name returned from LDAP.

Fix:
When logging in to BIG-IP via ssh, the case of the logged-in user name is preserved when authenticating against an LDAP source, and matched in a case-sensitive manner to the appropriate locally defined user role.


601938-2 : MCPD stores certain data incorrectly

Solution Article: K52180214


601927-1 : Security hardening of control plane

Solution Article: K52180214

Component: TMOS

Symptoms:
File permissions changes needed as found by internal testing

Conditions:
N/A

Impact:
N/A

Fix:
Apply latest security practices to control plane files.


601924-1 : Selenium detection by ports scanning doesn't work even if the ports are opened

Component: Application Security Manager

Symptoms:
When selenium server package is running on an end point and a traffic being sent from there, proactive bot defense mechanism doesn't see selenium server opened ports.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
Low impact as the selenium detection by ports scan has a low score and doesn't mitigate a client, unless it has another suspicious client properties (for example tor browser)

Workaround:
N/A

Fix:
Ports scanning has fixed - wider range of ports are scanned.


601919-2 : Custom categories and custom url filter assignment must be specific to partition instead of global lookup

Component: Access Policy Manager

Symptoms:
Custom categories lookup and matching is not partition specific.

Conditions:
Create SWG Explicit VS, access policy, per-request policy, custom-category with a glob URL and URL filter in custom partition say partition1
and similarly create similar set in partition2 (Note make sure the glob URL is matched in custom categories in 2 different partitions). Set the browser to explicit proxy:port information of partition1 VS and access the URL to be matched to the custom category.

Impact:
Partition specific custom category match is not available if user specific whitelist needs to be applied.

Workaround:
None

Fix:
Code to check custom categories only for the partition that connflow belongs to and Common partition has been added


601905-1 : POST requests may not be forwarded to backend server when EAM plugin is enabled on the virtual server

Component: Access Policy Manager

Symptoms:
POST requests appear to hang when they are sent through a virtual server with EAM plugin enabled.

Conditions:
Most likely, the POST request contains large post data.

Impact:
The POST request will fail.

Workaround:
The following iRule will workaround the issue:

 when HTTP_REQUEST {

  if {[HTTP::method] eq "POST"}{
    # Trigger collection for up to $max_collect of data
    set max_collect 1000000
    if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= $max_collect}{
      set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length $max_collect
    }
    # Check if $content_length is not set to 0
    if { $content_length > 0} {
      HTTP::collect $content_length
    }
  }


601893-2 : TMM crash in bwc_ctb_instance_recharge because of pkts_avg_size is zero.

Solution Article: K89212666

Component: TMOS

Symptoms:
Tmm cores. There might be messages similar to the following notice in /var/log/ltm just before the crash: notice BWC: instance already exist. This is an extremely rarely occurring issue.

Conditions:
This extremely rare issue occurs when the following conditions are met:
Dynamic BWC use with dynamic change in rate for each instance.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use dynamic modification of rates for dynamic policies.

Fix:
You can now successfully use dynamic modification of rates for dynamic policies.


601828-1 : An untrusted certificate can cause tmm to crash.

Solution Article: K13338433

Component: Local Traffic Manager

Symptoms:
If the certificate sent by an SSL server to the server-side BIG-IP profile is untrusted, tmm might crash.

Conditions:
-- Server-side SSL profile is attached to a virtual server.
-- The SSL server sends an untrusted certificate to the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The BIG-IP system will now log the certificate name 'unknown' if an SSL server sends an untrusted certificate, and tmm does not restart.


601709-2 : I2C error recovery for BIG-IP 4340N/4300 blades

Solution Article: K02314881

Component: TMOS

Symptoms:
The I2C internal bus for the front switch on BIG-IP 4340N/4300 blades may not work.

Conditions:
This rarely happens.

Impact:
Corrupted serial number information from SFPs, and fiber SFPs may not come up.

Workaround:
bigstart restart bcm56xxd

Fix:
The system now ensures that the I2C internal bus can recover from occasional errors.


601536-1 : Analytics load error stops load of configuration

Component: Application Visibility and Reporting

Symptoms:
After upgrading, the configuration fails to load and you see this log message: 01071ac1:3: Non-Comulative metric (max-request-throughput) cannot be calculated per single entity (pool-member).
Unexpected Error: Validating configuration process failed.

Conditions:
This can occur any time the analytics configuration was valid in a previous release and is no longer valid. For example, if you have an analytics profile set at pool-member granularity, it will load in 12.0.0 but will fail to load on 12.1.0 as granularity must be set at the virtual-server level, not the pool level.

Impact:
Configuration fails to load, will not pass traffic.

Workaround:
Fixing the configuration manually is the only option when this occurs. In the pool-member granularity example, you can check all your analytics profiles for granularity pool-member and set them to granularity virtual-server.

Fix:
An analytics configuration that was valid in a previous release now loads successfully in the current release.


601527-4 : mcpd memory leak and core

Component: TMOS

Symptoms:
Mcpd can leak memory during config update or config sync.

Conditions:
All of the conditions that trigger this are not known but it seems to occur during full configuration sync and is most severe on the config sync peers. It was triggered making a single change on the primary by configuring a monitor rule, e.g., tmsh create ltm pool p members { 1.2.3.4:80 } monitor http

Impact:
Loss of memory over time, which may result in out-of-memory and mcpd core.

Fix:
Fixed a memory lean in mcpd


601502-4 : Excessive OCSP traffic

Component: TMOS

Symptoms:
With OCSP configured on a virtual server, you see excessive OCSP requests going to the OCSP server.

Conditions:
Virtual server configured with an OCSP profile

Impact:
OCSP responses are not cached properly and excessive requests are sent to the server.

Workaround:
None.

Fix:
OCSP responses are now cached properly, so excessive requests are no longer sent to the server.


601496-4 : iRules and OCSP Stapling

Component: Local Traffic Manager

Symptoms:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile might cause OCSP requests to be reissued, resulting in a memory leak.

You may notice warning messages similar to the following in /var/log/ltm:
warning tmm[11300]: 011e0003:4: Aggressive mode sweeper: /Common/default-eviction-policy (0) (global memory) 115 Connections killed.

Conditions:
This occurs when the following conditions are met:
-- Virtual server with OCSP Stabling enabled.
-- iRule attached to the virtual server that uses SSL::renegotiate.

Impact:
TMM memory used increases gradually, eventually the aggressive mode sweeper is activated.

Workaround:
None.

Fix:
Using certain iRules on virtual servers with OCSP Stapling enabled on the Client SSL profile no longer causes OCSP requests to be reissued, so there is no associated memory leak.


601420-3 : Possible SAML authentication loop with IE and multi-domain SSO.

Component: Access Policy Manager

Symptoms:
When APM is configured with SAML authentication and multi-domain SSO, Internet Explorer may encounter authentication loop and never complete the access policy.

Conditions:
APM is configured with SAML authentication and multi-domain SSO.

Impact:
Using Internet Explorer, the client may not be unable to connect to its desired destination.

Workaround:
Chrome and Firefox do not seem to be affected.

Fix:
Use cookie for session for multi-domain if TOKEN lookup fails. Previously, the cookie was ignored for multi-domain response URI. However, with the introduction of TOKEN based session lookup, this causes a failure if the client retries the request (since the TOKEN was consumed in the request prior to the retry).


601378-2 : Creating an ASM security policy with "Auto accept" language leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons

Component: Application Security Manager

Symptoms:
These errors can be observed in '/var/log/asm':
-------------------------
The caller:[F5::ASMConfig::Entity::Charset::get_policy_encoding_type] did not pass in a value for 'encoding_name' to retrieve the 'encoding_type' for -- aborting.

ASM subsystem error (asm_config_server.pl,): ASM Config server died unexpectedly

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: pabnagd, Failure: Insufficient number of threads.

ASM subsystem error: (asm_start,F5::NwdUtils::Nwd::log_failure): Watchdog detected failure for process. Process name: asm_config_server.pl, Failure: Insufficient number of threads.
-------------------------

Conditions:
ASM provisioned.
Create security policy with "Auto accept" language.

Impact:
ASM daemons restart, numerous errors in asm log.

Workaround:
None.

Fix:
Creating an ASM security policy with "Auto accept" language no longer leads to numerous errors in asm log and restarts of 'pabnagd' and 'asm_config_server' daemons


601309 : Locator LED no longer persists across reboots

Component: TMOS

Symptoms:
The Locator LED (blinking F5 logo ball) state could be retained across reboots if the TMSH config was saved. The intended behavior is to default to disabled on reboot.

Conditions:
Setting the Locator to "enabled" via either the LCD or TMSH, then saving the TMSH config.

Impact:
i5600, i5800, i7600, i7800, i10600, and i10800 appliances

Workaround:
Disable the Locator LED and save the TMSH config

Fix:
Fixed Locator LED state persisting through reboots


601268-5 : PHP vulnerability CVE-2016-5766

Solution Article: K43267483


601255-4 : RTSP response to SETUP request has incorrect client_port attribute

Component: Service Provider

Symptoms:
- Clientside data is sent to UDP port 0
- RTSP response to SETUP request contains incorrect 'client_port' attribute (0)

Conditions:
- Virtual with RTSP profile.
- 200/OK is received from server in response to the initial SETUP request
- SETUP request was the initial message received on a new connection

Impact:
Unicast media may forwarded to incorrect UDP port (0).

Fix:
Initialize 'client_port' attribute to value received from server when re-writing response to client.


601180-2 : Link Controller base license does not allow DNS namespace iRule commands.

Solution Article: K73505027

Component: Global Traffic Manager (DNS)

Symptoms:
The Link Controller base license improperly prevents DNS namespace iRule commands.

Conditions:
A Link Controller license without an add-on that allows Layer 7 iRule commands.

Impact:
An administrator cannot add DNS namespace commands to an iRule. Cannot upgrade from a pre-11.5 configuration, where the commands were working, to 11.5.4 through 12.1.2.

Workaround:
To enable upgrade, remove DNS namespace commands from the configuration prior to upgrade.

Fix:
DNS namespace iRule commands are now properly accepted with a Link Controller base license.


601178-6 : HTTP cookie persistence 'preferred' encryption

Component: Local Traffic Manager

Symptoms:
When encryption is 'preferred' in the http cookie persistence profile, when the client presents a plain-text route domain formatted cookie the BIG-IP will ignore the cookie and re-load balance the connection.

Conditions:
This occurs when route-domain-compatible cookies are sent in plaintext.

Impact:
Cookie does not get accepted by the persistence profile and flow does not persist.


601168-1 : Incorrect virtual server CPU utilization may be observed.

Component: TMOS

Symptoms:
The virtual_server_cpu_stat table counters are always at zero.

Conditions:
ASM license is in effect.

Impact:
Wrong CPU utilization per virtual server.

Workaround:
No workaround.

Fix:
An issue in computing CPU averages for virtual server has been resolved.


601083-1 : FPS Globally Forbidden Words lists freeze in IE 11

Component: Fraud Protection Services

Symptoms:
When attempting to move more than 1 item in Globally Forbidden Words in Internet Explorer 11 browser, the lists freeze.

Conditions:
FPS Provisioned
Add 2 or words in "Search for malicious words in the HTML or JavaScript code"

Impact:
FPS GUI freezes

Workaround:
Add 1 item each time and save.
Use tmsh.

Fix:
Internet Explorer 11 will not freeze if moving more than one item at a time.


601076 : Fix watchdog event for accelerated compression request overflow

Component: TMOS

Symptoms:
Accelerated compression requests that exceed 128 in-flight requests can cause a watchdog event.

Conditions:
Very rapid queuing of concurrent accelerated compression requests.

Impact:
TMM generates an HA failover driven by the accelerated compression watchdog timer.

Workaround:
Disable accelerated compression by disabling hardware accelerated compression with:

  % tmsh modify sys db compression.strategy value softwareonly

Fix:
Apply a constraint on accelerated compression request DMA ring so no more than 128 in-flight requests are queued at any one time.


601059-6 : libxml2 vulnerability CVE-2016-1840

Solution Article: K14614344


601056 : TCP-Analytics, error message not using rate-limit mechanism can halt TMM

Component: Application Visibility and Reporting

Symptoms:
An error message is displayed when TCP-Analytics fails to save new data. This error message is not rate-limited, as all other TMM error messages are, so if the error situation is encountered very frequently, the message will be displayed only occasionally, and not for every error event.

Since the error message is not rate-limited, hitting this error many times might eventually lead to TMM halt.

Conditions:
-- TCP-Analytics is assigned to virtual server.
-- The aggregation method of TCP Analytics causes a full table situation because of the distribution of the client IP addresses and subnets.

Impact:
TMM can halt. Traffic disrupted while tmm restarts.

Workaround:
Remove TCP-Analytics from virtual servers.

Fix:
Error message is performed with rate-limiting mechanism.


601035 : TCP-Analytics can fail to collect all the activity

Component: Application Visibility and Reporting

Symptoms:
When the traffic reaching the BIG-IP system comes from a very large number of different client IP addresses and subnets, the TCP-Analytics table can get full, which leads to ignoring the activity that follows, until next snapshot of data.

Conditions:
-- TCP-Analytics profile is attached to a virtual server.
-- Incoming traffic represents a large amount of client IP addresses and subnets (the exact number that causes the full table condition depends on machine type and provisioned modules).

Impact:
TCP Analytics is showing only some of the activity, not all of it. In addition, numerous log messages might fill the logs.

Workaround:
Disable TCP-Analytics.

Fix:
Aggregation method of TCP Analytics was fixed, so the system no longer reaches the full table situation, no matter the distribution of the client IP addresses.


600982-5 : TMM crashes at ssl_cache_sid() with "prf->cache.sid == 0"

Component: Local Traffic Manager

Symptoms:
When SSL is configured, the TMM might rarely crash, logging the following error in /var/log/ltm: notice panic: ../modules/hudfilter/ssl/ssl_session.c:538: Assertion "cached" failed.

Conditions:
No conditions to be set, however this is a very rare occurrence in which a random number generator can technically generate the number Zero ( 0 ) which would trigger this.

Impact:
Traffic disrupted while TMM restarts, and failover occurs if high availability is configured. Mirroring and LB may be lost with renegotiation for certain types of traffic.

Workaround:
None.

Fix:
When SSL is configured, the TMM no longer intermittently crashes with the message: Assertion "cached" failed.


600894-1 : In certain situations, the MCPD process can leak memory

Component: TMOS

Symptoms:
In certain situations, the MCPD process can leak memory. This has been observed, for example, while updating large external data-group file objects. Each time an external data-group file is updated, MCPD's memory utilization grows a little bit. Once enough iterations have occurred, the system may no longer be able to update the external data-group file, but instead return the following error message:

err mcpd[xxxx]: 01070711:3: Caught runtime exception, std::bad_alloc.

Conditions:
So far, this issue has only been observed while updating a large external data-group file object.

Impact:
The system may no longer be able to update the external data-group file object. It is also possible for MCPD to crash, or be killed by the Linux OOM killer, as a result of the memory leak.


600859-2 : Module not licensed after upgrade from 11.6.0 to 12.1.0 HF1 EHF.

Component: TMOS

Symptoms:
After upgrading 11.6.0 Hourly instances to 12.1.0 EHF Hourly instances with Instance Registration support, instance license becomes invalid and BIG-IP is unable to acquire a new hourly license.

Conditions:
Upgrading 11.6.0, or earlier Hourly Licensing instance to 12.1.0 HF1 EHF.

Impact:
License is invalidated and instance becomes unusable.

Workaround:
- Run "/usr/libexec/autoLicense -l" from command-line.

Fix:
Module licenses correctly after upgrade from 11.6.0 to 12.1.0 HF2 or later.


600827-8 : Stuck Nitrox crypto queue can erroneously be reported

Solution Article: K21220807

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Hardware Error(Co-Processor): n3-crypto0 request queue stuck.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses Nitrox PX or Nitrox 3 encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
None.

Fix:
The Nitrox crypto driver uses a proper timeout value for crypto requests.


600812-1 : IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.

Component: Local Traffic Manager

Symptoms:
tmsh show net ndp shows an incomplete entry for the neighbor

Conditions:
icmp-echo is enabled for an IPv6 virtual address on a IPv6 Host IP forwarding virtual server.

Impact:
The neighbor advertisement reaches the LTM, but the ndp entry for that neighbor is left incomplete, leading to not being able to connect to that neighbor.

Workaround:
This issue can be resolved by disabling the icmp-echo on the virtual IPv6 address or configuring a static mac-address
for the neighbor

Fix:
The neighbor entry in the LTM displays the correct neighbor information.


600811-2 : CATEGORY::lookup command change in behavior

Component: Access Policy Manager

Symptoms:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions. Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command was valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, using the previous example, you must remove the HTTP::uri statement. If an HTTP::uri is provided to the command, the system returns an error similar to the following:

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Correcting the iRule for post-v12.1.1 installation, the example must be modified to pass in the HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.

Conditions:
- BIG-IP licensed and provisioned for:
  o APM and URL Filtering
  o URL Filtering (used for SSL Bypass decisions in SSL Air-Gap deployments).
- An iRule that supplies a URI path to the CATEGORY::lookup iRule command.
- Upgrading from pre-v12.1.1 versions that use the CATEGORY::lookup iRule command and use an HTTP::uri or pass in a plain text string that contains anything other than an HTTP hostname.

Impact:
There is an error returned from the command. This can cause errors in existing deployments.

Workaround:
Update the iRule to only pass an HTTP hostname to the CATEGORY::lookup iRule command

Fix:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions.

Only a valid hostname can be used and have its category returned.

Behavior Change:
Starting in v12.1.1, the CATEGORY::lookup iRule command will no longer accept an HTTP URI in its argument to the command if the BIG-IP system has APM and URL Filtering provisioned or just URL Filtering provisioned along for SSL Bypass decisions. Only a valid hostname can be used and have its category returned.

In versions prior to v12.1.1, the following iRule command was valid:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host][HTTP::uri]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Starting in v12.1.1, using the previous example, you must remove the HTTP::uri statement. If an HTTP::uri is provided to the command, the system returns an error similar to the following:

err tmm2[12601]: 01220001:3: TCL error: /Common/_1_categ_test <HTTP_REQUEST> - Categorization engine returned an error. invoked from within "CATEGORY::lookup $this_uri"

Correcting the iRule for post-v12.1.1 installation, the example must be modified to pass in the HTTP::host only, as follows:

when HTTP_REQUEST {
  set this_uri http://[HTTP::host]
  set reply [CATEGORY::lookup $this_uri]
  log local0. "Category lookup for $this_uri returns $reply"
}

Note: If APM and SWG are licensed and provisioned, the CATEGORY::lookup iRule command will accept an HTTP URI as a part of the argument to the command.


600662-9 : NAT64 vulnerability CVE-2016-5745

Solution Article: K64743453


600614-5 : External crypto offload fails when SSL connection is renegotiated

Component: Local Traffic Manager

Symptoms:
If and external crypto offload client is configured with an SSL profile and renegotiation is enabled for the SSL profile, the crypto client connection will fail when the SSL connection is renegotiated.

Conditions:
External crypto offload client configured with an SSL profile with renegotiation enabled.

Impact:
Crypto client connection to the crypto server will fail.

Workaround:
Disable renegotiation on the SSL profile.

Fix:
The crypto client connection to the crypto server will no longer fail when the SSL connection is renegotiated.


600593-1 : Use of HTTP Explicit Proxy and OneConnect can lead to an issue with CONNECT HTTP requests

Component: Local Traffic Manager

Symptoms:
After a CONNECT request is sent to the BIG-IP system and processed, if the client disconnects before a response is received from the server, the FIN is not propagated to the server-side and that connection remains open. If a client sends another CONNECT request to the same destination, the previous server-side flow is reused for the new request. Inspection of packet captures reveals that the BIG-IP system does not process the new CONNECT request as such, but instead forwards it to the server using the old server-side flow. This behaviour is incorrect. The CONNECT method should disable connection reuse, and the BIG-IP should close the server-side flow if the client disconnects first.

Conditions:
Use of HTTP Explicit Proxy and OneConnect together. CONNECT requests must arrive to the virtual server. The client must disconnect before the server responds.

Impact:
Some connections may fail. Depending on what data is sent to the server over an unintended connection, unpredictable results may be experienced.

Workaround:
You can apply the following iRule to the HTTP Explicit Proxy virtual server to mitigate the issue:

when HTTP_PROXY_REQUEST {
   if { [HTTP::method] equals "CONNECT" } {
      ONECONNECT::reuse disable
   }
   else {
      ONECONNECT::reuse enable
   }
}


600558-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may be observed:

1. After approximately 10 minutes, an error similar to the following appears in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

This message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.

Fix:
Errors are no longer logged after deleting user in GUI.


600385-1 : BIG-IP LTM and BIG-IP DNS monitors are allowed to be configured with interval value larger than timeout

Solution Article: K43295141

Component: Local Traffic Manager

Symptoms:
When configuring BIG-IP LTM and BIG-IP DNS monitors, administrators can set the interval value be larger than the timeout value.

Conditions:
Setting interval value to be larger than the timeout value.

Impact:
The misconfigured monitor setting might result in unexpected monitor behavior.

Workaround:
Set the interval value lower than the timeout value.

Fix:
Monitors are no longer allowed to set the interval value be larger than the timeout. This is correct behavior.

Behavior Change:
Monitors are no longer allowed to set the interval value be larger than the timeout. This is correct behavior.


600357-2 : bd crash when asm policy is removed from virtual during specific configuration change

Component: Application Security Manager

Symptoms:
BD restarts and produces a core file

Conditions:
A configuration change which involves headers configuration or a policy re-configuration and at the same time, while this update is taking place the ASM policy is removed from the virtual.
This is more likely to happen in scripted tests than in the field.

Impact:
Traffic gets dropped while the ASM gets restarted.

Workaround:
Don't change ASM configuration at the same time as changing the virtual server configuration.

Fix:
System will still restart but will not produce a core file when this happens.


600232-9 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366


600223-2 : OpenSSL vulnerability CVE-2016-2177

Solution Article: K23873366


600205-9 : OpenSSL Vulnerability: CVE-2016-2178

Solution Article: K53084033


600198-2 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033


600119-3 : DNS name resolution for servers outside of Network Access Name Split scope can be slow in some conditions

Component: Access Policy Manager

Symptoms:
When connected to the vpn and wifi adapter is enabled (not connected to any wlan) access to websites outside the vpn is very slow.
Access is fine when wifi interface is disabled.

Conditions:
- number of DNS servers configured for active network adapters matches the number of DNS servers configured in Network Access resource

Impact:
User experience while navigating servers outside of VPN scope is impacted by increased connection time

Workaround:
Disable unused adapters or change the number of configured DNS servers

Fix:
DNS requests for names outside the VPN scope sent to VPN DNS server are redirected to DNS servers from NIC using Round Robin algorithm


600069-6 : Portal Access: Requests handled incorrectly

Solution Article: K54358225


600052-1 : GUI displaying "Internal Server Error" page when there many (~3k) certs/keys in the system

Component: Local Traffic Manager

Symptoms:
Cannot access SSL certs/keys using the GUI. GUI displays "Internal Server Error" page.

Conditions:
Having large (~3k) number of SSL certs/keys in the system.

Impact:
Cannot use the GUI to view/edit the SSL certs/keys.

Workaround:
User tmsh to access SSL certs/keys.

Fix:
Can now access SSL certs/keys using the GUI


599858-7 : ImageMagick vulnerability CVE-2015-8898

Solution Article: K68785753


599839-3 : Add new keyords to SIP::persist command to specify how Persistence table is updated

Component: Service Provider

Symptoms:
SIP::persist command keywords were not present prior to 12.1.2

Conditions:
Using the SIP::persist command in an iRule

Impact:
Limited control via SIP::persist

Workaround:
N/A

Fix:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.

Behavior Change:
The following new keywords were introduced with SIP::persist command that improve some key entry issues.

-reset: remove any persistence entry associated with the key stored with the message.
-use: normal persistence and routing operation.
-replace: replace any persistence existing with the result of the routing operation used on this message.
-bypass: route the message ignoring any persistence entry, if no entry exists, add a new entry based on the result of this message
-ignore: route the message ignoring any persistence entry. Do not add or update the persistence entry.


599816-2 : Packet redirections occur when using VLAN groups with members that have different cmp-hash settings.

Component: TMOS

Symptoms:
Packets arriving on members of the VLAN group are CMP redirected. Redirections may be tracked with the tmm/flow_redir_stats table.

Conditions:
VLANs in the VLAN group must have different cmp-hash settings. For example, one VLAN may configure src-ip and another dst-ip.

Impact:
Throughput drops because of the redirections. However, because this is an error in the software disaggregator, components and features which depend on correct disaggregation may fail. Some features of PEM may fail.

Fix:
Packets are correctly disaggregated without redirections.


599803 : TMM accelerated compression incorrectly destroying in-flight contexts.

Component: Performance

Symptoms:
You see a tmm core while using compression profiles.

Conditions:
Related to use of hardware compression.

Impact:
Report of a watchdog event, or an ASSERT generated by the compression layer. Traffic disrupted while tmm restarts.

Workaround:
Disable accelerated compression using the following command:

% tmsh modify sys db compression.strategy value softwareonly.

Fix:
The system now correctly dispatches cancelled in-flight accelerated compression contexts when cancellation comes while hardware is still actively compressing.


599769 : TMM may crash when managing APM clients.

Component: Local Traffic Manager

Symptoms:
When managing APM clients it is possible to encounter a rare tmm crash.

Conditions:
APM enabled and actively managing clients.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
There is no longer a rarely encountered TMM crash when managing APM clients.


599720-2 : TMM may crash in bigtcp due to null pointer dereference

Component: Local Traffic Manager

Symptoms:
TMM crashed in bigtcp_queue_pkt() due to null pointer dereference of clientside flow.

Conditions:
This only occurs for serverside flow whose peer no longer exists.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
A problem of null pointer dereferece in bigtcp has been fixed.


599567 : APM assumes SNAT automap, does not use SNAT pool

Component: Local Traffic Manager

Symptoms:
When a virtual server configured to use a SNAT pool is also associated with APM (for example, when configured as a RDP gateway), the SNAT pool setting is not honored.
Also SNAT configuration of 'None' does not work. It always works as if it is configured with Automap.

Conditions:
SNAT pool configured.
-- APM configured (one example is deploying the Horizon View iApp for APM).

Impact:
The VLAN Self IP address is used instead of the SNAT pool addresses.

Workaround:
First, follow the configuration details in K03113285: Overview of BIG-IP APM layered virtual servers :: https://support.f5.com/csp/article/K03113285, to ensure everything is configured properly.

Then ensure that the appropriate SNAT pool is set on the new layered forwarding virtual sever.

Note: This workaround does not work when using a pool of VMware vCenter Server (VCS) as configured by default with the iApp.

Fix:
The system now honors the virtual server SNAT configuration.


599543-3 : Cannot update (overwrite) PKCS#12 SSL cert & key while referenced in SSL profile

Component: TMOS

Symptoms:
When PKCS#12 cert and key are in use by SSL profiles, importing key/cert fails with the below error message:

Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2()
0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match

Conditions:
1. When the cert and key are in the PKCS#12 format.
2. When the cert and key are in use by SSL profiles.

Impact:
When PKCS#12 cert and key are in use by SSL profiles, they can not be directly updated (overwritten) using key/cert import.

Workaround:
Use tmsh to install the PKCS#12 key. For example, suppose the key/cert to be replaced is called orig.key and orig.crt, it can be overwritten using the below command:

tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx


599536-1 : IPsec peer with wildcard selector brings up wrong phase2 SAs

Solution Article: K05263202


599521-5 : Persistence entries not added if message is routed via an iRule

Component: Service Provider

Symptoms:
MRF SIP route table implementation does not add a persistence entry if the message was routed via an iRule.

Conditions:
If the message is routed via an iRule, a SIP persistence entry will not be created.

Impact:
Since MRF SIP persistence may be bidirectional, not having the persistence entry will keep message flowing in the opposite direction from being automatically routed via persistence.

Workaround:
An iRule could be used to route messages directed towards the original client.

Fix:
MRF SIP will add a persistence entry for message routed via an iRule.


599424-2 : iApps LX fails to sync

Component: iApp Technology

Symptoms:
In a device group, iApps LX applications fail to sync to the other devices. In restjavad.0.log you notice this log entry, approximately once per hour:

[8100/tm/shared/BIG-IP-failover-state BIG-IPFailoverStateWorker] Failed to discover [address]: java.lang.IllegalStateException: Authentication Failure to host [address]. Please check the credentials provided.

Conditions:
- This occurs after upgrading devices in a device group from 12.1.1 to a version higher than 12.1.1, such as 12.1.1 HF1.

- It can also occur on UCS restore.

- This occurs after upgrading devices in a device group from 12.1.0 to a version higher than 12.1.0, such as 12.1.0-HF1 (or above).

- Also found this can occur with a clean install of v12.1.2-Final and upgraded to v12.1.2 HF1.

Impact:
If you do not have iApps LX configured, there should be no impact other than the warning in restjavad.0.log which you can safely ignore. If you have iApps LX configured and the iApp is not syncing, then this will impact traffic if a failover event occurs.

Workaround:
None.

Fix:
iApps LX will now sync correctly.


599423-1 : merged cores and restarts

Solution Article: K24584925

Component: TMOS

Symptoms:
The vCMP host overwrites the stats table with data from guests.

Conditions:
vCMP running SSL traffic for more than one day.

Impact:
An internal value that tracks the interfaces changes, and merged cores and restarts.

Workaround:
None.

Fix:
The host no longer overwrites the reference values in the interface stats table, so merged does not core and restart.


599285-2 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Solution Article: K51390683


599223-1 : Prevent static destructors in tmipsecd daemon

Component: TMOS

Symptoms:
The tmipsecd daemon can leave a core when it exits main().

Conditions:
When tmipsecd exits deliberately, say in response to an exception, this can crash during program cleanup, despite the cleanup not being necessary. What begins as a clean termination turns into a messy crash.

Impact:
Generation of a distracting core, using disk space and attracting user attention unnecessarily. (Since tmipsecd was restarting anyway, the restart is not extra impact.)

Workaround:
there is no workaround.

Fix:
When a tmipsecd process terminates, cleaning up globals on shutdown is unnecessary, so this has now been prevented. So we cannot get a core when cleanup fails.


599221-1 : ASM Policy cannot be created in non-default partition via the Import Policy Task

Component: Application Security Manager

Symptoms:
An ASM Policy cannot be created in a non-default (/Common) partition using the Import Policy Task (/mgmt/tm/asm/tasks/import-policy).

Conditions:
User attempts to create a new ASM policy in a non-/Common partition using a file or template via the import policy tasks.

Impact:
Policy is created in /Common instead of the specified partition.

Workaround:
1) Create a Policy in the desired partition via a POST to the /mgmt/tm/asm/policies endpoint.
2) Execute the Import Policy Task (/mgmt/tm/asm/tasks/import-policy) using the created policy as the policyReference to overwrite it.

Fix:
Policy Import creates new policies in the specified partition.


599191-2 : One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Component: TMOS

Symptoms:
When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.

Conditions:
This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Impact:
A stale key is left on the FIPS card. There is no impact to functionality.

Workaround:
Check for the handles/key-ids of the keys in configuration using tmsh. Then remove the key that is not in use using the command tmsh delete sys crypto key <keyname>


599168-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031


599135-2 : B2250 blades may suffer from high TMM CPU utilisation with tcpdump

Component: Local Traffic Manager

Symptoms:
B2250 blades may suffer from continuous TMM CPU utilization when tcpdump has been in use.

Conditions:
Run tcpdump on a B2250 platform

Impact:
Increment in TMM CPU utilization with every run of tcpdump.

Workaround:
Restart TMM, avoid the use of tcpdump.

Fix:
B2250 blades no longer suffer from high TMM CPU utilisation with tcpdump


599121-2 : Under heavy load, hardware crypto queues may become unavailable.

Solution Article: K24036315

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is under heavy load, it may erroneously determine that the hardware crypto queues are unavailable and trigger an HA failover event.

Conditions:
BIG-IP system under heavy load and using hardware crypto.

Impact:
HA failover. You might see messages similar to the following:
 -- crit tmm2[22560]: 01010025:2: Device error: crypto codec cn-crypto-2 queue is stuck.
 -- warning sod[6892]: 01140029:4: HA crypto_failsafe_t cn-crypto-2 fails action is failover.
 -- notice sod[6892]: 010c0052:5: Standby for traffic group /Common/traffic-group-1.

Workaround:
None.

Fix:
BIG-IP system now performs an extra check to determine whether the crypto hardware queues are available.


599054-2 : LTM policies may incorrectly use those of another virtual server

Component: Local Traffic Manager

Symptoms:
LTM policies may use policies configured on another virtual server.

Conditions:
- A configurations with several virtual servers and several configured ltm policies attached to those virtual servers.
- Configuration load: manually using the command tmsh load sys conf, or automatically by an upgrade or full config-sync.

Impact:
LTM policies get incrementally added to virtual servers as the policies are compiled, causing unexpected traffic handling decisions based on other policies.

Workaround:
Do not run tmsh load sys conf if you have policies configured. After an upgrade or full config-sync issuing a bigstart restart command or restarting the device will fix this condition.

Fix:
LTM policies no longer incorrectly use those of another virtual server


599033-5 : Traffic directed to incorrect instance after network partition is resolved

Component: TMOS

Symptoms:
After a network partition is resolved, the BIG-IP high availability subsystem may select a different device to handle traffic than the external network.

Conditions:
If the external network does not respond to GARP (Gratuitous ARP) messages to direct IP traffic to the correct device after an Active/Active condition is resolved, then it may continue to send traffic to a device that is now in Standby mode.

Impact:
Traffic will be interrupted since the upstream network is sending traffic to a device that won't process it.

Workaround:
The administrator might be able to manually run a script or command to redirect traffic to the correct device that is hosting the virtual service.

Fix:
When a network partition is resolved, and an Active/Active high availability pair chooses a single Active node, it now invokes a script that can be used to automatically notify the external network infrastructure of the new location for the virtual service. This new script is located in /config/failover/tgrefresh, and is invoked in addition to the transmission of GARP messages.


598983-7 : BIG-IP virtual server with HTTP Explicit Proxy and/or SOCKS vulnerability CVE-2016-5700

Solution Article: K35520031


598981-3 : APM ACL does not get enforced all the time under certain conditions

Solution Article: K06913155

Component: Access Policy Manager

Symptoms:
APM ACL does not get enforced all the time under certain conditions

Conditions:
The following conditions individually increase the chances for this problem to occur:
1. The device is very busy. (Construction of ACL windows is prolonged.)
2. Concentration of connections into one TMM. (e.g., VPN feature.)
3. Small number of TMMs (e.g., BIG-IP low-end platform, Virtual Edition (VE) configurations.)
4. Application starts with a high number of concurrent connections.

Impact:
ACL is not applied for subsequent connections for that TMM. This issue does not consistently reproduce.

Workaround:
Mitigation:
Administrator can kill the affected session, which forces the user to re-login, and ultimately restarts the ACL construction process.

Fix:
Switching context when applying ACL is properly processed, and no longer cause ACL to be not enforced.


598874-2 : GTM Resolver sends FIN after SYN retransmission timeout

Component: Local Traffic Manager

Symptoms:
If a DNS server is not responding to TCP SYN, GTM Resolver sends a FIN after a retransmission timeout (RTO) of the SYN.

Conditions:
GTM Resolver tries to open a TCP connection to a server that does not respond.

Impact:
Firewalls may log the FIN as a possible attack.

Fix:
Do not send anything in response to a SYN retransmission timeout.


598860-4 : IP::addr iRule with an IPv6 address and netmask fails to return an IPv4 address

Component: Local Traffic Manager

Symptoms:
The IP::addr iRule can be used to translate an IPv6 address containing an IPv4 address, but instead it converts it into an IPv4 compatible IPv6 address.

Example:
ltm rule test_bug {
    when CLIENT_DATA {
    log local0. "[IP::addr 2A01:CB09:8000:46F5::A38:1 mask ::ffff:ffff]"
}

Expected result:
Rule /Common/test_bug <CLIENT_DATA>: 10.56.0.1

Actual result:
Rule /Common/test_bug <CLIENT_DATA>: ::10.56.0.1

Conditions:
using IP::addr to convert an IPv6 to an IPv4 address

Impact:
Address is converted into an IPv4-compatible IPv6 address.


598854-3 : sipdb tool incorrectly displays persistence records without a pool name

Component: Service Provider

Symptoms:
MRF SIP persistence records added for a forwarding route (a peer object without a pool), will not be displayed properly by sipdb

Conditions:
If a persistence record is added for a route that does not contain a pool, this persistence entry will not be displayed correctly.

Impact:
The persistence entry is correctly stored in the persistence table and will operate correctly. Due to the bug in the sipdb tool, this entry will not be viewable for debugging purposes.

Fix:
The fix corrects the sipdb tool so that entries which do not have a pool name will display correctly.


598748 : IPsec AES-GCM IVs are now based on a monotonically increasing counter

Component: TMOS

Symptoms:
IPsec was using random IVs.

With random IVs and shortest packets the complete integrity loss will happen before 8 Gb of data are exchanged over the security association in one direction (assuming probability of collision at 0.1%).

Conditions:
Use of AES-GCM or GMAC in IPsec.

Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.

Workaround:
The workaround is to limit the amount of traffic per above guidelines for long-lived security associations in IPsec.

A re-key before 10 Gbyte of data are exchanged is recommended. For 1 Gbps connection the rekey should happen in under 1 min (100 Mbps -- 15 min, 10 Gbps -- 10 sec).

Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.

This is an improvement that allows maximum amount of traffic to be sent on the same security association for AES-GCM in IPsec.


598724-1 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.

Component: TMOS

Symptoms:
Memory hold/leak in SessionDB due to poor HA connection. Active device cannot tell the Standby device that an entry has been deleted because of poor HA connection. These entries accumulate on the Standby device, consuming extra memory which is not released.

Conditions:
A poor HA or insufficient connection exists, one that is not capable of handling the required HA traffic between devices.

Impact:
Eventual out-of-memory errors on standby device.

Workaround:
The mitigation steps in ID 555465 apply to this as well:

You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable

Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.


598707-4 : Path MTU does not work in self-IP flows

Component: Local Traffic Manager

Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.

Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)

Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.


598700-6 : MRF SIP Bidirectional Persistence does not work with multiple virtual servers

Component: Service Provider

Symptoms:
Messages received by different virtual servers (sharing the same router) are not able to be properly routed using the call-id persistence.

Conditions:
A router with multiple virtual servers bridging between networks are not able to use the same call-id persistence entry for routing messages. Messages trying to use a persistence entry created by a different virtual server may be routed to the wrong device.

Impact:
Messages received on another virtual server trying to use the persistence entry will be routed to the wrong device.

Fix:
Fix corrects problems identifying which end of the bi-directional persistence the message has arrived on so that it can be forwarded to the proper device.


598697-1 : vCMP guests may fail after vCMP host system is upgraded to BIG-IP v12.1.x when 'qemu' user isn't created

Component: TMOS

Symptoms:
After installing v12.1.0 on a vCMP host system the guests don't start anymore and remain in "failed" state.

Errors similar to these are logged in the ltm log file:

Jun 10 08:17:22 slot1/VIP4480-R68-S26 crit vcmpd[14354]: 01510003:2: User "qemu" doesn't exist
<..>
Jun 10 08:17:22 slot1/VIP4480-R68-S26 err vcmpd[14354]: 01510004:3: Guest (test-guest): Failure - Error starting VM.
Jun 10 08:17:22 slot1/VIP4480-R68-S26 info vcmpd[14354]: 01510007:6: Guest (test-guest): VS_STARTING->VS_FAILED

Conditions:
Upgrade vCMP host to v12.1.0 or higher
vCMP host system was originally installed with v11.6.0 or older builds.

Impact:
After installing v12.1.0 on a vCMP host system the guest don't start anymore and remain in "failed" state.

Workaround:
Workaround is to run the following command:

useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu

then:
 
bigstart restart vcmpd


598498-7 : Cannot remove Self IP when an unrelated static ARP entry exists.

Component: TMOS

Symptoms:
Cannot remove a self-IP when an unrelated static ARP entry exists. The system produces an error similar to the following: err mcpd[6743]: 01071907:3: Cannot delete IP <addr> because it would leave a static neighbor (ARP/NDP) entry unreachable.

Conditions:
Static arp entry exists, and there are no Self IP addresses on the same subnet as the static ARP entry. When in this condition, none of the Self IP addresses can be deleted.

Impact:
Must delete static ARP entries in order to delete Self IP addresses.

Workaround:
None.

Fix:
In this release, you can delete Self IP addresses if unrelated static ARP entries exist.


598443-1 : Temporary files from TMSH not being cleaned up intermittently.

Component: TMOS

Symptoms:
/var/tmp/tmsh and /var/system/tmp/tmsh can have left over unused directories if there was an abrupt termination wherein TMSH does not get a chance to clean up remaining directories. This script does not automatically run, but instead provides a way for you to manually clean up these scripts. To execute script run bin # ./clean_tmsh_tmp_dirs and follow the prompts.

Conditions:
This can occur if a running task creates a TMSH tmp file, then gets killed before it finishes its clean-up.

Impact:
This can cause the directories /var/tmp/tmsh and /var/system/tmp/tmsh to fill up and cause out of memory exceptions.

Workaround:
Manually delete all unused files in /var/tmp/tmsh and /var/system/tmp/tmsh.

Fix:
The BIG-IP system now contains a command ("clean_tmsh_tmp_dirs") that can be run to clean-up temporary files in /var/system/tmp/tmsh and /var/tmp/tmsh.


598437-1 : SNMP process monitoring is incorrect for tmm and bigd

Component: TMOS

Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".

snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running

Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".

The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.

Impact:
SNMP monitoring of system health incorrectly reports error conditions.

Workaround:
For the 'bigd' problem, the administrator can change the the process-monitor max-processes to allow for more instances of "bigd". For example:

(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }

max-processes should be set to the same value as the sys dbvar bigdb.numprocs or "infinity" if the dbvar is set to "0", allowing bigd to dynamically adjust the number of processes.


For tmm process count

(twos)# modify sys snap process-monitors modify { tmm { process tmm.0 max-processes 1 } }

Fix:
The system now correctly counts the number of TMM process instances, which is not the same as the number of TMM threads. but is based on the hardware capabilities.

Existing/upgraded configurations need to manually adjust the bigd 'max-processes' attribute as described in the Mitigation section. New configurations will be configured appropriately.


598294-1 : BIG-IP ASM Proactive Bot Defense vulnerability CVE-2016-7472

Solution Article: K17119920


598289-4 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In tmsh, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, tmsh reports the following error:
Unexpected Error: Syntax Error: A port number or service name is missing for "/Common/192.0.2.1:80:80". Please specify a port number or service name using the syntax "/Common/192.0.2.1:80:80.<port>".

It also corrupts bigip.conf so that it no longer loads.

Conditions:
-- Use tmsh to load configuration.
-- LTM pools have members that have names in the format of: <ipv4>:<number>:<service port>.

Impact:
TMSH fails to load system configuration file.

Workaround:
None.

Fix:
TMSH now supports pool members with names in the format of <ipv4>:<number>:<service port>, so the valid pool member passes TMSH checks without error.


598211-1 : Citrix Android Receiver 3.9 does not work through APM in StoreFront integration mode.

Component: Access Policy Manager

Symptoms:
During the logon to Citrix StoreFront through an APM virtual server, after the login page, the BIG-IP system sends the client the following error: Error 404 file or directory not found.

Conditions:
This occurs when the following conditions are met:
- Citrix Android receiver 3.9.
- APM is in integration mode with Citrix StoreFront.
- Storefront unified experience mode is enabled.

Impact:
Cannot access Citrix StoreFront unified UI through Android Receiver 3.9.

Workaround:
For StoreFront integration mode, there is an iRule that is created by the iApp that redirects the root page to the store's URI. The workaround is to add an additional redirect for the receiver_uri ending with receiver.html. The iRule below contains this workaround.
It is also recommended to delete and recreate the existing store account.

when HTTP_REQUEST {
    if { [regexp -nocase {/citrix/(.+)/receiver\.html} [HTTP::path] dummy store_name] } {
        log -noname accesscontrol.local1.debug "01490000:7: setting http path to /Citrix/$store_name/"
        HTTP::path "/Citrix/$store_name/"
    }
}

Fix:
Citrix Android Receiver 3.9 now works through APM in StoreFront integration mode.


598134-1 : Stats query may generate an error when tmm on secondary is down

Component: TMOS

Symptoms:
Querying for stats results in an error and further iControl messages are incorrect.

Conditions:
Must be on a chassis. The query must be for stats generated by tmm. A secondary tmm must be down.

Impact:
The iControl session must be restarted.

Workaround:
Ensure all tmms are up and running.

Fix:
The request is handled appropriately even if a tmm is down and no unexpected error is generated.


598110-1 : pkcs11d daemon should not show status 'up' until all connections are established with HSM and BIG-IP is ready to process traffic.

Component: Local Traffic Manager

Symptoms:
The pkcs11d daemon shows 'up' when the connections to HSM is not up and the BIG-IP system is not ready to process traffic.

Conditions:
When the connections to HSM is not up and the BIG-IP system is not ready to process traffic.

Impact:
The pkcs11d daemon shows status as 'up'. The traffic will be dropped since the connections to HSM is not up or the BIG-IP system is not ready to process traffic.

Workaround:
There is no workaround.

Fix:
This release fixes the pkcs11d thread session initialization problem.


598085-2 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.

Component: TMOS

Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.

Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.

Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.

Workaround:
None.


598052-1 : SSL Forward Proxy "Cache Certificate by Addr-Port", cache lookup fails

Component: Local Traffic Manager

Symptoms:
When enabling the SSL Forward Proxy "Cache Certificate by Addr-Port" on the client SSL profile, later flows on cached certificate lookups by "Addr-Port" do not hit the cache.

Conditions:
Enable SSL Forward Proxy and use "Cache certificate by Addr-Port".

Impact:
The client side certificate lookup failed, it may trigger the server side SSL handshake.

Fix:
With this fix, the certificate lookup by "Addr-Port" may have a cache hit.


598039-6 : MCP memory may leak when performing a wildcard query

Component: TMOS

Symptoms:
MCP's umem_alloc_80 cache (visible using tmctl -a) increases in size after certain wildcard queries. Accordingly, the MCP process shows increased memory usage.

Conditions:
Folders must be in use, and the user must execute a wildcard query for objects that are in the upper levels of the folder hierarchy (i.e. not at the very bottom of the folder tree).

Impact:
MCP loses available memory with each query. MCP could eventually run out of memory and core, resulting in an outage or failover (depending on whether or not the customer is running in a device cluster).

Workaround:
Do not perform wildcard queries.

Fix:
Stopped MCP leaking when wildcard queries are performed.


598002-10 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033


597978-2 : GARPs may be transmitted by active going offline

Component: Local Traffic Manager

Symptoms:
GARPs may be transmitted by the active when going offline. As the standby which takes over for the active will also transmit GARPs, it is not expected that this will cause impact.

Conditions:
Multiple traffic-groups configured and active goes offline.

Impact:
It is not expected that this will cause any impact.

Workaround:
Make the unit standby before forcing offline.


597899-1 : Disabling all pool members may not be reflected in Virtual Server status

Component: Local Traffic Manager

Symptoms:
When all pool members are set to session-disable, the expectation is that persistent connections will be drained, and the Virtual Server should not accept new incoming connections.
- Simply disabling (not forcing down) a node does not bubble up to Pool status, because it switches from Green-Enabled to Green-Disabled (staying green is seen as a non-change).
- Since the Pool enabled/disabled state is not updated, this does not bubble up to the Virtual Server, which also stays Green-Enabled.

Conditions:
-- All pool members are set to session-disable.
-- Persistent connections existing on the associated Virtual Server.
-- New connections to associated Virtual Server.
-- Viewing Virtual Server status.

Impact:
Disabling all members of a Pool may not be reflected in Virtual Server status, indicating it is Green-Enabled when in fact it has been disabled indirectly by disabling all members of the related pool.

Workaround:
N/A

Fix:
When all pool-members are disabled via GUI or tmsh, Virtual Server shows Green-Disabled (visually represented as gray) and is still able to process traffic from an existing connections but not able to accept newer traffic.

Green-Disabled status roll-up to Pool (from Pool Member / Node Address) is still necessary. But instead of marking the Virtual Server Yellow, which would stop existing traffic flows on the Virtual Server, the BIG-IP system propagate the Green-Disabled status to the Virtual Server as well.

So in the case where all the Pools associated with a Virtual Server are Green-Disabled (because all the Pool Members for all the Pools are Green-Disabled), the status of the Virtual Server will become Green-Disabled. As soon as any Pool (Pool Member) becomes Green-Enabled, the Virtual Server will also become Green-Enabled.

Note: Green-Disabled shows up as gray in the GUI.

Behavior Change:
When all pool members are set to session-disable, the virtual server state is set to disabled-by-parent, persistent connections will be drained, and the virtual server does not accept new incoming connections.


597879-1 : CDG Congestion Control can lead to instability

Component: Local Traffic Manager

Symptoms:
Debug TMM crashes when the TCP congestion window allows an abnormally high or low congestion window. You can see this by looking at the bandwidth value in "tmsh show net cmetrics" if cmetrics-cache is enabled in the TCP profile.

Conditions:
Running the Debug TMM with CDG Congestion Control.

Impact:
Traffic disrupted while tmm restarts.
In the default TMM, the allowed sending rate will be abnormally high or low.

Workaround:
Use a congestion control algorithm other than CDG.

Switch to the default TMM.

Fix:
Fixed congestion window calculation in CDG.


597835-3 : Branch parameter in inserted VIA header not consistent as per spec

Solution Article: K12228503

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This VIA header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP spec states that all messages in the same transaction should contain the same branch header. The code used to encrypt the branch field returns a different value each time.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.

Impact:
Some servers have code to verify the brach fields in the VIA header do not change within a transaction. These servers complain when they see the fields change.

Workaround:
None.

Fix:
The system now ensures the branch field in the via header does not change.


597828-1 : SSL forward proxy crashes in some cases

Component: Local Traffic Manager

Symptoms:
SSL forward proxy crashes when a check in the state machine is called with something other than a fwdp lookup result

Conditions:
SSL forward proxy is enabled.

Impact:
SSL forward proxy crashes sometimes.

Workaround:
None.

Fix:
Fixed a crash in the SSL forward proxy.


597797-4 : Allow users to disable enforcement of RFC 7057

Solution Article: K78449695

Component: Local Traffic Manager

Symptoms:
When RFC7057 (fallback SCSV) was implemented, some BIG-IP administrators found their SSL clients were incompatible and could no longer connect to the BIG-IP system.

Conditions:
Incompatible SSL clients were not able to connect to the the BIG-IP system.

Impact:
Service disruption.

Workaround:
There is no workaround.

Fix:
When SSL.fallback_SCSV is set to disable, the RFC 7057 implementation will be disabled, though it must be acknowledged that this introduces a security hole when negotiating SSLv3.

Behavior Change:
When RFC7057 was implemented, some BIG-IP administrators found that their SSL clients were incompatible. This change introduces a bigdb variable (SSL.fallback_SCSV) to disable this.


597729-5 : Errors logged after deleting user in GUI

Component: TMOS

Symptoms:
After deleting a user in the BIG-IP GUI (under Access Policy :: Local User DB : Manage Users), the following symptoms may potentially be observed:

1. After approximately 10 minutes, an error similar to the following may appear in the LTM log (/var/log/ltm):

mcpd[25939]: 01070418:5: connection 0x5dde19c8 (user admin) was closed with active requests

Such message may also appear in /var/log/webui.log and /var/log/tomcat/catalina.out.

2. After clicking Refresh, the GUI may not show the correct web page.

Conditions:
It is possible that this error could be encountered when deleting local users (Access Policy :: Local User DB : Manage Users), and may theoretically be encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Error messages logged.
GUI may not show the correct web page.

Workaround:
Use the CLI (tmsh) to delete local users.


597708-4 : Stats are unavailable and vCMP state and status are incorrect

Component: Local Traffic Manager

Symptoms:
Unable to retrieve statistics or statistics are all 0 (zero) when they should not be zero.

This is vCMP related.

Guest virtual-disks always show in-use even when the guest is not in the running state.

When the guest O/S is shut down, the GUI and TMSH do not show accurate information about status.

Conditions:
If a directory is removed from /shared/tmstat/snapshots merged might run at 100% CPU utilization and become unresponsive.

Impact:
No statistics are available. Some statistics, such as traffic stats from TMM, will not be updated, though they may be non-zero. Others, such as system CPU stats that are calculated by merged, will be zero. This will be evident through all management interfaces such as TMSH, TMUI, SNMP, etc.

vCMP guest O/S status is reportedly incorrectly.

Workaround:
If merged has stopped responding, restart the daemon using the following command:

bigstart restart merged

On a chassis with multiple blades or a device with vCMP guests, merged is running on each blade and on each guest. To determine which instance of merged is not responding, ssh to each blade and each vCMP guest, and run the following command to check the CPU utilization of merged:

top -p `pidof merged`

Any merged that has a CPU utilization of over 90% for more than a few seconds is potentially in this state and should be restarted.

To prevent the issue from occurring, disable tmstat snapshots using the following command:

tmsh modify sys db merged.snapshots value false.

Fix:
The merged process no longer becomes unresponsive when a directory is removed from /shared/tmstat/snapshots.


597674-1 : TunnelServer may crash due to division by zero under unknown circumstances while establishing AppTunnels.

Component: Access Policy Manager

Symptoms:
TunnelServer crashes during AppTunnel establishment. Network Access goes to 'Reconnecting' state and then to 'Disconnected' state

Conditions:
The crash happens due to division by zero operation when interval between two events equals to zero ms. This occurs rarely and it is not clear under which circumstances/conditions this occurs.

Impact:
Application Tunnel cannot be established.


597532-1 : iRule: RADIUS avp command returns a signed integer

Component: Local Traffic Manager

Symptoms:
iRules that process attribute-value pairs from RADIUS treat integers as signed when they should be treated as unsigned.

Conditions:
iRules using RADIUS::avp to retrieve data.

Impact:
iRules using the RADIUS::avp command will not work as expected.

Workaround:
The result can be cast to an unsigned integer after obtaining the value, as follows:

ltm rule radius_avp_integer {
    when CLIENT_DATA {
                set charid_integer [RADIUS::avp 26 "integer" index 0 vendor-id XXXXX vendor-type Y]
                set unsigned_charid_integer [expr {$charid_integer & 0xFFFFFFFF}]
}
}

Note that tmm internally treats avp values as signed integers so this might not completely correct the issue.

Fix:
Ensure that the system uses unsigned integers for RADIUS AVPs.


597471 : Some Alerts are sent with outdated username value

Component: Fraud Protection Services

Symptoms:
user-defined, components validation and vtrack Alerts are sent with outdated username value

Conditions:
Log in, then log in again with different user (with conditions to generate an alert)

Impact:
Alert is sent with username of the first login

Fix:
Alerts sending is blocked until after parameters processing is done


597431-2 : VPN establishment may fail when computer wakes up from sleep

Component: Access Policy Manager

Symptoms:
EdgeClient doesn't cleanup routing table before windows goes to hibernate. This may result in establishment of VPN when computer wakes up. It may also result in other network connectivity issues

Conditions:
-VPN connection is not disconnected
-Computer goes in hibernation

Impact:
Issues with Network connectivity

Workaround:
Renew DHCP lease by running
ipconfig/renew.

or

reboot the machine.


597394-2 : Improper handling of IP options

Solution Article: K46535047


597309-2 : Increase the Maximum Members Per Trunk limit to 32 or 64 for high end platforms

Component: TMOS

Symptoms:
The Maximum Members Per Trunk limits is 8 or 16 depending on platform. This is due to

1. The limitation of an SDK from a third party vendor.
2. The number of external interfaces actually provided by the platform.

Conditions:
These platform limits are on the BIG-IP 10000 appliance and B2400, B4300, and B4450 blades.

Impact:
The number of interfaces per trunk is limited to either 8 or 16.

Workaround:
None.

Fix:
New limit of 32 is implemented for the BIG-IP 10000 appliance, and on VIPRION 2400 and VIPRION 4300. New limit 64 is implemented for VIPRION 4450N.


597303 : "tmsh create net trunk" may fail

Component: TMOS

Symptoms:
When a trunk is created with "tmsh create net trunk", with LACP enabled or disabled, the addition of a trunk member may fail. When it fails, there will be log in /var/log/ltm like

Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: bs_trunk_addr_set: unit=0 Invalid parameter bs_trunk.cpp(2406)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: Trouble setting trunk 1, unit 0 bs_trunk.cpp(2591)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0011:3: SDK error Invalid parameter bs_trunk.cpp(2592)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble setting trunk: unit=0, trunk=testTrunk bs_trunk.cpp(1886)
Jun 3 13:27:15 localhost err bcm56xxd[8763]: 012c0010:3: Trouble adding interface to trunk=testTrunk bsx.c(3109)

Conditions:
The problem tends to happen when a trunk is created right after it is deleted. If you wait for over 30 seconds, it is unlikely to happen.

Impact:
A trunk can't be created, and no trunk members can be added.

Workaround:
Wait for over 30 seconds before adding back the same trunk.

Fix:
A fix is already staged, and may show up in a hot fix later.


597270-2 : tcpdump support missing for VXLAN-GPE NSH

Component: TMOS

Symptoms:
The tcpdump utility does not support VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).

Conditions:
Running tcpdump on BIG-IP systems.

Impact:
No support for VXLAN-GPE NSH.

Workaround:
None.

Fix:
tcpdump now has support for VXLAN-GPE NSH.

Behavior Change:
tcpdump now has support for VxLAN (Virtual eXtensible Local Area Network) GPE (Generic Protocol Extension) Network Service Header (NSH).


597214-5 : Portal Access / JavaScript code which uses reserved keywords for field names in literal object definition may not work correctly

Component: Access Policy Manager

Symptoms:
JavaScript code with literal object definition containing field names equal to reserved keywords is not handled correctly by Portal Access.

Conditions:
JavaScript code with literal object definition containing fields with reserved keywords as a name, for example:

var a = { default: 1, continue: 2 };

Impact:
JavaScript code is not rewritten and may not work correctly.

Workaround:
You can use an iRule to rename field names in the original code.

Fix:
Now JavaScript with literal object definition containing reserved keywords as field names is handled correctly by Portal Access.


597176-1 : Multiple Wireshark (tshark) vulnerabilities

Solution Article: K01837042


597089-8 : Connections are terminated after 5 seconds when using ePVA full acceleration

Component: Local Traffic Manager

Symptoms:
When using a fast L4 profile with ePVA full acceleration configured, the 5-second TCP 3WHS handshake timeout is not being updated to the TCP idle timeout after the handshake is completed. The symptom is an unusually high number of connections getting reset in a short period of time.

Conditions:
It is not known all of the conditions that trigger this, but it is seen when using the fast L4 profile with pva-acceleration set to full.

Impact:
High number of connections get reset, longer than expected idling TCP connections, and potential performance issues.

Workaround:
Disabling the PVA resolves the issue.


597023-1 : NTP vulnerability CVE-2016-4954

Solution Article: K82644737


597010-1 : NTP vulnerability CVE-2016-4955

Solution Article: K03331206


596997-1 : NTP vulnerability CVE-2016-4956

Solution Article: K64505405


596814-4 : HA Failover fails in certain valid AWS configurations

Component: TMOS

Symptoms:
Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Conditions:
AWS deployments where there are multiple coincidences for the provided IP address (corresponding to other Amazon VPCs in the same Availability Zone containing unrelated instances but having the same IP address as the BIG-IP's floating IP address.

Impact:
Potential traffic disruption. Some of the floating object's IPs might not be reattached to the instance acting as the new active device.

Workaround:
Do not have AWS deployments with multiple VPCs sharing the same IP address as the BIG-IP's floating IP address.

Fix:
Failover now narrows network description by filtering with VPC id.


596809-1 : It is possible to create ssh rules with blank space for auth-info

Component: Advanced Firewall Manager

Symptoms:
In tmsh it is possible to create profile actions that contain blank spaces, such as in this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Conditions:
This occurs when creating profile actions.

Impact:
Actions can be created with blank spaces in them, you should be receiving a validation error. These rules also cannot be deleted.

Workaround:
Do not create profile actions with blank spaces.

Fix:
BIG-IP will now throw a validation error if you create a profile action containing only a blank space.


596685-1 : Request Log failure on request with XML format violation

Solution Article: K76841626

Component: Application Security Manager

Symptoms:
When Request Log entry with violations for XML format violation is selected, it cannot be displayed and an error is returned.

Conditions:
Request Log entry with violations for XML format violation is selected.

Impact:
Request Log entry cannot be displayed.

Workaround:
None.

Fix:
Requests with XML format violations are now displayed correctly.


596674-2 : High memory usage when using CS features with gzip HTML responses.

Component: Application Visibility and Reporting

Symptoms:
AVR use consumes a lot of memory while trying to decompress responses. This can cause tmm core during stress traffic.

Conditions:
-- Enabled Dosl7d virtual server with CS features.
-- The server is sending compressed responses.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
High memory usage no longer occurs when using CS features with gzip HTML responses.


596631-2 : SIP MRF: Wrong listener may be deleted during media deny-listener deletions, causing crash later

Component: Service Provider

Symptoms:
A SIP media flow deny-listener was to have been deleted but an unrelated listener was deleted instead due to an incorrect address/port match.

For example, when the wrongly deleted listener is later meant to be deleted, there might be a SIGFPE with assertion failure "Assertion "bound listener" failed.".

Conditions:
A SIP MRF media flow existed and was deleted.
An unrelated flow exists with an address/port with wildcards such that it includes that of the media flow.

Impact:
Later when the wrongly deleted listener is referenced, the TMM crashes.

Fix:
When a SIP media flow deny-listener is searched for deletion, an exact match is required that uniquely identifies the deny-listener, so that an unrelated listener is not deleted.


596603-2 : AWS: BIG-IP VE doesn't work with c4.8xlarge instance type.

Component: TMOS

Symptoms:
When deploying BIG-IP VE in AWS with c4.8xlarge instance type, the system never boots and remains in "Stopped" state after briefly trying to start-up.

Conditions:
BIG-IP VE is deployed with c4.8xlarge instance type in AWS.

Impact:
c4.8xlarge instance type are not supported for BIG-IP VE in AWS.

Workaround:
Choose c4.4xlarge or other instance types in AWS.

Fix:
Issue corrected so that BIG-IP VE will work with c4.8xlarge instance type AWS.


596502-1 : Unable to force Bot Defense action to Allow in iRule

Component: Application Security Manager

Symptoms:
When a request is being blocked (or challenged with CAPTCHA) due to being a suspicious browser, the action cannot be forced to allow in the iRule

Conditions:
This occurs when a bot defense action is triggered on suspicious browser, and you wish to allow the request to go through anyway and not send a RST.

Impact:
The bot defense action cannot be forced to "allow", the RST will still be sent.


596488-1 : GraphicsMagick vulnerability CVE-2016-5118.

Solution Article: K82747025


596450-1 : TMM may produce a core file after updating SSL session ticket key

Component: Local Traffic Manager

Symptoms:
When regenerating SSL session ticket key, TMM may restart unexpectedly, leaving a core file.

Conditions:
When the value of ssl.sessionticketkey.regen is reached (every 3 days by default), TMM will regenerate its SSL session ticket key. This operation may lead to an assert: "shared random data inited".

Impact:
TMM core and restart.

Workaround:
None.

Fix:
Resolved a problem that could cause TMM to restart when regenerating the SSL session ticket key


596433-3 : Virtual with lasthop configured rejects request with no route to client.

Component: Local Traffic Manager

Symptoms:
Virtual with lasthop pool configured rejects requests which are sourced from MAC address which is not configured in the lasthop pool.

Conditions:
This issue occurs when the following conditions are meet:

- Virtual with lasthop pool.
- Connection sourced from MAC address which is not configured in the lasthop pool.
- Lasthop pool member is local to TMM.
- tm.lhpnomemberaction db key is set to 2.

Impact:
Connection is erroneously reset with no route to client.

Workaround:
- Change tm.lhpnomemberaction db key to 0 or 1 (behavior change).
- Add IP address for lasthop member which client is originating from to lasthop pool.


596340-8 : F5 TLS vulnerability CVE-2016-9244

Solution Article: K05121675


596242-1 : [zxfrd] Improperly configured master name server for one zone makes DNS Express respond with previous record

Solution Article: K17065223

Component: Local Traffic Manager

Symptoms:
Improperly configured master name server for one zone prevents updates to other, properly configured zones
from propagating to tmm, thus making DNS Express respond with an old record.

Conditions:
Incorrectly configured DNS zone that cannot get updates correctly.

Impact:
DNS Express responds with previous record after zone transfer.

Workaround:
Correct the configuration on the incorrectly configured zone.

Fix:
DNS Express now responds with current record after zone transfer.


596166-1 : Cannot create email using Address Book

Component: Access Policy Manager

Symptoms:
Cannot create email using Address Book, specifically, the To, Cc, and Bcc buttons do not work.

Conditions:
Attempting to create email using Address Book.

1. Use OWA2010.
2. Navigate to the virtual server.
3. Click logon.
4. Type credentials in the Web App form, and logon to OWA.
5. Click New to create new email.
6. Click To (to open Address Book), click To, Cc, and Bcc to choose highlighted user.
7. Once address is in To field Click OK.

Impact:
Email window will be closed and New empty one is opened. Cannot use the To, Cc, and Bcc buttons to add users.

Workaround:
None.

Fix:
Now, clicking the To, Cc, and Bcc buttons opens a new message window addressed to the specified users.


596116-3 : LDAP Query does not resolve group membership, when required attribute(s) specified

Component: Access Policy Manager

Symptoms:
Corresponding session variable session.ldap.last.memberOf contains only the groups user has explicit membership.

Conditions:
This occurs when the following conditions are met:
-- When APM LDAP Query is configured with option "Fetch groups to which the user or group belong" is set to "All".
-- The Required Attribute includes the "memberOf" LDAP attribute.

Impact:
Only groups the user is a direct member of will be populated to the APM 'session.ldap.last.memberOf' variable.

Workaround:
Add the following attribute to the "Required Attributes" list:

"objectClass"

If APM is communicating via LDAP with Microsoft Active Directory, consider adding this attribute to the list:

"primaryGroupID"

Note: Adding the "primaryGroupID" attribute will cause APM to fetch all groups Microsoft Active Directory, including the primary group.

Fix:
LDAP Query now retrieves groups from the backend server in accordance with option "fetch groups to which the user or group belong". it doesn't matter if any required attribute set or not set.


596104-1 : HA trunk unavailable for vCMP guest

Solution Article: K84539934

Component: TMOS

Symptoms:
If a vCMP guest is configured with a high availability (HA) trunk with a threshold value greater than 0, the HA trunk configuration fails with a message similar to the following:

err mcpd[5926]: 01071569:3: Ha group ha_group threshold for trunk _your_trunk_name_here_ 1 is greater than the maximum number of members 0.

Conditions:
This occurs when an HA trunk is configured a vCMP guest, with a threshold value greater than 0. This may occur by any of the following means:
1) Attempting to upgrade a guest to an affected version of BIG-IP, with an HA trunk configured with a threshold value greater than 0. The upgrade fails with the indicated error message.
2) Attempting to load a UCS from a guest with an HA trunk configured with a threshold value greater than 0. The UCS load fails with the indicated error message.
3) Creating an HA group and then attempting to modify the threshold value for the HA trunk. The modify command fails with the indicated error message.

Impact:
HA trunks do not work.
You cannot upgrade the vCMP guest to an affected version of BIG-IP or load a configuration with an HA trunk configured with a threshold value greater than 0.

Workaround:
To allow the upgrade to succeed or the configuration to load, configure the HA trunk threshold to 0.

Important! This disables the HA trunk feature.

Fix:
HA trunks with a threshold value greater than 0 are supported on vCMP guests.


596083-1 : Error running custom APM Reports with "session creation time" on Viprion Platform

Component: Access Policy Manager

Symptoms:
Error is encountered when running custom APM Reports with "session creation time" on Viprion Platform

Conditions:
- On Viprion platform
- Create a APM custom report
- Select "Session creation time" field
- Run the report

Impact:
Won't be able to run custom APM report on Viprion platform


596067-2 : GUI on VIPRION hangs on secondary blade reboot

Component: TMOS

Symptoms:
After rebooting a VIPRION chassis, the GUI suddenly becomes unresponsive several minutes after the reboot.

Conditions:
It is not known exactly triggers this as it is a race condition that occurs on system start, but it is believed that Enterprise Manager making queries against the VIPRION for non-chunked statistics while the blade(s) has not fully started will trigger this condition.

Impact:
GUI becomes unresponsive

Workaround:
bigstart restart httpd will clear this condition if it occurs.


595900-4 : Cookie Signature overrides may be ignored after Signature Update

Solution Article: K11833633

Component: Application Security Manager

Symptoms:
Cookie Signature overrides may be ignored after Attack Signature Update.

Conditions:
Cookie Signature overrides are configured in the policy, and Attack Signatures are updated.

Impact:
Cookie Signature overrides are ignored.

Workaround:
Remove Cookie Signature override and re-add it.

Fix:
Cookie Signature overrides are observed correctly, even after Signature Update.


595819-1 : Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a http/2 enabled browser and HTTP/2 profile attached,

Component: Access Policy Manager

Symptoms:
Access session 'Bytes In' and 'Bytes Out' are not getting updated (stay at 0) when accessed with a HTTP/2 enabled browser and HTTP/2 profile attached.

Conditions:
This occurs when the following conditions are met:
- An HTTP/2 enabled browser is in use.
- APM and HTTP/2 are enabled on the same virtual.

Impact:
APM statistics for bytes in and out are not updated.

Workaround:
None.

Fix:
Access session 'Bytes In' and 'Bytes Out' are now getting updated when accessed with a http/2 enabled browser and HTTP/2 profile attached,


595783 : Changing console baud rate for B2100, B2150 and B2250 blades does not work

Component: TMOS

Symptoms:
Changing the console baud rate does not take effect and leaves the setting unchanged.

Conditions:
Whenever the console baud rate is changed via tmsh, GUI, or iControl on the VIPRION B2100, B2150 and B2250 blades.

Impact:
Changing the console baud rate causes the front panel display manager to restart and does not actually modify the baud rate.

Workaround:
None.

Fix:
Added needed object to global config map for VIPRION B2100, B2150 and B2250 blades so modify message no longer fail the object lookup.


595773-4 : Cancellation requests for chunked stats queries do not propagate to secondary blades

Component: TMOS

Symptoms:
Canceling a request for a chunked stats query (e.g. hitting ctrl-c during "tmsh show sys connection") does not stop data flowing from secondary blades.

Conditions:
A chassis-based system with multiple blades. Users must execute a chunked stats query (e.g. "tmsh show sys connection") and then cancel it before it finishes (e.g. with ctrl-c in tmsh).

Impact:
Unnecessary data will be sent from TMM to secondary mcpd instances, as well as from secondary mcpd instances to the primary mcpd instance. This could cause mcpd to restart unexpectedly.

Fix:
Cancellations for chunked stats queries are now propagated to secondary blades.


595712-1 : Not able to add remote user locally

Component: TMOS

Symptoms:
When a user has logged in remotely, using tmsh to add a user with the same name will fail:

01020066:3: The requested user role partition (raduser TestPartition) already exists in partition Common.

Conditions:
Remote authentication is configured and a remote user has logged in.

Impact:
Changing remote user to local fails.

Workaround:
Use "replace-all-with" for partition access:

create auth user raduser password raduser1 partition-access replace-all-with { TestPartition {role manager }}


595693 : Incorrect PVA indication on B4450 blade

Component: TMOS

Symptoms:
When you run guishell -c "select HAS_PVA, PVA_VERSION from platform" on a B4450 blade (which includes PVA), the output indicates that it does not have PVA.

Conditions:
This occurs when looking at platform information on B4450 blades.

Impact:
PVA acceleration is not detected properly

Fix:
PVA service is now indicated properly on the B4450 blade.


595605 : Upgrades from 11.6.1 or recent hotfix rollups to 12.0.0 may fail

Component: TMOS

Symptoms:
An upgrade to BIG-IP v12.0.0 will fail when all of the following conditions are met:
- AVR provisioned
- Upgrading to v12.0.0 from the following versions :
  - 11.6.1

Certain engineering hotfixes are also affected.

Conditions:
The following Engineering Hotfixes are affected.

- 11.6.0-hf5 EHF index 110 (Hotfix-BIGIP-11.6.0.5.110.429-HF5-ENG.iso)
- 11.6.0-hf5 EHF Index 214
- 11.6.0-hf5 EHF index 233
- 11.6.0-hf6 EHF index 240

11.6.1 is also affected.

Impact:
The upgrade to 12.0.0 will succeed but the configuration will fail to load.

This can be detected by running tmsh load sys config verify. You will see the following signature:

Unexpected Error: "Can't load keyword definition (analytics-report.device_group)"

Workaround:
12.1.1 is schema compatible with 11.6.1, so upgrade to 12.1.1 instead.


595394-3 : Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Component: TMOS

Symptoms:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x can result in instance becoming inaccessible.

Conditions:
11.5.x/11.6.x Hourly Billing instances with multiple NICs attached.

Impact:
User might not be able to log-in to the instance.

Workaround:
Rebooting the instance corrects the problem.

Fix:
Upgrading 11.5.x/11.6.x hourly billing instances in AWS with multiple NICs to 12.1.x works with new Hourly billing licenses.


595293-4 : Deleting GTM links could cause gtm_add to fail on new devices.

Component: Global Traffic Manager (DNS)

Symptoms:
Once links are auto-discovered, if auto discovery is disabled and the links are deleted, they could become stuck in the Server > Virtual Server list, preventing new devices from joining the sync group. If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Conditions:
Links are auto-discovered
Auto discovery is disabled
The links are deleted

Impact:
If gtm_add is run from a new device, the add will appear to succeed, but no GTM objects will show up on the unit.

Workaround:
None

Fix:
Cleanup all aspects of a GTM link when it is deleted.


595281-1 : TCP Analytics reports huge goodput numbers

Component: Local Traffic Manager

Symptoms:
TCP Analytics reports that 2^32 bytes have been delivered, rather than 0.

Conditions:
When the serverside connection attempt fails.

Impact:
TCP Analytics stats are inaccurate.

Fix:
Handle the failed connection case properly.


595275-5 : Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN

Component: Local Traffic Manager

Symptoms:
Virtual IP address change might cause VIP state to go from GREEN to RED to GREEN when pool goes empty.

Conditions:
This occurs when the configuration contains a pool with only one FQDN pool member.

Impact:
VIP can go briefly RED and offline.

Workaround:
Configuring a fallback static IP node or multiple FQDN pool members removes this risk.


595272-1 : Edge client may show a windows displaying plain text in some cases

Component: Access Policy Manager

Symptoms:
Under captive portal environment, sometimes edge client may show a windows with some plain text content.

Conditions:
Edge client is launched when users machine is inside captive portal network.

Impact:
User may not be able to establish VPN

Workaround:
Authenticate to captive portal using browser and Launch edge client again.


595242-1 : libxml2 vulnerabilities CVE-2016-3705

Solution Article: K54225343


595231-1 : libxml2 vulnerabilities CVE-2016-3627 and CVE-2016-3705

Solution Article: K54225343


595227-1 : SWG Custom Category: unable to have a URL in multiple custom categories

Component: Access Policy Manager

Symptoms:
When configuring a url in multiple categories you receive a validation error message:
May 19 16:13:44 bigip12 err mcpd[8992]: 010717f3:3: Custom category (/Common/category_allow_group2) has invalid URL (http://172.16.20.1/*). Reason: You cannot have the same URL in two or more custom categories. URL used in category (/Common/category_allow_group1).

Conditions:
Configuring the same URL in multiple custom categories.

Impact:
Unable to have the same URL in multiple custom categories, and therefore cannot configure the system to have a URL allowed for one group but not for another.

Workaround:
None

Fix:
Validation preventing the configuration of same URL for multiple custom categories has been fixed.


594910-1 : FPS flags no cookie when length check fails

Component: Fraud Protection Services

Symptoms:
You see No Cookie errors for validation errors other than No Cookie.

Conditions:
Malformed component validation cookie

Impact:
No Cookie errors counted when the validation error was not due to No Cookie

Workaround:
No

Fix:
Fixed an issue with No Cookie error counting.


594869-4 : AFM can log DoS attack against the internal mpi interface and not the actual interface

Component: Advanced Firewall Manager

Symptoms:
While under an attack that matches a DoS profile, BIG-IP may indicate that the interface is the internal mpi interface and not the interface that the attack is happening on.

Conditions:
This can occur in CMP-enabled systems.

Impact:
A valid DoS attack will be misreported


594642-3 : Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Component: Local Traffic Manager

Symptoms:
Stream filter may require large allocations by Tcl leading TMM to core on allocation failure.

Conditions:
Stream filter is active during low memory situations

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Stream may now be configured to parse xbufs in chunks. This limits the maximum amount of memory required and reduces the chance of an allocation failure.


594496-1 : PHP Vulnerability CVE-2016-4539

Solution Article: K35240323


594426-2 : Audit forwarding Radius packets may be rejected by Radius server

Component: TMOS

Symptoms:
The Accounting-Request packets are missing two required AVPs (Attribute Value Pair), Acct-Session-ID and Acct-Status-Type. Some Radius servers drop Radius Accounting-Requests which are missing these AVPs.

Conditions:
Configured to use audit forwarding with radius and audit messages are not logged on the Radius server.

Impact:
Unable to log audit messages from BIG-IP using audit forwarding.


594366-1 : Occasional crash of icrd_child when BIG-IP restarts

Solution Article: K21271097

Component: TMOS

Symptoms:
When BIG-IP restarts (bigstart restart), or when restjavad restarts (bigstart restart restjavad), there is an occasional crash of the icrd_child thread.

Conditions:
When BIG-IP restarts (bigstart restart), or when restjavad restarts. No other specific conditions.

Impact:
Occasional crash/SEGV exception.

Workaround:
Restart restjavad (bigstart restart restjavad).

Impact of workaround: The iControl REST API for making queries or modifications is temporarily unavailable while the restjavad service restarts.

Fix:
Different approach of handling thread termination is implemented. New approach correctly terminates zombie processes and does not cause SEG fault.


594302-1 : Connection hangs when processing large compressed responses from server

Component: Local Traffic Manager

Symptoms:
When large compressed responses are sent by the server, the connection hangs when trying to send decompressed content to the client.

Conditions:
An LTM policy which enforces decompression for responses is attached to the virtual server. The virtual server also has http compression profile attached to it. Server sends large compressed responses.

Impact:
Connection hangs when trying to process the compressed response in order to send decompressed content to client.

Fix:
The large compressed responses are successfully processed and no connection hangs are seen.


594288-1 : Access profile configured with SWG Transparent results in memory leak.

Component: Access Policy Manager

Symptoms:
Access profile configured with SWG Transparent results in memory leak.

Conditions:
Create an access profile of type SWG Transparent, and assign to a virtual. Run traffic through this virtual.

Impact:
TMM leaks memory.

Workaround:
None

Fix:
Fixed the memory leak caused by access filter for SWG transparent use case.


594127-2 : Pages using Angular may hang when Websafe is enabled

Component: Fraud Protection Services

Symptoms:
Pages using angular may not load correctly when Websafe "inject Javascript into page" is enabled

Conditions:
Application using Angular.js
Websafe: "inject Javascript into page" is enabled

Impact:
Page does not load fully

Fix:
Websafe no longer changes the page's "documentMode"


594075-2 : Sometimes when modifying the firewall rules, the blob does not compile and pccd restarts periodically

Component: Advanced Firewall Manager

Symptoms:
With pccd.alwaysfromscratch set to true, the blob doesn't compile and pccd restarts periodically when firewall rules are modified.

Conditions:
1. pccd.alwaysfromscratch is set to true (default value is false)
2. Modify some firewall rules.

Impact:
The blob doesn't compile and pccd keeps restarting without loading new rules.

Workaround:
Remove saved blob files in /var/pktclass/ (rm -f /var/pktclass/*) and restart pccd.


593925-1 : ssh profile should not contain rules that begin and end with spaces (cannot be deleted)

Component: Advanced Firewall Manager

Symptoms:
When attempting to delete a rule for an ssh profile and committing the changes in the GUI, you get an error: "Operation is not supported on property /security/ssh/profile/~Common~ssh-test/rules."

Conditions:
This occurs if you previously created ssh profile rules that contain spaces in them, such as this example:

create security ssh profile ssh-test actions add { " " } rules add { " " { actions add { " " } identity-users add { " "} identity-groups add { " " } } } auth-info add { " " }

Impact:
Unable to delete the rules

Fix:
You can now delete ssh profile rules that contain spaces for the rules.


593696-1 : Sync fails when deleting an ssh profile

Component: Advanced Firewall Manager

Symptoms:
After creating an ssh profile and successfully syncing it to the sync group, you later delete the profile and sync fails with this error on the target device:
"err mcpd[5178]: 01071488:3: Remote transaction for device group /Common/syncme to commit id 6 6285666289815053813 /Common/bigip2.mysite.com 0 failed with error 01071aaf:3: SSH profile: [/Common/ssh1] default actions is required and cannot be removed."

Conditions:
This is triggered when deleting an ssh profile that has been synced in a sync group. Sync group is configured for manual sync. It is not known if automatic sync also exhibits this behavior.

Impact:
Sync fails.


593530-6 : In rare cases, connections may fail to expire

Solution Article: K26430211

Component: Local Traffic Manager

Symptoms:
Connections have an idle timeout of 4294967295 seconds.

Conditions:
Any IP (ipother) profile is assigned to virtual server.

Impact:
Connections may linger.

Workaround:
None.

Fix:
Fixed idle initialization error when using Any IP (ipother) profile.


593447-1 : BIG-IP TMM iRules vulnerability CVE-2016-5024

Solution Article: K92859602


593390-4 : Profile lookup when selected via iRule ('SSL::profile') might cause memory issues.

Component: Local Traffic Manager

Symptoms:
If an iRule selects a profile using just its name, not the full path, the internal lookup might fail. This might cause a new version of the profile to be instantiated, leading to memory issues.

Conditions:
An iRule calls SSL::profile but does not supply the complete path (e.g., /Common/clientssl); rather, the iRule uses only the profile name.

Impact:
Higher memory usage than necessary.

Workaround:
Always have iRules select profiles using the complete path.

Fix:
If an iRule attempts to select a profile using only its name, the system now prepends the /Common path prior to looking it up, so there is no potential of instantiating another version of the profile, so no memory issue occurs.


593355 : FPS may erroneously flag missing cookie

Component: Fraud Protection Services

Symptoms:
You see Missing Cookie errors for validation errors other than Missing Cookie.

Conditions:
Any component validation error.

Impact:
Missing Cookie errors counted when the validation error was not due to Missing Cookie

Workaround:
No.

Fix:
Fixed an issue with Missing Cookie error counting.


593139-9 : glibc vulnerability CVE-2014-9761

Solution Article: K31211252


593137-1 : userDefined property for bot signatures is not shown in REST

Component: TMOS

Symptoms:
The user defined property of the signature is not exposed in iControl REST.

Conditions:
Attempting an iControl REST API call to see a signature.

Impact:
The userDefined field is not shown. Impacts external interfaces interacting with the BIG-IP configuration and expecting to see a field and a value there.

Workaround:
None.

Fix:
The userDefined field exists now and has a true/false values.


593078-1 : CATEGORY::filetype command may cause tmm to crash and restart

Component: Access Policy Manager

Symptoms:
If an iRule command is created using the CATEGORY::filetype command, the tmm may eventually suffer a failure, and restart.

Conditions:
This can occur when using the CATEGORY::filetype iRule under normal operation.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash in CATEGORY::filetype


593070-2 : TMM may crash with multiple IP addresses per session

Component: Policy Enforcement Manager

Symptoms:
TMM crash

Conditions:
A session with multiple IP addresses with PCRF communication for dynamic policy management may have a crash credits to a race condition.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Check for timer expiration prior to processing the timer.


592871-3 : Cavium Nitrox PX/III stuck queue diagnostics missing.

Component: Local Traffic Manager

Symptoms:
Diagnostics tool to investigate rare issue where the Cavium Nitrox PX/III crypto chip gets into a "request queue stuck" situation.

Conditions:
System with Cavium Nitrox PX/III chip(s) which includes the BIG-IP 5xxx, 7xxx, 10xxx, and 12xxx platforms as well as the VIPRIOn B2200 blade, that hits a rare issue which logs a "request queue stuck" message in /var/log/ltm.

Impact:
This tool enables F5 engineers to obtain more data about this problem to help diagnose the issue.

Workaround:
None.

Fix:
Provides a diagnostics tool. Does not directly mitigate the problem.


592870-2 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
This occurs when quickly changing the IPsec tunnel interface MTU.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


592868-3 : Rewrite may crash processing HTML tag with HTML entity in attribute value

Component: Access Policy Manager

Symptoms:
If HTML page contains HTML entities in attribute values, rewrite may crash processing this page.

Conditions:
HTML tag like this:
<script src="&#10;" type="text/javascript"></script>

Impact:
Web application may not work correctly.

Workaround:
In most cases HTML entities can be replaced by appropriate characters by iRule.

Fix:
Now rewrite correctly handles HTML entities in attribute values.


592854-1 : Protocol version set incorrectly on serverssl renegotiation

Component: Local Traffic Manager

Symptoms:
If the BIG-IP serverssl profile sends a new ClientHello request to renegotiate SSL, the protocol version will be set to 0. This will cause renegotiation to fail.

Conditions:
ServerSSL profile configured on a virtual server, and BIG-IP initiates a renegotiation.

Impact:
Protocol field is invalid (0), and the server will reset the connection.

Fix:
Fixed a reset issue with SSL renegotiation in the serverssl profile.


592784-2 : Compression stalls, does not recover, and compression facilities cease.

Component: Local Traffic Manager

Symptoms:
Compression stalls, does not recover, and compression facilities may cease.

Conditions:
A device error of any kind, or requests that result in the device reporting an error (for example, attempting to decompress an invalid compression stream).

Impact:
In general, compression stops altogether. Under some circumstances, compression requests may end up routed to zlib (software compression), but generally the SSL hardware accelerator card does not correctly report that it is unavailable when it stalls.

Workaround:
Select the softwareonly compression provider by running the following tmsh command: tmsh modify sys db compression.strategy value softwareonly.

Fix:
The compression device driver now attempts to recover after a failure. If it still cannot recover, new compression requests will be assigned to zlib (software) for compression.


592731-1 : Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.

Solution Article: K34220124

Component: Local Traffic Manager

Symptoms:
Default value of device-request timeout factor might cause false alert: Hardware Error ni3-crypto request queue stuck.

Conditions:
In case of heavy SSL traffic, Cavium Nitrox SSL hardware accelerator card might need more time than the default interval to complete the encryption or decryption.

Impact:
The /var/log/ltm log contains the following message: Hardware Error(Co-Processor): n3-crypto1 request queue stuck. tmm will be in failure state.

Workaround:
Use tmsh to increase the device.request.timeoutfactor db variable to allow more time for encryption or decryption to complete. For example, to increase device.request.timeoutfactor to 200, run the following command: tmsh modify sys db device.request.timeoutfactor value 200.

To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.

Note: Traffic is disrupted while during restarts.

Fix:
The default value of device.request.timeoutfactor is now sufficient to allow the Cavium Nitrox SSL hardware accelerator card to complete the encryption or decryption as expected.


592716-1 : BMC timezone value was not being synchronized by BIG-IP

Component: TMOS

Symptoms:
You notice that errors on the LCD have an incorrect timestamp compared to what is reported in BIG-IP

Conditions:
This can occur when running the 12.1.1 base release on the BIG-IP i-Series platforms.

Impact:
Timestamp is reported in the wrong time zone.

Fix:
Fixed an issue with incorrect timestamp reporting on the LCD display


592699-3 : IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP performance

Component: Local Traffic Manager

Symptoms:
IPv6 data pulled from the BIG-IP system via HTTPS, SCP, SSH, DNS or SMTP might encounter significant performance impacts when initiated over a BIG-IP data port using IPv6.

Conditions:
-- Protocols: HTTPS, SCP, SSH, DNS, SMTP.
-- IPv6.
Note: Management port is not impacted.

Impact:
Performance impact pulling data over affected ports from the BIG-IP over IPv6.
BIG-IQ performance is impacted trying to manage BIG-IP devices over IPv6.

Workaround:
Disable TSO for IPv6 at the command line by running the following command: ethtool -K tmm tso off.
Note: This command must be run each time after reboot.

Fix:
The issue has been corrected, so that there is no performance impact pulling data over affected ports using HTTPS, SCP, SSH, DNS or SMTP from the BIG-IP over IPv6, and there is no BIG-IQ performance issue managing BIG-IP devices over IPv6.


592682-1 : TCP: connections may stall or be dropped

Component: Local Traffic Manager

Symptoms:
TCP connections stall or get dropped.

Conditions:
Under some network conditions especially with rateshaper enabled TCP connection could stall and ultimately get reset.

Impact:
This usually happens with rateshaper or BWC enabled. Rarely could also happen with very lossy networks.

Fix:
Properly manage re-transmissions after a tail drop by not not doing the exponential back-off. Reset the re-transmit timer for every partial ack received after a tail drop.


592497-1 : Idle timeout ineffective for FIN_WAIT_2 when server-side expired and HTTP in fallback state.

Component: Local Traffic Manager

Symptoms:
While passing normal traffic, CPU utilization of one or more tmms suddenly goes to 100% as viewed by top and remains there indefinitely.

Conditions:
Idle timeout for tcp flows in FIN_WAIT_2.

Impact:
There is a rare occurrence in which tmm might result in 100% CPU busy.

Workaround:
None.

Fix:
This release honors the idle timeout in FIN_WAIT_2 when server-side expired and HTTP in fallback state.


592485 : Linux kernel vulnerability CVE-2015-5157

Solution Article: K17326


592414-4 : IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed

Component: Access Policy Manager

Symptoms:
IE11 and Chrome throw "Access denied" during access to any generic window property after document.write() into its parent has been performed from dynamically generated child.

Conditions:
Browsers: IE11 and Chrome
When: After document.write() into its parent has been performed from dynamically generated child.

Impact:
Web application malfunction.

Workaround:
None.

Fix:
Fixed.


592363 : Remove debug output during first boot of VE

Component: TMOS

Symptoms:
There was unneeded debug output during 1st boot of VE on Cloud deployments.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
Extra debug output on 1st boot.

Fix:
Debug output was removed.


592354 : Raw sockets are not enabled on Cloud platforms

Component: TMOS

Symptoms:
Cloud VMs come configured with UNIC driver instead of using raw sockets.

Conditions:
Cloud deployment - AWS and Azure.

Impact:
UNIC is used instead of raw sockets.

Workaround:
Manually disabling unic driver will force raw sockets to be used.

Fix:
Enabled raw sockets by default on Cloud deployments.


592320-5 : ePVA does not offload UDP when pva-offload-state set to establish in BIG-IP 12.1.0 and 12.1.1

Component: TMOS

Symptoms:
When a fastL4 profile's pva-offload-state set to establish (default is embryonic), the corresponding UDP virtual server using that profile won't offload UDP traffic and causes performance degradation.

Conditions:
This issue is introduced during v12.0.0 development and only impacts v12.1.0 and v12.1.1 releases.
A fastL4 UDP virtual server is using a fastL4 profile that has pva-offload-state set to establish.

Impact:
Performance degradation.

Workaround:
Use default setting for pva-offload-state of embryonic for fastL4 profile.

Fix:
With the fix in 12.1.2 and 13.0.0, ePVA will load UDP traffic when pva-offload-state set to establish.


592274-3 : RAT-Detection alerts sent with incorrect duration details

Component: Fraud Protection Services

Symptoms:
If a remote access trojan (RAT) detection alert is encountered immediately upon initialization, the timestamp of the alert will be incorrect.

Conditions:
-- Enable RAT detection.
-- RAT detection alert is countered within 5 seconds of initialization.

Impact:
Rat-detection alerts sent with incorrect duration details, and false-positives for RAT keyboard alerts.

Workaround:
None.

Fix:
When generating RAT Detected alert within 5 seconds from page load, actualCounter in alert details is lower than 5 seconds for example:
"timeToResetCounter":5000,"actualCounter":4296


592113-5 : tmm core on the standby unit with dos vectors configured

Component: Advanced Firewall Manager

Symptoms:
On the standby unit with mirrored connections configured, uninitialized dos_vectors may cause core dump

Conditions:
HA setup, mirroring enabled on a virtual that has dos vectors configured

Impact:
Traffic disrupted while tmm restarts.


592070-5 : DHCP server connFlow when created based on the DHCP client connFlow does not have the traffic group ID copied

Component: Policy Enforcement Manager

Symptoms:
Variables in the flow context when stored in the sessionDB cannot be shared since the traffic groups of the server and client flows are different.

Conditions:
DHCP virtual created in a non-local traffic group.

Impact:
Variable sharing in the TCL context will not work.

Workaround:
Modify SysDb variable "Tmm.SessionDB.match_ha_unit" to disable the use of traffic-group ID while accessing the sessionDB.

Fix:
Copy the traffic group from client to server connFlows such that both connFlows have the same traffic group.


592001-1 : CVE-2016-4073 PHP vulnerabilities

Solution Article: K64412100


591918-2 : ImageMagick vulnerability CVE-2016-3718

Solution Article: K61974123


591908-2 : ImageMagick vulnerability CVE-2016-3717

Solution Article: K29154575


591894-2 : ImageMagick vulnerability CVE-2016-3715

Solution Article: K10550253


591881-1 : ImageMagick vulnerability CVE-2016-3716

Solution Article: K25102203


591840-1 : encryption_key in access config is NULL in whitelist

Component: Access Policy Manager

Symptoms:
encryption_key in access config is NULL sometime when applying 404 whitelist action and will result in TMM crash.

Conditions:
All the following must be true:
- Access policy action resulted in a "not found".
- The session corresponding to above action must be expired.
- FIPS platform.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Data required to serve a "not found" action is retrieved and made available early so that such responses can be served correctly.


591828-4 : For unmatched connection, TCP RST may not be sent for data packet

Solution Article: K52750813

Component: Advanced Firewall Manager

Symptoms:
When TCP connection times out (no entry in 'show sys conn'), and subsequent data packet comes in (not SYN), The BIG-IP system does not send a RST to the client to reset the connection.

Conditions:
This issue occurs if AFM is provisioned. Additionally, in BIG-IP v12.1.0 and above, it occurs if ASM is provisioned (regardless of AFM provisioning).

-- Packets other than SYN with no entry in the connection table arrive.

This can occur either after a failover (when mirroring is disabled) when traffic arrives at the newly-active system, or can occur if the relevant virtual server has 'reset-on-timeout' disabled.

Impact:
Client retransmits several times and then terminates TCP connection. There is no RST sent from BIG-IP to client for unmatched connection.

Workaround:
Enable the reset on timeout option to send TCP RST to client when connection times out.

Note: This workaround does not address the circumstances where a newly-active BIG-IP system receives traffic (e.g. after a failover or system reboot).

Fix:
The BIG-IP system now sends a TCP RST for unknown connections so the clients and backend servers can start a new connection.


591806-8 : ImageMagick vulnerability CVE-2016-3714

Solution Article: K03151140


591767-8 : NTP vulnerability CVE-2016-1547

Solution Article: K11251130


591733-4 : Save on Auto-Sync is missing from the configuration utility.

Solution Article: K83175883

Component: TMOS

Symptoms:
The option to configure save-on-auto-sync is missing in the Device Management GUI.

Conditions:
Devices configured in a DSC configuration.
Automatic with Full or Incremental Sync is enabled.
You attempt to configure the save-on-auto-sync option from the GUI.

Impact:
You will need to have TMSH access to the BIG-IP system to perform this task.

Workaround:
You will need to have TMSH access to the BIG-IP system to perform this task.

Fix:
This release adds per-device-group save_on_auto_sync flag to GUI: flag now shows in GUI and correctly saves.
GUI: The "Sync Type" option in the GUI must be set to "Automatic with Full/Incremental Sync" in order for "Save on Auto-Sync" option to show.

Behavior Change:
Beginning in version 11.5.0, the /cm trust-domain 'save-on-auto-sync' attribute is no longer configured as part of the trust-domain, but is part of the configuration of a device group. With this change, the option to set that attribute becomes available in the GUI on the condition that the "Sync Type" option is set to "Automatic with Full/Incremental Sync".


591666-3 : TMM crash in DNS processing on TCP virtual with no available pool members

Component: Local Traffic Manager

Symptoms:
TMM crash when processing requests to a DNS virtual server.

Conditions:
The issue can occur if a TCP DNS virtual receives a request when no pool members are available to service the request and a DNS iRule is suspended due to previous requests.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Mitigation is to ensure at least one pool member is available whenever the DNS virtual is processing traffic, or to avoid iRule commands that can suspend processing.

Ensure datagram LB mode is enabled on UDP DNS virtuals.

Fix:
Product corrected to prevent crash when there are no available members.


591659-5 : Server shutdown is propagated to client after X-Cnection: close transformation.

Solution Article: K47203554

Component: Local Traffic Manager

Symptoms:
Server shutdown is propagated to client after X-Cnection: close transformation.

Conditions:
In OneConnect configurations, when a server's maximum number of keep-alives is exceeded, the server closes the connection between itself and the BIG-IP system. This Connection: Close is transformed to an X-Cnection: close and sent to the Client along with a TCP FIN.

Impact:
Client side connections are closed by the BIG-IP system too early, causing subsequent requests to be dropped.

Workaround:
Set the OneConnect profile "Maximum Reuse" value to 2 below the value of the pool members max keep-alive setting. This forces OneConnect to close the connection before the pool member.

Fix:
Server shutdown is no longer propagated to client after X-Cnection: close transformation, so client side connections are now kept open by the BIG-IP system as expected, and subsequent requests are no longer dropped.


591590-1 : APM policy sync results are not persisted on target devices

Component: Access Policy Manager

Symptoms:
Policy sync results, including profile, sync folder, new partition, statuses, history are not persisted on target devices after sync, when there is no LSO resolution.

Conditions:
1. Create an APM policy with no LSO to resolve, or have an APM policy that has LSO resolved by the previous sync.
2. Start a policy sync.

Impact:
Sync results including the policy profiles are not persisted, so when the BIG-IP system restarts, all the sync data will be lost.

Workaround:
Run tmsh command to save config:

tmsh save sys config

Fix:
Policy sync result will be persisted on target devices so even when those devices restart, the data will still be there.


591495-2 : VCMP guests sflow agent can crash due to duplicate vlan interface indices

Component: TMOS

Symptoms:
When a VCMP guest uses sflow, the sflow agent will crash when it tries to add a row to its internal data structure and finds the key already exists for some other entry.

Conditions:
This issue can occur on systems with VCMP guests, its occurrence is is more likely with a higher number of cores.

Impact:
sflow agent will crash.

Fix:
Make sure the allocated interface index for a vlan is not already taken by another interface object.


591476-7 : Stuck crypto queue can erroneously be reported

Solution Article: K53220379

Component: Local Traffic Manager

Symptoms:
In some cases, a stuck crypto queue can be erroneously detected on Cavium Nitrox-based (Nitrox PX and Nitrox 3). When the tmm/crypto stats are examined, they show no queued requests. The following message appears in the ltm log: Device error: crypto codec cn-crypto-0 queue is stuck. tmm crash

Conditions:
-- Running on one of the following platforms:
 + BIG-IP 800, 1600, 3600, 3900, 6900, 89xx, 2xxx, 4xxx, 5xxx, 7xxx, 10xxx, 11xxx, 12xxx, i2xxx, and i4xxx
 + VIPRION B41xx-B43xx, B21xx, and B22xx blades.
-- Performing SSL.
-- Under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
Modify the crypto queue timeout value to 0 to prevent timeouts using the following command:

tmsh modify sys db crypto.queue.timeout value 0

To clear erroneously stuck queues, you must restart tmm or reboot the BIG-IP system.

Note: Traffic is disrupted while during restarts.

Fix:
The crypto driver now only examines requests in the hardware DMA ring to detect a stuck queue on Nitrox devices.


591455-7 : NTP vulnerability CVE-2016-2516

Solution Article: K24613253


591447-1 : PHP vulnerability CVE-2016-4070

Solution Article: K42065024


591438-7 : PHP vulnerability CVE-2015-8865

Solution Article: K54924436


591358-1 : Oracle Java SE vulnerability CVE-2016-3425

Solution Article: K81223200


591343-5 : SSL::sessionid output is not consistent with the sessionid field of ServerHello message.

Solution Article: K03842525

Component: Local Traffic Manager

Symptoms:
SSL::sessionid output is not consistent with the sessionid field of ServerHello message. This is mostly cosmetic, but if an iRule depends upon the outcome, the result can be unexpected.

Conditions:
This occurs when using an iRule to inspect the session ID on server-side SSL.

Impact:
The values do not match. SSL::sessionid outputs the wrong sessionid.

Workaround:
None.

Fix:
The returned session ID in both the SERVERSSL_SERVERHELLO and SERVERSSL_HANDSHAKE events is the one presented by the SSL server.


591328-7 : OpenSSL vulnerability CVE-2016-2106

Solution Article: K36488941


591325-8 : OpenSSL (May 2016) CVE-2016-2108,CVE-2016-2107,CVE-2016-2105,CVE-2016-2106,CVE-2016-2109

Solution Article: K75152412


591268-1 : VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions

Component: Access Policy Manager

Symptoms:
VS hostname is not resolvable when DNS Relay proxy is installed and running under certain conditions, it depends on client machine configuration. Symptom: negative record in windows DNS cache, can be verified by running ipconfig /displaydns

Conditions:
Specific client machine configuration

Impact:
VS hostname is not resolvable:
- 'Refresh' of webtop causes unavailable webtop
- Recurring check report may fail due to DNS resolve issue

Workaround:
* Clean windows DNS cache: ipconfig /flushdns
or
* Disable DNS Relay proxy service

Fix:
Now DNS Relay proxy service cleans up DNS cache after initialization mitigating issue described


591261 : BIG-IP VPR-B4450N shows "unknown" SNMP Object ID

Component: TMOS

Symptoms:
The BIG-IP VPR-B4450N blade does not show the correct Object ID for SNMP. An SNMP query will return "unknown".

Conditions:
This issue may occur on VIPRION B4450N blades running affected versions of BIG-IP software.

Impact:
Some network management applications may complain and fail.

Workaround:
None.

Fix:
A new SNMP Object ID is added to TMOS v12.1.1 for VPR-B4450N.


591246-1 : Unable to launch View HTML5 connections in non-zero route domain virtual servers

Component: Access Policy Manager

Symptoms:
Currently APM always attempts to uze the RTDom 0 when VMware View HTML5 client is launched.

This doesn't work with the virtual servers in non-zero route domains.

Conditions:
APM configured as a PCoIP proxy on a VS in non-zero route domain.

Impact:
You cannot use virtuals in non-zero route domains if they need VMware View HTML5 client functionality

Fix:
APM now uses the proper route domain from the virtual server to handle VMware View HTML5 client connections.


591139 : TMM QAT segfault after zlib/QAT compression conflation.

Component: Local Traffic Manager

Symptoms:
TMM can segfault during prolonged mixture of software and hardware accelerated compression.

Conditions:
Continuous and prolonged mixture of software and hardware accelerated compression.

Impact:
TMM segfaults.

Workaround:
Disable hardware accelerated compression with:

    tmsh modify sys db compression.strategy value speed

Fix:
TMM QAT compression added pointer-hardening for compression context.


591119 : OOM with session messaging may result in TMM crash

Component: TMOS

Symptoms:
Under out of memory conditions, session messaging may not initialize storage correctly, resulting in a later TMM crash.

Conditions:
Under out of memory conditions, memory allocation for session messaging fails, and storage is not initialized correctly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Reduce load on box in order to avoid OOM conditions.

Fix:
Initialize storage on memory allocation failure.


591117-3 : APM ACL construction may cause TMM to core if TMM is out of memory

Component: Access Policy Manager

Symptoms:
During ACL construction, TMM send queries regarding assigned ACL information. If the reply message contains error message of out-of-memory, TMM was not handling this error message properly, and cause TMM to core.

Conditions:
BIG-IP is extremely loaded and out of memory.

Impact:
Traffic disrupted while tmm restarts.

Fix:
When handling the error reply message of out-of-memory during ACL construction, TMM can handle it without causing TMM to crash.


591104-1 : ospfd cores due to an incorrect debug statement.

Component: TMOS

Symptoms:
ospfd cores due to an incorrect debug statement.

Conditions:
This occurs in NSSA configs when ASE OSPF debugging enabled in imish (for example, by running the command: debug ospf route ase). Affected configuration commands are (in imish):
debug ospf all.
debug ospf route.
debug ospf route ase.

Impact:
ospfd might crash, interrupting dynamic routing.

Workaround:
Do not enable debugging in ospf that includes 'route ase'.

Fix:
ospfd no longer crashes when debugging is enabled in imish.


591042-17 : OpenSSL vulnerabilities

Solution Article: K23230229


591039 : DHCP lease is saved on the Custom AMI used for auto-scaling VE

Component: TMOS

Symptoms:
When configuring the instance for auto-scaling purpose and subsequently generating the Custom/Model AMI that is used for autoscaling VEs, the new instances generated from this image, might have the old DHCP lease acquired by the custom instance before an AMI was generated from it. This can collide with the new lease that the new instances get in their boot-up.

Conditions:
This occurs when Auto-scaling VEs.

Impact:
Multiple valid DHClient leases exist, which could result dhclient in BIG-IP choosing wrong IP address for the management interface.

Workaround:
Delete the /var/lib/dhclient/dhclient.leases before shutting down the custom instance and generating a Custom/Model AMI out of it.

Fix:
Auto-scaling AMI will no longer contain a DHCP lease when they are saved.


590993 : Unable to load configs from /usr/libexec/aws/.

Component: TMOS

Symptoms:
In 12.1.0, a new tmsh object 'sys global-settings file-whitelist-path-prefix' controls the path from which config can be loaded. To be allowed as a config storage location, the path must exist in file-whitelist-path-prefix. Because /usr/libexec/ is not part of the path, loading auto-scaling and CloudWatch iCall configuration files from /usr/libexec/aws/ fails.

Conditions:
The issue occurs with AWS auto-scaling- and CloudWatch-related configuration files in TMOS v12.1.0.

Impact:
AWS auto-scaling-related automation and CloudFormation Templates (CFTs) for deploying BIG-IP will not work because 'sys global-settings file-whitelist-path-prefix' disallows /usr/libexec/aws/ is disallowed as legitimate config location.

Workaround:
To work around this, add /usr/libexec/aws/ into the 'sys global-settings file-whitelist-path-prefix'. To do so, run the following tmsh command:

tmsh modify sys global-settings file-whitelist-path-prefix "{/var/local/scf} {/tmp/} {/shared/} {/config/} {/usr/libexec/aws}".

Fix:
Starting in 12.1.0-HF1, F5 Networks has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:

The new locations for these config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.

Behavior Change:
Starting in 12.1.0-HF1, the system has changed the paths from which configuration files related to AWS autoscaling and CloudWatch can be loaded. This necessitates an extra step in the Custom AMI generation for Auto Scaling.

Configuration files related to AWS auto scaling and CloudWatch have been moved to the /usr/share/aws/ directory. This change was made because the system no longer allows /usr/libexec/aws as a config file storage and load location.

12.1.0 and earlier Auto Scaling-related automation and CFT configurations must be modified to point to the new locations. The new locations for the Auto Scaling and CloudWatch config files are:

The new locations for these config files are:
-- /usr/share/aws/autoscale/aws-autoscale-icall-config.
-- /usr/share/aws/metrics/aws-cloudwatch-icall-metrics-config.


590992-3 : If IP address on network adapter changes but DNS remains unchanged, DNS resolution stops working

Component: Access Policy Manager

Symptoms:
- If an IP address on an interface changes after the connection to APM is established, DNS resolution stops working if the DNS on that adapter has not changed.
- DNS resolution stops working until DNS relay proxy service is restarted or stopped.

Conditions:
- Using Microsoft Windows version 10.
- Split tunneling configuration with split DNS scope.
- IP address on the network adapter changes after the connection to APM is established, but the DNS on that adapter remains unchanged.
- This might also occur when adapter 1 goes down and adapter 2 with same DNS as adapter 1 comes up.

Impact:
DNS resolution stops working until DNS relay proxy is stopped or restarted.

Workaround:
Stop or restart DNS relay proxy.

Fix:
This issue has been fixed.


590938-3 : The CMI rsync daemon may fail to start

Component: TMOS

Symptoms:
CMI starts an instance of the rsync daemon used for synchronizing file objects. If this daemon is not running, but left its PID file, then it will not restart.

Conditions:
The rsync daemon failed unexpectedly.

Impact:
Sync of file objects will fail with an error like this:

01070712:3: Caught configuration exception (0), Failed to sync files...

Workaround:
Delete the PID file, "/var/run/rsyncd-cmi.pid". Then look up the configsync-ip of the local device and run "rsync-cmi start 1.2.3.4", replacing 1.2.3.4 with the current device's configsync-ip.


590904-1 : New HA Pair created using serial cable failover only will remain Active/Active

Component: TMOS

Symptoms:
After creating a new sync-failover device group without network failover enabled, both devices remain Active.

Conditions:
Create a new sync-failover device-group without enabling network failover.

Impact:
Both device in the HA pair will be Active, which is unlikely to pass traffic successfully.

Workaround:
After adding the 2nd device to the sync-failover group, restart sod with "bigstart restart sod" on both devices.

Fix:
After creating the sync-failover group with without network failover configured, but a serial failover cable installed, one of the devices becomes Standby and the other remains Active.


590840-2 : OpenSSH vulnerability CVE-2015-8325

Solution Article: K20911042


590820-3 : Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Component: Access Policy Manager

Symptoms:
Applications that use appendChild() or similar JavaScript functions to build UI might experience slow performance in Microsoft Internet Explorer browser.

Conditions:
Intense usage of JavaScript methods such as: appendChild(), insertBefore(), and other, similar JavaScript methods, in a customer's web application code.

Impact:
Very low web application performance when using Microsoft Internet Explorer.

Workaround:
None.

Fix:
Applications that use appendChild() or similar JavaScript functions to build UI now experience expected performance in Microsoft Internet Explorer browser.


590805-4 : Active Rules page displays a different time zone.

Component: Advanced Firewall Manager

Symptoms:
Active Rules page displays a different time zone.

Conditions:
When Active Rules page is loaded after the BIG-IP system timezone has changed.

Impact:
GUI shows incorrect timezone.

Workaround:
Run the following command after changing BIG-IP timezone: bigstart restart tomcat.

Fix:
Active Rules page now shows the correct timezone after the BIG-IP system timezone has changed.


590795-1 : tmm crash when loading default signatures or updating classification signature

Component: Traffic Classification Engine

Symptoms:
When upgrading classification signatures or downgrading to the default signatures, tmm will crash.

Conditions:
This occurs when loading updated classification signatures on versions 12.1.0 and 12.1.1.

Impact:
tmm will crash during the load. Traffic disrupted while tmm restarts.

Fix:
Fixed a crash when loading classification signatures.


590779 : Rest API - log profile in json return does not include the partition but needs to

Component: TMOS

Symptoms:
When querying the log profile via the Rest API, the returned response does not include the partition name in FullPath.

For example, for a log profile named mySample:
https://bigip_ip/mgmt/tm/security/log/profile/~Common~mySample/application/mySample

The JSON returned will contain
    "fullPath": "testProfile",
It should contain
    "fullPath": "/Common/testProfile",

This can cause BIG-IQ to fail to sync.

Conditions:
Log profile created. This is most visible when using BIG-IQ to sync.

Impact:
Applications relying on the folder path can fail

Fix:
The Rest API will now provide the full path to the log profile.


590608-1 : Alert is not redirected to alert server when unseal fails

Component: Fraud Protection Services

Symptoms:
Alert is not redirected to the alert server when unseal fails and iRule is enabled.

Conditions:
1. Unsealing alert failure.
2. iRule enabled.

Impact:
Alert is not redirected to the alert server and FPS returns 404 response.

Workaround:
Disable iRule.

Fix:
FPS now correctly redirects the alert.


590601-2 : BIG-IP as SAML SP does not redirect users to original request URI after authentication is completed

Component: Access Policy Manager

Symptoms:
After end-user successfully performs SP initiated SAML SSO with a original request URI other then "/", SP will redirect user back to '/' as landing URI.

Conditions:
BIG-IP is used as SAML SP and no relay state is configured on either SP or IdP

Impact:
User is not redirected to original request URI.

Workaround:
Workaround provided below works when first client request to BIG-IP as SP is 'GET'. This workaround is not applicable when first client request is 'POST'.

SP object can be configured with relay state pointing to the landing URI: %{session.server.landinguri}

After successful authentication, end-user will be redirected to the landing URI (reflected back by IdP in the relay-state).

Fix:
SAML SSO requests will now be redirected to the original request URI.


590578-4 : False positive "URL error" alerts on URLs with GET parameters

Component: Fraud Protection Services

Symptoms:
False-positive URL Error alerts are sometimes generated on URLs with GET parameters.

Conditions:
Use of URLs with GET parameters.

Impact:
Unwanted alerts in alert server.

Workaround:
None

Fix:
Hash calculation is done on slightly different URL inputs, causing mismatch.


590428-1 : The "ACCESS::session create" iRule command does not work

Component: Access Policy Manager

Symptoms:
When the "ACCESS::session create" iRule command is used with an APM virtual, the command does not resume properly and causing the sessions to disconnect/hang.

Conditions:
APM virtual configured with an iRule that includes "ACCESS::session create" iRule command.

Impact:
APM virtual won't function correctly.

Workaround:
The "ACCESS::session create" iRule command should be removed from the iRule attached to the virtual.

Fix:
Updated the session DB calls to include req_id parameter so that the TCL context gets updated/saved and used upon resume.


590345-1 : ACCESS policy running iRule event agent intermittently hangs

Component: Access Policy Manager

Symptoms:
If you are using iRule event agent on the 12.1.0 release, you may see an intermittent Access Policy execution hang. The hang occurs during the execution of ACCESS::policy agent_id.

Conditions:
iRule event agent is configured.
iRule uses ACCESS_POLICY_EVENT_AGENT event
Within this event, ACCESS::policy agent_id command is used.

Impact:
Policy execution intermittently hangs.

Workaround:
Please use this command:
ACCESS::session data get {session.custom_event.id}

Fix:
A hang related to the use of ACCESS::policy agent_id has been fixed.


590211-2 : jitterentropy-rngd quietly fails to start

Component: TMOS

Symptoms:
If jitterentropy-rngd fails to start, it does so quietly during system start, causing init.d script [ OK ] when it should be [ FAILED ].

This can cause the system to hang indefinitely at boot time at the following step (the key name may vary, depending on what needs to be generated):

Generating /var/named/config/rndc.key ( 09:08:10 ) ...

Similarly, if jitterentropy-rngd fails to start but there are no keys to be generated at boot time, the system will boot successfully. However, the genkeys and genkeys-1024 processes invoked by crontab every hour might hang.

Conditions:
This can occur on any BIG-IP system if jitterentropy-rngd fails to start. The issue has been observed chiefly on vCMP guests running on VIPRION B21x0 blades.

Impact:
1) The system may fail to boot (user intervention will be required at this point to recover the system).

2) As crontab invokes the genkeys and genkeys-1024 processes every hour, these may start but never terminate (any hung processes might eventually cause increased memory and CPU utilization, potentially leading to unpredictable system failures).

Fix:
jitterentropy-rngd now starts up as expected, so no failures occur.


590122-2 : Standard TLS version rollback detection for TLSv1 or earlier might need to be relaxed to interoperate with clients that violate TLS specification.

Component: Local Traffic Manager

Symptoms:
Standard TLS rollback detection for TLSv1 or earlier clients might be too strict for clients that do not comply with RFC 2246 and later. These clients may require 'tls-rollback-bug' option set.

Conditions:
Standard behavior of TLS clients is to use ClientHello.client_version in pre-master secret (PMS).

Some clients, incorrectly, might use negotiated version in PMS.

Impact:
Failed TLS handshake.

Workaround:
None.

Fix:
Added support for tls-rollback-bug option for an SSL profile.

This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).

Behavior Change:
This release provides improved support for 'TLS rollback bug workaround' feature described on AskF5 in SSL Administration :: Additional SSL Profile Configuration Options :: Workarounds and other SSL options. (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-13-1-0/5.html).

The value is set by the existing tls-rollback-bug option, using the command described in create /ltm profile client-ssl xxx ciphers DEFAULT options { tls-rollback-bug }.

This is an existing option.

When this option is enabled in the client SSL profile, RSA-only ciphersuites will have relaxed treatment of the version field set by the SSL/TLS client as part of the sequence of bytes encrypted to the server RSA key, called pre-master secret (PMS).

With the option enabled, PMS can contain either ClientHello.client_version, or negotiated version. Standard behavior of TLS clients is to use ClientHello.client_version in PMS.


590074-1 : Wrong value for TCP connections closed measure

Component: Application Visibility and Reporting

Symptoms:
In TCP analytics, the measure 'connections closed' displays the wrong value.

Conditions:
TMM_API debug enabled.

Impact:
Wrong value displayed.

Workaround:
Do not turn on debug printing.

Fix:
Memory corruption found and fixed. All debug printing organized together at the beginning of the function.


589661 : PS2 power supply status incorrect after removal

Component: TMOS

Symptoms:
After removing the second power supply (PS2), running system_check indicates that the power supply status is still good:

system_check -d | grep power
Chassis power supply 1: status FAN=good; VINPUT=good; VOUTPUT=good; STATUS=good
Chassis power supply 2: status VINPUT=good; VOUTPUT=good; STATUS=not present

Conditions:
This occurs on 10000-series and 12000-series platforms when removing the PS2 power supply and running system_check

Impact:
Erroneous indication that the power supply is still good

Fix:
Power supply status for PS2 is now correctly indicated when the power supply is removed.


589400-1 : With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Solution Article: K33191529

Component: Local Traffic Manager

Symptoms:
With Nagle disabled, TCP does not send all of xfrags with size greater than MSS.

Conditions:
Congestion window is small relative to message size; abc is enabled; also might manifest when serverside MTU is greater than clientside MTU.

Impact:
Additional connection latency.

Workaround:
Enabling proxy-mss on the serverside TCP profile significantly reduces incidence of this problem in observed cases.

If init-cwnd is low, raising it might also help.

Disabling abc can also reduce the problem, but might have other negative network implications.

Fix:
Incoming packets are now pulled more aggressively into the send buffer, if there are no negative implications for CPU performance.


589379-2 : ZebOS adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.

Solution Article: K20937139

Component: TMOS

Symptoms:
In a configuration with a summary route that is added to ZebOS and configured with 'not-advertise', when deleting the exactly matching route, ospfd sends LSA route with age 1, then immediately sends update with age 3600.

Conditions:
OSPF using route health injection for default route.

Impact:
No functional impact. The extraneous LSA is immediately aged out.

Workaround:
Configure a static default route in imish instead of using RHI for the default route.

Fix:
ZebOS no longer adds and deletes an extraneous LSA after deleting a route that matches a summary suppression route.


589318-1 : Clicking 'Customize All' checkbox does not work.

Component: Fraud Protection Services

Symptoms:
Clicking 'Customize All' in Safari browser does not check the checkboxes below, and the settings remain grayed out.

Conditions:
Provision and license FPS.

Impact:
FPS child profile page.

Workaround:
Use tmsh.

Fix:
Clicking 'Customize All' checkbox in Safari browser now checks the checkboxes below and changes the state of the cosponsoring settings.


589256-1 : DNSSEC NSEC3 records with different type bitmap for same name.

Solution Article: K71283501

Component: Global Traffic Manager (DNS)

Symptoms:
For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type of bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.

Conditions:
For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without ZSK/KSK for an insecure child zone, BIND responds SOA which the system dynamically signs.

Impact:
DNS lookups may fail if BIND9's validator rejects the delegation.

Workaround:
None.

Fix:
If response is a NODATA from either the proxy or a transparent cache, and the query is a DS, set the types bitmap to NS.


589223-1 : TMM crash and core dump when processing SSL protocol alert.

Component: Local Traffic Manager

Symptoms:
TMM crash and core dump when processing SSL protocol alert.

Conditions:
During SSL handshake, if the server sends protocol Alert to the BIG-IP system, TMM might crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
A problem of TMM restarting when processing SSL protocol alert has been fixed.


589083-2 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.


589006-5 : SSL does not cancel pending sign request before the handshake times out or is canceled.

Component: Local Traffic Manager

Symptoms:
When TMM has many SSL handshake, for ephemeral key, SSL does not sign for ServerKeyExchange message. Then it is possible that sign request is pending on crypto SSL queue. Even the handshake is timeout or canceled, the sign request is still in the queue. This might cause memory accumulation.

Conditions:
When TMM has many SSL handshake, for ephemeral key, SSL should sign for ServerKeyExchange message.

Impact:
Even if the handshake times out or canceled, the sign request is still in the queue. This might cause memory accumulation.

Note: Although this issue was fixed in 11.5.4 HF3, the fix was reverted in 11.5.4 HF4, meaning that the issue is not fixed in 11.5.4 HF4.

Workaround:
None.

Fix:
SSL now cancels sign pending request before it times out or is canceled.


588959-2 : TMM may crash or behave abnormally on a Standby BIG-IP unit

Solution Article: K34453301

Component: Local Traffic Manager

Symptoms:
TMM may crash or behave abnormally on a Standby BIG-IP unit. Memory utilization before the crash can appear to be unusually high.

Conditions:
This is a rare issue, currently known to occur only in WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring. Virtual servers that make use of the standard TCP profile are not affected.

Impact:
The unit is not operational until TMM has finished writing the core file to disk and restarting. If the unit was Active for a different traffic-group, traffic for that traffic-group will be disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes in the rare case of WOM or Multipath TCP (MPTCP) virtual servers configured with mirroring.


588929-2 : SCTP emits 'address conflict detected' log messages during failover

Component: TMOS

Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.

Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.

Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.


588888-3 : Empty URI rewriting is not done as required by browser.

Solution Article: K80124134

Component: Access Policy Manager

Symptoms:
Empty URI must be rewritten at server side and client side rewriter in the same way: as empty URI (all browsers treat this type of URI in a specific way).

Conditions:
A tag with an empty 'src' or 'href' attribute.

Impact:
Web application malfunction, such as incorrect or unexpected behavior or error messages.

Workaround:
Use an application-specific iRule that modifies the empty URI.
-- For example, for JavaScript methods such as setAttribute(), an iRule should change this:
'F5_Invoke_setAttribute(o, "src", uri)'
to this:
'(uri=="")?o.setAttribute("src", uri):F5_Invoke_setAttribute(o, "src", uri)'.

-- As another example, for JavaScript methods such as write(str), writeln(str), innerHTML=str, outerHTML=str, and similar methods, if str contains <img src="" ... >, the iRule must remove the src attribute.

Fix:
This release fixes the issue of rewriting the empty URI the same way at the server side and client side: as empty URI (all browsers treat this type of URI in a specific way).


588879-2 : apmd crash under rare conditions with LDAP

Component: Performance

Symptoms:
apmd crashes during periods of high Active Directory (AD) lookups.

Conditions:
-- APM configured to use LDAP.
-- Might be related to stress testing AD queries.

Impact:
apmd crashes, clients unable to connect.

Workaround:
None.

Fix:
apmd no longer crashes during periods of high Active Directory (AD) lookups.


588794-2 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements

Component: TMOS

Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.

Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.

Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.


588771-2 : SCTP needs traffic-group validation for server-side client alternate addresses

Component: TMOS

Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.

Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.

Impact:
Some of the paths advertised in the SCTP association establishment creation process will be unusable. A conformant SCTP implementation on the server-side should test and disregard these paths, causing no impact to traffic.

Fix:
The SCTP filter in BIG-IP has been fixed so that all of the alternate addresses advertised during SCTP association establishment are in the same traffic group as the virtual server. Configured addresses are checked for the correct traffic group membership before being advertised.


588720-1 : Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.

Solution Article: K44907534

Component: Local Traffic Manager

Symptoms:
Fast Forwarded UDP packets might be dropped if datagram-load-balancing is enabled.

Conditions:
-- TMM is overloaded.
-- UDP datagram load-balancing is used.

Impact:
UDP packets are dropped.

Workaround:
There is no workaround other than to disable datagram-load-balancing in the affected UDP profile. To do so, run the following command:

tmsh modify ltm profile udp <profile_name> datagram-load-balancing disabled

Fix:
The fast-forwarding mechanism now properly handle packets with invalidated flows. The packets are now sent back to the source TMM for reprocessing. The TCP and TCP4 filters are updated to properly work with the changed fast-forwarding implementation.


588686 : High-speed logging to remote logging node stops sending logs after all logging nodes go down

Component: TMOS

Symptoms:
All logging to external logging nodes (such as BIG-IQ) suddenly stop.

Conditions:
This occurs when all of the configured logging nodes go down. Even when they are brought back up, tmm will not send logs to the remote servers.

Impact:
Remote logging stops and will only resume if tmm is restarted.


588456-3 : PEM deletes existing PEM Subscriber Session after lease time expires (DHCP renewal not processed).

Solution Article: K60250444

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is in DHCP forwarding mode, if the giaddr field in the unicast DHCP renewal packet is set to DHCP relay agent IP address, the DHCP server sends the ACK to the renewal packet to the relay agent IP (giaddr) instead of ciaddr. BIG-IP DHCP module does not process the ACK and update the lease time, which causes PEM subscriber session to be aged out.

Conditions:
-- The BIG-IP system is configured in forwarding mode.
-- The giaddr field in the unicast DHCP renewal packet is set to the IP address of relay agent. (Typically, it is set to 0 by the DHCP client.)

Impact:
PEM Subscriber Session will age out.

Workaround:
None.

Fix:
PEM no longer deletes existing PEM Subscriber Sessions after the lease time expires, so the DHCP renewal is now processed.


588405-1 : BADOS - BIG-IP Self-protection during (D)DOS attack

Component: Anomaly Detection Services

Symptoms:
Problem: 100% accurate detection may not help to prevent an attack

It's necessary to protect BIG-IP CPU utilization during attack - for BAD actors (in addition to shunlist) and for unknown IPs.
This mechanism should allow bad actors detection and keep CPU utilization in reasonable limits.

Conditions:
High BIG-IP CPU utilization during (D)DOS attack

Impact:
Service impact due to BIG-IP CPU high utilization

Workaround:
No workaround

Fix:
Added additional CPU protection during a (D)DOS attack


588399-1 : BIG-IP CPU utilization can be high even when all bad actors are detected and mitigated

Component: Anomaly Detection Services

Symptoms:
BIG-IP CPU utilization can be excessively high even after mitigating bad actors.

Conditions:
This can occur when Bad Actor detection is used

Impact:
CPU utilization will be higher than expected.

Fix:
An issue with referencing bad actors that have been detected and affecting CPU utilization has been fixed.


588351-5 : IPv6 fragments are dropped when packet filtering is enabled.

Component: Local Traffic Manager

Symptoms:
IPv6 fragments are dropped when packet filtering is enabled.

Conditions:
Packet filtering is enabled and the system is processing IPv6 fragments.

Impact:
IPv6 fragments with a non-zero offset are lost.

Workaround:
Disable packet filtering.

Fix:
IPv6 fragments are no longer dropped when packet filtering is enabled.


588327 : Observe "err bcm56xxd' liked log from /var/log/ltm

Component: TMOS

Symptoms:
Some "err bcm56xxd" log is observed from /var/log/ltm that read "err bcm56xxd[10968]: 012c0012:3: bs_module_do_precond:No preconditioning provided for module on port 3/5.0"

Conditions:
This occurs when during system start.

Impact:
The error is benign and can be ignored.

Fix:
The "No preconditioning provided for module" message is now logged at the info level.


588289-1 : GTM is Re-ordering pools when adding pool including order designation

Component: Global Traffic Manager (DNS)

Symptoms:
GTM re-orders, including the "0" order when adding the pool with specific order designation.

Conditions:
This occurs when adding pools with a specified order.

Impact:
This changes the pool order unexpectedly which will affect Load balancing using global-availability.


588140 : Pool licensing fails in some KVM/OpenStack environments

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ, BIG-IQ can fail. The system posts the following error in /var/log/ltm: Dossier error 16.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.


588115-1 : TMM may crash with traffic to floating self-ip in range overlapping route via unreachable gw

Component: Local Traffic Manager

Symptoms:
As a result of a known issue TMM may crash in some specific scenarios if there is an overlapping and more specific route to the floating self-IP range configured on the unit.

Conditions:
- Unit configured with a floating self-IP and allow-service != none.
  - More specific route exists via GW to the self-IP.
  - Configured gateway for the overlapping route is unreachable.
  - Ingress traffic to the floating self-IP.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Avoid the use of routes overlapping with configured floating self-IPs.

Fix:
TMM no longer crashes when floating self IPs are configured with more specific overlapping routes.


588089-3 : SSL resumed connections may fail during mirroring

Component: Local Traffic Manager

Symptoms:
SSL resumed connections when using SSL mirroring may fail during mirroring. This could result in SSL connections being unable to recover after failover.

Conditions:
Mirroring enabled on virtual with an associated client-ssl profile.

Impact:
SSL connections unable to recover after failover.

Workaround:
Disable session cache to prevent connections from resuming.


588087-1 : Attack prevention isn't escalating under some conditions in session opening mitigation

Component: Application Security Manager

Symptoms:
Attack is detected and isn't escalating in session opening

Conditions:
A session opening attack, challenges are being answered by the attacker.

Impact:
The attack continues.

Workaround:
Configure the attack prevention as rate limit.

Fix:
Fixed attack escalation in some cases on session opening.


588058-3 : False positive "failed to unseal" Source Integrity alerts from old versions of Internet Explorer

Component: Fraud Protection Services

Symptoms:
Large numbers of "failed to unseal" Source Integrity alerts.

Conditions:
Source integrity feature enabled. Clients using Internet Explorer 8 to 10.

Impact:
High number of false positive alerts in alert dashboard.

Workaround:
Create alert dashboard signature to ignore source integrity alerts containing "failed to unseal" and Internet Explorer 8 to 10 user agent.

Fix:
Fixed parsing in relevant browsers.


588049-1 : Improve detection of browser capabilities

Component: Application Security Manager

Symptoms:
Browsers can override native functions, and manipulate the PBD capabilities test.

Conditions:
1. Proactive Bot defense is on.
2. Attacker override its native functions.

Impact:
Malicious browsers can go undetected by PBD.

Workaround:
N/A

Fix:
Check that majority of browsers native functions are not overridden.


587966-1 : LTM FastL4 DNS virtual server: first A query dropped when A and AAAA requested at the same time with same source IP:port

Solution Article: K77283304

Component: Local Traffic Manager

Symptoms:
LTM FastL4 DNS virtual server or SNAT: first A query dropped when A and AAAA requested at the same time with same source IP:port.

Conditions:
A and AAAA DNS Query requested at the same time with the same source IP and Port.

Impact:
A Type DNS Query dropped intermittently.

Workaround:
Configure a standard virtual server with a UDP profile for the traffic instead of using FastL4 or SNAT.

Fix:
Type A requests no longer dropped when A and AAAA DNS Query requested at the same time with the same source IP and Port.


587791-1 : Set execute permission on /var/lib/waagent

Component: TMOS

Symptoms:
Due to recent changes of the build process /var/lib/waagent didn't have proper execute permission set. This caused failure in executing user custom scripts during deploying.

Conditions:
First deployment of VM in Azure, which requires executing custom scripts.

Impact:
Custom scripts cannot be executed.

Workaround:
N/A

Fix:
Properly set execute permissions to /var/lib/waagent directory.


587780 : warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Component: TMOS

Symptoms:
ltm log contains multiple instances of the following message on VIPRION B4450 blades: warning: HSBe2 XLMAC initial recovery failed after 11 retries.

Conditions:
This often happens when VIPRION 4480 or 4800 chassis with B4450 blades is rebooting.

Impact:
No operation impact. This is a cosmetic message that you can safely ignore.

Workaround:
None needed. This message is cosmetic only.

Fix:
A more robust XLMAC recovery mechanism has been implemented which reduces the maximum retries to four. It does not completely eliminate this warning message (HSBe2 XLMAC initial recovery failed after 11 retries), but its frequency is greatly reduced.


587735 : False alarm on LCD indicating bad fan

Component: TMOS

Symptoms:
During some blade power ON conditions, a false alarm message is displayed on the LCD on the chassis bezel.
This alarm indicates that several chassis fans are bad, however in reality the fans are not bad.
Typically, the messages look like this:
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 2: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 3: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 4: status (0) is bad.
slot8/localhost emerg system_check[15535]: 010d0005:0: Chassis fan 5: status (0) is bad.

Conditions:
Erroneous fan warnings may occur when a blade is inserted into a VIPRION 4800 chassis.

Impact:
No functional impact. The user may experience concern over the false alarms.

Workaround:
Press green check button on the front of chassis bezel to clear the alarm.


587705-5 : Persist lookups fail for source_addr with match-across-virtuals when multiple entries exist with different pools.

Solution Article: K98547701

Component: Local Traffic Manager

Symptoms:
Persist lookups fail for source_addr with match-across-virtual servers when multiple entries exist for the client, but pointing to different pools.

Conditions:
'Match_across_virtual' enabled. Multiple persistence entries for a client address exist, and some of these persistence entries point to poolmembers from different pools. Some of these poolmembers do not belong to any of the current virtual server's pools.

Impact:
Source address persistence fails for this client, even though there is a valid persistence entry that can be used.

Workaround:
None.

Fix:
Persist lookups now succeed for source_addr with match-across-virtual servers when multiple entries exist with different pools.


587698-3 : bgpd crashes when ip extcommunity-list standard with route target(rt) and Site-of-origin (soo) parameters are configured

Component: TMOS

Symptoms:
bgpd daemon crashes

Conditions:
bgp extended-asm-cap is configured before configuring
ip extcommunity-list standard with rt and soo fields.

Impact:
bgpd daemon crashes leading to route loss and traffic loss.

Fix:
bgpd does not crash when both bgp extended-asm-cap and
ip extcommunity-list standard with rt and soo parameters are configured.


587676-2 : SMB monitor fails due to internal configuration issue

Component: Local Traffic Manager

Symptoms:
SMB monitor fails due to internal configuration issue

Conditions:
Configure the SMB monitor

Impact:
SMB monitor fails to execute

Fix:
Fixed an internal configuration issue so that the SMB monitor will load properly


587668 : LCD Checkmark button does not always bring up clearing prompt on VIPRION blades.

Component: TMOS

Symptoms:
Pressing the LCD checkmark button does not always bring up clearing prompt on VIPRION blades.

Conditions:
Pressing the LCD's checkmark button to clear an alert on VIPRION blades.

Impact:
Cannot clear the alert using the LCD.

Workaround:
Press the checkmark button followed by the left or right arrow buttons.

Fix:
In this release, unneeded LCD updates that might have clogged the message channel have been optimized, and the keypress passed along at a later time, so it is not lost. So pressing the LCD checkmark button now correctly brings up clearing prompt on VIPRION blades.


587656-2 : GTM auto discovery problem with EHF for ID574052

Component: Global Traffic Manager (DNS)

Symptoms:
After applying EHF9-685.88-ENG to CRCGTMCS101, many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Conditions:
After applying EHF9-685.88-ENG

Impact:
Many WideIPs such as CRT-LEGAL-SERVICE.gslb.global or OneEvent.gslb.global are unexpectedly status Checking instead of Available.

Workaround:
Skip to the next Eng HF
v11.4.1-hf10/hotfix/HF10-690.10-ENG

Fix:
This problem only occurs with the one faulty EHF9-685.88-ENG and does not occur anywhere else.


587629-2 : IP exceptions may have issues with route domain

Component: Application Security Manager

Symptoms:
The IP exception feature doesn't work as expected.

Conditions:
There are many defined same IPs but with different route domain.
There were config changes to these IPs regarding their exception properties.

Impact:
An ignored IP is not ignored etc.

Workaround:
bigstart restart asm

Fix:
Fixed an issue with IPs and route domain.


587617-1 : While adding GTM server, failure to configure new IP on existing server leads to gtmd core

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core with SIGSEGV in selfip_needs_xlation.

Conditions:
No GTM server object configured with existent selfip.

Impact:
gtmd cores. GTM unable to respond to DNS queries. DNS traffic disrupted while gtmd restarts.

Workaround:
Configure the GTM server object with an existent selfip. For more information, see K15671: The BIG-IP GTM system must use a local self IP address to define a server to represent the BIG-IP GTM system at https://support.f5.com/csp/#/article/K15671

Fix:
gtmd will not core.


587419-1 : TMM may restart when SAML SLO is performed after APM session is closed

Component: Access Policy Manager

Symptoms:
TMM may core when user performs SAML SLO on external to BIG-IP SP/IdP, and BIG-IP's APM session is no longer valid.

Conditions:
- User initiated SAML SLO on external SAML provider, and external provider redirect users to BIG-IP with SLO request.
- User does not have a valid session on BIG-IP when SLO request is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable SAML SLO by removing SLO request/response URLs from configuration

Fix:
TMM will no longer restart in the case described above.


587107-3 : Allow iQuery to negotiate up to version TLS1.2

Component: Global Traffic Manager (DNS)

Symptoms:
big3d accepts only TLS1.0, and gtmd offers only TLS1.0 during iQuery SSL handshake. iQuery does not negotiate up to TLS 1.2.

Conditions:
Establishing iQuery connections.

Impact:
The older, less secure TLS1.0 version is the only possible iQuery connection.

Workaround:
None.

Fix:
big3d now accepts, and gtmd now offers up to, TLS1.2 in iQuery handshakes.

TLS1 and TLS1.1 are still accepted by both ends of the iQuery connection (gtmd and big3d) to enable older clients (gtmd) to connect to newer servers (big3d) and vice versa.

Behavior Change:
big3d now accepts TLS1.2 in iQuery handshakes, and gtmd now offers up to TLS1.2.


587106-1 : Inbound connections are reset prematurely when zombie timeout is configured.

Component: Carrier-Grade NAT

Symptoms:
When an LSN pool is configured in PBA mode with a non-zero zombie timeout, inbound connections are killed and reset prematurely, often in a matter of seconds.

Conditions:
PBA mode configured on the pool, and zombie_timeout set to a non-zero value.

Impact:
Inbound connections to PBA pools with a zombie timeout configured may not be usable.

Workaround:
None.

Fix:
Inbound connections are no longer reset when zombie_timout is configured to a non-zero value.


587077-1 : Samba vulnerabilities CVE-2015-5370 and CVE-2016-2118

Solution Article: K37603172


587016-3 : SIP monitor in TLS mode marks pool member down after positive response.

Component: Local Traffic Manager

Symptoms:
SIP monitor in TLS mode marks pool member down after positive response. The SIP monitor in TLS mode is constantly marked down.

Conditions:
SIP monitor configured in TLS mode.
Server does not send close_notify alert in response to the monitor's close_notify request.

Impact:
Unable to monitor the status of the TLS SIP server.

Workaround:
None.

Fix:
SIP monitor in TLS mode now marks pool member up after positive response. This is correct behavior.


586938-1 : Standby device will respond to the ARP of the SCTP multihoming alternate address

Solution Article: K57360106

Component: TMOS

Symptoms:
When there is a SCTP connection established, the router will request the ARP for the client-side multi-homing alternate address, but the standby device will reply to the ARP request as well.

Conditions:
When an SCTP profile has at least one alternate-address configured, and is used in an high availability (HA) scenario, this issue will manifest.

Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function will fail as the alternate connection cannot established on the standby device.

Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.

Fix:
SCTP multihoming has been fixed to work correctly when used in a high availability setup with VLAN addresses


586887-2 : SCTP tmm crash with virtual server destination.

Solution Article: K25883308

Component: TMOS

Symptoms:
Rare configuration with SCTP can cause TMM core.

Conditions:
Complex configurations including wildcards, virtual servers and SCTP profiles.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes a rare SCTP tmm crash with virtual server destination when using complex configurations including wildcards, virtual servers and SCTP profiles.


586878-4 : During upgrade, configuration fails to load due to clientssl profile with empty cert/key configuration.

Component: TMOS

Symptoms:
During upgrade, configuration fails to load due to invalid clientssl profile cert/key configuration. The validation to verify whether at least one valid key/cert pair exists in clientssl profiles was enforced in software versions through 11.5.0. This validation was not in effect in versions 11.5.1, 11.5.2, and 11.5.3.

The lack of validation resulted in invalid clientssl profiles (those containing empty key/certs or a cert/key of 'default'). When you upgrade such a configuration to 11.5.4 or later, you will receive a validation error, and the configuration will fail to load after upgrade.

Conditions:
The issue occurs when all the below conditions are met.
1. You have a clientssl profile in a configuration from a version without validation (that is, 11.5.1, 11.5.2, or 11.5.3).
2. The clientssl profile in the configuration has an empty cert/key, or a cert/key of 'default'.
3. You upgrade to a version that has the cert/key validation (specifically, 11.5.4, 11.6.0, 11.6.1, and versions 12.1.0 and later).

Impact:
Configuration fails to load. The system posts an error message that might appear similar to one of the following:
-- 01070315:3: profile /Common/my_client_ssl requires a key Unexpected Error: Loading configuration process failed.
-- 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file.
Unexpected Error: Loading configuration process failed.

Workaround:
To workaround this situation, modify the configuration file before upgrading:
1. Check the config file /config/bigip.conf.
2. Identify the clientssl profile without a cert/key.
    For example, it might look similar to the following:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            "" { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }

   Note: The profile might have cert-key-chain name but not the cert/key. In other words, it could also appear similar to the following example:
    ltm profile client-ssl /Common/cssl_no-cert-key2 {
        app-service none
        cert none
        cert-key-chain {
            default { }
        }
        chain none
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key none
        passphrase none
    }
3. Remove the clientssl profile from /config/bigip.conf.
4. Run the command: tmsh load sys conf.
5. Re-create the clientssl profiles you need.


586738-4 : The tmm might crash with a segfault.

Component: Local Traffic Manager

Symptoms:
The tmm might crash with a segfault.

Conditions:
Using IPsec with hardware encryption.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
IPsec is configured with hardware encryption error now returns an error code when appropriate, and manages the error as expected, so tmm no longer crashes with a segfault.


586718-1 : Session variable substitutions are logged

Component: Access Policy Manager

Symptoms:
With the log level set to debug, session variable substitutions are logged, including the encrypted password if you are substituting the password variable. You may see the following logs: debug apmd[3531]: 01490000:7: Util.cpp func: "ScanReplaceSessionVar()" line: 608 Msg: data: '%{session.logon.last.password}' start_pos: 0, count: 30 on 'session.logon.last.password' with the encrypted password logged

Conditions:
APM Access Policy log level set to debug, and session variable substitution is performed.

Impact:
Session variable substitution should not be logged, even if it is secure.

Workaround:
Set log level to informational or notice for normal operations. Logging at debug level is not recommended unless absolutely needed for specific troubleshooting as it adversely affects system performance.

Fix:
Session variable substitutions are no longer logged.


586621-7 : SQL monitors 'count' config value does not work as expected.

Solution Article: K36008344

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.


586587-1 : RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms.

Component: Local Traffic Manager

Symptoms:
RatePaceMaxRate functionality does not work for the TCP flows where the round-trip time (RTT) is less than 6ms. That results in sending data at higher rates than specified Max Rate.

Conditions:
RTT is less than 6ms.

Impact:
Packet loss might happen (queue overflow) due to sending at higher data rate than the specified max rate.

Workaround:
None.

Fix:
RatePaceMaxRate works as expected, irrespective of latency.


586449-1 : Incorrect error handling in HTTP cookie results in core when TMM runs out of memory

Component: Local Traffic Manager

Symptoms:
If an under provisioned TMM runs out of memory, then this may result in allocation failures. Incorrect error handling of allocation failures in HTTP cookie code results in TMM core.

Conditions:
Cookie persistence with encryption required is enabled on the virtual. If an under provisioned TMM runs out of memory, then this may result in allocation failures.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fix error handling in HTTP cookie code. Allocation errors result in connection resets as opposed to core due to assert.


586412-2 : BGP peer-group members address-family configuration not saved to configuration

Component: TMOS

Symptoms:
Deactivation of the ipv6 address-family for an IPv6 BGP neighbor that is a member of a peer group may be removed when the configuration is reloaded or the system restarts.

Conditions:
IPv6 BGP neighbors in a peer group
Individual group members with different address-family configurations than the peer-group

Impact:
BGP behavior may change after reboot

Workaround:
If a neighbor must have different behavior than other peer group members it can be removed from the peer group and configured individually.

Fix:
BGP address-family configuration is now correctly saved and reloaded for neighbors belonging to a peer-group.


586070 : 'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Component: Advanced Firewall Manager

Symptoms:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Conditions:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Impact:
'Enabed' typo in GUI under DoS Profiles --> Application Security --> General Settings

Workaround:
N/A

Fix:
Fixed a typo in GUI


586031-1 : Configuration with LTM policy may fail to load

Solution Article: K40453207

Component: TMOS

Symptoms:
Load may fail with an error similar to the following:

01070726:3: Policy /Common/Drafts/[name] in partition Common cannot reference policy reference /Common/Drafts/[name] /Common/[virtual server name] in partition [partition].

Note: The named object is in partition Common, but the message will incorrectly specify a different partition.

Conditions:
* An LTM policy has been published.
* A draft has been created from this policy.
* The LTM policy has been associated with a virtual server.
* At least one partition other than Common has been created (the policy does not need to be in this partition).
* The system is loading the configuration from the text config files (without a binary config file), e.g., as a result of performing a software upgrade or following the directions in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Impact:
Configuration will fail to load.

Workaround:
Edit the configuration file to remove the draft policy (but not the published one).

Fix:
This defect has been resolved and the configuration will now load successfully.


586006-1 : Failed to retrieve CRLDP list from client certificate if DirName type is present

Component: Access Policy Manager

Symptoms:
Client certification revocation check will fail.

Conditions:
Two conditions will trigger this problem:
1. A CRLDP agent is configured in the access policy without server hostname and port, which is needed for DirName type processing. AND
2. At least one DirName type CRLDP is present in the client certification and it is the first in the list.

Impact:
Users may fail access policy evaluation when client certification is used.

Workaround:
Configure an LDAP server for the CRLDP object. It need not return a valid CRL.


585905-1 : Citrix Storefront integration mode with pass-through authentication fails

Component: Access Policy Manager

Symptoms:
Citrix Storefront integration mode with pass-through authentication fails. Client fails with error message saying "Authentication service is not reachable"

Conditions:
Citrix Storefront integration mode with only pass-through authentication enabled on the Storefront.

Impact:
Could not use pass through authentication on the storefront for remote access of the store.

Workaround:
None

Fix:
Passthrough authentication could be used for remote-access of the store.


585833-3 : Qkview will abort if /shared partition has less than 2GB free space

Component: TMOS

Symptoms:
In order to inform the user that the /shared partition needed to be cleaned up, qkview was checking for at least 2GB of free space. This isn't a hard requirement to build a qkview which potentially could use much less than the 2GB limit. Additionally, some F5 VE systems are shipped with less than 2GB in /shared, thus qkviews cannot be produced.

Conditions:
The /shared partition is smaller than 2GB or has less than 2GB free.

Impact:
User is unable to create a qkview despite having enough room to build one.

Workaround:
Increase the size of /shared so that it has at least 2GB of free space. See https://support.f5.com/csp/#/article/K14952 for detailed instructions on resizing volumes.

Fix:
A warning about having less than 2GB will still be issued, but the qkview will continue to attempt to finish.


585823-1 : FW NAT translation fails if the matched FW NAT rule uses source address list and the source translation object in the rule is configured for dynamic-pat (with deterministic mode)

Component: Advanced Firewall Manager

Symptoms:
Firewall NAT translation failures are observed if the pre-translation connection matches a Firewall NAT policy rule that uses source address list to match the incoming source address and the source translation object in the rule is configured to do 'dynamic-pat' with mode = deterministic

Conditions:
Following conditions suffice for the issue:

a) FW NAT rule has source translation object of type 'dynamic-pat' and mode = deterministic

AND

b) FW NAT rule has match source address-list only (and no inline source addresses on the match side)

Impact:
Translation failure occurs as described resulting in the connection failures.

Workaround:
If a FW NAT rule has source translation object with dynamic-pat and deterministic mode, the source address(es) on the match side should be specified as inline address(es) instead of specifying the source address-list with such addresses.

Fix:
Fix involves using the addresses specified in the source address list of the FW NAT rule to match incoming connections and perform translation.


585813-3 : SIP monitor with TLS mode fails to find cert and key files.

Component: Local Traffic Manager

Symptoms:
SIP monitor with TLS enabled fails to find cert and key in filestore.

Conditions:
SIP monitor with TLS mode.

Impact:
Cannot create SIP monitor with TLS mode enabled and have the pool correctly checked.

Workaround:
Create an external monitor script to invoke the SIP monitor. Supply the correct arguments to the script.

Fix:
SIP monitor with TLS mode now finds cert and key files, so you can create SIP monitor with TLS mode enabled and have the pool correctly checked.


585807-2 : 'ICAP::method <method>' iRule is documented but is read-only

Component: Service Provider

Symptoms:
'ICAP::method' iRule function is documented as 'ICAP::method <REQMOD|RESPMOD>' which is said to get as well as set (modify) the ICAP method type in the ICAP_REQUEST event. Validation has at times rejected an argument, and at times accepted it. In fact the argument is ignored even if validation accepts it: the method type cannot be changed by the iRule. When validation rejects it, the system posts an error similar to the following: 01070151:3: Rule [/Common/icap_test] error: /Common/icap_test:2: error: [unexpected extra argument "REQMOD"][ICAP::method "REQMOD"]

Conditions:
iRule in ICAP_REQUEST event with 'ICAP::method REQMOD' or 'ICAP::method RESPMOD'.

Impact:
Users may attempt to change the method type. Usually the validator rejects it. In some versions the validator accepts it, but the methods only return the existing method type.

Workaround:
Do not attempt to change the method type with 'ICAP::method <method>'.

Fix:
ICAP::method is now documented as simply 'ICAP::method' with no argument, and it simply returns the current method type 'REQMOD' or 'RESPMOD'.


585745-2 : sod core during upgrade from 10.x to 12.x.

Component: TMOS

Symptoms:
The failover daemon (sod) may core during an upgrade, when the peer device upgrade completes and rejoins the trust.

Conditions:
Upgrading a high availability configuration from 10.x to 12.x or later.

Impact:
Corefile generated, and system will temporarily go offline, resulting in an interruption of service.

Workaround:
Upgrade multiple devices in the high availability configuration from 10.x to a supported 11.x release, and then upgrade to the desired 12.x release.

Fix:
The failover daemon (sod) no longer cores during an upgrade, when the peer device upgrade completes and rejoins the trust.


585654 : Enhanced implementation of AES in Common Criteria mode

Component: Local Traffic Manager

Symptoms:
Common Criteria (CC) mode disallows the use of dedicated BIG-IP accelerator. It can be observed that performance of the BIG-IP in CC mode may not be as fast as benchmarks for some implementations AES on CPU.

Conditions:
Common Criteria (CC) mode is enabled.

Impact:
Lower performance with CBC-based AES ciphersuites.

Fix:
Updated AES implementation may achieve higher performance of CBC-based AES ciphersuites.


585562-3 : VMware View HTML5 client shipped with Horizon 7 does not work through BIG-IP APM in Chrome/Safari

Component: Access Policy Manager

Symptoms:
When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session.

Conditions:
-- BIG-IP APM configured as PCoIP proxy for Horizon 7.
-- APM webtop in which the HTML5 client is used to launch a remote desktop.

Impact:
Cannot use HTML5 client. Only native client (Horizon View client) is available.

Workaround:
when HTTP_REQUEST {
    if { [HTTP::header "Origin"] ne "" } {
        HTTP::header remove "Origin"
    }
}

Fix:
VMware View HTML5 client shipped with Horizon 7 now work sthrough BIG-IP APM in Chrome/Safari.


585547-1 : NTP configuration items are no longer collected by qkview

Component: TMOS

Symptoms:
qkview was collecting the file "/etc/ntp/keys" which in some cases, contains secret keys used for integrity verification of NTP messages.

Conditions:
Execute qkview to collect diagnostic information.

Impact:
Possibility for keys to be exposed.

Workaround:
1. Do not execute qkview.
2. If executing qkview, do not share this file with untrusted parties.

Fix:
With this release, qkview no longer collects this file.


585485-3 : inter-ability with "delete IPSEC-SA" between AZURE, ASA, and the BIG-IP system

Component: TMOS

Symptoms:
Some IKEv1 IPsec vendor implementations (for example Cisco ASA) send a delete SPI message for an IPsec-SA and expect that the sibling IPsec-SA (the SPI in the other direction) will also be deleted by the peer.

The BIG-IP system sends and expect messages with two SPI's inside.

Conditions:
An IPsec tunnel between a BIG-IP system and some other vendor may experience this. Azure and Cisco ASA are two such vendors.

Impact:
An IPsec tunnel goes down and in some situations may not renegotiate while the BIG-IP believes that the outgoing SPI is still active. The tunnel will stay down until the lifetime of the outbound SA expires.

Workaround:
Delete the outbound SA from the BIG-IP using the tmsh command by specifying the related SA:

(tmos)# delete net ipsec ipsec-sa ?
Properties:
  "{" Optional delimiter
  dst-addr Specifies the destination address of the security associations
  spi Specifies the SPI of the security associations
  src-addr Specifies the source address of the security associations
  traffic-selector Specifies the name of the traffic selector

Fix:
The BIG-IP system will remove both SAs associated with one traffic-selector (tunnel) when the peer sends a delete SPI message.


585442-2 : Provisioning APM to 'none' creates a core file

Component: Access Policy Manager

Symptoms:
Provisioning APM level to 'none' may result in apmd creating a core file.

Conditions:
When the APM service is shut down, the apmd daemon may create a core file.

Impact:
There is no impact to functionality. Only a core file is created.

Workaround:
There is no loss in functionality.

Fix:
Provisioning APM level to 'none' no longer results in apmd creating a core file.


585424-1 : Mozilla NSS vulnerability CVE-2016-1979

Solution Article: K20145801


585412-4 : SMTPS virtual server with activation-mode allow will RST non-TLS connections with Email bodies with very long lines

Component: Local Traffic Manager

Symptoms:
Connections to a virtual server that uses an SMTPS profile may be reset with a reset cause of 'Out of memory.'

Conditions:
This might occur under the following conditions:
-- A virtual server that uses an SMTPS profile with activation-mode set to allow.
-- A client connection which does not use TLS that sends a DATA section with a text line that is longer than approximately 8192 characters.

8192 characters is an approximation for the maximum line length. The actual problem length can be affected by the MSS value and the particular way that the TCP traffic is segmented.

Impact:
The TCP connection is reset with a reset-cause of Out of memory' and the email will not be delivered.

Workaround:
None.

Fix:
A virtual server that uses an SMTPS profile with activation-mode set to allow no longer resets connections when the client does not use STARTTLS and the email body contains very long lines.


585352-2 : bruteForce record selfLink gets corrupted by change to brute force settings in GUI

Component: Application Security Manager

Symptoms:
If you update the brute force settings in the GUI, rest_uuid is updated as well, which breaks the self-link in the iControl REST API

Conditions:
Update brute force settings in GUI

Impact:
Unique record part updated

Workaround:
Update brute force settings using the REST API

Fix:
GUI is not changing rest_uuid when brute force settings are updated


585332 : Virtual Edition network settings aren't pinned correctly on startup

Component: TMOS

Symptoms:
You notice unusually high CPU utilization on Virtual Edition after upgrading to 12.1.0 when compared to a previous release (such as version 11.6.1).

Conditions:
This occurs after upgrading to 12.1.0. In Virtual Edition version 12.1.0, there is an issue where network interface IRQs don't get pinned correctly at startup.

Impact:
Since CPU0 is unusually high compared to previous releases, upgrading could put Virtual Edition into an overloaded state.

Workaround:
bigstart restart tmm will start the network interfaces and pin them to the right IRQ.

Fix:
Fixed an issue where interfaces and their IRQs were not configured correctly during system boot.


585120-1 : Memory leak in bd under rare scenario

Component: Application Security Manager

Symptoms:
Under high traffic, bd may leak memory and cause an ASM restart under certain rare conditions

Conditions:
ASM enabled and under high traffic

Impact:
Causes traffic abort while restart is happening. High swap and memory.

Workaround:
None.

Fix:
A memory leak in the bd was fixed.


585097-1 : Traffic Group score formula does not result in unique values.

Component: TMOS

Symptoms:
In certain configurations, the Traffic Group score for a particular Traffic Group can be identical across devices in a device service cluster, resulting in the Traffic Group becoming Active on more than one device simultaneously.

Conditions:
The score is derived from the management-ip and other factors. If the device management-ips are not on the same /24 subnet, the score is not guaranteed to be unique.

The score can be observed with the tmsh "run cm watch_trafficgroup_device" command, and in some versions of BIG-IP, the "show cm traffic-group" command.

Impact:
When the problem occurs, Traffic Groups will be Active on multiple devices simultaneously. The problem can affect all Traffic Groups.

Workaround:
The only solution is to change the management-ip on one of the colliding devices. The workaround is not practical with DHCP, and in many other situations.

Fix:
The Active device selection logic has been changed to deterministically choose the Active device location, even in cases with identical static scores.


585054-1 : BIG-IP imports delay violations incorrectly, causing wrong policy enforcement

Component: Application Security Manager

Symptoms:
When you import an XML file that contain references to violations in the delay blocking session tracking configuration, extra violations get added to the list.

Conditions:
This occurs when importing delay-type violations in ASM

Impact:
A very large subset of the violations is added to the policy

Fix:
BIG-IP now imports delay-type violations correctly.


584926-1 : Accelerated compression segfault when devices are all in error state.

Component: Local Traffic Manager

Symptoms:
TMM segfaults. Kernel log contains "Uncorrectable Error" and "icp_qa_al err" messages.

Conditions:
All physical or virtual devices concurrently enter error state.

Impact:
Tmm segfaults and restarts. May require a reboot.

Workaround:
Disable QAT compression using tmsh:

tmsh modify sys db compression.strategy value softwareonly

Fix:
TMM QAT compression driver will not fail if all QAT devices concurrently go down.


584921-1 : Inbound connections fail to keep port block alive

Component: Carrier-Grade NAT

Symptoms:
Connections that use a PBA port block should keep the port block from expiring. However inbound connections to a client using a port block will fail to refresh the block, causing the block to expire pre-maturely. An inbound connection can remain active while the port block has been deleted.

Conditions:
An inbound connection with no outbound connections fails to keep a port block alive, resulting in an inbound connection to a client without a corresponding port block.

Impact:
When reverse mapping an inbound connection to a subscriber (e.g. trying to find who was using an ip address/port at a particular time), customers may find no corresponding port block, or a port block belonging to another client when the reverse map is performed at a time when the connection is closed.

Workaround:
When performing a reverse map, customers should use the start time of a connection to determine which port block was in use.

Fix:
Inbound connections properly refresh the port block, preventing premature expiration of the port block.


584865-1 : Primary slot mismatch after primary cluster member leaves and then rejoins the cluster

Component: Local Traffic Manager

Symptoms:
Secondary blades in a Viprion system can disagree about the identity of the Primary blade.

Conditions:
Viprion chassis with 3 or more blades. If the primary is temporarily isolated from the other blades, a new primary will be elected. When the primary rejoins, the non-primary blades do not correctly switch back to the newly re-elected primary.

Impact:
Configuration and status may not be kept properly in sync between blades.

Fix:
Secondary blades properly identify the Primary on changes.


584670 : Output of tmsh show sys crypto master-key

Component: TMOS

Symptoms:
In this release, tmsh show sys crypto master-key has changed and will now display its output as the base 64 encoded form of a SHA512 hash.

Conditions:
You will see this when running tmsh show sys crypto master-key, or f5mku -Z, or f5mku -U

Impact:
None


584661 : Last good master key

Component: TMOS

Symptoms:
When applying a UCS file to a platform that was different from the one the UCS was taken on, for example after RMA, you get a master key decrypt error because the master key is different.

Conditions:
This can occur either when applying a UCS file to an identical platform you received as an RMA exchange, or while performing the platform-migrate command.

Impact:
UCS load fails when extracting a UCS that came from another system.

Fix:
Secure Vault now stores the last good master key, which allows you to set the master key password to be the same as the other device you are importing from, then load the UCS from the other system. If master key decryption fails, the system will load the master key that was in effect before the UCS load was initiated. If that master key matched the master key from the system where the UCS was taken then encrypted attributes in the UCS can be loaded into the configuration.


584655 : platform-migrate won't import password protected master-keys from a 10.2.4 UCS file

Component: TMOS

Symptoms:
If you run the platform-migrate command to migrate from a UCS file generated on a platform running 10.2.4, the password protected master key won't import

Conditions:
You would encounter this when doing platform migration from an older platform running 10.2.4, and using the UCS file from that platform to platform-migrate to 12.1.1. This also only occurs if your 10.2.4 UCS contains secure attributes, such as clientssl or serverssl keys and profiles

Impact:
The platform-migrate command will fail if the 10.2.4 UCS contains a password protected master key.

Fix:
The 12.1.1 release can successfully platform-migrate UCS files from a 10.2.4 configuration if some steps are taken to generate a password protected master key on the 10.2.4 release. Without these steps, this impact exists. The 10.2.4-specific solution https://support.f5.com/csp/#/article/K9420


584642-1 : Apply Policy Failure

Component: Application Security Manager

Symptoms:
Some Policies cannot be successfully applied/activated

Conditions:
Signature overrides on Content Profiles are configured

Impact:
Policy cannot be applied

Workaround:
None.

Fix:
Policies can be successfully applied.


584623-2 : Response to -list iRules command gets truncated when dealing with MX type wide IP

Component: Global Traffic Manager (DNS)

Symptoms:
GTM iRule "members" with the "-list" flag will truncate MX-type WideIP pool members when printed out to a log.

Conditions:
Use the GTM iRule "members" with the "-list" flag to print out the members of an MX WideIP pool during a DNS event.

Impact:
WideIP MX-type pool members are truncated in the log.

Workaround:
None


584583-3 : Timeout error when using the REST API to retrieve large amount of data

Solution Article: K18410170

Component: TMOS

Symptoms:
The Rest API might time out when attempting to retrieve large dataset, such as a large GTM pool list. The error signature when using the Rest API appears as follows: errorStack":["java.util.concurrent.TimeoutException: remoteSender:127.0.0.1, uri:http://localhost:8110/tm/gtm/pool, method:GET

Conditions:
Configuration containing a large number of GTM pools and pool members (numbering in the thousands).

Impact:
If using the Rest API to retrieve the pool list, you may receive timeout errors.

Workaround:
There is no workaround at this time.

Fix:
TMSH performance has been improved for this GTM case (improvement ~5-10 times), which is root case for REST failure. Timeout is no longer triggered for this amount of data.


584582-1 : JavaScript: 'baseURI' property may be handled incorrectly

Component: Access Policy Manager

Symptoms:
If generic JavaScript object has 'baseURI' property, it may be handled incorrectly via Portal Access: web application may get 'undefined' value for this property.

Conditions:
User-defined JavaScript object with 'baseURI' property.

Impact:
Web application may work incorrectly.

Workaround:
iRule can be used to remove F5_Deflate_baseURI() calls from rewritten JavaScript code.

Fix:
Now JavaScript objects with 'baseURI' property are handled correctly by Portal Access.


584545-2 : Failure to stabilize internal HiGig link will not trigger failover event

Component: Local Traffic Manager

Symptoms:
The internal HiGig interface potentially and repeatedly report FCS errors or does not become stable in rare cases.

Conditions:
The internal HiGig interfaces experiences FCS or XLMAC link failures.

Impact:
Device is left in a state where it cannot receive or pass traffic or have frame checksum errors.

Workaround:
None.

Fix:
HA failover mechanism is now activated when internal HSB ports on critical data path are consistently unstable.

Behavior Change:
There is a condition in which failures happen on the internal HiGig interfaces on the critical packet path between the HSB and the Broadcom switch, causing traffic interruption. Such failures can be inferred by HSB XLMAC instability or by observing increasing FCS errors. When these HSB XLMAC failures happened in the past, TMOS initiated a recovery mechanism by resetting the HSB MAC interface. However, if the failure persisted even after repeated recovery attempts, TMOS triggered a high availability (HA) failover event to prevent prolonged traffic disruption. The failover triggering condition is set as either the consecutive recovery attempts or consecutive FCS failure events that reach a configurable preset limit. After the HA failover was triggered, the original active unit will still keep trying to recover, and will mark itself ready if the failure condition is no longer observed. The XLMAC reset was existing behavior. The new behavior also applies to FCS failure events.


584471-1 : Priority order of clientssl profile selection of virtual server.

Solution Article: K34343741

Component: Local Traffic Manager

Symptoms:
When a SSL connection with specified server name is received in a virtual server from the client side, the BIG-IP system selects one clientssl profile for this connection based on the given server name. Currently the system matches the server name using the following rules:
(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the common names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.

The issue is, based on RFC6125, common name should be used as a 'last resort'. In other words, the third rule should be the second rule.

Conditions:
The issue occurs when all of the following conditions are met.
(1) The incoming SSL request includes SNI (server name) extension in the clienthello, used to specify its desirable SSL server.
(2) The given server name from the client side does not match any server name configured in all the clientssl profiles of the virtual server.
(3) The certificates used by the clientssl profile of the virtual server have subject alternative names (note that every certificate has common name but not necessarily subject alternative names).

Impact:
The virtual server might select a clientssl profile that is not preferred by the client side.

Workaround:
None.

Fix:
Priority order of clientssl profile selection of virtual server. The system now matches the server name using the following rules:

(1) First try to match the server name with explicit server name configuration of the clientssl profiles.
(2) If (1) has no match, then try to match the subject alternative names of the certificates used by the clientssl profiles.
(3) If (2) has no match, then try to match the common names of the certificates used by the clientssl profiles.

So the common-name match is last, which is correct according to RFC6125.

Behavior Change:
If server-name is not configured in the client SSL profile for SNI (server name) matching, SANs (subject alternative names) in the certificate will take precedence over CN (common name) in the certificate, for the SNI-matching process for client SSL profile selection.


584374-2 : iRule cmd: RESOLV::lookup causes tmm crash when resolving an IP address.

Solution Article: K67622400

Component: Global Traffic Manager (DNS)

Symptoms:
iRule command RESOLV::lookup causes tmm crash when resolving an IP address.

Conditions:
Using the RESOLV::lookup iRule command to resolve an IP address.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the RESOLV::lookup command to resolve an IP address.

Fix:
TMM no longer crashes when the iRule command RESOLV::lookup is used.


584373-2 : AD/LDAP resource group mapping table controls are not accessible sometimes

Component: Access Policy Manager

Symptoms:
AD/LDAP resource group mapping
In case of both lengthy group names and resource names edit link and control buttons could disapper under dialogue bounds

Conditions:
very long group names and resource names

Impact:
Impossible to delete and move rows in table - still possible to edit tho.

Workaround:
Spread one assign thru multiple rows

Fix:
Scroll bar is appearing when needed


584310-1 : TCP:Collect ignores the 'skip' parameter when used in serverside events

Solution Article: K83393638

Component: Local Traffic Manager

Symptoms:
When TCP::Collect is used with 'skip' and 'length' arguments in SERVER_CONNECTED, the "skip' argument does not take effect and is ignored. The Collect works, but collects only the length bytes from start.

Conditions:
TCP:Collect on server side events like SERVER_CONNECTED used with the 'skip' parameter. This is an intermittent issue that have happen only with IIS server.

Impact:
TCP:Collect collects bytes without taking into account the skip, so the bytes collected are not the correct ones.

Workaround:
None.

Fix:
The settings for TCP::Collect command skip and length arguments are now honored during packet processing.


584213-1 : Transparent HTTP profiles cannot have iRules configured

Component: Local Traffic Manager

Symptoms:
When an HTTP profile is configured in transparent mode, but has a nonexistent iRule attached to it, then tmm will crash.

Conditions:
-- There is iRule.
-- Proxy is transparent.

when HTTP_PROXY_REQUEST {
   after 1000
}

-- Change configuration from explicit to transparent while the system is processing in the after command.
-- There is then an attempt to use a configuration that does not exist.

Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.

Workaround:
This is incorrect configuration. Either detach the iRule or configure the profile in a mode other than transparent.

Fix:
Incorrectly configured proxy types from TMOS installations of earlier versions will be corrected at upgrade time. A warning will be logged that describes the change made.


584210-1 : TMM may core when running two simultaneous WebSocket collect commands

Component: Local Traffic Manager

Symptoms:
TMM may core with a SIGFPE when running two or more WebSocket collect commands in parallel.

Conditions:
-- WebSocket profile is attached to the virtual server.
-- Multiple iRules with WebSocket collect commands are attached to the virtual server.

Impact:
TMM may core with a SIGFPE resulting in loss of service.

Workaround:
Behavior is undefined when multiple collect commands are running at the same time. Rewrite iRules to have only one collect command executing at a time.

Fix:
iRule documentation was updated and WebSocket filter state machine was changed to reject multiple collect commands.


584103-2 : FPS periodic updates (cron) write errors to log

Component: Application Security Manager

Symptoms:
FPS periodic updates (run via cron) write errors to log when FPS is not provisioned.

Conditions:
FPS is not provisioned.

Impact:
Errors appears in FPS logs.


584082-3 : BD daemon crashes unexpectedly

Component: Application Security Manager

Symptoms:
bd crashes, with the following log signature immediately before the crash in /var/log/bd.log:

"IO_PLUGIN|ERR |Mar 29 20:48:02.217|17328|plugin_common.c:0085|plugin context doesn't match the argument which was originally set on it".

Conditions:
It is not known exactly what triggers this condition; it can occur intermittently during normal use of ASM.

Impact:
A bd crash, failover, traffic disturbance.

Workaround:
None.

Fix:
Fix a bd crash scenario.


584029-6 : Fragmented packets may cause tmm to core under heavy load

Component: Local Traffic Manager

Symptoms:
In rare circumstances, the Traffic Management Microkernel (TMM) process may produce a core file while processing fragmented packets.

As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- In one of the /var/log/tmm log files, you observe an error message similar to the following example:
 notice panic: ../base/flow_fwd.c:255: Assertion "ffwd flag set" failed.
 panic: ../net/packet.c:168: Assertion "packet is locked by a driver" failed.

notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- The TMM process offloads a fragmented packet by way of an ffwd operation.
-- Your BIG-IP system is under heavy load.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
None.

Fix:
Fragmented packets no longer cause tmm to core under heavy load.


583957-6 : The TMM may hang handling pipelined HTTP requests with certain iRule commands.

Component: Local Traffic Manager

Symptoms:
Rarely, the TMM may hang during a HTTP::respond or HTTP::redirect iRule command if it is part of a pipelined HTTP request.

Conditions:
A HTTP::respond or HTTP::redirect iRule is used.
The iRule command is in an event triggered on the client-side.
A pipelined HTTP request is being handled.

Impact:
The TMM will be restarted by SOD.

Fix:
The TMM no longer hangs in rare situations when processing a pipelined HTTP request and invoking a HTTP::respond or HTTP::redirect iRule command.


583943-1 : Forward proxy does not work when netHSM is configured on TMM interfaces

Solution Article: K27491104

Component: Local Traffic Manager

Symptoms:
Forward proxy feature does not always work when netHSM is configured on TMM interfaces.

Conditions:
When netHSM device is configured on TMM interface.

Impact:
The forward proxy feature does not work. This is an intermittent issue.

Workaround:
None.

Fix:
Forward proxy now works consistently when netHSM is configured on TMM interfaces.


583936-5 : Removing ECMP route from BGP does not clear route from NSM

Component: TMOS

Symptoms:
When configured to install multiple routes into the routing table, ZebOS does not withdraw BGP routes when a neighbor is shut down and it has more than two routes already installed for the same route prefix.

Conditions:
ECMP routing must be enabled and in-use.

Impact:
ECMP routes are not properly removed from the main routing table.

Fix:
Now properly removing ECMP routes from the routing table.


583754-7 : When TMM is down, executing 'show ltm persist persist-records' results in a blank error message.

Component: TMOS

Symptoms:
Executing 'show ltm persist persist-records' results in a blank error message.

Conditions:
TMM must be down.

Impact:
Non-obvious / unhelpful error message is generated, leading to confusion.

Workaround:
N/A


583700-3 : tmm core on out of memory

Solution Article: K32784801

Component: Local Traffic Manager

Symptoms:
tmm memory increases quickly, then crashes on out-of-memory condition.

Conditions:
It is not known exactly what triggers this, but it was observed on a hardware platform processing a large number of ECDH and ECDHE ciphers.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.

Fix:
The system now cancels ongoing crypto requests when the handshake is dropped, preventing this error condition.


583686-2 : High ASCII meta-characters can be disallowed on UTF-8 policy via XML import

Component: Application Security Manager

Symptoms:
After importing an XML policy, you cannot view or edit policies containing high ASCII characters.

Conditions:
This occurs when importing XML policies containing high-ASCII meta-characters but high-ASCII is not allowed in a UTF-8 policy.

Impact:
Unable to view or edit the policy, and Illegal meta character in value violation is triggered


583678-1 : SSHD session.c vulnerability CVE-2016-3115

Solution Article: K93532943


583631-2 : ServerSSL ClientHello does not encode lowest supported TLS version, which might result in alerts and closed connections on older Servers.

Component: Local Traffic Manager

Symptoms:
Server SSL ClientHello does not encode lowest supported TLS version. The outer record for a ClientHello contains the same version as the ClientHello. If, for example, the ClientHello is TLS1.2, the outer record will contain TLS1.2. Older servers that do not support later TLS versions might generate an alert and close the connection.

Conditions:
A BIG-IP system with a server SSL profile that supports a TLS version higher than that of the server to which it is connecting.

Impact:
The connection fails. The system might generate an alert.

Workaround:
Force the server SSL profile to use a lower TLS version number by selecting 'No TLSv1.2' or 'No TLSv1.1' in the `options' section of the Server SSL Profile.

Fix:
When enabled by setting the db variable, 'SSL.OuterRecordTls1_0,' to, 'enable,' the outer SSL record will always contain TLS1.0. This is the default. You can use this db variable to prevent an issue in older servers that do not support TLS versions later than 1.0, in which an alert might be generated closing the connection.

Behavior Change:
Formerly, the version present in the ClientHello and the version present in the outer record would match. Now, if the sys db variable, 'SSL.OuterRecordTls1_0,' is set to 'enable' the version present in the outer record will be TLS 1.0 regardless of the version in the ClientHello. This is the default.


583516-2 : tmm ASSERT's "valid node" on Active, after timer fire..

Component: TMOS

Symptoms:
TMM crashes on ASSERT's "valid node".

Conditions:
The cause is unknown, and this happens rarely.

Impact:
tmm crash

Workaround:
no

Fix:
TMM no longer asserts on 'valid node'


583475-1 : The BIG-IP may core while recompiling LTM policies

Component: TMOS

Symptoms:
In some rare and still unknown situations the BIG-IP Mcpd process may core when creating or modifying LTM policies. While the root cause of the crash is not fully understood at this time, one of the symptoms points to a nonexistent or invalid LTM policy.

Conditions:
Creating or modifying LTM policies.

Impact:
The BIG-IP control plane services restart thus affecting both, control plane and data plane functionality.

Workaround:
A possible workaround could be to attempt re-creating the LTM policy producing the crash under a different name. Avoid any special characters (or spaces) in the name of the LTM policy.

Fix:
Not fixed yet.


583402-1 : ASM Policy Parameter's Filter: Search for at least 1 Override doesn't work

Component: Application Security Manager

Symptoms:
The 'Overridden Characters in Value' and 'Overridden Attack Signatures' filter options on the Parameters List screen doesn't work correctly. These filter options appear after you set 'Parameter Value Type' to 'User-input value' and 'Data Type' to 'Alpha-Numeric'.

Conditions:
Attempting to filter parameters by settings the 'Value Type' to 'User-input value', 'Data Type' to 'Alpha-Numeric', and searching for 'At least one' signature override.

Impact:
Search fails.

Workaround:
None.

Fix:
Searching for 'At least one' override now works correctly.


583355-1 : The TMM may crash when changing profiles associated with plugins

Component: Local Traffic Manager

Symptoms:
The TMM may crash when changing profiles associated with plugins.

Conditions:
The must be a profile associated with a plugin already on a virtual server and traffic must be running. When the profile is removed or swapped for another, the crash may occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
A safe way to definitely avoid a crash is to stop the plugin before making changes to its profile.


583285-5 : BIG-IP logs INVALID-SPI messages but does not remove the associated SAs.

Solution Article: K24331010

Component: TMOS

Symptoms:
The BIG-IP system logs INVALID-SPI messages but does not remove the associated Security Associations (SAs) corresponding to the message.

Note: There are three parts to this issue, as recorded in the following bugs: 569236, 583285, and 662331.

Conditions:
This can occur if an IPsec peer deletes a phase2 (IPsec) SA and does not send a 'notify delete' message to the other peer. The INVALID-SPI message is most likely to be seen when the peer deletes an SA before the SA's agreed lifetime.

Impact:
If the BIG-IP is always the Initiator, the Responder will not initiate a new tunnel if the Responder only handles responses to the BIG-IP clients' traffic. The BIG-IP system continues to use the IPsec SA it believes to be still up. When an SA expires prematurely, some IPsec peers will reject an inbound SPI packet with an ISAKMP INVALID-SPI notify message. If the INVALID-SPI message does not cause new SAs to be created, there will be a tunnel outage until the SA lifetime expires on the defunct SA held on the BIG-IP system.

Workaround:
Manually remove the invalid SA on the BIG-IP system by running the following command:
delete /net ipsec ipsec-sa spi <invalid_spi>

Fix:
Now, when the BIG-IP system receives INVALID-SPI messages, it deletes the invalid Security Association as well as logging the INVALID-SPI message, so the tunnel can initiate again.

Note: There is a three-part fix provided for this issue, as provided in the following bugs: 569236, 583285, and 662331.


583272-2 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Component: Access Policy Manager

Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.

The root cause is that in packet capture, the APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy

Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.

Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Impact:
Client is unable to authenticate.

Workaround:
None.

Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.


583177 : LCD text truncated by heartbeat icon on VIPRION

Component: TMOS

Symptoms:
while looking at informational text on the first line of the LCD display on a VIPRION, the end of the string is truncated by a heartbeat icon.

Conditions:
This occurs on platforms that display a heartbeat icon on the LCD display.

Impact:
The heartbeat icon is displayed over the last character of the string, this is cosmetic.

Fix:
In this release, longer messages on the LCD are now displayed on multiple lines.


583113-1 : NTLM Auth cannot be disabled in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
The following iRule did not work as expected when the access profile had an NTLM auth. The client still received a 407 prompt to enter NTLM credentials.

when HTTP_PROXY_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
    }
}

Conditions:
Access profile of an SWG type, with an NTLM auth profile attached.

Impact:
It was impossible to disable NTLM auth from the HTTP_PROXY_REQUEST event.

Workaround:
The following iRule works from HTTP_REQUEST

when HTTP_REQUEST {
    if { [HTTP::uri] contains "disable" } {
        ACCESS::disable
        ECA::disable
    }
}

Fix:
When ACCESS filter is disabled, it still processes certain messages. The logic in one of those message handlers was "if NTLM configured, then wake up the ECA plugin"

Fix changed the logic to "if NTLM configured and ACCESS filter is not disabled, then wake up the ECA plugin."


583111-1 : BGP activated for IPv4 address family even when 'no bgp default ipv4-unicast' is configured

Component: TMOS

Symptoms:
When BGP is configured with 'no bgp default ipv4-unicast,' configuring a peer-group with IPv6 members adds 'neighbor <neighbor> activate' for the IPv6 neighbors under address-family ipv4.

Conditions:
This occurs when the following conditions are met:
-- 'no bgp default ipv4-unicast' is configured in imish.
-- 'neighbor <neighbor> peer-group <peergroup>' is configured.

Impact:
Despite disabling IPv4 unicast for BGP by default, neighbors in the peer group have the IPv4 unicast address family enabled.

Workaround:
Delete the line in the configuration that was automatically added in imish in the 'router bgp' section:
no neighbor <neighbor> activate

Fix:
Configuring IPv6 members of a peer-group when 'no bgp default ipv4-unicast' no longer automatically enables IPv4 unicast for the peer-group members.


583108-1 : Zebos issue: No neighbor x.x.x.x activate in address-family IPv6 lost on reboot/restart.

Component: TMOS

Symptoms:
when a neighbor with ipv4 address is disabled in ipv6 address family, show running configuration displays that the neighbor is disabled. However, when we restart or reboot the tmrouted or bgp protocol, the neighbor is enabled again. The configuration persistence is not maintained.

Conditions:
1. disable a neighbor with ipv4 address in ipv6 address family.
2. reboot/restart tmrouted or bgp protocol

Impact:
configuration persistence is not maintained. This impacts the BIGIP upgrades as the configuration loaded is not the same as it was before the upgrade. Similarly, a restart/reboot will also have different configuration loaded than originally used. This might alter the intended behavior of the protocol that the use expects to function.

Workaround:
disable the neighbor again.

Fix:
configuration persistence is maintained for the disabled neighbor with ipv4 address in the ipv6 address family.


583024-1 : TMM restart rarely during startup

Component: Application Security Manager

Symptoms:
A TMM crashes with a core file during startup. It restarts then correctly.

Conditions:
The system starts up.

Impact:
The system startup takes longer. A core file appears. Traffic is not impacted and a failover usually doesn't occur since the system didn't reach the active state.

Workaround:
None.

Fix:
TMM no longer crashes during startup.


583010-4 : Sending a SIP invite with 'tel' URI fails with a reset

Component: Service Provider

Symptoms:
Using a 'INVITE tel:' URI results in SIP error (Illegal value).

Conditions:
Sending a SIP "INVITE tel:" to the BIG-IP system.

Impact:
'INVITE tel:' messages are not accepted by BIG-IP system.

Workaround:
None.

Fix:
'INVITE tel:' messages are now accepted by BIG-IP system.


582792-7 : iRules are not updated in transactions through TMSH or iControl

Component: TMOS

Symptoms:
Updating an iRule in a transaction via TMSH or iControl results in the iRule not being updated, but there is no error indicating this.

Conditions:
Updating an iRule in a transaction using TMSH or iControl.

Impact:
iRule is not updated, and the user is not alerted of this fact.

Workaround:
None.

Fix:
iRules modified through transactions are now updated properly.


582773-5 : DNS server for child zone can continue to resolve domain names after revoked from parent

Solution Article: K48224824


582769-1 : WebSockets frames are not forwarded with Websocket profile and ASM enabled on virtual

Solution Article: K99405272

Component: Local Traffic Manager

Symptoms:
WebSockets frames are not forwarded with WebSocket profile and ASM enabled on virtual.

Conditions:
Virtual has WebSocket profile attached to it. ASM is enabled on the virtual. WebSockets server replies with a "Connection: upgrade" header. The issue is also seen if multiple header values are present in Connection header.

Impact:
WebSockets frames are not forwarded to the pool member

Workaround:
Use a simple iRule similar to the following:

when HTTP_RESPONSE {
    if { [HTTP::status] == 101 } {
        HTTP::header replace "Connection" "Upgrade"
    }
}

Fix:
The system now accepts "Connection: UPGRADE" or "Connection: upgrade" as valid header for WebSocket handshake, and supports a comma-separated list of values for the Connection response header.


582752-3 : Macrocall could be topologically not connected with the rest of policy.

Component: Access Policy Manager

Symptoms:
It is possible to create macrocall access policy item that:

1. Belongs to policy items list.
2. Correctly connected to ending.
3. Have no incoming rules (i.e., no items pointing at it).

Conditions:
1. Create access policy with macrocall item in one of the branches.
2. Remove the item which refers to this macrocall item from AP

As a result, macrocall item remains.

Impact:
VPE fails to render this access policy.

Workaround:
Delete macrocall access policy item manually using tmsh commands.

Fix:
Any modification of access policy is not allowed if it makes any access policy item non-referenced.
At upgrade time, non-referenced access policy items are deleted. All subsequent access policy items are deleted as well. Resulting access policies can be rendered correctly by VPE. Note that only active configuration is corrected, saved configuration file (/config/bigip.conf) contains uncorrected version until any new configuration changes are done. Active configuration can be saved by explicit tmsh command ('tmsh save sys config partitions all").


582683-2 : xpath parser doesn't reset a namespace hash value between each and every scan

Component: Application Security Manager

Symptoms:
After a while the iRule event stops firing until the cbrd daemon is restarted.

Conditions:
The customer has a virtual server configured with an XML, along with an iRule that triggers on the XML_CONTENT_BASED_ROUTING event.

Impact:
XML content based routing does not work dependably.

Workaround:
N/A

Fix:
fixing xpath parer -- Restoring namespace declaration each time the xpath parser finishes to parse the document.


582629-1 : User Sessions lookups are not cleared, session stats show marked as invalid

Component: Application Visibility and Reporting

Symptoms:
AVR session statistics may be reported as excessively high, and when the sessions time out they get marked as invalid instead of being removed.

Conditions:
The exact conditions which cause this in a production configuration are unknown, as this was discovered during internal testing.

Impact:
Session statistics will report incorrectly

Fix:
An issue with session statistics not clearing after session timeout has been fixed.


582526-3 : Unable to display and edit huge policies (more than 4000 elements)

Component: Access Policy Manager

Symptoms:
It takes a very long time or is not possible to display huge policies (more than 4000 elements). VPE returns server timeout error or simple halts.

Conditions:
Huge Access Policy, for example, containing 4000 or more elements.

Impact:
Unable to edit policy because VPE times out.

Workaround:
None.

Fix:
VPE loading times for APM policies is greatly improved, so displaying very large policies (for example, 4000 elements) now completes successfully.


582487-2 : 'merged.method' set to 'slow_merge,' does not update system stats

Solution Article: K22210514

Component: Local Traffic Manager

Symptoms:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats is not updated and remains zero.

Conditions:
Merged.method is set to slow_merge.

Impact:
System stats such as overall CPU usage remain at zero.

Workaround:
Set Merged.method to fast_merge.

Fix:
When the statistics DB variable option 'merged.method' is set to 'slow_merge,' system stats are not updated as expected.


582465-1 : Cannot generate key after SafeNet HSM is rebooted

Component: Local Traffic Manager

Symptoms:
After the SafeNet Hardware Security Module (HSM) is restarted, users cannot generate a new key.

Conditions:
The BIG-IP system uses the SafeNet HSM.

Impact:
HSM service is not usable even after restarting pkcs11d. Users must re-authenticate.

Workaround:
To generate a new key, after HSM finishes starting up, run the following commands:

# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -c
# /shared/safenet/toolkit/sautil -v -s 1 -i 10:11 -o -p <hsm_partition_password>

Or, you can reinstall SafeNet client.

Fix:
After the SafeNet Hardware Security Module (HSM) is restarted, users can now generate a new key.


582374-1 : Multiple 'Loading state for virtual server' messages in admd.log

Component: Anomaly Detection Services

Symptoms:
When a dosl7d profile is configured on a BIG-IP that's in a device group and the BIG-IP is set to "Forced Offline" in the Device Management settings, admd will log multiple messages to admd.log similar to 47854390298368 Mar 22 02:38:50 [info] virtual bool CVirtualServerImpl::loadState() : Loading state for virtual server

Conditions:
- dosl7d profile attached to a virtual server
- BIG-IP is part of a DSC cluster
- a BIG-IP is forced offline in the cluster

Impact:
Excessive logging occurs to /var/log/adm/admd.log

Workaround:
None

Fix:
An issue with excessive logging to admd.log has been fixed.


582133-1 : Policy builder doesn't enable staging after policy change on "*" entities (file types, urls, etc.)

Component: Application Security Manager

Symptoms:
When conditions of "Track Site Change" settings are met the staging flag on "*" entities is supposed to be turned ON in order to learn sub-sequences of site changes without blocking traffic. However it doesn't happen. The staging flag stays OFF.

Conditions:
Staging was set OFF on "*" entity. After that conditions of "Track Site Change" settings are met.

Impact:
in a situation when the protected Web application was changed, ASM can block traffic when it should not be blocked.

Workaround:
Staging flag can be changed manually via GUI

Fix:
The problem was a sub-sequence of other code changes. The code was fixed he way it should count for "Track Site Change" conditions and change Staging flag when it is needed.


582084-1 : BWC policy in device sync groups.

Component: TMOS

Symptoms:
When there is a BWC policy created in global sync group and also a local one, then the configuration displays an error.

Conditions:
If BWC policy is created both in global sync and local.

Impact:
Configuration error, BWC policies will not be synced due to errors.

Workaround:
Ensure that BWC policy is in global sync only.

Fix:
BWC policy is now configured for device group sync only in the global group and not local.


582029-4 : AVR might report incorrect statistics when used together with other modules.

Component: Application Visibility and Reporting

Symptoms:
When AVR is assigned to a virtual server that also has APM or Behavioral DoS, it can lead to AVR getting false readings of the activity and as result report on unexpectedly large numbers.

Conditions:
AVR Module is used together with other modules, and these module affect the traffic flow.

Impact:
AVR reports incorrect statistics: unexpectedly large numbers.

Workaround:
None.

Fix:
AVR now identifies the other modules' activity and collects the activity statistics accordingly.


581991-1 : Logging filter for remote loggers doesn't work correctly with more than one logging profile

Component: Application Security Manager

Symptoms:
A logging message arrived at a remote logger while the remote logger's filter have a criteria that doesn't match.

Conditions:
More than one logging profile is attached to a virtual server, the logging profiles have different filters conditions.

Impact:
A non related messages will be presented at the remote logger

Fix:
Fixed an issue with multiple remote logging with different filters.


581945-2 : Device-group 'datasync-global-dg' becomes out-of-sync every hour

Component: TMOS

Symptoms:
The datasync-global-dg device-group may become out-of-sync unexpectedly without any user changes.

When this happens, you can manually sync the device-group, but after about an hour, the device-group becomes out-of-sync again.

Conditions:
-- This happens only in certain timezones, depending on the timezone configured on the BIG-IP system. (This issue has been seen only in relation to the Europe/London timezone.)
-- The problem starts happening about three days after the first installation of an ASM Signature Update (ASU) or FPS Engine/Signature Update.

Impact:
GUI/shell shows config-sync 'possible change conflict' or 'changes pending' in regards to the datasync-global-dg device-group.

Workaround:
There is no workaround other than manually syncing the device-group approximately every hour.

Fix:
The datasync-global-dg device-group no longer becomes out-of-sync unexpectedly and repeatedly every hour.


581921-2 : Required files under /etc/ssh are not moved during a UCS restore

Solution Article: K22327083

Component: TMOS

Symptoms:
The SSH files required for SSH sign on are not transferred when performing a UCS restore operation. Further, files are not transferred even during upgrade.

Conditions:
This can happen when performing a UCS restore operation, or when upgrading from one version to the next.

Impact:
This might impact SSH operations.

Workaround:
Add the /etc/ssh directory to the UCS backup configuration. This causes all subsequent UCS backup and restore operations will now include the /etc/ssh/ directory.

To complete this procedure, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive :: https://support.f5.com/csp/article/K4422.

Fix:
The correct folder is now present when performing a UCS restore operation, so that all of the files required for the operation of SSH are transferred.


581851-2 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Solution Article: K16234725

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
 + err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

 + err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.

Fix:
This issue no longer occurs.


581840-5 : Cannot use Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.

Solution Article: K46576869

Component: Device Management

Symptoms:
Attempting to use BIG-IQ to manage BIG-IP systems using an Administrator account named other than 'admin' can fail.

Conditions:
-- BIG-IQ managing BIG-IP systems.
-- Using an Administrator account different from 'admin',

Impact:
You cannot manage BIG-IP systems through BIG-IQ.

Workaround:
Use the 'admin' account on BIG-IQ to manage BIG-IP devices.

Fix:
Can now use an Administrator account other than 'admin' to manage BIG-IP systems through BIG-IQ.

Behavior Change:
Local requests through iControl client are now made on port 80, instead of 443.


581835-1 : Command failing: tmsh show ltm virtual vs_name detail.

Component: TMOS

Symptoms:
The following command fails: tmsh show ltm virtual vs_name detail. The system posts the following error:

01020036:3: The requested profile exchange: virtual server object (exchange_profile_name:vs_name) was not found.

Conditions:
Occurs when an APM Access Profile has an Exchange Profile attached and the access profile is then assigned to a virtual server.

Impact:
No information is displayed by the tmsh show command.

Workaround:
None.

Fix:
The tmsh show command now presents information, and 'tmsh show ltm virtual vs_name detail' shows the expected details without error.


581834-5 : Firefox signed plugin for VPN, Endpoint Check, etc

Component: Access Policy Manager

Symptoms:
clients are unable to use the Firefox plugin on Firefox version 47 and above

Conditions:
Clients using Firefox v47 and above attempting to use the Firefox plugin

Impact:
Clients will be unable to use the plugin if they are using Firefox version 47 and above

Fix:
The Firefox plugin now supports all versions.


581824-2 : "Instance not found" error when viewing the properties of GSLB monitors gateway_icmp and bigip_link.

Component: Global Traffic Manager (DNS)

Symptoms:
When you attempt to view the monitors' properties, the page throws an "Instance not found" error.

Conditions:
Viewing the GSLB Monitors tcp_half_open, gateway_icmp and bigip_link's properties page.

Impact:
You cannot view some of their monitors' properties.

Fix:
Fixed the "Instance not found" error.


581811 : The blade alarm LED may not reflect the warning that non F5 optics is used.

Component: TMOS

Symptoms:
When non F5 optics is used for front switch ports, the LCD and /var/log/ltm will display some warning message. But the alarm LED may not reflect that.

Conditions:
This is caused by a race condition. When a blade comes up and decides its role as a primary blade or a secondary blade, it will clear the alarm LED. So the last blade coming up may have its alarm LED in the right state, but the blades that came up earlier may have their alarm LEDs cleared.

Impact:
The alarm LED may not reflect the warning.

Workaround:
None.

Fix:
The problem is fixed in TMOS v12.1.1.


581746-1 : MPTCP or SSL traffic handling may cause a BIG-IP outage

Solution Article: K42175594

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.

Impact:
A system outage may occur.

Workaround:
None.

Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.


581438-2 : Allow more than 16 pool members to be chosen from a pool during a single load-balancing decision.

Component: Global Traffic Manager (DNS)

Symptoms:
Prior to this, only 16 pool members could be chosen during a single load-balancing decision.

Impact:
Cannot return more than 16 pool members in a DNS response.

Fix:
GTM now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.

Behavior Change:
BIG-IP DNS GSLB now allows more than 16 pool members to be returned from a pool in a DNS response. Any amount from 1 to 500 can be selected.


581406-1 : SQL Error on Peer Device After Receiving ASM Sync in a Device Group

Component: Application Security Manager

Symptoms:
When:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Then upon loading the full sync in the peer an SQL error will appear during the load:
"Failed on insert to PLC.PL_SESSION_AWARENESS_DATA_POINT (DBD::mysql::db do failed: Duplicate entry '<ID>' for key 'PRIMARY')"

Conditions:
1) A "Block All" Session Tracking Status exists
and
2) A full sync occurs in an ASM CMI device group (always the case in manual sync device group)

Impact:
Benign error which does not affect configuration or enforcement.

Workaround:
None

Fix:
SQL error no longer occurs on CMI Sync with Session Awareness


581315-1 : Selenium detection not blocked

Component: Application Security Manager

Symptoms:
When selenium client webdriver is detected running the Chrome browser it is not being blocked due to low score being assigned by PBD (Suspicious Browsers) mechanism.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled.

Impact:
A bot which running selenium Chrome webdriver isn't mitigated by DoSL7 PBD mechanism.

Workaround:
N/A

Fix:
Only for Desktop Google Chrome browsers, the PBD javascript code checks if a plugin called "Widevine Content Decryption Module" doesn't exists, the browser considered as running via the selenium tool and will be blocked by PBD.


581101-1 : non-admin user running list cmd: can't get object count

Component: TMOS

Symptoms:
Non-admin user running list cmd: can't get object count.

Conditions:
Login as non admin user

Impact:
Very minor
non-admin user got some restrictions to view.

Workaround:
Use admin account.

Fix:
Non admin user rights fixed.


580893-2 : Support for Single FQDN usage with Citrix Storefront Integration mode

Solution Article: K08731969

Component: Access Policy Manager

Symptoms:
Adding a new login account onto Citrix Receiver enumerates the applications and desktop. Logging off and reconnecting using the same account starts failing.

Conditions:
-- Citrix Storefront Integration mode with APM.
-- Using the same FQDN to access both Storefront as well as an APM virtual server.

Impact:
Clients are unable to connect.

Workaround:
No workaround other than using different FQDNs.

Fix:
You can now use the same FQDN to successfully access both Storefront as well as an APM virtual server.


580862-1 : Policy disabled after enabled with apply-policy via REST, asm-sync removal fixes

Component: Application Security Manager

Symptoms:
After the Apply-policy task completes successfully, there is an LTM incremental sync back from the peer unit and the policy is deactivated.

Conditions:
High availability (HA) configuration with an auto-sync failover group with ASM sync enabled.

Impact:
ASM policy is erroneously deactivated several seconds after it has been activated via the Apply-policy task.

Workaround:
Temporarily disable ASM sync on the device group.

Fix:
This release fixes the Apply-policy task so that there is no erroneous deactivation after it has completed.


580753-1 : eventd might core on transition to secondary.

Solution Article: K82583534

Component: TMOS

Symptoms:
Upon transition to secondary, eventd shuts down its consumer list. However, during this shutdown, there could still be queued events yet to be process. This leads to a race condition between processing the events and freeing the memory of the consumer.

Conditions:
This happens when eventd is being shutdown while processing events.

Impact:
Causes eventd segmentation fault and core dump

Workaround:
None.

Fix:
eventd no longer cores on transition to secondary when eventd is being shutdown while processing events.


580747-1 : libssh vulnerability CVE-2016-0739

Solution Article: K57255643


580602-1 : Configuration containing LTM nodes with IPv6 link-local addresses fail to load.

Component: TMOS

Symptoms:
As a result of a known issue a configuration containing LTM nodes with IPv6 link-local addresses may fail to load.

Conditions:
Attempt to load a configuration containing a LTM node with a IPv6 link-local address.

Impact:
Configuration fails to load.

Workaround:
Use IPv6 global addresses instead.

Fix:
The BIG-IP system now loads correctly a configuration containing a LTM node with a IPv6 linbk-local address.


580596-1 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 / TMM SSL/TLS virtual server vulnerability CVE-2016-6907

Solution Article: K14190 K39508724 K10065173


580567-1 : LDAP Query agent failed to resolve nested group membership

Component: Access Policy Manager

Symptoms:
Not all of the nested group membership are resolved for a user

Conditions:
Several conditions need to be met:
1. LDAP Query agent is configured to connect to GC (Global Catalog) in AD environment; AND
2. There are sub domains in the AD environment; AND
3. A user who is a member of a group from one of the sub domains login in.

Impact:
User authentication might fail or not getting all the assigned resources due to missing nested group membership.

Fix:
after fix, LDAP agent retrieve group from server when talking to Global Catalog


580537-1 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager (DNS)

Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.


580500-1 : /etc/logrotate.d/sysstat's sadf fails to read /var/log/sa6 or fails to write to /var/log/sa6, disk space is not reclaimed.

Component: TMOS

Symptoms:
/etc/logrotate.d/sysstat fails to read /var/log/sa6 or fails to write to /var/log/sa6,, diskspace in /var/log/sa6 is not rotated and disk space reclaimed.

Conditions:
/var/log/sa6 becomes corrupt or disk space becomes full in /var/log/sa6

Impact:
Disk space is not reclaimed in /var/log/sa6

Workaround:
edit /etc/logrotate.d/sysstat
Add "exit 0" after sadf line

Fix:
When /etc/logrotate.d/sysstat's sadf fails, exit cleanly
so logrotate reclaims disk space


580340-1 : OpenSSL vulnerability CVE-2016-2842

Solution Article: K52349521


580313-1 : OpenSSL vulnerability CVE-2016-0799

Solution Article: K22334603


580303-5 : When going from active to offline, tmm might send a GARP for a floating address.

Component: Local Traffic Manager

Symptoms:
When moving from active to offline, tmm might send one final GARP for a floating address from the device that is moving offline.

Conditions:
Using high availability, and switching a device from active to offline.

Impact:
The GARP from the offline device can arrive on upstream devices after the GARP from the newly active device, which might poison the address cache of the upstream device. The result is that failover takes longer, since the upstream devices must rediscover the active device.

Workaround:
Use MAC masquerading along with the floating address; the system sends a GARP for the MAC masqueraded address, which prevents the issue.

Fix:
tmm no longer sends a final GARP for a floating address immediately before going offline.


580168-4 : Information missing from ASM event logs after a switchboot and switchboot back

Component: Application Security Manager

Symptoms:
Information missing from ASM event logs after a switchboot and switchboot back

Conditions:
ASM provisioned
event logs available with violation details
install/upgrade to another volume and switchboot to it
wait for ASM to fully come up
switchboot back
event logs are still available but violation details are gone

Impact:
Information missing from ASM event logs after a switchboot and switchboot back

Workaround:
N/A

Fix:
N/A


580026-5 : HSM logging error

Solution Article: K74759095


579955-6 : BIG-IP SPDY and HTTP/2 profile vulnerability CVE-2016-7475

Solution Article: K01587042


579953 : Updated the list of Common Criteria ciphersuites

Component: Local Traffic Manager

Symptoms:
This is a continuous maintenance of the default set per certification requirements

Conditions:
These changes are only in effect when ccmode script is executed.

Impact:
Current set of ciphersuites is the following, subject to change in future releases:

AES{128,256}-{SHA,SHA256}
ECDHE-RSA-AES128-CBC-{SHA,SHA256}
ECDHE-RSA-AES256-CBC-{SHA,SHA384}
ECDHE-RSA-AES128-GCM-{SHA256,SHA384}
ECDHE-ECDSA-AES128-{SHA,SHA256}
ECDHE-ECDSA-AES256-{SHA,SHA384 }
ECDHE-ECDSA-AES128-GCM-{SHA256,SHA384}


579926-1 : HTTP starts dropping traffic for a half-closed connection when in passthrough mode

Component: Local Traffic Manager

Symptoms:
HTTP starts dropping traffic for a half-closed connection when in passthrough mode.

Conditions:
HTTP is in passthrough mode. Traffic is flowing for a half-closed connection.

Impact:
Incomplete data transfer to end-point, when the connection is half-closed and HTTP is in passthrough mode.

Workaround:
No workaround.


579917-1 : User-defined signature set cannot be created/updated with Signature Type = "All"

Component: Application Security Manager

Symptoms:
When creating a User-Defined Signature Set the Signature Type cannot be set to "All". After saving the setting, it resets back to Request.

Conditions:
Creating a new signature set with Signature Type set to "All" (the dropdown defaults to "Request" when opening the create page).

Impact:
A Custom Signature Set cannot be created for with Request and Response Signatures

Workaround:
No workaround, but can be mitigated by creating two signature sets, or using manual sets.

Fix:
Signature Type can now successfully be set to "All" Signatures


579843-1 : tmrouted may not re-announce routes after a specific succession of failover states

Component: Local Traffic Manager

Symptoms:
tmrouted does not re-announce RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.

Conditions:
- Active/Standby HA pair set up
 - Both units configured with a dynamic routing protocol and Route Health Injection enabled on one or more Virtual-Addresses.
 - Active unit has the following succession of failover states:
   Active->Offline->Online->Standby->Active

Impact:
Tmrouted may not announce the Virtual addresses when coming back to Active state after the mention succession.

Workaround:
A failover to Standby and back to Active works around the issue.
Restarting tmrouted is also an alternative option.

Fix:
tmrouted now re-announces RHI routes in a specific transition of failover states within a HA pair using dynamic routing and HA pair.


579829-7 : OpenSSL vulnerability CVE-2016-0702

Solution Article: K79215841


579760-3 : HSL::send may fail to resume after log server pool member goes down/up

Solution Article: K55703840

Component: TMOS

Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.

Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing.

Impact:
For a period of time after the logging node comes back up, HSL::send events will not be sent to the log server. Sometimes it never recovers and tmm needs to be restarted.

Workaround:
If possible, configure log server pools with multiple members to avoid this condition.


579529 : Stats file descriptors kept open in spawned child processes

Component: TMOS

Symptoms:
No known user visible impact.

Conditions:
This occurs in all multi-blade platforms where clusterd is running.

Impact:
No known user visible impact.

Workaround:
None.

Fix:
Stats file descriptors are opened so that they are closed when a child process is spawned.


579495-1 : Error when loading Upgrade UCS

Component: Application Security Manager

Symptoms:
When loading an older version UCS file while ASM is live an error may occur when processing the new configuration. You will see the following error in the asm log:

Mar 9 07:16:06 dut30 err perl[22696]: 01310011:3: ASM configuration error: event code T1499 Failed to update configuration table CONFIG_TYPE_DYNAMIC_TABLES

Conditions:
Loading an older version UCS on a live system.

Impact:
Enforcement of Allowed Methods may be incorrect

Workaround:
Restart ASM

Fix:
Configuration is correctly processed when loading a UCS file for upgrade on a live device.


579371-4 : BIG-IP may generate ARPs after transition to standby

Solution Article: K70126130

Component: Local Traffic Manager

Symptoms:
tmm generates unexpected ARPs after entering standby.

Conditions:
-- High availability configuration with a vlangroup with bridge-in-standby disabled.
-- ARP is received just before transition to standby.

Impact:
Unexpected ARP requests that might result in packet loops.

Workaround:
None.

Fix:
ARPs will no longer be proxied on vlangroups with bridge-in-standby disabled after entering standby.


579220-1 : Mozilla NSS vulnerability CVE-2016-1950

Solution Article: K91100352


579210-3 : VIPRION B4400N blades might fail to go Active under rare conditions.

Solution Article: K11418051

Component: TMOS

Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.

Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.

Impact:
When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster.

Workaround:
To recover, reboot the system once.


579085-6 : OpenSSL vulnerability CVE-2016-0797

Solution Article: K40524634


578983-4 : glibc: Integer overflow in hcreate and hcreate_r

Solution Article: K51079478


578971-3 : When mcpd is restarted on a blade, cluster members may be temporarily marked as failed

Component: Local Traffic Manager

Symptoms:
When mcpd is restarted on a blade, the clusterd process on that blade may become blocked for some time. This may result in cluster member heartbeat timeouts, which are seen in the /var/log/ltm log file with messages that include:

"Slot 1 suffered heartbeat timeout ..."

This causes cluster members to be marked failed. The condition resolves itself within one minute, and the cluster fully recovers on its own.

Conditions:
Mcpd is restarted on a blade.

Impact:
Though all blades recover on their own, the cluster members being marked fail may result in a failover.

Workaround:
There is no workaround for this issue. It is recommended to avoid restarting mcpd on any blade belonging to the active unit of an HA group. The issue resolves itself within about a minute, and all cluster members will be marked as up again.

Fix:
The clusterd daemon has been fixed to no longer become blocked when mcpd is restarted. This prevents the cluster member heartbeat timeouts from occurring, and thus no cluster members will be marked failed.


578951-2 : TCP Fast Open connection timeout during handshake does not decrement pre_established_connections

Component: Local Traffic Manager

Symptoms:
If a TCP connection is started and contains a valid Fast Open cookie, then times out during the three-way handshake, the failure is not accounted for properly. If this occurs more than a threshold number of times, BIG-IP will stop performing TCP Fast Open.

Conditions:
A TCP connection using TCP Fast Open with a valid Fast Open cookie times out during the three-way handshake.

Impact:
Each connection that times out in this fashion decreases the number of valid pre-established connections that the BIG-IP can support. If the number of connections timed out in this fashion rises above a threshold, BIG-IP will act as if TCP Fast Open is disabled. This threshold cannot be changed.

Fix:
Decrement the pre-established connections counter when a TCP Fast Open connection times out during the initial handshake.


578573-1 : SSL Forward Proxy Forged Certificate Signature Algorithm

Component: Local Traffic Manager

Symptoms:
In SSL Forward Proxy, the signature algorithm used by the CA certificate configured on the client SSL profile can change the signature algorithm used by the server certificate.

For example, if the server certificate uses SHA1 but the CA certificate configured in client SSL profile uses SHA256, the forged certificate will use SHA256. If the server certificate uses SHA256 but the CA certificate configured in client SSL uses SHA1, the forged certificate will use SHA1.

Both scenarios are a problem for a customer.

Conditions:
when the signature algorithm of the CA certificate configured in client SSL profile differs from the signature algorithm of the server certificate.

Impact:
The signature algorithm of forged certificate may differ from the signature algorithm of the server certificate.

Workaround:
Configure the CA certificate in client SSL profile so that the signature algorithm matches that in server certificate.


578570-1 : OpenSSL Vulnerability CVE-2016-0705

Solution Article: K93122894


578564-4 : ICAP: Client RST when HTTP::respond in HTTP_RESPONSE_RELEASE after ICAP REQMOD returned HTTP response

Component: Service Provider

Symptoms:
Connection aborted with RST "ADAPT unexpected state transition (old_state 22 event 7)"

Conditions:
An HTTP virtual has a request-adapt profile.
The ICAP server returns an HTTP response for REQMOD.
An iRule executes HTTP::respond in the HTTP_RESPONSE_RELEASE event.

Impact:
HTTP::respond cannot be used to modify an HTTP response returned by an ICAP server that is modifying an HTTP request.

Fix:
HTTP::respond works as expected even on an HTTP response returned by an ICAP server after request adaption.


578551-5 : bop "network 0.0.0.0/0 route-map Default" configuration is lost after after restart/reboot

Component: TMOS

Symptoms:
network 0.0.0.0/0 route-map Default is missing in bgp after a restart/reboot

Conditions:
"network 0.0.0.0/0 route-map Default" is configured in bgp

Impact:
The bgp doesn't have the same configuration after a restart/reboot. persistence of bgp protocol is not maintained leading to unexpected behavior of bgp

Fix:
the persistence of "network 0.0.0.0/0 route-map Default" in bgp is maintained after a restart/reboot


578415-2 : Support for hardware accelerated bulk crypto SHA256 missing

Component: Local Traffic Manager

Symptoms:
Requests for bulk crypto SHA256 will be performed in software, not by the accelerator.

Conditions:
Any bulk crypto operation that uses SHA256 on the BIG-IP 1600, 3600, 5000, 6900, 7000, 8900, 10000, 11000, 11050, and 12000 platforms, and on VIPRION B2250 blades.

Impact:
The request will be completed in software which may result in increased CPU load.

Workaround:
None.

Fix:
Requests for bulk crypto operations using SHA256 will be assigned to a hardware accelerator, and no longer serviced in software.


578413-1 : Missing reference to customization-group from connectivity profile if created via portal access wizard

Component: Access Policy Manager

Symptoms:
An extra customization group is created for connectivity profile when the profile is created via portal access wizard and the configuration is reloaded.

Conditions:
Use portal access wizard to create configure objects.

Impact:
There is no functional impact since customization is not actually used for connectivity group.

Workaround:
Create configure object manually rather than via wizard.

Fix:
There will be a reference to customization group from connectivity profile when the profile is created by wizard.


578064 : tmsh show sys hardwares show "unavailable" for hard disk manufacturer on B4400/B4450 blade

Component: TMOS

Symptoms:
tmsh show sys hardware show "unavailable" for hard disk manufacturer

Conditions:
In VIPRION B4400/B4450 blades, tmsh show sys hardware always shows "unavailable" for hard disk manufacturer.

Impact:
Can't get correct hard disk manufacturer information.

Fix:
Fixed


578036-1 : incorrect crontab can cause large number of email alerts

Component: TMOS

Symptoms:
There is an incorrect crontab entry in /etc/cron.usbflush for /sbin/lsusb

Conditions:
This occurs for the usbflush entry.

Impact:
usbflush does not run, alert email is generated once per minute.

Workaround:
change /etc/cron.usbflush to use /usr/sbin/lsusb

Fix:
Fix /etc/cron.usbflush to use /usr/sbin/lsusb


577863-5 : DHCP relay not forwarding server DHCPOFFER and DHCPACK message after some time

Solution Article: K56504204

Component: Policy Enforcement Manager

Symptoms:
If the routing table on the DHCP server is misconfigured, so that the DHCP server knows how to send packets to the BIG-IP self IP address (used by the BIG-IP system DHCP relay), but does not know how to send packets to DHCP clients, DHCP clients will not receive a DHCP reply for unicast requests and will start to broadcast DHCP renewal. After a while, the BIG-IP system will stop relaying DHCPOFFER and DHCPACK back to DHCP clients altogether.

Conditions:
DHCP server unicast reply back to client is not received by client, causing DHCP client to send broadcast DHCP packets (with client's IP address as the source IP address).

Impact:
The BIG-IP system stops relaying DHCPOFFER and DHCPACK back
to DHCP clients.

Workaround:
Modify the DHCP server routing table, so that the DHCP server can deliver DHCP reply packets back to clients successfully.

Fix:
DHCP relay now continues forwarding the server DHCPOFFER and DHCPACK messages under these conditions.


577474-3 : Users with auditor role are unable to use tmsh list sys crypto cert

Solution Article: K35208043

Component: TMOS

Symptoms:
The system returns error messages after running the following command: tmsh list sys crypto cert. Error messages appear similar to the following:

-- Key management library returned bad status: -4, Invalid Parameter.
-- Unexpected Error: Can't chmod key management directory: "/var/tmp/key_mgmt", error: [1] Operation not permitted".

Conditions:
-- BIG-IP user accounts configured with the auditor role.
-- Running the command: tmsh list sys crypto cert.

Impact:
BIG-IP users with the auditor role cannot view certificates using the command: list sys crypto cert.

Workaround:
Use the following command: sys file ssl-cert

For example, use either of the following:
-- list sys file ssl-cert default.crt
-- list sys file ssl-cert

Fix:
BIG-IP users with the auditor users can now see certificates using the following command: list sys crypto cert.


576591-6 : Support for some future credit card number ranges

Component: Application Security Manager

Symptoms:
ASM does not block or mask when a specific credit card number range appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains credit card number with specific ranges.

Impact:
The traffic passes unmasked or unblocked to the end client.

Workaround:
A custom pattern is possible for these cases, but should be adjusted to each configuration specifically.


576478 : Enable support for the Purpose-Built DDoS Hybrid Defender Platform

Component: Advanced Firewall Manager

Symptoms:
N/A

Conditions:
Requires new DoS License

Impact:
None

Fix:
This fix adds support for recognition of a Purpose-Built DDoS Hybrid Defender license, and the necessary mechanisms to launch the DDoS Application.

Behavior Change:
There is no change in behavior to existing behavior and functionalities. However, when a DoS License is installed, the Big-IP platform takes on the role of a dedicated DoS protection device. Consequently most non-DoS related functionalities are either disabled or function in limited capacity.


576311-1 : HTTP Strict Transport Security (HSTS) configuration error when no clientssl profile is present

Solution Article: K41335027

Component: Local Traffic Manager

Symptoms:
A configuration error is encountered when creating or modifying a virtual server with HTTP profile and no "clientssl" (or derived) profile attached, when HTTP Strict Transport Security (HSTS) is enabled.

Conditions:
Creating or modifying a virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled, when no clientssl or derived profile is attached to the virtual server.

Impact:
Error while configuring a virtual server with HTTP profile and no "clientssl" (or derived) profile attached, when HTTP Strict Transport Security (HSTS) is enabled.

Workaround:
Add a "clientssl" (or derived) profile to the virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled.

Fix:
The system now provides validation of HTTP Strict Transport Security (HSTS) to require 'clientssl' (or derived) profile profile to a virtual server with HTTP profile and HTTP Strict Transport Security (HSTS) enabled.


576305-7 : Potential MCPd leak in IPSEC SPD stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IPSEC SPD stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPSEC SPD stats.


576123-3 : ASM policies are created as inactive policies on the peer device

Solution Article: K23221623

Component: Application Security Manager

Symptoms:
ASM policies are created as inactive policies on the peer device.

Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.

Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.

Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.

Fix:
This release fixes the ASM Synchronization mechanism so that ASM policies are correctly created on the peer device


575919-3 : Running concurrent TMSH instances can result in error in access to history file

Component: TMOS

Symptoms:
TMSH writes to the ~/.tmsh-history-username file whenever a command is issued. Running concurrent instances of TMSH can result in a race condition in writing this file.

Conditions:
Running multiple instances can cause one instance of TMSH to lock the history file while the other is trying to access it, resulting in an error.

Impact:
Updating the history file fails, so the file does not reflect the actual history of the commands that have been issued.

Workaround:
Only run a single instance of TMSH.

Fix:
Running concurrent TMSH instances no longer results in error in access to history file.


575649-5 : MCPd might leak memory in IPFIX destination stats query

Component: TMOS

Symptoms:
MCPd might leak memory in IPFIX destination stats query.

Conditions:
In some cases, querying IPFIX destination stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IPFIX destination stats.


575629-3 : NTP vulnerability: CVE-2015-8139

Solution Article: K00329831


575591-6 : Potential MCPd leak in IKE message stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE message stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE message stats.


575589-5 : Potential MCPd leak in IKE event stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying IKE event stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying IKE event stats.


575587-7 : Potential MCPd leak in BWC policy class stats query code

Component: TMOS

Symptoms:
MCPd leaks memory.

Conditions:
In some cases, querying BWC policy stats can leak memory.

Impact:
MCPd might eventually run out of memory and core.

Workaround:
None.

Fix:
This release fixes the memory leak that could occur when querying BWC policy stats.


575444-1 : Wininfo agent incorrectly reports OS version on Windows 10 in some cases

Component: Access Policy Manager

Symptoms:
If Custom Dialer client is used to establish VPN, Wininfo agent incorrectly reports OS as Win8 on Microsoft Windows 10.

This could result in VPN establishment failure.

Conditions:
Custom Dialer client is used on Windows 10
Access policy uses Wininfo agent.

Impact:
VPN cannot be established.

Workaround:
None.

Fix:
Wininfo agent now correctly reports OS version when running Custom Dialer client on Microsoft Windows 10.


575176-1 : Syn Cookie cache statistics on ePVA enabled devices is incremented with UDP traffic

Solution Article: K58275035

Component: TMOS

Symptoms:
In some scenarios UDP traffic can cause syncookie statistics to be incremented.

Conditions:
Virtual server with fastL4 profile with ePVA offload enabled.
Virtual server to handle UDP traffic.

Impact:
Statistics might be incorrectly incremented, and can lead to early syncookie activation if used in conjunction with TCP on the same virtual server.

Fix:
The BIG-IP system no longer increases Syn Cookie cache statistics on ePVA enabled devices with UDP traffic.


575170-2 : Analytics reports may not identify virtual servers correctly

Component: Application Visibility and Reporting

Symptoms:
In certain configurations, Analytics statistics on virtual server activity may not be reported correctly.

Conditions:
This occurs for virtual servers that are configured in one of these ways:

1. Two virtual servers have the same IP-Port-RouteDomain setting, but they use different protocols (such as TCP for one and UDP for the other) or different sources.

2. A virtual server is defined with a masked IP address rather than an explicit address (for example, 10.10.10.0/24).

Impact:
As a result, Analytics reports show an Aggregated Virtual Server or an incorrect one instead of displaying the correct virtual servers.

Workaround:
None.

Fix:
Correct identification of the virtual server and the activity reported in the charts is displaying to the right virtual server.


575133-1 : asm_config_server_rpc_handler_async.pl SIGSEGV and core

Component: Application Security Manager

Symptoms:
asm_config_server_rpc_handler_async.pl SIGSEGV and core

Conditions:
Import ASM XML security policy

Impact:
asm_config_server_rpc_handler_async.pl SIGSEGV and core. This occurs after the policy import completes.

Workaround:
N/A

Fix:
The asm_config_server_rpc_handler_async.pl no longer crashes upon import ASM XML security policy.


575066-1 : Management DHCP settings do not take effect

Component: TMOS

Symptoms:
Modifications to /sys management-dhcp do not take effect.

Conditions:
Custom management-dhcp settings configured.

Impact:
DHCP for management interface does not function correctly.

Workaround:
Perform the following procedure:

1. Remount /usr to be read-write.
# mount -o rw,remount /usr

2. Edit the following file, which is a symlink into /usr.
# vi /defaults/config/templates/dhcp.tmpl

3. Change this line around line 7 to add escaped quotes
   print "interface \"$mgmt_interface\" {\n";

4. Remount /usr back to read-only.
# mount -o ro,remount /usr

5. Make a change to the list of DHCP requested options.
# tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { ntp-servers }

6. Verify that "eth0" is quoted in this file:
# grep interface /etc/dhclient.conf
interface "eth0" {

7. Create a symbolic link to dhclient.conf
# cd /etc/dhcp
# ln -s ../dhclient.conf .

8. Restart DHCP on the management interface.
# tmsh modify sys global-settings mgmt-dhcp disabled
# tmsh modify sys global-settings mgmt-dhcp enabled

No system reboot should be necessary.

Fix:
Management DHCP settings now take effect as expected when custom management-dhcp settings are configured.


575027-1 : Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Component: TMOS

Symptoms:
Tagged VLAN configurations with a cmp-hash setting for the VLAN, might result in performance issues.

Conditions:
This occurs when the following conditions are met:
1. Use of tagged VLANs in the configuration.
2. Change cmp-hash of the tagged VLAN.

Impact:
Throughput is lower than expected. Packets are not being hashed using the hash set in config. (This can be verified by looking at 'tmm/flow_redir_stat'.)

Workaround:
Use untagged VLANs and hypervisor side tagging.

Fix:
You can now use tagged VLAN configurations along with a cmp-hash setting for the VLAN, without compromising performance.


575011-1 : Memory leak. Nitrox3 Hang Detected.

Solution Article: K21137299

Component: Local Traffic Manager

Symptoms:
System exhausts available memory due to compression memory leak. Prior to running out of memory, repeatedly logs "Nitrox3 Hang Detected".

Conditions:
Compression device unavailable during creation of a new context.

Impact:
System can run out of memory.

Workaround:
Disable hardware compression using tmsh:

% tmsh modify sys db compression.strategy softwareonly

Fix:
Repaired memory leak.


574880-3 : Excessive failures observed when connection rate limit is configured on a fastl4 virtual server.

Component: Local Traffic Manager

Symptoms:
When connection rate limit is set on a fastL4 virtual server,
client connections hang with high probability.

Conditions:
Set Connection Rate Limit on a fastL4 virtual server.

Impact:
Client connections hang with high probability.

Workaround:
Do rate limiting using iRules.
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting

Fix:
Fixed Connection Rate Limiting on a fastL4 virtual server.


574526-1 : HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter

Solution Article: K55542554

Component: Local Traffic Manager

Symptoms:
HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter.

Conditions:
when http/2 or spdy is configured and client query URI contains '?' (question mark).

Impact:
No query parameter will be returned.

Workaround:
None.

Fix:
Issue fixed.


574052-4 : GTM autoconf can cause high CPU usage for gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
The autoconf feature of GTM can cause high CPU utilization (~90%) under certain situations.

In large configurations of LTM vses that contain "." (dot) in the name.

Conditions:
Large configuration of LTM VS that contain "." in the name have the name converted ("." is replaced by "_") and the LTM VS name is saved to the config.

This causes the matching algorithm in autoconf to spend many CPU cycles walking the list of VS to find a match.

This problem is caused by large numbers of VSes on a GTM Server. (10k VSes on 10k Server is less of an issue
than 10k VSes on 1 GTM Server)

Impact:
CPU usage is high, which may impact monitoring and LB decisions.

Workaround:
There are some mitigations. The preferable (for performance
and stability) are listed first.

1. Rename the virtual servers on the LTM to remove the "."
   This would require deleting the GTM configuration and
   rediscovering it and recreating pools.

2. Turn off autoconf.
   Run autoconf once to populate the config, then turn it
   off.

3. Reduce the frequency of autoconf. It will still cause
   a high CPU usage scenario, but it will be less frequent.

Versions 12.0.0 and higher do not convert the "." to "_". So that problem is eliminated for new configurations.
If a customer upgrades to 12.0.0 and the config still contains VS names that were previously converted, they still may run into high CPU usage.
Upgrading to 12.0.0 alone does not fix this issue, a reconfig would be necessary.

Fix:
Change algorithm used to match LTM VS names to GTM VS to reduce linear walk of all VSes on a server.


574020-5 : Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}')

Component: Local Traffic Manager

Symptoms:
Safenet HSM installation script fails to install successfully if partition password contains special metacharacters (!#{}').

Conditions:
This issue occurs when the following conditions are met:

-- Safenet HSM installation.
-- Password contains special metacharacters (!#{}').

Impact:
Script fails to work properly, and fails to properly install/configure the HSMs, requiring manual intervention. Performing the operation manually is very complex, because the user must account for both tmsh and shell quoting, which the some user environments might not have.

Workaround:
Change password, or manually run tmsh command to define the /sys crypto fips external-hsm object (using proper shell quoting).

Fix:
Safenet HSM installation script install now completes successfully if partition password contains special metacharacters (!#{}').

Note: When using passwords with non-alphanumeric characters, make sure that they are escaped correctly, so that bash does not attempt to reinterpret or expand the password.


573764-1 : In some cases, only primary blade retains it's statistics after upgrade on multi bladed system

Component: Application Visibility and Reporting

Symptoms:
Statistics from the primary blade remain after upgrade, but not from the other blades.

Conditions:
Upgrade to new version in multi bladed system.

Impact:
Not all statistics are present after upgrade.

Workaround:
No workaround


573643-3 : flash.utils.Proxy functionality is not negotiated

Component: Access Policy Manager

Symptoms:
Access to some field names of classes inherited from flash.utils.Proxy is broken.

Conditions:
Presence of flash.utils.Proxy descendants.

Impact:
Customer application malfunction.

Workaround:
None.


573611-1 : Erroneous error message Access encountered error: ERR_NOT_FOUND may appear in APM logs

Component: Access Policy Manager

Symptoms:
When a user session times out, then subsequently attempts access using the expired session ID, APM may log a log message at "err" level similar to this:

Aug 15 14:54:25 bigip.hostname err tmm[10206]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access_session.c, Function: access_session_delete, Line:

Conditions:
User is logged into APM and session times out.

Impact:
Error log messages may be confusing to BIG-IP APM administrators. The client is able to successfully reconnect.

Fix:
Erroneous messages of "Access encountered error: ERR_NOT_FOUND" are no longer logged in the APM log.


573602-1 : FQDN pool members not shown by tmsh show ltm monitor

Component: Local Traffic Manager

Symptoms:
The tmsh 'show ltm monitor <monitor-type>' command does not display the status of FQDN pool members.

Conditions:
-- LTM monitor is assigned to FQDN pool members (including FQDN members of an LTM pool to which the monitor is assigned).
-- Running the tmsh command: show ltm monitor <monitor-type>.

Impact:
Unable to view status of FQDN pool members via the tmsh 'show ltm monitor <monitor-type>' command.

Workaround:
There is no workaround at this time.

Fix:
The status of FQDN pool members is displayed by the tmsh 'show ltm monitor <monitor-type>' command. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


573584 : CPLD update success logs at the same error level as an update failure

Component: TMOS

Symptoms:
On booting after a successful CPLD update, you see an error in /var/log/ltm: "err chmand[4933]: 012a0003:3: CPLD not updated after previous power cycle."

Conditions:
This occurs during reboot after a successful firmware update

Impact:
The message is logged as an error, but it actually means that the CPLD version is as it is expected to be. This error can be safely ignored.

Fix:
CPLD update not required is now logged at the info level, not error.


573366-4 : parking command used in the nesting script of clientside and serverside command can cause tmm core

Component: Local Traffic Manager

Symptoms:
tmm cores in configuration using certain iRules

Conditions:
An iRule that parks the interpreter is used in the nesting script of clientside and serverside command. (e.g. when doing a table lookup).

For more information on iRule commands that park, see SOL12962: Some iRule commands temporarily suspend iRule processing, https://support.f5.com/kb/en-us/solutions/public/12000/900/sol12962.html

Impact:
Traffic disrupted while tmm restarts.

Workaround:
move the parking command outside the nesting script.


573343-1 : NTP vulnerability CVE-2015-8158

Solution Article: K01324833


573302-1 : FQDN pool member remains in disabled state after removing monitor

Component: Local Traffic Manager

Symptoms:
If an FQDN pool member has been disabled by a monitor (for example, after the monitor receives the configured recv-disable string from the node) and the monitor is then removed from the pool or member configuration, the FQDN pool member remains in a 'disabled' state (state and session-status are 'disabled') instead of changing to an 'unknown' state.

Conditions:
-- FQDN pool member is marked 'disabled' by a monitor.
-- The monitor is then removed.

Impact:
The FQDN pool member remains in a 'disabled' state and is unable to receive traffic.

Workaround:
There is no workaround at this time.

Fix:
When an FQDN pool member is marked 'disabled' by a monitor, then the monitor is removed, the FQDN pool member is updated to an 'unknown' state. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


573075-4 : ADAPT recursive loop when handling successive iRule events

Component: Service Provider

Symptoms:
After the first iRule resumes from being parked, ADAPT attempts to process the second iRule event repeatedly.
The connection is aborted with RST cause 'ADAPT unexpected state transition'.

The adapt profile statistic 'records adapted' reaches a very high number as it counts every attempt.

Conditions:
-- A requestadapt or responseadapt profile is configured.
-- An iRule is triggered on the ADAPT_REQUEST_RESULT or ADAPT_RESPONSE_RESULT event, that parks.
-- The modified headers (from an ICAP server) arrive at the ADAPT filter while the first event is parked.
-- Any iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event does not park.

Impact:
The connection is aborted with RST cause 'ADAPT unexpected state transition'.

The 'records adapted' statistic reaches a very high number.
Eventually the TMM crashes and the BIG-IP system fails over.

Workaround:
If possible, arrange the iRules to avoid the conditions above.

In particular, if there is no better way, it is possible to avoid this if there is an iRule on the ADAPT_REQUEST_HEADERS or ADAPT_RESPONSE_HEADERS event that parks.

Fix:
ADAPT correctly processes successive iRule events exactly once for each adaptation, and the 'records adapted' statistic reports the correct number.


573031-1 : qkview may not collect certain configuration files in their entirety

Component: TMOS

Symptoms:
If the following files exceed 5M in size, they will be truncated when collected by qkview:

/config/partitions/*/bigip.conf
/config/partitions/*/BIG-IP_base.conf
/config/BIG-IP_gtm.conf

Conditions:
Any of the listed files exceeds 5 Mbytes.

Impact:
Fault diagnosis may be affected.

Workaround:
Create a qkview, and examine the qkview_run.data file. If this file indicates that any of the listed files has been truncated, manually copy that file from the BIG-IP device.


572885-1 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
ASM provisioned.
Device group w/ ASM policy sync configured.
ASM Policy is in automatic learning mode.
A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.


572568-2 : Gy CCR-i requests are not being re-sent after initial configured re-transmits

Component: Policy Enforcement Manager

Symptoms:
For Gy interface, if OCS doesn't respond to the initial set of CCR-I requests as per the diameter-endpoint profile (1+ msg-max-retransmits <n>), the new set of CCR-I requests are not being generated, even after provisioning pending timeout happens.

Conditions:
This issues happens only for Gy interface and when initial set of CCR-I request doesn't get a CCA response.

Impact:
The subscriber will be left in Idle state till the default quota is breached and brought down or subscriber can reconnect once OCS CCA response is fixed.

Workaround:
Re-connect the subscriber once the CCA response is fixed in OCS

Fix:
The solution is to resend CCR-I requests once the provisioning timeout happens


572558-1 : Internet Explorer: incorrect handling of document.write() to closed document

Component: Access Policy Manager

Symptoms:
HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page.

Conditions:
HTML page with document.write() calls inside event handlers or another scripts executed after document loading.
Strings passed to document.write() function contain HTML tags with URL or another re-writable content in attributes.

Impact:
HTML page is not shown at all or works incorrectly in Internet Explorer.

Workaround:
No workaround known

Fix:
Now HTML pages with document.write() calls for closed document are handled correctly by Portal Access.


572281-5 : Variable value in the nesting script of foreach command get reset when there is parking command in the script

Component: Local Traffic Manager

Symptoms:
When there is something like the following script:

foreach a [list 1 2 3 4] {
   set a 10
   after 100
}

There is parking command, after, in the script and it runs after "set a 10", when after command returns, the value of a goes back to the initial value set in the foreach, value of 10 is lost.

Conditions:
There is parking command in the nesting script of foreach. For more information on commands that park, see K12962: Some iRule commands temporarily suspend iRule processing at https://support.f5.com/csp/#/article/K12962

Impact:
Variable values get reset.

Workaround:
Set(or set again) the variable value after the parking command.

Fix:
Will fix in later release.


572272-5 : BIG-IP - Anonymous Certificate ID Enumeration

Solution Article: K65355492


572234-2 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp

Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.


572133-5 : tmsh save /sys ucs command sends status messages to stderr

Component: TMOS

Symptoms:
When you run the tmsh save /sys ucs command, some normal status messages are being sent to stderr instead of stdout. This will be seen if a you are watching stderr for error messages.

Conditions:
There are no conditions, every time the command is run, it will send some status type messages to stderr.

Impact:
If a script runs the command it may report that the save failed because messages were send to stderr.

Workaround:
You can ignore the message "Saving active configuration..." being sent to stderr. It is not an error.

Fix:
The command will send the status messages to stdout.


571651-3 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.

An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.

Fix:
The crypto accelerator is gracefully reset when the accelerator stalls due to a misconfigured request.

Note: This issue resolution is limited to SSL handshake issues, and is not a resolution for all possible causes of a 'queue stuck' event.


571095-1 : Monitor probing to pool member stops after FQDN pool member with same IP address is deleted

Component: Local Traffic Manager

Symptoms:
If an FQDN pool member resolves to the same IP address (node) as a non-FQDN (static) pool member, and the FQDN pool/member is deleted, no further monitor probes are sent to the remaining non-FQDN (static) pool member.

Conditions:
This occurs if an FQDN pool member resolves to the same IP address (node) as an existing non-FQDN (static) pool member.

Impact:
Loss of health monitoring to remaining non-FQDN (static) pool member.

Workaround:
There is no workaround other than avoiding creating a static pool member with the same IP address that could be resolved to an FQDN name.

Fix:
An FQDN pool member and static (non-FQDN) pool member can no longer be created with the same IP address, preventing loss of monitoring of the static member of the conflicting FQDN pool member is deleted. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.


570818-4 : Address lease-pool in IKEv2 might interfere with IKEv2 negotiations.

Component: TMOS

Symptoms:
LTM IPsec IKEv2 does not support dynamic remote-address CONFIG option, but still might potentially process that information sent by third-party devices. The configuration changes from this option might affect traffic-selector selection in IKEv2 negotiations, leading to wrong matching results and failure in establishing IPsec SA.

Conditions:
Certain third-party vendor devices are the remote IKEv2 peer, for example, a CISCO APIC device.

Impact:
Failure in establishing IPsec SA.

Workaround:
None.

Fix:
Address lease-pool in IKEv2 no longer interferes with IKEv2 negotiations.


570697-1 : NTP vulnerability CVE-2015-8138

Solution Article: K71245322


570667-2 : OpenSSL vulnerabilities

Solution Article: K64009378


570570-5 : Default crypto failure action is now 'go-offline-downlinks'.

Component: Local Traffic Manager

Symptoms:
Previously, if a crypto accelerator encountered a failure, the default action was "none" or "failover". Now, the default behavior is "go-offline-downlinks".

(Note: You can find information on crypto accelerator fail-safe behavior in K16951: Overview of SSL hardware acceleration fail-safe :: https://support.f5.com/csp/article/K16951.)

Conditions:
Crypto accelerator encounters a failure and crypto.ha.action has not been changed from its default.

Impact:
If a hardware accelerator failed on a blade in a chassis, the system would failover, but if there was a second failover back to the chassis with the failed blade, SSL traffic might get dropped.

Workaround:
Set the db variable crypto.ha.action to your desired value.

Fix:
Previously, if a crypto accelerator encountered a failure, the default action was either 'none' or 'failover'. Now, the default behavior is 'go-offline-downlinks'.

Behavior Change:
The default value of the db variable crypto.ha.action has changed to 'go-offline-downlinks'. The only time this has an effect on the system is when a crypto accelerator fails. For a chassis, this value will cause the blade that had the failed crypto device to go offline, leaving the other blades to handle the load, while an appliance will failover to its standby peer. See https://support.f5.com/csp/article/K16951 for more details.


570277-1 : SafeNet client not able to establish session to all HSMs on all blades.

Solution Article: K16044231

Component: Local Traffic Manager

Symptoms:
SafeNet client not able to establish session to all HSMs on all blades.

Conditions:
When the BIG-IP chassis is used with SafeNet HSM high availability (HA), and when BIG-IP tmm interface is used.

Impact:
SafeNet HSM HA is not being used at its maximal capacity.

Workaround:
Restart pkcs11d to mitigate this issue.

Fix:
We have adjusted the startup timing of pkcs11d to wait until tmm initialization finishes. Also we added retry for pkcs11d threads when connecting to HSM.


570217-2 : BIG-IP APM now uses Airwatch v2 API to retreive device posture information

Component: Access Policy Manager

Symptoms:
Airwatch version 8.3 and above no longer use the v1 REST API. APM is not be able to retrieve device information from Airwatch MDM version 8.3 and higher and device posture checking in APM policies fails.

Conditions:
- Airwatch configured on APM
- Airwatch is upgraded to version 8.3 or higher

Impact:
BIG-IP APM is unable to retrieve device information and device posture check will fail.

Workaround:
n/a

Fix:
BIG-IP APM now utilizes the Airwatch v2 API to access device posture information.

Important: you must be using Airwatch release 8.3 and up because older releases do not support the v2 REST API end points.


570057-2 : Can't install more than 16 SafeNet HSMs in its HA group

Component: Local Traffic Manager

Symptoms:
With installation script on the BIG-IP, you can't install more than 16 SafeNet HSMs in its high availability group with versions 5.2 and 5.4.

Conditions:
Attempt to install more than 16 SafeNet HSMs.

Impact:
Installer script failure.

Workaround:
The limit is set by SafeNet. Currently, with F5-supported 5.2 and 5.4 client software, SafeNet doesn't allow more than 16 HSMs in one high availability configuration.

Fix:
Updated SafeNet installation scripts by replacing "vtl" to "lunacm" for high availability group creation and member adding operations for version 6.2.


569814-2 : iRule "nexthop IP_ADDR" rejected by validator

Solution Article: K30240351

Component: Local Traffic Manager

Symptoms:
The nexthop command allows an administrator the ability to specify a forwarding address in an iRule. The form which takes an IP address may be rejected by the validator with an error message of the form:

01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]

Conditions:
This occurs when the nexthop command contains only the IP address, for example:

when HTTP_REQUEST {
  nexthop 10.0.0.1
}

Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.

Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:

    when HTTP_REQUEST {
nexthop internal 10.0.0.1
    }

Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.


569563-3 : Sockets resource leak after loading complex policy

Component: Access Policy Manager

Symptoms:
File descriptors used by apmd remain unclosed (TCP and UDP) after loading a complex access policy.

After some time, the APM process file descriptor table is exhausted and no more access policies are processed.

The following error messages may be observed in the logs:

err apmd[16013]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 86 Msg: epoll_create() failed [Too many open files].

Conditions:
This can happen at the initial stage after apmd starts, or later when policies are reloaded. Although this is not directly related to log-level, this problem is easier to observe when the access control log-level is Warning or lower (Notice, Info, Debug).

File descriptors leak (remain unclosed) after loading complex policies that contain many agents.

Impact:
The APM process is unable to create new sessions, leading to an inability to process access policy operations.

Workaround:
This can happen at the initial stage after apmd starts, or later when policies are reloaded.

Current preferred workaround is to set log level to ERROR or higher and restart apmd.

When a large number of file descriptors has already been observed, the only way to close them other than disabling logging is to raise log levels to ERROR or above, and then issue the following command:

bigstart restart apmd

Note 1: Do not use sys db variables to change log level for versions 12.0.0 and later.

Note 2: Double-check log levels using the following command: tmsh list apm log-setting all-properties

Note 3: Opened file descriptors do not close until apmd is restarted.

Note 4: When in doubt (about whether file descriptors are leaking), run the following command on the BIG-IP system:

lsof -p `pidof apmd` | grep TCP; lsof -p `pidof apmd` | grep UDP. This gives you the number of open files.

- Detailed steps to change logging-level to ERROR:

Step 1. Modify access control log level using the following command: tmsh modify apm log-setting all access modify { all { log-level { access-control err } } }

Step 2. Check the log levels using the following command: tmsh list apm log-setting all-properties

Step 3. Manually restart apmd using the following command: bigstart restart apmd

Fix:
Sockets are now closed properly, so there is no longer file descriptor leakage when loading or reloading complex access policies.


569542-1 : After upgrade, user cannot upload APM Sandbox hosted-content file in a partition existing before upgrade

Component: Access Policy Manager

Symptoms:
After upgrade, an existing user-created partition will not be able to load any existing hosted-content file or upload a new one.

The issue happens because the required APM Sandbox directory w.r.t. this partition is missing after the upgrade.

01070734:3: Configuration error: Cannot create symbolic link to sandbox. Error: No such file or directory. If you have access to bash shell, try to run command: ln -s /config/filestore/files_d/p1_file_d/sandbox_file_d /var/sam/www/webtop/sandbox/files_d/p1_d/sandbox_file_d. Then try to upload file again.
Unexpected Error: Loading configuration process failed.

REPRODUCTION STEPS:
1) Before upgrade, create a partition (make sure APM is provisioned), say 'p1'.
2) Install the upgrade and reboot.
3) After upgrade, partition 'p1' is created but the required directory '/var/sam/www/webtop/sandbox/files_d/p1_d' is not created.

This can occur on upgrades from prior to 11.6.0 to 11.6.0 through 12.1.0.

Conditions:
Partition is created before the upgrade.

Impact:
Configuration load fails if the existing partition had any hosted-content file before upgrade. If it did not have any hosted-content file before upgrade, the configuration load will be successful, but the user cannot upload/create a new hosted-content file in this partition sandbox.

Workaround:
Workaround is manually create the required sandbox directory using bash command:

mkdir -p /var/sam/www/webtop/sandbox/files_d/p1_d


569467-5 : BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Solution Article: K11772107


569355-1 : Java vulnerabilities CVE-2015-4871 CVE-2015-7575 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494

Solution Article: K50118123


569316-1 : Core occurs on standby in MRF when routing to a route using a transport config

Component: Service Provider

Symptoms:
If routing a message to a route that uses a transport-config to define how to create an outgoing connection, the standby device will core.

Conditions:
routing a message to a route that uses a transport-config to define how to create an outgoing connection.

Impact:
The standby device will core.

Workaround:
NA

Fix:
Fix properly initializes a field on the standby.


569309-3 : Clientside HTML parser does not recognize HTML event attributes without value

Component: Access Policy Manager

Symptoms:
Assignment of a specific HTML content to tag.innerHTML might lead to a JavaScript error. This happens when one or more of tags in HTML text contain HTML event attributes without assigned values (such as <div onclick />).

Error messages similar to the following are logged in the browser JavaScript console:
Unable to get property 'charAt' of undefined or null reference.

Conditions:
Dynamically created HTML page with event attributes without values, for example:

<div onclick />

Impact:
Web application does not work when accessed through Portal Access.

Workaround:
You can use a customized iRule to handle a specific application.

Fix:
Now empty inline event handler attributes are not rewritten on the client side.


569288-6 : Different LACP key may be used in different blades in a chassis system causing trunking failures

Component: Local Traffic Manager

Symptoms:
In rare conditions, different blades in a chassis system may use different LACP keys for the same trunk in the LACP control frames. This will cause some of the LACP trunk members not able to aggregate successfully with peer switch.

Conditions:
This only happens in a chassis based system when certain race condition causes trunk id being modified after initial trunk creation.

Impact:
Non aggregated trunk members won't be able to pass traffic.

Workaround:
Restart lacpd in all the blades in the chassis by running command "clsh bigstart restart lacpd"


569195-1 : A Set-Cookie for an existing ASM cookie without value change

Solution Article: K41874435

Component: Application Security Manager

Symptoms:
A Set-Cookie command appears for an ASM cookie (TS cookie) where the value has not changed and the set-cookie command is not needed.

Conditions:
-- The policy building is automatic or manual mode.
-- Additional features may also cause TS cookie setting, but usually these will also include cookie changes.

Impact:
The unneeded cookie may disturb caching and cause additional unnecessary bandwidth consumption.

Workaround:
If possible, turn off the policy builder.

Fix:
Unneeded set cookie for an ASM cookie is not issued.


569121-1 : Advanced Detection rate limiting can be incorrect in multi-blade clusters when rate limit is low

Component: Anomaly Detection Services

Symptoms:
If you have a large CMP configuration using Advanced Detection and rate limiting with a low rate limit applied, the per-core rate limit on attack traffic can end up being lower than the desired overall rate limit.

Conditions:
This was seen during internal testing with a large number of cores (3 blades / 24 cores) and a very low rate limit applied.

Impact:
Overall rate limit is lower than expected.

Fix:
Improvements were made to rate limiting in environments with a high number of tmms


569100-1 : Virtual server using NTLM profile results in benign Tcl error

Component: TMOS

Symptoms:
Tcl error in /var/log/ltm.

Tcl error: bad option "serverside": must be require or preclude while executing "constrain NTLM require clientside {HTTP} serverside {CONNPOOL} preclude FTP

Conditions:
Virtual server using the NTLM profile. Only logged when the first virtual server is created or when TMM restarts.

Impact:
If you are using TMSH to configure virtual server and NTLM profile, validation/constraint is not performed/enforced.

Workaround:
This is a benign, cosmetic error. There should be no functional impact to the system.

Fix:
Fixed the unexpected error message encountered and added validation when creating a virtual server with an NTLM profile.


568672-1 : Down IPsec traffic-selector shows as 'up' in 'show net ipsec traffic-selector' and in GUI

Component: TMOS

Symptoms:
After an SA goes down, 'show net ipsec traffic-selector' may report that the traffic-selector is up. The Web UI also reports up.

Conditions:
This occurs if a tunnel times out and goes to the down state.

Impact:
Confusion on the true state of the tunnel.

Workaround:
None needed.

Fix:
Now, when a tunnel times out and goes to the down state, the state is shown correctly.


568545-2 : iRules commands that refer to a transport-config will fail validation

Solution Article: K17124802

Component: Service Provider

Symptoms:
If an iRule command refers to a transport-config, the iRule fails validation even if the object exists.

Conditions:
-- iRule command refers to a transport-config.
-- iRule validation occurs.

Example:
create ltm pool p1 members add { 10.2.3.4:5060 }
create ltm message-routing sip transport-config tc1 profiles add { udp sipsession }
create ltm virtual vs1 destination 10.1.1.50:5060 profiles add { udp sipsession siprouter }
create ltm rule r1
ltm rule r1 {
    when MR_INGRESS {
        MR::message route config tc1 pool p1 <==command refers to tc1 which is a transport-config object
    }
}

Impact:
Validation fails even though object exists. Unable to directly refer to a transport-config from an iRule command.

Workaround:
If the name of the transport-config is loaded into a Tcl variable, the Tcl variable can be use to indirectly refer to the transport-config object.

Fix:
iRule validation logic has been improved to check for the existence of a transport config object.


568543-4 : Syncookie mode is activated on wildcard virtuals

Component: Local Traffic Manager

Symptoms:
Syncookie mode can be activated with a wildcard virtual, even in the case where there is no SYN flood.

Conditions:
The default number of connections per second before activating syncookie mode is 1993. This value can be increased to a max of 4093. After this threshold is reached, then syncookie mode is activated. This is an insufficient maximum for wildcard virtuals, since they can have 30k+ connections per second.

Impact:
Syncookie mode is activated with high connection rates to a wildcard virtual.

Workaround:
Break up the wildcard virtual into multiple virtuals to reduce the number of connections per virtual.

Fix:
It is now possible to set the PvaSynCookies.Virtual.MaxSynCache DB variable to 64K (previous max was 4093)


567743-2 : Possible gtmd crash under certain conditions.

Solution Article: K70663134

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core leading to a SIGSEV due to a possible race condition.

Conditions:
Due to a possible race condition that occurs under certain conditions (such as a sync event), gtmd might core.

Impact:
This event could lead to an outage.

Workaround:
None.

Fix:
The system now correctly processes this condition so that no race condition occurs.


567546-1 : Files with file names larger than 100 characters are omitted from qkview

Component: TMOS

Symptoms:
If the filename of a file being gathered by qkview happens to be larger than 100 characters, the qkview will simply not include it.

Conditions:
No conditions necessary. Any file with a name larger than 100 characters is automatically omitted.

Impact:
Files with names larger than 100 characters are being omitted from the qkview. Since UNIX files can be 256 characters long, this potentially could omit important files that could help diagnose problems.

Workaround:
One would have to rename any files with names larger than 100 characters to names with less than 100 characters.

Fix:
Qkview was fixed to not use POSIX as the tar format, but instead to use the "GNU" format which allows for up to 256 characters (the system limit). The fixed program now allows any length of characters possible.


567457-2 : TMM may crash when changing the IKE peer config.

Component: TMOS

Symptoms:
TMM might crash when changing the IKE peer config. It can happen with either IKEv1 or IKEv2 (TMM config crash).

Conditions:
This occurs when making changes to IPsec tunnels that causes the configuration to become invalid. For example, changing ISAKMP phase1 from SHA-1 to MD5 results in an invalid configuration.

Note: This occurs in the GUI only. The tmsh 'create' command does not cause this core.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use tmsh to make the affected configuration changes... this occurs in the GUI only. The tmsh 'create' command does not cause this core.

Fix:
TMM no longer crashes when changing the IKEv1 or IKEv2 peer config, even if the changes are not valid for the configuration.


567233-1 : Multiple samba vulnerabilities

Solution Article: K92616530


567177-1 : Log all attempts of key export in ltm log

Component: TMOS

Symptoms:
Attempts to export keys are not logged.

Conditions:
-- Exporting keys.
-- Viewing ltm log.

Impact:
No messages logged to indicate the export attempts.

Workaround:
None.

Fix:
iControl:
======================
When any of the following iControl functions is called (either by the GUI or directly by a system user), the system logs it in ltm log. The log will include the iControl function name, key names, and BIG-IP user name.
key_export_to_file
key_export_to_pem
export_all_to_archive_stream
export_to_archive_stream
export_all_to_archive_file
export_to_archive_file

ltm logs example:
======================
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
-- info iControlPortal.cgi[26687]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: keys (/Common/kc.key, /Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()

tmsh:
======================
The only possibility for using tmsh to export a key is saving a UCS file, so that will be logged.

ltm logs example:
======================
notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.


GUI:
======================
There are 3 ways that a user can get key export from GUI:
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: default : Key Export
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: Archive...
-- System :: Archives :: New Archive...

These are internally implemented by using iControl and tmsh calls, so they will be automatically be logged in ltm log as iControl or tmsh users.

Behavior Change:
With this change, any attempt to export key will be logged in ltm log. Logged attempts include: save a UCS file, archive key files, or export key files, using tmsh/iControl/GUI.


566576-6 : ICAP/OneConnect reuses connection while previous response is in progress

Component: Service Provider

Symptoms:
ICAP with OneConnect sometimes initiates a new ICAP request (REQMOD or RESPMOD) on the server connection while a previous response on the same connection is still being streamed from the ICAP server. This can cause the server to append the new response after the end of the previous response, in the same packet.

Conditions:
There is a 'oneconnect' profile on the internal virtual server along with the 'icap' profile.
Triggered by a disconnection of the IVS by the parent HTTP virtual server, before the ICAP transaction is complete.
This can happen for a number of reasons, such as an error in detected on the HTTP virtual server, or an HTTP::respond iRule that replaces an IVS response in progress.

Impact:
The connection used by the interrupted transaction is returned to the pool for reuse, potentially resulting in a new ICAP transaction beginning before the end of the interrupted one, and its response may be concatenated to the incomplete tail of the first one. OneConnect is unable to separate the contiguous ICAP responses whose boundary is within a packet. All the packet payload goes to the first ICAP transaction, and any payload after the terminating chunk is discarded. Thus the beginning of the second response is lost and its header parser gets confused. It keeps waiting for more data and rescanning the entire response, resulting in increasing CPU use up to 100% until the connection is aborted.

Workaround:
Remove OneConnect.

Fix:
Big-IP with ICAP and OneConnect never reuses a server connection while a previous ICAP transaction is still in progress. Whenever the IVS disconnects prior to completion of an ICAP transaction, the connection is not pooled for reuse.


566507-4 : Wrong advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.

Fix:
The advertised next-hop in BGP is now the smallest floating-IP active on the current BIG-IP system. Note: The ZebOS routing protocol suite available for BIG-IP configurations does not support traffic groups, so this issue might still be seen in certain circumstances.


566342 : Cannot set 10T-FD or 10T-HD on management port

Component: Local Traffic Manager

Symptoms:
When setting the B4450 or B4300 mgmt port to 10T-FD or 10T-HD, there is no link LED. However, the peer unit shows the correct link LED for this setting.

Conditions:
B4450 or B4300 blade and you want to set 10T-FD or 10T-HD media type

Impact:
Unable to set this media type.

Fix:
The management port of B4450 and B4300 blades can now be configured with 10T-FD or 10T-HD


566071-5 : network-HSM may not be operational on secondary slots of a standby chassis.

Component: Local Traffic Manager

Symptoms:
pkcs11d may not be running on secondary slots of a chassis.

Conditions:
This might occur when the following conditions are true:
1. Network-HSM installed on BIG-IP chassis.
2. Chassis is in standby state OR Secondary slots do not have management IP configured.

Impact:
If SSL profiles are configured with keys of security-type 'nethsm' when the specified conditions are true, traffic for such profiles will fail when the affected slots process traffic.

Workaround:
Manually install netHSM on each secondary slot.

Fix:
netHSM install no longer depends on management IP of secondary slots and also successfully installs on slots of a standby chassis.


565895-1 : Multiple PCRE Vulnerabilities

Solution Article: K17235


565799-4 : CPU Usage increases when using masquerade addresses

Component: Local Traffic Manager

Symptoms:
When using masquerade addresses, CPU usage increases. This can ultimately lead to a reduction in device capacity.

Conditions:
This can occur if one or more of your traffic groups is configured to use a MAC Masquerade address.

Impact:
Possible performance degradation or reduction in capacity

Fix:
Performance of masquerade address checks is restored.


565347-2 : Rewrite engine behaves improperly in case of AS2 SWF with a badly formatted 'push' instruction

Component: Access Policy Manager

Symptoms:
Rewrite engine behaves improperly in case of AS2 SWF with a string in 'push' instruction longer than the instruction length itself.

Conditions:
Any AS2 SWF with a string in 'push' instruction longer than the instruction length.

Impact:
Rewrite coredump.

Workaround:
It can be worked around by adding an Portal Access profile resource item with Flash patcher turned off for improper SWF content.

Fix:
Completely fixed.


565137 : Pool licensing fails in some KVM/OpenStack environments.

Solution Article: K12372003

Component: TMOS

Symptoms:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ, BIG-IQ can fail. The system posts the errors such as the following:

-- In /var/log/ltm: Dossier error 16.

-- In /var/log/restjavad: Dossier validation failed. error code: 5.

Conditions:
This occurs when BIG-IQ is used to license the BIG-IP VE instance.

Impact:
From BIG-IQ, the licensing operation will appear as a successful operation, however, BIG-IP VE will not be licensed.

Workaround:
There is no workaround.

Fix:
Licensing a BIG-IP Virtual Edition (VE) from BIG-IQ in OpenStack and/or KVM environments completes with success on BIG-IQ and BIG-IP.


564876-2 : New DB variable log.lsn.comma changes CGNAT logs to CSV format

Component: Carrier-Grade NAT

Symptoms:
New CSV format that does not use quotes as delimiters was not present prior to 12.1.2.

Conditions:
Setting the DB variable log.lsn.comma

Impact:
More control of logging format via the DB variable log.lsn.comma

Workaround:
N/A

Fix:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.

Behavior Change:
There is a new db variable log.lsn.comma that changes CGNAT logs to a CSV format that does not use quotes as delimiters between fields. Optional IP address fields appear as zero addresses, and optional numeric fields appear as zero. This new db variable applies to all LSN modes and to all ALG logs.


564771-1 : cron sends purge_mysql_logs.pl email error on LTM-only device

Component: TMOS

Symptoms:
On a device provisioned with LTM only, cron may log or send an email containing the following perl error:

/etc/cron.hourly/purge_mysql_logs.pl:

Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27

This script was only intended to be run with AM, ASM, or ASM provisioned and it generates an error if it is not.

Conditions:
Any device with AM, ASM, and PSM not provisioned. LTM-only devices are impacted.

Impact:
If cron can send email, it will send the perl error in the email once per hour.


564522-2 : cron is configured with MAILTO=root but mailhost defaults to 'mail'

Solution Article: K40547220

Component: TMOS

Symptoms:
The crontab and ssmtp configurations environment is MAILTO="", which means no email and it is difficult to find where the email went.

Conditions:
This exists in the default crontab and ssmtp configurations.

Impact:
- You may receive unexpected messages addressed to "root" at a host named "mail" on your network

OR

- You may encounter messages similar to the following in /var/log/maillog:

Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Unable to connect to "mail" port 25.
Dec 10 03:25:24 BIG-IP-1 err sSMTP[8421]: Cannot open mail:25

Workaround:
Change outbound-smtp mailhub to localhost with tmsh:

tmsh modify /sys outbound-smtp mailhub localhost

Fix:
Default mailhub has been changed to localhost. Starting in 12.0.0, MAILTO is set to root instead of "" in /etc/crontab so that the output of cron jobs can be captured. However, ssmtp is configured by default with a mailhost of 'mail', which may result in either error messages logged to /var/log/maillog or unexpected messages received on another system.


564324-2 : ASM scripts can break applications

Component: Application Security Manager

Symptoms:
ASM originated scripts are injected into places where they are not supposed to be, causing the script not to work and/or the application to break.

Conditions:
ASM is in front of a single page application, where injection is possible only for the main page. \
ASM has the CSRF or web scraping feature enabled.

Impact:
Application malfunctions, shows javascrip errors

Workaround:
Turn off the relevant feature that causes the injection.


564281-3 : TMM (debug) assert seen during Failover with Gy

Component: Policy Enforcement Manager

Symptoms:
When using the debug version of the tmm, HA fail over may cause the tmm to assert when Gy is configured.

Conditions:
Using PEM and Gy is configured.

Impact:
The TMM (debug version) may core and restart, resetting all connections.

Workaround:
Do not use the debug tmm with Gy.

Fix:
This debug assert has been changed to a debug log message.


564058-1 : AutoDoS daemon aborts intermittently after it's being up for several days

Solution Article: K91467162

Component: Advanced Firewall Manager

Symptoms:
AutoDoS daemon aborts intermittently when accessing session db api for memcache interface.

Conditions:
This happens in control plan AutoDoS daemon. This is an intermittent issue that occurs in few platforms under specific stress testing.

Impact:
Core will be seen, but the daemon will restart, and there is no loss of state.

Workaround:
No workaround.

Fix:
AutoDoS daemon no longer aborts intermittently when accessing session db api for memcache interface.


563933-4 : [DNS] dns64-additional-section-rewrite v4-only does not rewrite v4 RRs

Component: Local Traffic Manager

Symptoms:
A and AAAA RRsets in the additional section are dropped.

Conditions:
When dns64-additional-section-rewrite is 'v4-only' or 'v6-only'.

Impact:
Failure to include the additional RRs results in additional lookups by the client which could be glue records for a resolver.

Workaround:
Set dns64-additional-section-rewrite is 'any'.

Fix:
v4-only and v6-only options work as expected. Note that DNS64 prefix operations occur after all other DNS processing blocks -- including GTM.


563905-2 : Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Component: TMOS

Symptoms:
Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on one or more Secondary blades.

Entries similar to the following example are visible in the /var/log/ltm file:

err mcpd[10724]: 01070920:3: Application error for confpp: STDERR/STDOUT text begins Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: STDERR/STDOUT text ends ************************************************************* Nov 20 22:07:22 bigip1 confpp[20403]: reconfig command FAILURE for unix_config_syslog returned: '/etc/init.d/syslog-ng restart 2>&1' Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: [ OK ]

err mcpd[10724]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070920:3: Application error for confpp: STDERR/STDOUT text begins Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: STDERR/STDOUT text ends ************************************************************* Nov 20 22:07:22 bigip1 confpp[20403]: reconfig command FAILURE for unix_config_syslog returned: '/etc/init.d/syslog-ng restart 2>&1' Restarting syslog-ng: Shutting down syslog-ng: [FAILED] Starting syslog-ng: [ OK ]

Conditions:
-- Multi-blade VIPRION system or vCMP guest.
-- The system is rebooted.

Impact:
The blades that encounter this issue take longer to become operational, as they undergo an unnecessary MCPD restart.

Workaround:
None.

Fix:
Multi-blade systems that are rebooted no longer experience unnecessary MCPD restarts.


563727-1 : Issue a Body in Get sub violation for GET request with 'transfer-encoding: chunked'

Component: Application Security Manager

Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.

Conditions:
A Get request without payload arrives.
The request has a 'transfer-encoding: chunked' header although there is no payload.

Impact:
A suspicious request goes by undetected.

Workaround:
Add an iRule that removes this header from the ASM and issues a custom violation.

Fix:
A GET request without payload but with 'transfer-encoding: chunked' will issue the body in GET sub violation.


563661-2 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases, datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled.

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This issue has been fixed.


563592 : Content diagnostics and LCD

Component: TMOS

Symptoms:
While running platform_check, you notice this on the LCD:

F5 LCD Server
Clients: 0
Screens: 0

Conditions:
This occurs when running platform_check after running bigstart stop

Impact:
This is cosmetic, the LCD does not indicate that it is in diagnostic mode.

Fix:
When the LCD is unable to communicate with BIG-IP, such as during shutdown or platform_check, the LCD now displays the following:
F5 LCD Server
Host inaccessible or
in diagnostic mode


563135-3 : SWG Explicit Proxy uses incorrect port after a 407 Authentication Attempt

Component: Access Policy Manager

Symptoms:
When the SWG Explicit Proxy is configured to perform a 407 Authentication Request, if the client accesses a non-standard HTTP port (e.g. http://www.example.com:8080) the first request after authentication will fail.

Conditions:
SWG Explicit Proxy configured
HTTP 407 Authorization configured in Per-Request Policy for authentication
Client requests a non-standard HTTP port in request

Impact:
The first request after authentication will fail.

Workaround:
If the user refreshes their browser request, subsequent requests will work as expected.


562928-2 : Curl connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled

Component: TMOS

Symptoms:
Certain url connections with 'local-port' option fail sometimes over IPsec tunnels when connection.vlankeyed db variable is disabled with 'curl: (7) couldn't connect to host' error.

Conditions:
Using curl command with'--local-port' option causes the connections to fail on the BIG-IP system.

Impact:
TCP connections do not complete the three way handshake and traffic does not pass.

Workaround:
Disabling 'cmp' option in virtual server secures the traffic over IPsec tunnels.

Fix:
Using curl command with'--local-port' option no longer causes the connections to fail on the BIG-IP system.


562921-4 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"


562636-2 : Possible memory exhaustion in access end-user interface pages for transparent proxy/SWG cases.

Solution Article: K05489319

Component: Access Policy Manager

Symptoms:
When certain end user interface pages (e.g. 401 response) are served by the APM, these include a unique parameter in the URL. This results in the leak of objects representing caches for these pages, because their unique parameter renders caching ineffective.

Conditions:
This occurs when the following conditions are met:
-- Use of SWG in Transparent mode.
-- One of the following:
+ Use a logon page agent, an external logon page agent, or a 401 agent in the access policy.
+ Trigger an access policy evaluation when one is already in progress or when accessing a page that requires an established session.

Impact:
A memory leak in the TMM.

Workaround:
None (when the triggering conditions are encountered).

Fix:
This release corrects the possible memory exhaustion issue in access end-user interface pages for transparent proxy/SWG cases.


562267-3 : FQDN nodes do not support monitor alias destinations.

Component: Local Traffic Manager

Symptoms:
FQDN nodes do not support monitor alias destinations.

Conditions:
Configure a monitor with an alias address or port. The system will either prevent you from configuring, or the monitor will only be directed to the node address or port.

Impact:
The BIG-IP system does not send health checks to the configured monitor alias port. Monitor doesn't work as expected.

Workaround:
Depending on the functionality needed, you might be able to work around this by using an alternative configuration.

Fix:
FQDN nodes now support monitor alias destinations.


561892-2 : Kerberos cache is not cleared when Administrator password is changed in AAA AD Server

Solution Article: K08121752

Component: Access Policy Manager

Symptoms:
BIG-IP Administrator's password is changed and AD Query fails.

Conditions:
-- Administrator's password is changed for AAA AD Server.
-- Access policy applied.

Impact:
AD Query fails.

Workaround:
Remove Kerberos cache files (krb5cc_0 and krb5cc_1) manually in /var/run/apmd/krb5cc/ and all subdirectories.

Fix:
Kerberos cache is removed by apmd, if the administrator's password is changed and an access policy is applied.


561500-4 : ICAP Parsing improvement

Component: Service Provider

Symptoms:
If a malformed ICAP message is sent to the Big-IP the ICAP parser can enter a state where it consumes an increasing amount of CPU and memory.

Conditions:
A request-adapt or response-adapt profile is configured.
An ICAP message is received from an ICAP server lacking "ICAP/1.0" as initial header line.

Impact:
Memory and CPU usage increase.
Eventually the TMM may crash causing Big-IP fail-over.

Fix:
ICAP parser checks for correct initial ICAP/1.0 header line and rejects message if missing.


561444-1 : LCD might display incorrect output.

Component: TMOS

Symptoms:
Incorrect LCD display due to garbled messages received from LCD panel.

Conditions:
This occurs in various situations. Multiple messages sent to LCD and user interaction on LCD seem to reproduce the issue.

Impact:
LCD may display incorrect data.

Workaround:
The LCD usually corrects itself eventually, but to restore it immediately to a good state, run the following command: bigstart restart fpdd.

Fix:
The issue allowing garbled messages between the front panel display daemon (fpdd) and the LCD daemon (LCDd) is now prevented from happening.


561348-7 : krb5.conf file is not synchronized between blades and not backed up

Component: Access Policy Manager

Symptoms:
krb5.conf file is not in sync across all blades.
this may cause a feature (Kerberos SSO / Kerberos Auth) to not work as expected.

Conditions:
When administrator made changes to krb5.conf file manually, the configuration file is not synchronized to all blades or is lost upon upgrade.

Impact:
Kerberos Auth / Kerberos SSO does not work properly on all blades.

Workaround:
None.

Fix:
The APM code now automatically synchronizes the changes to /etc/krb5.conf file to all devices in the Failover Device group. Any change made to this file either in Active Device or Standby device will be automatically synced to other device.

In Chassis, all the Secondary blades will mirror the file on the Primary blade. Any manual change done on the Secondary blade(s) will be lost. The admin has to do the changes on Primary blade only and it will be synchronized with all others blades.

Behavior Change:
When admin modifies /etc/krb5.conf file, the changes are automatically updated on other devices in the same Failover Device group.

When admin modifies the /etc/krb5.conf file on the primary blade of the chassis, the changes are automatically updated on all secondary blades.


560471-1 : Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down

Component: Local Traffic Manager

Symptoms:
Changing the monitor configuration of a pool can cause the virtual server to be briefly logged as down.

Conditions:
Changing the monitor configuration of a pool. For example:

tmsh modify ltm pool http-pool monitor http and tcp
tmsh modify ltm pool http-pool monitor min 1 of { http tcp }

Impact:
Virtual server may be incorrectly marked down, when it should not be.

Fix:
Changing the monitor configuration of a pool no longer causes the virtual server to be marked as down.


560114-6 : Monpd is being affected by an I/O issue which makes some of its threads freeze

Component: Application Visibility and Reporting

Symptoms:
When Monpd is restarted, it starts printing non-stop error message to logs. Analytics statistics may be lost, and new data cannot be loaded. The ltm log contains this error signature - err stat_bridge_thread[8278]: monpd`ERR`date`11285` [stat_bridge_thread::validateCorrectNumberOfPartitions, ] Too many partitions (44) defined for DB table AVR_STAT_DISK_T

Conditions:
A system I/O issue (maybe caused by /var/log being full).

Impact:
AVR statistics are lost.
Monpd thread cannot load new data, and it prints non-stop error messages to the logs.

Workaround:
Run the following:

find /var/avr/loader/ -mindepth 1 -name "*" -print0 | xargs -0 rm
touch /var/avr/init_avrdb
bigstart restart monpd


560109-7 : Client capabilities failure

Solution Article: K19430431


559980-1 : Change console baud rate requires reboot to take effect

Component: TMOS

Symptoms:
When you change the console baud rate, you will see garbage characters.

Conditions:
When you make modification to the console baud rate.

Impact:
The console display has garbage characters.

Workaround:
Reboot the system.

Fix:
Console baud rate change now works.


559953-1 : tmm core on long DIAMETER::host value

Component: Service Provider

Symptoms:
tmm crashes and restarts when an iRule is accessed that contains a large DIAMETER::host value.

Conditions:
This occurs with a DIAMETER::host iRule parameter set to a very large value (2000 characters).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Limit the length of the DIAMETER::host parameter to less than 1000 characters.

Fix:
BIG-IP now limits the DIAMETER::host parameter to 1000 characters.


559837-4 : Misleading error message in catalina.out when listing certificates.

Component: TMOS

Symptoms:
GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation. The exceptions are the actual cause of the failure.

java.sql.SQLException: Table not found: SSL_CERTIFICATES_0_1652477104084229 in statement [DROP TABLE ssl_certificates_0_1652477104084229].

Conditions:
This occurs when listing certificates, and exceptions are returned.

Impact:
1. Throws table creation exceptions when randomly generated table name contains invalid character ('-').
2. Misleading 'Table not found" message in catalina.out.

Workaround:
Refreshing the page might fix the invalid table name issue because doing so generates a new table name. In some situations a restart of tomcat and httpd may be required.

Fix:
Errors occur when listing certificates that contain invalid characters from the randomly generated table names, so the GUI logs 'Table not found' in catalina.out when some exceptions are returned before/at table creation.


559655 : Post RMA, system does not display correct platform name regardless of license

Component: TMOS

Symptoms:
When you get an RMA and you are licensed for a 4000 and the unit received has been licensed as a 4200, you will have a difference between hardware on site and the new hardware received, regardless of what license you have.

Conditions:
Take a 4000 from manufacturing and license it for a 4200 wipe system and rebuild and license for a 4000 and tmsh show sys hardware and device groups will indicate it to be a 4200
if you have a 4200 from manufacturing and license it as a 4000 it will still indicate that it is a 4200
Affected platforms is following
2000/2200 4000/4200 5000/5200 7000/7200 10000/10200

Impact:
Confusion as to what the actual platform is


559080-5 : High Speed Logging to specific destinations stops from individual TMMs

Component: TMOS

Symptoms:
High Speed Logging to specific destinations stops from individual TMMs. The flows appear to have very large idle times. Attempts to delete the flows sets the idle time to zero, but does not kill the flow.

Conditions:
This appears to be the result of a failure on the part of the log destination (for example, a log server) wherein the server's TCP stack ACKs a FIN request from the TMM, but does not follow through with a matching FIN or RST. The logging code expects another timeout (essentially a FIN-WAIT2 timeout), but never receives one because the flow has already been marked as expired. As a result, the flow goes into a state in which it appears to be viable but is not actually delivering.

Impact:
Logs are silently lost.

Workaround:
Create an additional virtual server to act as a proxy for the log server, and sent the logs to this virtual server. This essentially uses the TMM itself as a sanitizing proxy.

Fix:
The system now resets the expire timer when it initiates the close. If the server fails to reset or complete the close, the flow is aborted on the next expiration event.


559030-1 : TMM may core during ILX RPC activity if a connflow closes before the RPC returns

Solution Article: K65244513

Component: Local Traffic Manager

Symptoms:
TMM core with plugin context refcount error.

Conditions:
-- Using ILX RPC calls.
-- Connflow closes before the RPC returns.

Note: Most likely to occur when using a low-end unit or virtual edition configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
ILX plugin timeout no longer causes TMM core.


557680-4 : Fast successive MTU changes to IPsec tunnel interface crashes TMM

Component: TMOS

Symptoms:
Changing IPsec tunnel interface MTU attribute repeatedly in quick succession, TMM cores. This can occur whether or not traffic has flowed through the tunnel.

Conditions:
The issue occurs when the IPsec tunnel interface attributes has its configuration modified quickly and repeatedly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Change IPsec tunnel interface attributes at a rate of speed that allows each configuration modification to complete.

Fix:
TMM no longer cores if users quickly and repeatedly change interface attributes (for example, the MTU interface attribute).


557471-3 : LTM Policy statistics showing zeros in GUI

Component: TMOS

Symptoms:
Statistics for LTM Policies, e.g., the total count of policy action invocations and number of successful policy action invocations, are not being updated in the GUI. The GUI shows zeros for both of these stats for every LTM Policy.

Conditions:
Occurs under all conditions.

Impact:
Through the GUI, Administrators cannot see invocation counts for general troubleshooting or to determine which policies are being used.

Workaround:
To work around this issue, you can use the tmsh utility to view BIG-IP LTM traffic policy statistics. To do so, perform the following procedure:

To retrieve stats for all policies, run the following command:
# tmsh show ltm policy.

To retrieve stats for a specific policy, run the following command:
# tmsh show ltm policy <policy-name>.

Fix:
LTM Policy statistics now shows the correct values in the GUI.


557434-4 : After setting a Last Resort Pool on a Wide IP, cannot reset back to None

Component: Global Traffic Manager (DNS)

Symptoms:
After configuring a wide IP with a Last Resort Pool set to something other than None, you can no longer change the Last Resort Pool back to None.

Conditions:
Last Resort Pool is set to something other than None.

Impact:
There is no None option in TMSH or GUI.

Workaround:
Setting the Pool Name to an empty string via tmsh will set it to None.
For example
modify gtm wideip a wip.f5.com last-resort-pool a

Fix:
None options added to tmsh and GUI.


557411-1 : Full Webtop resources appear overlapping in IE11 compatibility mode

Component: Access Policy Manager

Symptoms:
Full Webtop resources appear overlapping each other in MSIE 11 in compartibility mode

Conditions:
MSIE 11, compartibility mode. Full Webtop in use

Impact:
Everything is working but the icons overlap.

Workaround:
1. modify advanced customization of apm.css

#webtop_favorites_inner_container span.favorite span.caption{
...
    <? if( $_GET['ctype'] == 'IE' && $_GET['cversion'] < 9){ ?>
    zoom: 1;
    <? }elseif( $_GET['ctype'] == 'IE' && $_GET['cversion'] == 11){ ?>
    zoom: 0;
    <? } ?>
}


2. an irule that would change apm.css to
#webtop_favorites_inner_container SPAN.favorite SPAN.caption {
...
zoom: 1; /* <--- set 0 if msie 11 in compartibility mode */
}

Fix:
Everything is back to normal


557358-5 : TMM SIGSEGV and crash when memory allocation fails.

Component: Local Traffic Manager

Symptoms:
TMM SIGSEGV and crash when memory allocation fails.

Conditions:
Although the specific conditions under which this occurs are not well understood, it appears that the issue occurs when the SSL operation detects an error and processes the connection for removal from the SSL queue. Before the connection is removed, another command attempts to remove the connection a second time, which causes the issue to occur.

Impact:
TMM SIGSEGV and crash. Traffic disrupted while tmm restarts.

Workaround:
None known at this time.

Fix:
TMM SIGSEGV and crash no longer occur when memory allocation fails due to a command attempting to remove the connection for removal from the SSL queue a second time.


557190-3 : 'packet_free: double free!' tmm core

Solution Article: K65615624


557155-8 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Solution Article: K33044393

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue is reproduced during a test that over provision a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try ones of the following workarounds (first on is the most preferred and so ):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1

Fix:
BIG-IP Virtual Edition becomes unresponsive under extreme load test due to kernel memory exhaustion from over-provisioning.


555039-4 : VIPRION B2100: Increase egress traffic burst tolerance for dual CoS queue configuration

Solution Article: K24458124

Component: TMOS

Symptoms:
There is a high drop counts when running tmsh show net interface, and running tmctl -a drop_reason shows that a large number of drops are due to counters.rx_cosq_drop

Smaller buffering alpha values are configured for egress buffering to allow an 8 HW CoS queue feature to correctly implement weight based egress dropping. This results in busy ports dropping more aggressively, although allowing more fair buffering amongst multiple active ports.

Conditions:
Higher traffic rates, which stress switch MMU buffering resources, might result in egress CoS queue drop on busy ports.
This affects the BIG-IP 5000- and 7000 series platforms, and VIPRION B2100, B2150, and PB200 blades.

Impact:
This results in busy ports dropping more aggressively. Note that using smaller values allows more fair buffering amongst multiple active ports, whereas higher values allow better burst absorption but less fair buffering.

Workaround:
None.

Fix:
This release uses a larger alpha value for better burst absorption when the 8 hardware CoS queue feature is not enabled.


554713-2 : Deployment failed: Failed submitting iControl REST transaction

Component: TMOS

Symptoms:
When deploying an access control policy to a sync group, you notice the following error: Deployment failed:
Failed submitting iControl REST transaction 1445978291443908: remoteSender:ip_address

Conditions:
This can happen on policy sync with a large number of ACLs.

Impact:
The system will function properly, but some transactions may take longer than expected. BIG-IQ deployment of APM access control lists is one known case to fail due to timeouts.

Workaround:
None.

Fix:
The audit log contains every database modification request message sent to mcpd. Certain messages once took an unexpectedly long time to render, which has been fixed.


553795-7 : Differing cert/key after successful config-sync

Component: TMOS

Symptoms:
1) If you change a client-ssl profile to a different cert/key, delete the original cert/key, create a new cert/key with the same name as the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the peer system(s)' FIPS chip retains a copy of the original key.

2) If you change a client-ssl profile to a different cert/key, then create a new cert/key with a different name from the original one, associate the new cert/key with the original client-ssl profile, then do a config-sync, the config-sync operation may fail and the peer's client-ssl profile will still use the original cert/key instead of the new one.

Conditions:
1) High Availability failover systems with FIPS configured with Manual Sync.

2) High Availability failover systems without FIPS configured with Manual Sync.

Impact:
1) An abandoned FIPS key is left behind.

2) The systems may be out-of-sync, and one system's client-ssl profile uses one cert/key pair, while the other systems' same client-ssl profile uses a different cert/key pair.

Workaround:
1) For the first scenario, you can use either of the following workarounds:

-- Run an extra config-sync before the second change of the client-ssl profile.
-- Delete the FIPS key by-handle on the peer systems.

2) For the second scenario, you can use the following workaround:
-- Perform another config-sync operation in the GUI with the 'Overwrite Configuration' checkbox checked.

Note: If you also deleted your original cert/key pair, perform the following procedure:

1. Go onto the peer systems.
2. Manually delete those cert/key files that were copied during the first config-sync operation.
3. Look for the corresponding cert/key files in these two directories: /config/filestore/files_d/Common_d/certificate_d: /config/filestore/files_d/Common_d/certificate_key_d:
4. Delete the cert/key files in those directories.

Fix:
Systems now have the same cert/key after successful config-sync of High Availability configurations.


551925-3 : Misdirected UDP traffic with hardware acceleration

Component: TMOS

Symptoms:
UDP traffic might be forwarded to the wrong destination when using hardware acceleration.

Conditions:
If the UDP timeout is lower than the embedded Packet Velocity Acceleration (ePVA) aging timeout.

This occurs because UDP connections are accelerated until the ePVA aging timeout expires for the connection. If the ePVA aging timeout is greater than the UDP timeout, then TMM removes the connection from software, but the connection is still accelerated in the ePVA. Subsequent traffic then matches to the original connection, causing it to be sent to the wrong destination.

Impact:
Traffic can be sent to the wrong destination.

Workaround:
You can use either or both of the following workarounds:
-- Increase the UDP timeout (60s or more).
-- Disable UDP hardware acceleration.


551795-1 : Portal Access: corrections to CORS support for XMLHttpRequest

Component: Access Policy Manager

Symptoms:
XMLHttpRequest to external domain should fail if the server does not include 'Access-Control-Allow-Origin' header into response. Current implementation of CORS support in Portal Access does not enforce this failure.
If XMLHttpRequest to same-origin resource is redirected to external one, it has to be treated as cross-domain request. Current implementation of CORS support in Portal Access does not handle this case correctly.

Conditions:
XMLHttpRequest to external domain via Portal Access succeeds even when the server response does not include 'Access-Control-Allow-Origin' header.
XMLHttpRequest to same-origin resource succeeds via Portal Access in spite of response redirection.

Impact:
Web application may work incorrectly; some data access restrictions may not work.

Fix:
Now Portal Access supports CORS in case of response redirection for XMLHttpRequest.
CORS support enforces error in the case when 'Access-Control-Allow-Origin' header is absent in server response.


551349-5 : Non-explicit (*) IPv4 monitor destination address is converted to IPv6 on upgrade

Solution Article: K80203854

Component: TMOS

Symptoms:
A monitor destination address in the form of *:port (IPv4) is converted to *.port when upgrading from 10.2.4 to 11.5.x.

Conditions:
A monitor exists with a non-explicit address and explicit port on a BIG-IP system running 10.2.4. Then upgrade to 11.5.x (or install 10.2.4 ucs)

Impact:
Monitors appears to function normally but they will have the wrong format in the config file.

Workaround:
None.

Fix:
Determine if non-explicit (*) address is ipv4 or ipv6 based on next character to be parsed.


551208-6 : Nokia alarms are not deleted due to the outdated alert_nokia.conf.

Component: Local Traffic Manager

Symptoms:
Some of the log messages watched by alertd changed between BIG-IP software versions 10.x to versions 11.x/12.x. However, the /etc/alertd/alert_nokia.conf file has not been updated accordingly.

Conditions:
Running versions 11.x/12.x and receiving targeted messages that match the 10.x regex key fields. This occurs when the Nokia snmp alarms are enabled. See K15435 at https://support.f5.com/csp/#/article/K15435

Impact:
Matching the specific fields in the log message fails, so the corresponding alarm is not deleted from the nokia_alarm table. This might cause SNMP alerts to not be broadcast in Nokia-specific environments.

Workaround:
None.

Fix:
The log messages watched by alertd and appearing in alert_nokia.conf now match each clear event key to its corresponding error definition, so alerts are recorded correctly.


550547-2 : URL including a "token" query fails results in a connection reset

Component: Access Policy Manager

Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:

"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup]
It does not matter ntlm or basic auth.
This is triggered on sites that have "token" in the query parameters.

Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Workaround:
Workaround iRule:

when HTTP_REQUEST {
    if { [HTTP::query] contains "token" } {
      set fix 1
      HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}

when HTTP_REQUEST_SEND {
    if { [info exists fix] && $fix equals 1 } {
      clientside {
        HTTP::query [string map "aabbcc token" [HTTP::query]]
        unset fix
      }
    }
}

Fix:
Customization namespace for subsession state prefix with default value as "000fffff" has been added controlled via db variable "tmm.access.subsessionstateprefix" before state/token query param and validation is ensured to check for the prefix value before triggering serialize/deserialize code to avoid RST.

In case if a UCS is being restored and used for a Hotfix, the newly added DB variable may not be present in /config/Bigdb.dat file. The following information needs to be added in /config/Bigdb.dat file followed by a "bigstart restart" to ensure proper working.

#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32


550161-4 : Networking devices might block a packet that has a TTL value higher than 230.

Component: Local Traffic Manager

Symptoms:
Some networking devices block a packet that has a TTL value higher than 230. The TTL value for the BIG-IP system is set to 255 internally and cannot be changed.

Conditions:
The issue occurs when traffic originates from the BIG-IP system (as a client).

Impact:
No access to the resources.

Workaround:
None.

Fix:
The TTL value can now be changed from the hardcoded value of 255. This supports the requirement that some networking devices have to block a packet whose TTL value is higher than 230.


549329-3 : L7 mirrored ACK from standby to active box can cause tmm core on active

Solution Article: K02020031

Component: Local Traffic Manager

Symptoms:
A spurious ACK sent to the standby unit will be mirrored over to the active unit for processing. If a matching connection on the active has not been fully initialized, tmm will crash.

Conditions:
HA active-standby configuration setup for L7 packet mirroring.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.


547479-5 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
Unknown.

Impact:
Traffic disrupted while tmm restarts.


547053-1 : Bad actor quarantining

Component: Anomaly Detection Services

Symptoms:
An issue was found where bad actors could be released from quarantine due to a timing issue

Conditions:
This is a timing issue related to an having unusually high number of bad actors at the same time.

Impact:
Traffic can be removed from quarantine and passed to the web server

Fix:
An issue was fixed related to bad actor quarantining


546489-1 : VMware View USB redirection stops working after client reconnect

Component: Access Policy Manager

Symptoms:
VMware View USB redirection stops working

Conditions:
VMware View client reconnects due to network interruptions

Impact:
VMware View USB redirection stops working

Fix:
VMware View USB redirection works after client reconnect


546145-1 : Creating local user for previously remote user results in incomplete user definition.

Component: TMOS

Symptoms:
Creating a local user for a user who previously authenticated using a remote mechanism (e.g. LDAP, RADIUS) results in a user who has no partition-access. Additionally, the user cannot be modified via web UI.

Conditions:
Configure remote system authentication. Create a local user for remotely authenticated user.

Impact:
User cannot authenticate. User name does not appear in User List.

Workaround:
After initial creation, modify local user via tmsh to include appropriate partition-access.


545810-3 : TMM halts and restarts

Solution Article: K14304373

Component: Local Traffic Manager

Symptoms:
TMM halts and restarts.

Conditions:
This crash can happen when passing egress traffic on LTM virtual servers that meet the following two configuration criteria:
-- The virtual server is configured with a Fast HTTP profile.

Impact:
Halt and restart of TMM. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Now the system receives only packets that it owns and can be re-used, so this issue no longer occurs.


545796-5 : [iRule] [Stats] iRule is not generating any stats for executed iRules.

Component: Local Traffic Manager

Symptoms:
iRule is not generating any stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.

Conditions:
This occurs when the following steps are taken:
1. Move/edit an iRule that is attached to a virtual server.
2. Pass traffic to the virtual server.
3. Add the iRule back to the virtual server.

Impact:
No iRule usage stats available.

Workaround:
None.

Fix:
iRule now generates stats for executed iRules when the rule is removed/edited and then re-added to the virtual server.


545450-5 : Log activation/deactivation of TM.TCPMemoryPressure

Component: Local Traffic Manager

Symptoms:
The TCP memory pressure feature allows packets to be randomly dropped when the TMM is running low on available memory. The issue is that these packets are dropped silently.

Conditions:
TM.TCPMemoryPressure set to "enable".

Impact:
Packets are dropped, where the cause of the drop cannot be easily determined.

Fix:
Logging added in /var/log/ltm for activation and deactivation of TCP memory pressure. The deactivation message also includes the number of packets and bytes dropped.


544906-2 : Issues when using remote authentication when users have different partition access on different devices

Solution Article: K07388310

Component: TMOS

Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.

For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication.

User A on device 1 with role on all-partitions.

User A on device 2 with role restricted to a single partition.

Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.

Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.


544477 : New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Component: TMOS

Symptoms:
Phone support is not available for hourly billing customers in cloud marketplaces.

Conditions:
All hourly billing VE instances in AWS Marketplace.

Impact:
Phone support is not available for hourly billing VE instances.

Fix:
New Hourly Billable VE instances in AWS and Azure register with F5 Licensing Server for Support.

Behavior Change:
Changed licensing for hourly billing instances from pre-licensed image to template reg key which must be licensed through the license server.


544033-5 : ICMP fragmentation request is ignored by BIG-IP

Solution Article: K30404012

Component: Local Traffic Manager

Symptoms:
Client sends a large ICMP Echo Request whose size exceeds the MTU of the network the packet traverses requiring the ICMP Echo Response to be fragmented. BIG-IP ignores the fragmentation request and continues sending ICMP Echo Replies that exceed the network MTU.

Conditions:
-- A large (exceeds MTU of network traversed) ICMP Echo Request is directed to a Virtual Address on the BIG-IP system.
-- ICMP Echo Reply is larger than upstream networks MTU resulting in fragmentation needed being sent to BIG-IP.

Impact:
ICMP Echo Reply is not received by the requester.

Workaround:
None.

Fix:
Client now receives correctly ICMP echo response from Virtual Address when echo request has been fragmented.


543344-3 : ACCESS iRule commands do not work reliably in HTTP_PROXY_REQUEST event

Component: Access Policy Manager

Symptoms:
When a BIG-IP system is configured with explicit HTTP proxy, an ACCESS iRule does not work reliably in HTTP_PROXY_REQUEST. The issue happens when the current ACCESS iRule searches the associated session ID from the connection itself in either of these ways:
-- The session ID is embedded in the request.
-- The connection was processed by ACCESS previously.

When neither condition is satisfied, then the current ACCESS iRule cannot find the associated session ID.

Conditions:
This occurs when the following conditions are met:

-- ACCESS iRule such as ACCESS::session data get/set.
-- ACCESS::session exists.
-- Session ID is not provided by the caller.
-- Caller expects the session ID to be resolved internally.

Impact:
Whenever ACCESS iRule commands cannot find the associated session ID, ACCESS iRule commands are processed as if the caller provided an empty session ID in its arguments. As a result, ACCESS::iRule commands return an empty result.

Workaround:
If possible, use ACCESS_ACL_ALLOWED as the event for the iRule, when the session ID is known. This would work for a BIG-IP system configured for reverse proxy or forward proxy.

Fix:
Fixed to allow ACCESS iRule commands in commands such as HTTP_PROXY_REQUEST where previously there was not enough data for them to execute.

Note: This fix is only for IP address-based sessions where the access policy is not evaluated via iRules, but in the usual method (attached to virtual server). This fix does not address the issue for NTLM-based sessions and sessions that use 'ACCESS::policy evaluate'.


543208-1 : Upgrading to v12.x or later in a sync-failover group might cause mcpd to become unresponsive.

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
This occurs when the following sets of conditions are met:

Condition set 1
===============
-- Your BIG-IP high availability (HA) device group members are running BIG-IP 11.6.0 or 11.6.1.
-- You upgrade a peer HA device to BIG-IP 12.x or later.
-- After you upgrade that peer, a failover event occurs.

Condition set 2
===============
-- Your BIG-IP HA device group members are running BIG-IP 12.0.0, 12.1.0, 12.1.1, or 12.1.2.
-- You upgrade a peer HA device to BIG-IP 13.x or later.
-- After you upgrade that peer, a failover event occurs.

Note: This might be most evident with APM configurations.

Impact:
mcpd on the devices running the affected versions may become unresponsive. Upgrade fails. This is fundamentally the result of device group members running different software versions.

Workaround:
None.

Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.


542817-1 : Specific numbers that are not credit card numbers are being masked as such

Solution Article: K11619228

Component: Application Security Manager

Symptoms:
ASM blocks or masks when a specific credit card number range with specific length appears in the response.

Conditions:
The Data Guard feature is turned on and set to Block, Alarm or Mask. The responses contains credit card numbers with specific ranges.

Impact:
The traffic passes masked or blocked to the end client.

Workaround:
a partial workaround is to turn off the Data Guard feature, then none of the credit cards numbers will be masked nor blocked.

Fix:
The system now correctly masks and/or blocks only relevant credit cards, specifically not masking credit card numbers starting with specific number that are in a length range.


542097-4 : Update to RHEL6 kernel

Component: TMOS

Symptoms:
Rare race condition between two (or more) threads operating on the same buffer_head/journal_head may cause a kernel panic

Conditions:
Running RHEL6 kernel under heavy disk load, more likely on a vCMP host

Impact:
Unexpected machine reboot causing loss of service

Workaround:
None.

Fix:
Redhat provided an update to RHEL6.7
F5 backported to RHEL6.4, 6.5:

jbd2: Fix oops in jbd2_journal_remove_journal_head()
jbd: Fix oops in journal_remove_journal_head()


541550-3 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.


541549-2 : AWS AMIs for BIG-IP VE will now have volumes set to be deleted upon instance termination.

Component: TMOS

Symptoms:
The default settings of an AMI is not to delete an attached volume of an instance when the instance is terminated. This results in extra effort to delete a volume manually after terminating the instance. If not done always, the orphaned volume causes extra bills.

Conditions:
A BIG-IP VE is launched from an AMI in the marketplace.

Impact:
Volumes attached to BIG-IP VE instances will be deleted automatically when the instance is terminated. This option is set to be default now. If you want to keep a volume even after terminating a BIG-IP VE instance, you will have to set it to not be deleted upon termination during instance launch in AWS console.

Workaround:
None.

Fix:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.

Behavior Change:
A BIG-IP VE AWS image now has the option set such that when an instance is launched out of it, that BIG-IP VE instance will have volumes which are set to be deleted upon termination by default.


541320-10 : Sync of tunnels might cause restore of deleted tunnels.

Solution Article: K50973424

Component: TMOS

Symptoms:
After a full load sync, tunnels may be spuriously added to the default route domain for the partition that contains them.

Conditions:
Viewing tunnels after a full load sync.

Impact:
This might result in a deleted tunnel being restored to the configuration.

Workaround:
None.

Fix:
Sync of tunnels no longer causes restore of deleted tunnels.


540928-1 : Memory leak due to unnecessary logging profile configuration updates.

Component: Application Security Manager

Symptoms:
There is a memory leak in ASM control plane daemons after processing many calls in a long lived process

Conditions:
A) Pool member state changes frequently.
or
B) Manual learning is enabled (versions 12.x)

Impact:
Memory consumption by ASM control plane daemons increases.

Workaround:
Restart ASM - which will cause a failover and a down time

OR just kill asm_config_server by:
-----------------------
pkill -f asm_config_server
-----------------------
which will get restarted back by ASM process watchdog in ~15 seconds and should not cause failover nor downtime.

Fix:
An async worker lifecycle was introduced so long lived processes will now dispatch a fixed number of calls to their workers before retiring them.


540872-1 : Config sync fails after creating a partition.

Component: TMOS

Symptoms:
Config sync fails after creating a partition. A config sync error similar to the following occurs:

Configuration error: Can't associate (/P1/pool1) with folder (/P1) folder does not exist

Conditions:
This error occurs when a folder is created in the same transaction that an object is also created in that folder.

This can be done either by explicitly using tmsh or iControl transaction mechanisms or through incremental sync of APM where folders get created.

Impact:
A transaction will fail or incremental sync on APM will fail on a peer.

Workaround:
In the case of transactions, create partitions and folders in a separate transaction from any object creation.

For incremental sync of APM, force a full sync by using the 'Overwrite Configuration' option in the UI.


539360 : Firmware update that includes might take over 15 minutes. Do not turn off device.

Component: TMOS

Symptoms:
On certain platforms, firmware updates might take over 15 minutes to complete. It is very important to wait until update completes. Do not turn on the device until the operation is finished.

Conditions:
This occurs on the following iSeries platforms: i2000, i4000, i5000, i7000, and i10000.

Impact:
Reboot takes a long time. The GUI posts the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.

Workaround:
None.

Fix:
Although reboot takes a long time on the iSeries platforms, the GUI posts a message containing a time range, similar to the following message: Reboot in progress
Please do not turn off your device. Depending on your configuration, reboot time will vary, taking 5 to 20 minutes. To view reboot progress, connect to the serial port of your device or access the system hypervisor.


539093-1 : VE shows INOPERATIVE status until at least one VLAN is configured and attached to an interface.

Solution Article: K26104530

Component: TMOS

Symptoms:
Virtual Edition (VE) deployed with 1 CPU only shows INOPERATIVE status until at least one VLAN is both configured and attached to an interface.

Conditions:
Install the BIG-IP Virtual Edition software on a VM with 1 CPU (1 CPU/2048 MB RAM option available in OVA) and license, but do not create any VLANs (or create VLANs, but do not attach them to an interface).

Impact:
In the CLI, device remains in INOPERATIVE state, but shows ACTIVE in the GUI. This might cause unneeded delay trying to rectify what appears to be a license issue when there is none.

Workaround:
To work around this, configure at least one VLAN and attach it to an interface.


537553-8 : tmm might crash after modifying virtual server SSL profiles in SNI configuration

Component: Local Traffic Manager

Symptoms:
Modifying a Secure Sockets Layer (SSL) profile associated with a virtual server may result in the Traffic Management Microkernel (TMM) producing a core file. As a result of this issue, you may encounter one or more of the following symptoms:

-- BIG-IP system sends an invalid memory access segmentation fault (SIGSEGV) or floating point error (SIGFPE), signal to TMM, resulting in a stack trace that appears in the /var/log/tmm file.
-- TMM restarts and produces a core file in the /shared/core directory.
-- The BIG-IP system generates an assertion failure panic string in the /var/log/tmm file that appears similar to the following example:
panic: ../kern/umem.c:3881: Assertion "valid type" failed

Conditions:
1. LTM virtual server is configured with multiple SSL profiles, one of which is the default SNI profile.
2. A configuration change is made that affects the virtual server. Among others:
-- Configuration is reloaded either manually or automatically after config sync.
-- Change is made to any of the SSL profiles configured on the virtual server.
-- SSL profiles are added or removed from the virtual server profile list.
-- Change is made to the virtual server.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Making SSL profile configuration changes now completes successfully.


536563-7 : Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' or 'No flow found for ACK' on subsequent packets.

Component: Local Traffic Manager

Symptoms:
Incoming SYNs that match an existing connection may complete the handshake but will be RST with the cause of 'TCP 3WHS rejected' on subsequent packets.

Conditions:
This occurs when the existing connection is closing while waiting on an ACK to the last FIN.

Impact:
Unexpected RSTs (Clientside).

Workaround:
None.


534520-1 : qkview may exclude certain log files from /var/log

Component: TMOS

Symptoms:
After generating a qkview, some log files are missing.

Conditions:
This can occur intermittently while generating a qkview.

Impact:
Certain key log files that might be needed for troubleshooting are missing from the qkview.

Workaround:
None.

Fix:
After generating a qkview, all log files are now present.


534457-4 : Dynamically discovered routes might fail to remirror connections.

Component: Local Traffic Manager

Symptoms:
When using dynamic routing, it's possible that L4 connections fail to remirror after a restart on the standby device. Initial mirroring works as expected, but remirroring might not work.

Conditions:
Using dynamic routes and mirroring, and either the active or standby restarts. If the active restarts, failover completes correctly, but connections might not remirror to the previously active device after it comes back online.

Impact:
Dynamically discovered routes might fail to remirror connections. One-way failover, similar to L7 virtual servers. Initial failover works as expected; subsequent failovers might drop connections.

Workaround:
Provide a static route instead of dynamic routes.

Fix:
Remirroring L4 connections using dynamic routes works correctly. (Note that when using dynamic routes it is not guaranteed that the active and standby systems will use the same routes; if the same routing is required on both active and standby fails over, there might be some dropped connections.)


534247-1 : Issue a Body in Get sub violation for GET request with content type header

Component: Application Security Manager

Symptoms:
A GET request without payload but with payload indication doesn't issue the body in get violation.

Conditions:
A Get request without payload arrives.
The request has a content type header although there is no payload.

Impact:
A suspicious request goes by undetected.

Workaround:
Add an iRule that removes this request from the ASM and issues a custom violation.

Fix:
A GET request without payload but with content type header will issue the body in GET sub violation.


533956-3 : Portal Access: Space-like characters in EUC character sets may be handled incorrectly.

Solution Article: K30515450

Component: Access Policy Manager

Symptoms:
Extended Unix Code (EUC) character sets include several white space characters which have no ASCII equivalents. These characters are not recognized as white spaces by Portal Access. This may lead to incorrect handling of HTML pages, XML files and/or JavaScript files in these character sets.

Conditions:
- HTML page, XML file or JavaScript file in any EUC encoding scheme (EUC-JP, for example).

Impact:
Page or file in EUC encoding scheme may not be parsed correctly.

Workaround:
Use an iRule to replace non-ASCII compatible white space characters by ordinal spaces.

Fix:
Now text content using EUC character encoding schemes is handled correctly by Portal Access.


531979-6 : SSL version in the record layer of ClientHello is not set to be the lowest supported version.

Component: Local Traffic Manager

Symptoms:
In the ClientHello message, the system is now setting the SSL version in the record layer to be the same as version value of ClientHello message, which is the highest SSL version now supported.

Although RFC 5246 appendix E.1 does not give specific advice on how to set the TLS versions, the de facto standard used by all major browsers and TLS stacks is to set the ClientHello as follows:

SSL Record:
    Content Type: Handshake (22)
    Version: $LOWEST_VERSION
    Handshake Record:
        Handshake Type: Client Hello (1)
        Version: $HIGHEST_VERSION

The BIG-IP system implementation tells the SSL peer that the system supports only SSL versions from the $HIGHEST_VERSION through the $HIGHEST_VERSION instead of from the $LOWEST_VERSION through the $HIGHEST_VERSION, which effectively limits the range of SSL versions the system can negotiate with the SSL peer.

Conditions:
This issue occurs when the highest SSL version that the BIG-IP system supports does not fall into the range that an SSL peer supports.

For example, with SSL peer support configured for TLS1.0 or TLS1.1, if the BIG-IP system sets the highest SSL version to be TLS1.2, then there will be no version that the SSL peer thinks they have in common, and SSL handshake fails.

Impact:
SSL handshake fails.

Workaround:
There is no workaround for this issue.

Fix:
The SSL version in the record layer of ClientHello is now set to be the lowest supported version, which eliminates that issue that occurred when the highest SSL version that the BIG-IP system supports did not fall into the range that an SSL peer supports.


530927-8 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Component: TMOS

Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces use a lower speed then their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, readd them all at the same time.

Fix:
The BIG-IP system now correctly adds interfaces to a trunk formed from interfaces running at a lowered speed.


530877-7 : TCP profile option Verified Accept might cause iRule processing to run twice in very specific circumstances.

Solution Article: K13887095

Component: Local Traffic Manager

Symptoms:
A specific combination of configuration options might cause iRule processing to run the CLIENT_ACCEPTED event twice.

If the iRule contains a suspending command, the system may eventually stop accepting connections to any TCP virtual servers with that have the Verified Accept option enabled.

Conditions:
This occurs when all of the following conditions are met:
- Standard Virtual Server is configured.
- Virtual Server is configured with a TCP profile in which Verified Accept is enabled.
- Client sends the initial data to be sent on the ACK of the three-way-handshake.

Impact:
Depending on the scenario, this might:
- Result in the specific connection being reset.
- Eventually result in TMM being unable to process any further connections to virtual servers with Verified Accept enabled.

Workaround:
You can use the following workarounds:
- Disable Verified Accept in the TCP profile.
- Modify the iRule to run the commands in the CLIENT_ACCEPTED event once, by setting a variable and checking whether the variable has been set on subsequent runs.

Fix:
The BIG-IP system now correctly processes initial data on the ACK of a three-way handshake when used with Verified Accept so iRule processing does not run the CLIENT_ACCEPTED event twice.


530775-4 : Login page may generate unexpected HTML output

Solution Article: K23734425


530530-6 : tmsh sys log filter is displayed in UTC time

Solution Article: K07298903

Component: TMOS

Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.

Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:

Filter logs by hour.
Filter logs for less than 8 hours.

Impact:
tmsh does not filter the log correctly with 'range' filter.

Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.


530266-7 : Rate limit configured on a node can be exceeded

Component: Local Traffic Manager

Symptoms:
Rate limit configured on a node is not honored and is exceeded. The excess per second can be as much as 10 (100%) when the limit is configured as 10.

Conditions:
More than 1 tmm needs to be there. Rate limit needs to be configured on the node.

Impact:
Node rate limit feature does not work as intended.

Workaround:
Rate limit can be shifted from the node to pool member and it works.


530109-3 : OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Component: Access Policy Manager

Symptoms:
OCSP Agent does not honor the AIA setting in the client cert even though 'Ignore AIA' option is disabled.

Conditions:
-- User certificate has AIA configured.
-- Option 'Ignore AIA' is unchecked.
-- APM is configured.

Impact:
OCSP auth might fail as wrong URL is used.

Workaround:
1. Clean URL field.
2. Uncheck option 'Ignore AIA'.

Fix:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. This is correct behavior.

Behavior Change:
If the option 'Ignore AIA' is unchecked, APM uses AIA from certificate even if URL is configured for AAA OCSP responder. To use the configured URL, the 'Ignore AIA' setting has to be checked.


528499-3 : AFM address lists are not sorted while trying to create a new rule.

Component: Advanced Firewall Manager

Symptoms:
AFM address lists are not sorted while trying to create a new rule.

Conditions:
Seen only in the rule creation page.

Impact:
AFM address lists are not sorted in the rule creation page.

Workaround:
none

Fix:
AFM address lists are now sorted in the rule creation page.


527720-1 : Rare 'No LopCmd reply match found' error in getLopReg

Component: TMOS

Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.

This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.

This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.

Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.

Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.

Workaround:
None.


527206-5 : Management interface may flap due to LOP sync error

Component: TMOS

Symptoms:
An error that occurs while reading the management interface registers might cause incorrect interpretation of the management interface state, which might cause the management interface to flap.
Example error sequence:
-- warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.
-- err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0 : File mgmtif/BourneMgmtIfSvc.cpp Line 357.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.
-- warning chmand[7018]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x7 expected=0x5.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is DOWN.
...
notice chmand[7018]: 012a0005:5: Interface: 2/mgmt is UP.

Conditions:
This problem might occur rarely on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.

Impact:
The management interface on the affected blade or appliance might be down for several seconds, 15 seconds being a typical interval.

Workaround:
None.

Fix:
Rare Management interface flap due to LOP sync error no longer occurs on BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances and on VIPRION 2100, 2150, 2250 blades.


526708 : system_check shows fan=good on removed PSU of 4000 platform

Component: TMOS

Symptoms:
Running system_check on a 4000 platform with one PSU removed will still show status FAN=good; STATUS=good

Conditions:
This applies only to the BIG-IP 4000 platform.

Impact:
Fan shows status of 'good' when the PSU is removed. Reading the power supply status in the system_check output will show the PSU as down.

Fix:
If a PSU has been removed, system_check will now show status STATUS=not present


525580-1 : tmsh load sys config merge file filename.scf base command does not work as expected

Solution Article: K51013874

Component: TMOS

Symptoms:
The presence of base option indicates that only the base objects in the configuration should be considered for the save operation. The non-base objects in the configuration should be ignored.

However, this is not true for the following command:
tmsh load sys config merge file filename.scf base.

Conditions:
Running the command: tmsh load sys config merge file filename.scf base.

Impact:
This command ignores the base option. When specified with the merge option the base option is ignored. It merges the non-base configuration objects. It does not load only the base config objects as specified in the command.

Workaround:
None.

Fix:
tmsh load sys config merge file filename.scf base command now loads only the base config objects as specified in the command.


525429-11 : DTLS renegotiation sequence number compatibility

Component: Access Policy Manager

Symptoms:
OpenSSL library was modified to keep it compatible with RFC 6347 complaint DTLS server renegotiation sequence number implementation.

Conditions:
The old OpenSSL library is not compatible with RFC6347, the new OpenSSL library is modified to be compatible with RFC6347.
The current APM client is compatible with old OpenSSL library, not the new OpenSSL library.

Impact:
The current APM client is not compatible with new OpenSSL libary.

Fix:
The APM client is now compatible with both the old and new OpenSSL library.


524277-2 : Missing power supplies issue warning message that should be just a notice message.

Component: TMOS

Symptoms:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.

Conditions:
Running chassis with absent power supplies, or with power not applied, will cause ltm to issue warning messages.

Impact:
Extra logging.

Workaround:
Ignore missing power supply warning messages.

Fix:
Missing power supplies issue warning message in /var/log/ltm when the message should be just a notice.

Absent power supplies should be notice level, not warning level since this is a normal acceptable way of running a system.


523814-3 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections

Component: Local Traffic Manager

Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.

Clients that use HTTP/1.1 will result in fewer serverside connections being reused.

Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.

Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0

Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.

Inconsistent behavior as a result of client HTTP version.

Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.


523797-2 : Upgrade: file path failure for process name attribute in snmp.

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x. to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.


522302-2 : TCP Receive Window error messages are inconsistent on UI

Component: Local Traffic Manager

Symptoms:
Different invalid inputs for Receive Window resulted in inconsistent error messages in TMUI.

Conditions:
Input invalid options (e.g, -1 and 0) for TCP Receive Window in TMUI.

Impact:
User is presented with two different input ranges whereas for both invalid options one correct input range should have been present.

Workaround:
There is no workaround at this time.

Fix:
TMUI for TCP Receive Window is fixed for invalid inputs.


521370-1 : Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8

Component: Application Security Manager

Symptoms:
Auto-Detect Language policy has disallowed high ASCII meta-characters even after encoding is set to UTF-8, which results in suggestions for allowing meta-characters that cannot be accepted.

Conditions:
Auto-Detect Language policy is created, and then set to UTF-8 encoding.

Impact:
Suggestions for allowing high ASCII meta-characters cannot be accepted.

Fix:
Auto-Detect Language policy no longer contains disallowed high ASCII meta-characters.


521270-1 : Hypervisor might replace vCMP guest SYN-Cookie secrets

Component: TMOS

Symptoms:
Traffic suddenly stops passing on platforms in vCMP mode when SYN-cookie mode is triggered.

Occasionally, under HW-SYN-Cookie mode, HW-SYN-Cookie validation can fail, which triggers the software SYN-Cookie procedure, which does succeed.

Under vCMP guest, you might notice hwalgo_accept increasing under TMCTL table epva_hwvipstat. If this packet's destination is the local high-layer TCP stack, there is no functional impact. Otherwise, there might be a performance impact.

Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, which causes the connection issue.

Conditions:
vCMP provisioning setup.

Impact:
Under vCMP guest, you might notice hwalgo_accept increased under TMCTL table epva_hwvipstat, which, if under HW-SYN-Cookie mode, everything will be validated automatically by FPGA instead.

You might also notice hwalgo_invalid, if the FPGA used
the updated secret for SYN-Cookie generation from the hypervisor, and when guest and hypervisor secret index overlaps.

Even though guest and hypervisor secret index might not be the same, the history secret might be updated by hypervisor, which might trigger additional hwalgo_accept.

Under vCMP mirroring, however, the packet (failed to validate by FPGA), is sent to the remote TMM, which does not have the correct secret to validate, so the error rate could be higher.

Workaround:
On the vCMP hypervisor, run the following commands.

1. echo "EPVA::enable_secret_diag true" > /config/tmm_init.tcl.
2. bigstart restart TMM.

On a multiple blade system, you must run these commands on all blades.

Fix:
Hypervisor no longer replaces vCMP guest SYN-Cookie secrets.


521204-2 : Include default values in XML Policy Export

Component: Application Security Manager

Symptoms:
XML Policy Export does not include some entities, unless their values are different from the system's default settings.

Conditions:
-- ASM provisioned.
-- Configuration contains some entities whose values match the defaults.
-- Export security policy in XML format.

Impact:
XML Policy Export does not include those entities; it only includes entities when their values are different from the system's default settings

Workaround:
None.

Fix:
XML policy export operations now exclude defaults only when exporting a minimal XML configuration.


520877-1 : Alerts sent by the lcdwarn utility are not shown in tmsh

Component: TMOS

Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.

The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.

Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.

Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.

This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.

Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.

Workaround:
None. This is a cosmetic issue.


519612-1 : JavaScript challenge fails when coming within iframe with different domain than main page

Component: Application Security Manager

Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.

Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
  a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
  b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
  c. Device-ID (fingerprint)
  d. Web Scraping Bot Detection Challenge
  e. Proactive Bot Defense (with/without "Block Suspicious Browsers")

Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.

Workaround:
It is possible to workaround the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and DoS profile was not previously used.

The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.

1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
   a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
   b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
   c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/" } {
            BOTDEFENSE::cs_allowed true
        }
    }
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.

Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.


518201-4 : ASM policy creation fails with after upgrading

Component: Application Security Manager

Symptoms:
You cannot create an ASM security policy after upgrading to version 11.6.x. The system posts the following error message:
------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created at the command line or by the Configuration utility.

Conditions:
-- ASM provisioned
-- Upgrade to 11.6.x.

Impact:
ASM policies cannot be created.

Workaround:
As root user, from the command line of the affected BIG-IP system, run these exact commands (tip: you can copy and paste into the command line):
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

IMPORTANT: This operation permanently affects the mentioned database table. It is strongly advised that you first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:
---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, make sure that you need one. To determine that, run the following command:
---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------
In case this query does not return any output, meaning that there is no need for the workaround.

If you need the workaround, you can use the same "SELECT *" query to validate the workaround, after it has been applied. Namely, after the workaround was applied, the "SELECT *" query should return no output.

Fix:
This version fixes ASM policy creation so that it does not fail after upgrade.


517756-6 : Existing connections can choose incorrect route when crossing non-strict route-domains

Component: Local Traffic Manager

Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.

Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.

Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.

Workaround:
None.

Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.


516736-1 : URLs with backslashes in the path may not be handled correctly in Portal Access

Component: Access Policy Manager

Symptoms:
Safari, Chrome, Edge and Internet Explorer support backslashes in URL path and treat them as slashes. But Portal Access converts backslashes in URLs to slashes explicitly; this may cause unexpected results in some web applications. Note that FireFox has no such support.

Conditions:
HTML page with URL with backslashes in the path, for example:

<a href=http://some.com\some\path/file.ext>

Impact:
Web application may not work correctly.

Workaround:
In some cases it is possible to modify rewritten URLs by iRule.

Fix:
Now URLs with backslashes are supported correctly by Portal Access for all browsers except for Internet Explorer 7--9 and FireFox.


513310-1 : TMM might core when a profile is changed.

Component: Local Traffic Manager

Symptoms:
TMM might core when a profile is changed.

Conditions:
A "standard" type virtual server configured with the TCP or SCTP protocol profile, and a Persistence, Access or Auth profile. This issue might occur in either of the following scenarios:
-- Change profile on the active device.
-- Change profile on the standby device and perform a config sync to the active ones.

Impact:
TMM might core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now reinitializes the TCP proxy filter chain on profile change, so that tmm no longer cores.


513288-7 : Management traffic from nodes being health monitored might cause health monitors to fail.

Component: Local Traffic Manager

Symptoms:
Management traffic from nodes being health monitored might cause health monitors to fail.

Conditions:
Health monitor checking node_ip:port where 1024 is less than or equal to port, which is less than 65536. Node periodically connects back to management service on self IP (e.g., iControl, GUI, SSH).

Impact:
Traffic is not sent to the node while the monitor is failing.

Workaround:
None.

Fix:
Management traffic from nodes being health monitored no longer causes health monitors to fail.


511324-12 : HTTP::disable does not work after the first request/response.

Solution Article: K23159242

Component: Local Traffic Manager

Symptoms:
The HTTP::disable command does not work correctly after the first request is complete. If called during the second request (or response), then the connection is reset with an error message.

Conditions:
HTTP::disable is called in a request after the first. The pass-through data reaches the server-side before the server-side HTTP filter expects it.

Impact:
The connection is reset.

Workaround:
None.

Fix:
HTTP::disable now works correctly after the first request or response.


510631-1 : B4450 L4 No ePVA or L7 throughput lower than expected

Component: Performance

Symptoms:
L4 no ePVA and L7 performance was limited to as little as 146Gbps under some traffic conditions instead of the advertised capability of 160Gbps.

Conditions:
This occurs on the B4450 blade.

Impact:
Performance lower than expected

Fix:
Driver enhancements to 12.1.2 and 13.0 enable full 160G performance


509980-1 : Spurious HA group configuration errors can be displayed during reboot of other DSC cluster members.

Component: TMOS

Symptoms:
When a DSC cluster is configured using HA Groups, spurious HA group configuration errors can be displayed when rebooting another member of the DSC cluster.

These messages can appear in the output of the "show cm traffic-group", or on the Device Management -> Traffic Groups page.

Conditions:
HA-DSC Cluster with 2 or members. HA-Groups are configured on one or more traffic groups on all Cluster members.

A Cluster member is rebooted, and an administrator is viewing the Device Management- > Traffic Groups page, or issuing the "show cm traffic-group" .

Impact:
A message displaying that all traffic group(s) should have an HA Group configured may be incorrectly displayed. This has no affect on the operation of the system, and will clear once the cluster member has finished rebooting.

Workaround:
There is no workaround or mitigation other than upgrading to a release with the required fix.

Fix:
HA Daemon has been updated to correctly track the configuration of HA Groups on other devices during device reboots.


509858-5 : BIG-IP FastL4 profile vulnerability

Component: Local Traffic Manager

Symptoms:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Conditions:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Impact:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html

Fix:
For more information, see SOL36300805: BIG-IP FastL4 profile vulnerability, available at https://support.f5.com/kb/en-us/solutions/public/k/36/sol36300805.html


508113-3 : tmsh load sys config base merge file <filename> fails

Component: TMOS

Symptoms:
Save sys config file.

(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
  /var/local/scf/demo.scf
  /var/local/scf/demo.scf.tar

Try to load the base configuration within this file.

(tmos)# load sys config base merge file demo.scf
Loading configuration...
  /var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument

The error is from a system configuration, not user created.

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}

Basically the configuration fails to load all components for unprovisioned modules and features.

Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.

Impact:
tmsh load sys config base merge file <filename> fails.

Workaround:
None.

Fix:
The provisioning checks were modified to let this command succeed.


507240-4 : ICMP traffic cannot be disaggregated based on IP addresses

Solution Article: K13811263

Component: TMOS

Symptoms:
ICMP traffic might not be disaggregated evenly if there is not enough entropy from the ICMP header.

Conditions:
-- ICMP traffic has low entropy in ICMP header.
-- System is configured to disaggregate traffic.

Impact:
Traffic imbalance.

Workaround:
None.

Fix:
This release supports disaggregation of ICMP traffic based on IP addresses, in addition to ICMP headers. To enable the feature, use the following commands:

In v13.x:
 tmsh modify net dag-globals icmp-hash ipicmp

In v12.x:
 tmsh modify sys db dag.icmp_hash value ipicmp

Note: This feature cannot be used if the BIG-IP system translates IP addresses for ICMP traffic.


507206-1 : Multicast Out stats always zero for management interface.

Component: TMOS

Symptoms:
Multicast Out stats are always zero for the management interface.

Conditions:
Statistics information on the management interface.

Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.

Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.


506543-5 : Disabled ephemeral pool members continue to receive new connections

Component: Local Traffic Manager

Symptoms:
Disabled ephemeral pool members continue to be selected for new connections.

Conditions:
FQDN parent node is disabled causing its derived ephemeral pool members to be marked disabled.

Impact:
Unexpected traffic load balanced to disabled pool members

Workaround:
None.

Fix:
Traffic will no longer be load balanced to disabled ephemeral pool members.


504522-2 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.

Fix:
Values returned from the tmsh command 'ltm pool pool members monitor' no longer have a trailing space.


503842-4 : Microsoft WebService HTML component does not work after rewriting

Component: Access Policy Manager

Symptoms:
The Microsoft webservice.htc component provides JavaScript interface for SOAP services for Microsoft Internet Explorer (IE). It stops working after rewriting through reverse proxy.

Conditions:
-- Using Microsoft webservice.htc component.
-- Rewriting through reverse proxy.
-- Running IE.

Impact:
Microsoft WebService component stops working.

Workaround:
You can use the following iRule to work around this issue:
---
when HTTP_REQUEST {
  # Downgrade IE compatibility mode
  set downgrade_ie_compat 0
  if { [HTTP::path] contains "PreviewQualitySheet.aspx" } {
    set UAString [string tolower [HTTP::header User-Agent]]
    if { ! ($UAString contains "msie 8.") and ! ($UAString contains "msie 7.")} {
      set downgrade_ie_compat 8
    }
  }
  # do not rewrite WebService HTML Component
  # because IE ignores it after rewriting.
  # patching a few things manually instead
  set ms_webservice_fix 0
  if { [HTTP::uri] ends_with "webservice.htc"} {
    set ms_webservice_fix 1
    HTTP::uri "[HTTP::uri]?F5CH=I"
    if { [HTTP::version] eq "1.1" } {
      if { [HTTP::header is_keepalive] } {
        HTTP::header replace "Connection" "Keep-Alive"
      }
      HTTP::version "1.0"
    }
  }
}
when HTTP_RESPONSE {
  if { $downgrade_ie_compat > 0 && ! [HTTP::header exists X-UA-Compatible] } {
    HTTP::header replace "X-UA-Compatible" "IE=$downgrade_ie_compat"
  }
  if { $ms_webservice_fix == 1 } {
    if { [HTTP::header exists "Content-Length"] and \
        [HTTP::header "Content-Length"] > 0 and \
        [HTTP::header "Content-Length"] <= 1048576 } {
      HTTP::collect [HTTP::header Content-Length]
    } else {
      HTTP::collect 1048576
    }
  }
}
when HTTP_RESPONSE_DATA {
  if { $ms_webservice_fix == 1 } {
    set location [string first \
        {if (co.userName == null)} \
        [HTTP::payload]]
    if { $location > 0 } {
      HTTP::payload replace $location 0 {loc=F5_WrapURL(loc);}
    }
  }
  HTTP::release
}

Fix:
Microsoft WebService HTML component no longer stops working after rewriting.


501892-1 : Selenium is not detected by headless mechanism when using client version without server

Component: Application Security Manager

Symptoms:
DoSL7 Proactive Bot Defense (Block requests from suspicious browsers) detects selenium when the selenium server is running and a listener has opened on one of specific ports.

Conditions:
This occurs when ASM is provisioned with proactive bot defense enabled, when accessing the page for a first time.

Impact:
If a bot is running selenium client package only it is not being blocked by DoSL7 Proactive Bot Defense mechanism.

Workaround:
N/A

Fix:
Selenium detection mechanism has improved and if a bot uses FF or Chrome selenium driver it is detected by PBD's javascript code via checking existence of required chrome plugins and FF webdriver.


500452-8 : PB4300 blade doesn't disaggregate ESP traffic based on IP addresses in hardware

Solution Article: K28520025

Component: TMOS

Symptoms:
PB4300 blade tries to disaggregate the ESP traffic based on the IPsec ESP Security Parameter Index (SPI) value in hardware. But the blade used doesn't have that capability, which causes ESP traffic being sent to one HSB and results in throughput degradation.

Conditions:
When PB4300 receives ESP traffic.

Impact:
Throughput degradation.

Workaround:
None.

Fix:
The PB4300 blade now uses IP addresses to disaggregate ESP traffic in hardware, so throughput is no longer impacted.


495443-10 : ECDH negotiation failures logged as critical errors.

Solution Article: K16621

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


495242-3 : mcpd log messages: Failed to unpublish LOIPC object

Component: Local Traffic Manager

Symptoms:
The system posts the following error: err mcpd[7143]: 010716d6:3: Failed to unpublish LOIPC object for (loipc_name.1417443578.297505208). Call to (shm_unlink) failed with errno (2) errstr (No such file or directory).

Conditions:
This is an intermittent issue that occurs on standby systems in High Availability (HA) configurations. In this case, the system is attempting to remove a file/directory that does not exist. Either the file has already been removed or it was not created.

Impact:
This is a benign error that can be safely ignored.

Workaround:
None.

Fix:
The system now suppresses logging when attempting to delete non-existent file.


491560-1 : Using proxy for IP intelligence updates

Component: TMOS

Symptoms:
When connecting to the proxy server, the iprepd daemon doesn't send in CONNECT request the value of DB variable iprep.server but its locally resolved IP address.

Conditions:
The following DB variables are configured to use proxy:
proxy.host
proxy.port

This presents a problem when the proxy server is configured to allow only IPs that have a reverse lookup.

Impact:
When the proxy sees the traffic it denies it, because the reverse lookup for that server IP is not present.

Workaround:
Use one of the workarounds:

-- Do not use proxy.

-- Check the server IP address regularly and maintain proxy white list manually.

Fix:
Now the iprepd daemon sends CONNECT request with the value of DB variable iprep.server and lets the proxy server do the DNS lookup.


487144-2 : tmm intermittently reports that it cannot find FIPS key

Component: Global Traffic Manager (DNS)

Symptoms:
You may see the following critical error message in /var/log/ltm: "FIPS acceleration device failure: cannot locate key"

Conditions:
There is FIPS card in the BIG-IP and the key is retrieved. It is not known the exact conditions that cause this, but it seems to be related to GTM being enabled.

Impact:
SSL can not locate the key from the FIPS card, and SSL will not function properly.

Workaround:
None known, but restarting tmm or rebooting might correct the condition.

Fix:
There is now additional information in the error message that can help resolve the issue.


484542-1 : QinQ tag-mode can be set on unsupported platforms

Component: Local Traffic Manager

Symptoms:
tmsh does not validate QinQ tag-mode and allows invalid values to be set.

Conditions:
This occurs when trying to set QinQ tag-mode to values other than 'none' on unsupported platforms. Only platforms with ePVA support QinQ tagging.

Impact:
Although you can set !in! tag-mode, the configuration has no effect. There is no negative impact on system functionality.

Workaround:
Only configure QinQ tag-mode on the following platforms: BIG-IP 5050s/5250v/7050s/7250v/10050s/10250v and VIPRION B2150 SSD-based models.

Fix:
QinQ tag-mode is now properly validated when configuring a VLAN via tmsh.


483953-1 : Cached route MTUs may be set to the value of TM.MinPathMTU even if the path MTU is lower than that value.

Component: Local Traffic Manager

Symptoms:
ICMP type 3 code 4 (needsfrag) messages are elicited when TMM transmits packets at the TM.MinPathMTU size if the path MTU is lower than that value.

Conditions:
Path MTU discovery results are cached by default. If a client responds to an IP datagram with an ICMP needsfrag message with a very small MTU (smaller than the value of the TM.MinPathMTU database variable), the cached path MTU value will be set to the TM.MinPathMTU value even though this still isn't able to traverse the path.

This can affect multiple endpoints when a low MTU is advertised by an endpoint (misconfigured or malicious) behind a shared NAT address.

Impact:
TMM may use and enforce a low path MTU for clients capable of handling a higher path MTU, but may use an MTU too high to reach clients whose path MTU is lower than TM.MinPathMTU.

This metric will live for 10 minutes by default.

Workaround:
This issue has no workaround at this time.
The route metric lifetime can be lowered using route.metrics.timeout db key.

Fix:
Path MTUs lower than the value of TM.MinPathMTU will no longer be cached by TMM.


480983-4 : tmrouted daemon may core due to daemon_heartbeat

Component: TMOS

Symptoms:
In rare instances, tmrouted for dynamic routing may core with a message similar to the following: warning sod[8953]: 01140029:4: HA daemon_heartbeat tmrouted fails action is restart.

Conditions:
This is a rarely occurring issue that occurs due to timing-related interactions in dynamic routing operations.

Impact:
tmrouted cores and restarts.

Workaround:
None.

Fix:
tmrouted now operates normally under these conditions.


479471-1 : CPU statistics reported by the tmstat command may spike or go negative

Solution Article: K00342205

Component: TMOS

Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to a issue with how per-blade statistics are collected.

Conditions:
Error in the timing of statistics collection such that display is incorrect.

Impact:
Incorrect display of CPU statistics.

Workaround:
There is no workaround.

Fix:
The CPU statistics display has been fixed.


478986 : Powered down DC PSU is treated as not-present

Component: TMOS

Symptoms:
When power is removed from the PSU but the PSU remains in the system, 'tmsh show sys hardware' reports the PSU as 'not-present'.

Conditions:
This occurs when an installed DC powered PSU loses power, and the user runs the command 'tmsh show sys hardware'.

Impact:
Only the message is incorrect. Although the PSU is present, the system cannot read its data without power, so the system marks the PSU 'not present'. Once power is restored, all information is available.

Workaround:
Plug the power cable into the PSU. The system can now detect the power supply status and read the PSU info.


474797-7 : Nitrox crypto hardware may attempt soft reset while currently resetting

Component: Local Traffic Manager

Symptoms:
Nitrox crypto hardware may attempt soft reset to clear a stuck condition while already engaged in a soft reset attempt.

Conditions:
Soft reset is needed to clear a stuck condition occurring in the timeframe during which another soft reset is occurring.

Impact:
The initial soft reset attempt does not complete as the process is restarted by the new attempt.

Workaround:
Correct the condition resulting in the need for the soft reset to clear the stuck condition or disable hardware-based crypto acceleration by setting db variable 'tmm.ssl.cn.shunt' to disable.

To disable hardware-based crypto acceleration issue the following command:

tmsh modify sys db tmm.ssl.cn.shunt value disable

Note: Disabling hardware-based crypto acceleration results in all crypto actions being processed in software, which might result in higher CPU and memory usage based on traffic patterns.

Fix:
A crypto soft reset attempt is now allowed to complete before another soft reset attempt can occur.


472860-5 : RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Component: Policy Enforcement Manager

Symptoms:
The RADIUS session statistics for the subscribers created with an iRule running on the RADIUS virtual server are not incremented.

Conditions:
Session created via iRule running on the RADIUS virtual server.

Impact:
RADIUS session statistics are not incremented.

Workaround:
None.

Fix:
The session statistics for sessions created by RADIUS is now incremented whenever the user runs an iRule on the RADIUS virtual server, that creates a new session.


472571-7 : Memory leak with multiple client SSL profiles.

Component: Local Traffic Manager

Symptoms:
If multiple client SSL profiles are attached to a virtual server, memory will leak each time any profile is changed.

Conditions:
Multiple client SSL profiles are attached to a virtual server.

Impact:
Memory will leak a small amount of memory.

Workaround:
None.

Fix:
Multiple client SSL profiles attached to a virtual server no longer causes memory to be leaked.


471860-10 : Disabling interface keeps DISABLED state even after enabling

Solution Article: K16209

Component: TMOS

Symptoms:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface still shows DISABLED.

Conditions:
This occurs when using both tmsh and the GUI.

Impact:
The state of the interface remains DISABLED. However, the interface passes traffic after enabling.

Workaround:
You can reboot correct the indicator.

Fix:
When you disable an interface, the state shows DISABLED. When you enable that interface, the indication for the interface now shows ENABLED.


471237-2 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guests in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.


471029-2 : If the configuration contains a filename with the $ character, then saving the UCS fails.

Component: TMOS

Symptoms:
If the configuration contains a filename or username with the $ character, then saving the UCS fails. Examples of filenames include cm cert cache-path and cm key cache-path.

tmsh save sys ucs <ucs-id> fails for such configuration.

The error displayed appears similar to the following.:
Fatal: executing: md5sum /var/tmp/filestore_temp/files_d/Common_d/certificate_d/:Common:?><.crt_53783_1
Operation aborted.
/var/tmp/configsync.spec: Error creating package.

Conditions:
Filenames or username in configuration contain $ character. For example, cm cert cache-path or cm key cache-path.

Impact:
Saving UCS fails.

Workaround:
Do not use the $ character as part of the filenames or usernames in the configuration.


467709-1 : FQDN nodes or pool members show Green (Available) when DNS responds with NXDOMAIN

Component: Local Traffic Manager

Symptoms:
FQDN nodes and pool members show a status of Green (Available) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response.

Conditions:
This occurs when the DNS server returns an NXDOMAIN response for the configured FQDN name.

Impact:
FQDN nodes and pool members may appear to be Available when no ephemeral nodes/pool members have been created.

Workaround:
None.

Fix:
FQDN nodes and pool members show a status of Yellow (Unavailable) when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This issue is resolved by the FQDNv2 feature re-implementation in this version of the software.

Behavior Change:
FQDN ephemeral nodes are now deleted when the DNS server responds to the FQDN name resolution query with an NXDOMAIN response. This change in behavior was introduced by the FQDNv2 feature re-implementation in this version of the software.


466068-1 : Allow setting of the AAA Radius server timeout value larger than 60 seconds

Component: Access Policy Manager

Symptoms:
Sometimes 60 sec timeout for AAA Radius server is not enough especially when users need to provide input. Following error message will be displayed when user tries to set timeout value greater than 60 :

"01090676:3: The requested timeout value (120) out of range for aaa radius server (/Common/test-radius-server). (1-60)"

Conditions:
This only occurs whenever following conditions are met:
- APM is licensed and provisioned
- AAA Radius server is configured
- Radius Auth agent is included in the access policy

Impact:
Users can not set timeout value to more than 60 sec for AAA Radius server. If response time is more than 60 sec from AAA Radius server, users may not login and access resources if two factor auth is configured.

Workaround:
There is no workaround.

Fix:
Increased the AAA Radius Server timeout range from 0-60 to 0-180.


464801-3 : Intermittent tmm core

Component: Local Traffic Manager

Symptoms:
tmm intermittently cores. Stack trace signature indicates "packet is locked by a driver"

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an intermittent tmm core


464650-4 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.

Fix:
Failure of mcpd with invalid authentication context no longer occurs.


463314-2 : Enabling ASM AJAX blocking response page feature causing cross domain AJAX requests to fail

Component: Application Security Manager

Symptoms:
When AJAX blocking response page feature is enabled, ASM's pre-injected javascript code adds a custom header to each outgoing ajax request. Adding the header to a cross domain ajax request forces browsers to send an OPTIONS preflight request, if a back-end server doesn't not treat the pre-flight request properly, the request will fail resulting in broken functionality of a web application.

Conditions:
Provision asm, attach asm policy to a virtual server and configure Enable AJAX blocking response page feature.

Impact:
Broken cross domain ajax requests

Workaround:
Disable AJAX blocking response page feature in ASM policy.

Fix:
Avoid adding custom headers to cross domain ajax request.


463097-3 : Clock advanced messages with large amount of data maintained in DNS Express zones

Component: Local Traffic Manager

Symptoms:
Clock advanced messages with a large amount of data maintained in DNS Express (DNSX) zones, the TMM can suffer from clock advances when performing the DB reload.

Conditions:
Large enough zones into DNSX (several hundred thousand to several million records depending on hardware).

Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.

Workaround:
Prevent all updates to DNSX zones.

Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones has been significantly improved. DNSX DB now reside in /shared to resolve DB size issues.


462043-2 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Component: Local Traffic Manager

Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner'; a packets inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.

Conditions:
On 5000 and C2400 platforms.

Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.

Workaround:
None.

Fix:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.


460833-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This symptom may occur under the following conditions:

1. Two or more VIPRION chassis are configured in a device sync group.
2. File objects (such as SSL certificates) are added/modified/deleted on one chassis in the group.
3. These changes are synchronized to other members of the device sync group.
4. While the previous changes are still being synchronized to all blades in all chassis in the device sync group, an overlapping set of file objects are added/modified/deleted on a chassis in the group (typically the same chassis as in step 2).
5. While the previous sync operation is still in progress, these subsequent changes are synchronized to other members of the device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.

Fix:
After performing one set of file-object modifications and synchronizing those changes to the HA group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing additional file-object changes.


459671-4 : iRules source different procs from different partitions and executes the incorrect proc.

Component: Local Traffic Manager

Symptoms:
iRules source different procs from different partitions and executes the incorrect proc.

Conditions:
Multiple iRule procs defined in multiple admin partitions.

Impact:
iRules "proc" lookup algorithm is not deterministic, or Virtual Servers are improperly caching and sharing the lookup results.

Workaround:
To work around this issue, ensure all iRule proc names defined in the BIG-IP configuration are unique.


456376-4 : BIG-IP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32

Solution Article: K53153545

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI. When trying to add '::ffff:0.0.0.0/96' to an address list or directly to a rule the system posts an error: Error parsing IP address: ::ffff:0.0.0.0/96.

Conditions:
-- IPv4-mapped-IPv6 notation in the configuration.
-- Adding prefix length greater than 32.

Impact:
Cannot successfully specify an IPv4-mapped-IPv6 block to be configured in AFM firewall rule (and possibly other AFM configurations as well).

Workaround:
To drop the IPv4-mapped-IPv6 block, enable the following DoS db variable: dos.dropv4mapped.

Fix:
You can now use tmsh for IPv4-mapped-IPv6 notation with prefix length greater than 32.


455975-1 : Separate MIBS needed for tracking Access Sessions and Connectivity Sessions

Component: Access Policy Manager

Symptoms:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Conditions:
Using SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns.

Impact:
Using MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description.

Workaround:
This issue has no workaround at this time.

Fix:
Access Sessions and Connectivity Sessions are now exposed correctly in SNMP MIBS.


452283-2 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

Fix:
Fixed MP_FASTCLOSE handling.


448409-1 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle

Solution Article: K15491

Component: TMOS

Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect.

Conditions:
This affects the ConfigSync communication channel if configured.

Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.

Workaround:
You can avoid this issue by using the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the following command: tmsh load sys config partitions all.

Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.


447565-5 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Solution Article: K33692321

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.


442231-4 : Pendsect log entries have an unexpected severity

Component: TMOS

Symptoms:
Pendsect logs non-errors with a 'warning' severity.

Conditions:
This occurs when pendsect is executed.

Impact:
Unexpected log entries. When pendsect is executed and does not find any disk errors, it logs the following at the warning level: warning pendsect[21788]: pendsect: /dev/sdb no Pending Sectors detected. This is not an error. The message is posted at the incorrect severity level and does not indicate a problem with the BIG-IP system.

Workaround:
None needed. This is cosmetic.

Fix:
Adjusted severity level of various logs generated by pendsect script, so that informational messages are not logged as warnings.


441079-2 : BIG-IP 2000/4000: Source port on NAT connections are modified when they should be preserved

Solution Article: K55242686

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is modifying the source port on NAT connections.

Conditions:
This occurs when NAT is configured on the BIG-IP system. This occurs on BIG-IP 2000/4000 hardware platforms.

Impact:
This impacts any applications where the source port is expected to be preserved.

Workaround:
None.

Fix:
The source port is always preserved for NAT connections.

Behavior Change:
The source port is always preserved for NAT connections.


440620-2 : New connections may be reset when a client reuses the same port as it used for a recently closed connection

Component: Local Traffic Manager

Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.

Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.

Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.

Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.

Fix:
Improved abort handling to better clean up hanging connections.


436116-1 : The tcpdump utility may fail to capture packets

Component: TMOS

Symptoms:
Although packets are flowing correctly through the BIG-IP system, the tcpdump utility may capture no packets when certain command options are used.

Conditions:
This issue occurs when all of the following conditions are met:

- You configure tcpdump to listen for packets on a physical interface (e.g., -i 1.1).

- You configure tcpdump to save the packets to a file in binary format (e.g., -w /var/tmp/example.pcap).

- You configure tcpdump to produce verbose output while capturing packets (e.g., -v, -vv or -vvv).

Impact:
The tcpdump utility does not capture any packets, which may create confusion for a BIG-IP Administrator performing troubleshooting on the system. This issue does not affect the traffic-passing abilities of the system, however.

Workaround:
You can work around this issue by starting the tcpdump utility without the -v, -vv or -vvv verbose output options.


434821-1 : Remote logging of staged signatures and staged sets

Component: Application Security Manager

Symptoms:
There is no option to see matched staged signature in the remote logging

Conditions:
A user has remote logger configured. There is no configuration option to see the stage signatures.

Impact:
A user without local logger can't make good decisions about the staged signatures

Workaround:
Add a local logger

Fix:
Added staged signatures ids, names and sets to the remote logger .


434573-6 : Tmsh 'show sys hardware' displays Platform ID instead of platform name

Solution Article: K25051022

Component: TMOS

Symptoms:
While running a version of BIG-IP older than the most recent release on a new hardware platform (recently purchased or recently acquired through RMA exchange), the 'tmsh show sys hardware' command may display the Platform ID code in place of the official F5 platform name.

For example, the 'tmsh show sys hardware' command may display a Platform ID like the following:

Platform
  Name D113

instead of the official platform marketing name, such as:

Platform
  Name BIG-IP 10000F

Conditions:
This may occur if the version of BIG-IP software installed is not the most recent release, and the hardware platform is a newer variant (due to added hardware features or other manufacturing change) than was originally supported by the older BIG-IP software release.

Impact:
Custom automation scripts which depend on correctly matching F5 platform marketing names may fail to match the platform ID.

Workaround:
Update platform-identification scripts to include the relevant platform IDs among the recognized match values.

Fix:
update Hot Fix Rollups to display Platform name.


433678-2 : A monitor removed from GTM link cannot be deleted: 'monitor is in use'

Solution Article: K32401561

Component: Global Traffic Manager (DNS)

Symptoms:
A monitor removed from GTM link cannot be deleted. Attempting to delete the monitor results in an error message similar to the following: 01070083:3: Monitor /Common/custom_gtm_mon is in use.

Conditions:
Deleting a custom monitor that was formerly used by a GTM link.

1. Create a custom GTM monitor that can be used on a link.
2. Create a GTM link, and add the custom monitor to it.
3. Remove the monitor from the link.
4. Attempt to delete the monitor.

Impact:
Unable to delete monitor.

Workaround:
Reload the GTM config and delete the monitor.

Fix:
This release enables deletion of a monitor removed from GTM link, and no monitor-in-use error message is returned.


433357 : Management NIC speed reported as 'none'

Component: TMOS

Symptoms:
Sometimes,after mcpd get restarted, mcpd didn't get management port nic speed information from chmand, "tmsh show net interface" could shows the speed of mgmt interface as "none".

Conditions:
Management interface is up and then restart mcpd.

Impact:
"tmsh show net interface" commands can't show correct management speed.

Workaround:
Use "bigstart restart chmand" to restart chmand.

Fix:
Fixed.


431840-3 : Cannot add vlans to whitelist if they contain a hyphen

Component: Advanced Firewall Manager

Symptoms:
When attempting to add a vlan to the DoS protection whitelist and the vlan contains a hyphen, the following validation error is returned:

01071792:3: Vlan should be numeric form as vlan number / mask

Conditions:
Adding a vlan containing a hyphen to the whitelist

Impact:
Unable to add vlans that contain a hyphen

Workaround:
Instead of using the vlan by name, just specify the vlan tag #. Ignore the drop down menu offering the vlan names.


424542-5 : tmsh modify net interface with invalid interface name or attributes will create an interface in cluster or VE environments

Component: TMOS

Symptoms:
tmsh modify net interface commands with either invalid interface names, or invalid attribute names will appear to create new interfaces.
An invalid interface will show up in "show net interfaces"

Conditions:
Only happens on clustered or virtual environments, not on appliances.

Impact:
Cosmetic only - extraneous interfaces show up in tmsh show net interface.

Workaround:
guishell -c "delete from interface where name='12345/is_this_correct'"


423629-3 : bigd cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted

Solution Article: K08454006

Component: Local Traffic Manager

Symptoms:
bigd restarts once, and afterwards, subsequent pings from the monitor fails.

Conditions:
This can occur when assigning an ICMP monitor to a pool member, and specifying a route domain that does not exist.

Impact:
For bigd, a single restart is actually harmless. The invalid config will cause monitor failures, since the route domain no longer exists, the pool member will be marked down.

Workaround:
None.

Fix:
bigd no longer cores when route-domain tagged to a pool with monitor as gateway_ICMP is deleted.


423392-6 : tcl_platform is no longer in the static:: namespace

Component: Local Traffic Manager

Symptoms:
In previous versions of iRules, the variable tcl_platform was readable as: 'set myvar static::tcl_platform'. However with recent changes, the variable is in the global, not static namespace and should be accessed as '::tcl_platform'.

Conditions:
This occurs on pre-11.4.0 iRules that use the variable 'static::tcl_platform'.

Impact:
iRules that worked properly under earlier versions can result in runtime Tcl exceptions (disrupting traffic) after an upgrade to v11.4.0 or later, if those iRules reference static::tcl_platform.

Workaround:
To map tcl_platform into the static namespace in an iRule, use the following: when RULE_INIT { upvar #0 tcl_platform static::tcl_platform }. Or you can use ::tcl_platform instead of static::tcl_platform. Note: The latter workaround might demote a virtual server from CMP. For more information, see K14544: The tcl_platform iRules variable is not in the static:: namespace, available here: https://support.f5.com/csp/#/article/K14544.


421797-3 : ePVA continues to accelerate IP Forwarding VS traffic even in Standby

Component: TMOS

Symptoms:
When the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, the traffic sent to the virtual servers with hardware acceleration enabled will continue to be accelerated by the ePVA hardware on the original active unit (current standby unit). These offloaded flows will eventually be evicted after the failover switch period (16 second by default) though, and it does not affect the new active unit (original standby unit) to offload the flows to hardware for acceleration. As a result, accelerated traffic can still be observed on the standby unit.

Conditions:
When a failover event happens in a redundant configuration with virtual servers that have hardware acceleration enabled.

Impact:
No performance impact or traffic interruption. You might observe unexpected traffic on standby unit.

Workaround:
None. This is a cosmetic issue.

Fix:
The standby unit now evicts the accelerated flows from the ePVA hardware after the failover event. This is correct behavior.


419741-3 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms

Component: Local Traffic Manager

Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.

Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.

Impact:
In rare situations, the TMM crashes.

Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not be verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.


418349-2 : Update/overwrite of FIPS keys error

Component: TMOS

Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:

crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR

Note that this error is logged on any FIPS-related error, it might be this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.

Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.

Impact:
Sync of the FIPS key fails.

Workaround:
If you are encountering this, you can do the following workaround.

Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.

- Detach all keys/certs from all SSL Profiles and delete all keys via script on the standby System
- Run “tmsh show sys crypto fips” and verify all keys have been deleted
- Run a configsync with override and verify the sync has been carried out successfully.


418009 : Hardware data display inaccuracies

Component: TMOS

Symptoms:
Sensor location fields show truncated. The Part Number and the PCA titles appear to be not right for some platforms because of the specific nature of the titles.

Conditions:
When displaying the hardware details you could see the problems in the sensor data and in the Hardware Version Information. This appears when running the command tmsh show sys hardware

Impact:
Missing sensor location data, and inaccuracy when naming the titles of the hardware characteristics.

Fix:
Fixed the truncation problem for the sensor location increasing the size of the data used for retrieving it; and used Part Number and PCA to have generic titles that apply to all platforms.


412817-3 : BIG-IP system unreachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.

Component: TMOS

Symptoms:
The BIG-IP system is unreachable for IPv6 traffic via PCI pass-through interfaces, because current ixgbevf drivers do not support multicast receive.

Conditions:
When configured to see IPv6 traffic on a PCI pass-through interface, the BIG-IP guest is not able to see this traffic.

Impact:
PCI pass-through interfaces are unable to see IPv6 traffic.

Workaround:
None.

Fix:
BIG-IP system is now reachable for IPv6 traffic via PCI pass-through interfaces as current ixgbevf drivers do not support multicast receive.


401815-1 : BIG-IP system may reset the egress IP ToS to zero when load balancing SIP traffic

Component: Service Provider

Symptoms:
The BIG-IP system resets the egress IP ToS to zero (0). As a result of this issue, you may encounter the following symptoms:

-- A packet capture on the affected traffic shows the DSCP value in the DS field is set to zero for SIP packets egressing from the BIG-IP system.
-- Traffic priority failure for SIP traffic egressing from the BIG-IP system, which may also cause voice quality degradation.

Conditions:
This issue occurs when all of the following conditions are met:

-- A virtual server is configured with both a SIP and UDP profile.
-- The IP ToS setting in the UDP profile is set to Pass Through.

The IP ToS setting controls the Differentiated Services Code Point (DSCP) values of the Differentiated Services (DS) field in the IP header. This information is used in Quality of Service (QoS) configurations to give specific traffic priority on the network. By resetting the DSCP values to zero, the SIP traffic egressing from the BIG-IP system does not receive the expected priority while traversing through the network.

Impact:
SIP traffic egressing the BIG-IP system does not receive the expected priority. This issue may cause voice quality degradation.

Workaround:
To work around this issue, you can use the following iRule to preserve the DSCP values when passing through the BIG-IP system:

when CLIENT_ACCEPTED {
   set client_tos [IP::tos]
}
when SERVER_CONNECTED {
  IP::tos $client_tos
}

Fix:
The BIG-IP system now propagates the ToS bit from ingress flow to the egress flow.


400778 : Message: err chmand[5011]: 012a0003:3: Physical disk CF1/HD1 not found for logical disk delete

Component: TMOS

Symptoms:
On a VIPRION system during failover in which the blade transitioning from secondary to primary, log messages make it appear that chmand is looking to delete logical disks on CF1 and HD1.

Conditions:
This occurs on VIPRION systems.

Impact:
The ltm log displays messages: -- err chmand[6909]: 012a0003:3: Physical disk CF1 not found for logical disk delete'. -- err chmand[6909]: 012a0003:3: Physical disk HD1 not found for logical disk delete'.

Workaround:
None. These messages are benign and you can safely ignore them.


400550 : LCD listener error during shutdown

Component: TMOS

Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93

Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.

Impact:
This occurs on shutdown and is cosmetic, and can be ignored.

Workaround:
None.

Fix:
The system now detects and handles the interruption during shutdown, to exit cleanly without error messages.


393270-1 : Configuration utility may become non-responsive or fail to load.

Component: TMOS

Symptoms:
While doing normal operations via the configuration utility, the status indicators may become non-responsive or fail to load, the GUI could become very sluggish, and you could be unable to load the GUI, or you could be taken to the license activation screen.

Conditions:
This has been reported most frequently when deleting local users (Access Policy :: Local User DB : Manage Users), but has been encountered in other ways. The issue might require deleting a user and then remaining on the Manage Users page until an internal timeout of approximately 10 minutes passes.

Impact:
Unable to log into the GUI or GUI shows blank page

Workaround:
Run the command 'bigstart restart tomcat' or reboot the BIG-IP system.

Fix:
Configuration utility now responds as expected when deleting local users (Access Policy :: Local User DB : Manage Users), or under other conditions in which an internal timeout results in GUI non-responsiveness because of an incomplete transaction close.


392121-3 : TMSH Command to retrieve the memory consumption of the bd process

Component: Application Security Manager

Symptoms:
There is no tmsh commands to retrieve the memory consumption of the bd process.

Conditions:
tmsh commands don't show bd process memory usage.

Impact:
Difficult to diagnose memory consumption issues.

Workaround:
Review messages individually in /var/log/ts/bd.log.

### For ASM bd current memory consumption use the following grep command

cat /ts/log/bd.log | grep "UMU: total"
UMU: total 106 ( 0M) VM (1639M) RSS (164M) SWAP ( 0M) trans 0
UMU: total 106 ( 0M) VM (1639M) RSS (163M) SWAP ( 0M) trans 0
UMU: total 5 ( 0M) VM (1612M) RSS (163M) SWAP ( 0M) trans 0

### For XML memory consumption in bd process do the following on a big-ip.

*WARNING*: The following steps enable debug prints to the bd.log it may cause to an excessive io, handle with care on production boxes.

1. add the following 3 lines the /etc/ts/bd/logger.cfg

MODULE=BD_XML;
LOG_LEVEL=TS_INFO | TS_DEBUG;
FILE = 2;

2. Run a CLI tool.
/usr/share/ts/bin/set_active.pl --update_logger_cfg

To stop the debug prints, remove the 3 mentioned lines from the logger.cfg file and run the CLI tool again.

Fix:
The following command now reports memory consumption of the bd process:
tmctl asm_memory_util_stats

For specific fields -s option can be used, for example:
tmctl asm_memory_util_stats -s total_xml_mem_used,total_xml_max_mem


389484-6 : OAM reporting Access Server down with JDK version 1.6.0_27 or later

Component: Access Policy Manager

Symptoms:
Cannot connect to Access Server.

When running eamtest tool to check the functionality between OAM and the access server are working correctly, the following error is seen:

Preparing to connect to Access Server. Please wait.

Access Server you specified is currently down. Please check your Access Server.oamconfig[2368]: Could not configure OAM

Conditions:
The problem occurs only when OAM server is installed with JDK version 1.6.0_27 or later.

Impact:
Cannot connect to backend OAM server using BIG-IP AccessGate.

Workaround:
Install older version of JDK than v1.6.0_27.

Fix:
Applied OAM ASDK patch given by Oracle, so OAM no longer reports Access Server down with JDK version 1.6.0_27 or later.


386517-1 : Multidomain SSO requires a default pool be configured

Component: Access Policy Manager

Symptoms:
When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after logon, the user will be redirected back to another logon page.

Conditions:
Any use case of multidomain SSO where there is no pool configured on the virtual servers, and there is not a webtop assigned.

Impact:
There are two known use cases where this is commonly encountered. 1) LTM + Secure Connectivity virtuals do not usually have a default pool configured.
2) The pool is being configured through an iRule

Workaround:
When configuring multidomain SSO, always assign a default pool to the virtual server.

Fix:
Some of the logic in ACCESS was updated to add consideration of dynamic pool assignments (eg. iRules) in addition to the default pool. Default pool is no longer needed for multidomain SSO.


371164-1 : BIG-IP sends ND probes for all masquerading MAC addresses on all VLANs, so MAC might associated with multiple VLANs.

Component: Local Traffic Manager

Symptoms:
Since traffic groups are not bound to any specific VLAN, so Neighbor Discovery (ND) for link-local addresses go out on all VLANs. This occurs because traffic groups are not bound to any particular VLAN or interface. Since MAC is bound to the traffic group, it is not bounded to particular VLAN either.

Conditions:
Using MAC masquerade addresses on VLANs. TMM creates new link-local address for each masquerading MAC. Thus, the same link-local address might be used on all interfaces, which means that the system might use the same MAC on different VLANs.

For example, in the following configuration, you might expect that traffic-group-1 and MAC 02:23:e9:74:e2:c4 are bound only to VLAN Internal. However, you can create another self IP address, assign it to different VLANs or route domains, and have them be part of the same traffic group. A traffic group is about availability and not about routing or partitioning.


Configuration
===========
net self 10.10.10.10%1 {
    address 10.10.10.10%1/23
    allow-service {
        default
    }
    floating enabled
    traffic-group traffic-group-1
    unit 1
    vlan Internal
}.

Impact:
Although this is intended functionality, some users might not expect the behavior. BIG-IP sends ND probes for all masquerading addresses on all VLANs. Although switches typically build up forwarding tables per VLAN, there are some switches that might not correctly, which results in failure to forward packets as expected. That might impact other traffic, including IPv4.

Workaround:
Set the db variable tm.macmasqaddr_per_vlan to True. This ensures that a single source MAC is associated with a single VLAN ID, and is guaranteed to be unique per VLAN.


370131-4 : Loading UCS with low GTM Autoconf Delay drops pool Members from config

Component: Global Traffic Manager (DNS)

Symptoms:
Pool members loaded from the UCS are not in the configuration. If there are objects dependent on them, this may prevent the GTM config from loading completely.

Conditions:
GTM and LTM are enabled, Autoconf Delay is very low, there are GTM autoconfigured pool members from LTM virtual servers, and subsequently a UCS is loaded.

Impact:
GTM config loaded from the UCS might be overwritten and Pool Members might be lost from it.

Workaround:
bigstart stop gtmd during UCS load, or set the autoconf delay to be much higher than the time required to load the UCS.

Fix:
Loading UCS with low GTM Autoconf Delay now completes correctly.


367226-4 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets send by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Fix:
TMM no longer modifies the source port of RIP traffic.


366695-1 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.

Conditions:
Someone of "Manager" roll attempts to create/modify/delete a GTM datacenter, link, server, prober-pools, or topology objects.

Impact:
Error message thrown

Workaround:
Error thrown is correct, but user's shouldn't be able to even get this far in tmsh.

Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.


355806-7 : Starting mcpd manually at the command line interferes with running mcpd

Component: TMOS

Symptoms:
Starting mcpd at the command line while mcpd is running causes issues.

Conditions:
Having a running mcpd and executing mcpd at the command line.

Impact:
Various issues on the system, such as some utilities may no longer interact with mcpd, etc.

Workaround:
Don't try to use the mcpd directly.

Fix:
You are now told the PID of the current mcpd and the executed command will exit abnormally.


353229-2 : Buffer overflows in DIAMETER

Solution Article: K54130510


352957-4 : Route lookup after change in route table on established flow ignores pool members

Solution Article: K03005026

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.

Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.


273104-2 : Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps

Component: Local Traffic Manager

Symptoms:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Conditions:
Always.

Impact:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Fix:
Each TCP connection starts with a random Timestamp. Disabled by default. Sys db tm.tcpsendrandomtimestamp can be used to enable/disable TCP random Timestamp.


251162-3 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Solution Article: K11564

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.


248914-4 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address

Solution Article: K00612197

Component: Local Traffic Manager

Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.

Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.

Impact:
This may cause destination lookup failures on the layer 2 network.

Workaround:
Use transparent mode instead of translucent mode on the vlangroup.

Fix:
ARP and NDP replies sent from the BIG-IP to a vlangroup use the vlangroup MAC address as the layer 2 source address.


246726-1 : System continues to process virtual server traffic after disabling virtual address

Solution Article: K8940

Component: Local Traffic Manager

Symptoms:
A virtual address is defined as the IP address with which you associate one or more virtual servers. A virtual server is represented by an IP address and a service. The BIG-IP system continues to process traffic for virtual servers after disabling the related virtual address.

Conditions:
When a virtual address is disabled in LTM, TMM still processes traffic for the virtual IP addresses on that virtual address. For example, if you define virtual servers of 10.10.10.2:80, and 10.10.10.2:443 on the BIG-IP system, then 10.10.10.2 is the virtual address. If you disable the virtual address of 10.10.10.2, the BIG-IP system continues to process traffic for the virtual servers.

Impact:
Traffic is still processed.

Workaround:
Disable virtual servers instead. For more information, see SOL8940: The BIG-IP system processes traffic for virtual servers after disabling the virtual address, available here: https://support.f5.com/csp/#/article/K8940

Fix:
When disabling a VIP in LTM the VIP no longer passes traffic. This is correct behavior.

Behavior Change:
When disabling a VIP in LTM the VIP no longer passes traffic.


238444-3 : An L4 ACL has no effect when a layered virtual server is used.

Solution Article: K14219

Component: Access Policy Manager

Symptoms:
A layer 4 ACL is not applied to the network access tunnel. As a result of this issue, you may encounter the following symptoms:

-- Unexpected network traffic may be allowed to pass.
-- Expected network traffic may be blocked.

Conditions:
This issue occurs when the following conditions are met:

-- The APM virtual server is targeting a layered virtual server, such as an SSO layered virtual server.
-- The referenced BIG-IP APM access policy is configured with a layer 4 ACL.
-- When an ACL is applied to a BIG-IP APM access policy, the access policy dynamically creates an internal layered virtual server that is used to apply the ACL. However, if the BIG-IP APM virtual server targets a layered virtual server, such as an SSO layered virtual server, traffic bypasses the dynamically-created internal layered virtual server and the ACL is not applied.

Impact:
Access control using a layer 4 ACL will not work. This may allow unwanted traffic to pass, or can block valid traffic.

Workaround:
None. However, a layer 7 ACL may be implemented if the network traffic is HTTP.

Fix:
With this fix, an admin needs to perform below tasks:

1. Create an iRule similar to the following:

when CLIENT_ACCEPTED {
        ACL::eval
}

2. Attach this iRule to admin-defined layered virtual servers.


225634-1 : The rate class feature does not honor the Burst Size setting.

Component: Local Traffic Manager

Symptoms:
The rate class feature does not honor a Burst Size setting other than the default of 0 (zero).

The Burst Size setting is intended to specify the maximum number of bytes that traffic is allowed to burst beyond the base rate configured for the rate class. When the burst rate is set to zero, no bursting is allowed.

Conditions:
When using a non-default Burst Size setting for a single rate class, the setting does not have the intended effect of allowing traffic to burst beyond the base rate configured for the rate class. When using a non-default Burst Size setting for a rate class referencing a hierarchical rate class (a child class referencing a parent class), traffic processed by the rate class may cause TMM to panic and generate a core file.

Impact:
Traffic does not burst beyond the base rate configured for the rate class. In the case of hierarchical rate classes, the BIG-IP may temporarily fail to process traffic.

Workaround:
To work around this issue, you can disable the Burst Size setting by changing the value to zero. To do so, perform the following procedure:

Impact of workaround: None.

1. Log in to the Configuration utility.
2. Click Network.
3. Click Rate Shaping.
4. Click the appropriate rate class.
5. Change the Burst Size to 0.
6. Click Update.

Fix:
The fix for this issue results in disabling the burst feature temporarily.

Note: Neither the GUI nor tmsh prevent you from configuring the burst feature, but the settings have no effect.

Behavior Change:
The burst feature is now disabled for rate shaping. Although you can configure the burst size setting, it has no effect.


222034-4 : HTTP::respond in LB_FAILED with large header/body might result in truncated response

Component: Local Traffic Manager

Symptoms:
If HTTP::respond is called in LB_FAILED with large headers and/or body, the response might be truncated. The Content-Length header value is correct; it is the content itself that is truncated.

Conditions:
This issue occurs when all of the following conditions are met: -- HTTP::respond is used in the LB_FAILED event to return a large response. -- No other TCP data has been sent to the client.

Impact:
The response sent by the BIG-IP system will be truncated. For example, with slow-start enabled, and no data sent to the client yet, the response will be truncated after two packets. Other TCP profile configurations will truncate at different points.

Workaround:
To work around this issue modify the iRule. For example, instead of directly using HTTP::Respond inside of an LB_FAILED event, perform a 302 Redirect to another URI, which can then be handled by an unaffected event. For more information, see K9456: Using the HTTP::respond iRule command in the LB_FAILED event may result in truncated responses, available here: https://support.f5.com/csp/#/article/K9456.



Known Issues in BIG-IP v12.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
694897-4 1-Blocking   Unsupported Copper SFP can trigger a crash on i4x00 platforms.
652223-1 1-Blocking K50325308 BWC: Non-TCP data going through Category can make policy active
603093 1-Blocking   AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system
810593-5 2-Critical   Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade
792285-4 2-Critical   TMM crashes if the queuing message to all HSL pool members fails
789973 2-Critical   Tmm crash while using IPsec
780817-3 2-Critical   TMM can crash on certain vCMP hosts after modifications to VLANs and guests.
780437-5 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777993-4 2-Critical   Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same
770953-5 2-Critical   'smbclient' executable does not work
770741 2-Critical   NIC Tx Engine hang causing ixgbevf interface (SR-IOV) flipping
769817-5 2-Critical   BFD fails to propagate sessions state change during blade restart
767013-5 2-Critical   Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch
758929 2-Critical   Bcm56xxd MIIM bus access failure after TMM crash
756830-3 2-Critical   BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
755549 2-Critical   TMM crash and core
746464-4 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
743271-2 2-Critical   Querying vCMP Health Status May Show Stale Statistics
743082-3 2-Critical   Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members
737322-1 2-Critical   tmm may crash at startup if the configuration load fails
737055-3 2-Critical   Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
724556-1 2-Critical   icrd_child spawns more than maximum allowed times (zombie processes)
711683-4 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
708968-4 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
703669-3 2-Critical   Eventd restarts on NULL pointer access
693246-1 2-Critical   SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.
680556-2 2-Critical   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
673147-1 2-Critical K01350083 Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.
667114-1 2-Critical K32622880 TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
648270-4 2-Critical   mcpd can crash if viewing a fast-growing log file through the GUI
644135 2-Critical K53342451 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics
621260-5 2-Critical   mcpd core on iControl REST reference to non-existing pool
613542-2 2-Critical K81463390 tmm core while running the iRule STATS:: command
608511-2 2-Critical K22141268 Message router profile is not inheriting the traffic-group from the parent folder
811053-5 3-Major   REBOOT REQUIRED prompt appears after failover and clsh reboot
809657-5 3-Major   HA Group score not computed correctly for an unmonitored pool when mcpd starts
809509-3 3-Major   Resource Admin User unable to download UCS using Rest API.
808277-1 3-Major   Root's crontab file may become empty
806881-4 3-Major   Loading the configuration may not set the virtual server enabled status correctly
804477-1 3-Major   Log HSB registers when parts of the device becomes unresponsive
803833-1 3-Major   On Upgrade or UCS Restore Decryption of the sym-unit-key Field for vCMP Guest Fails
802493-1 3-Major   Hardware syncookies on some hardware platforms may retrieve the wrong mss
800185-1 3-Major   Saving large config into UCS may fail
795685-4 3-Major   Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer
794501-5 3-Major   Duplicate if_indexes and OIDs between interfaces and tunnels
791061-4 3-Major   Config load in /Common removes routing protocols from other partitions
788645 3-Major   BGP does not function on static interfaces with vlan names longer than 16 characters.
788577-2 3-Major   BFD sessions may be reset after CMP state change
788557-2 3-Major   BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior
783985 3-Major   Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call
783113-2 3-Major   BGP sessions remain down upon new primary slot election
782613-2 3-Major   Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp
776081 3-Major   The F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed values are not meaningful on a VE
773577-4 3-Major   SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted
772497-2 3-Major   When BIG-IP is configured to use a proxy server, updatecheck fails
769029-3 3-Major   Non-admin users fail to create tmp dir under /var/system/tmp/tmsh
767305-4 3-Major   If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried
765969-4 3-Major   Not able to get HSB register dump from hsb_snapshot on B4450 blade
764873-5 3-Major   An accelerated flow transmits packets to a dated, down pool member.
762073-3 3-Major   Continuous TMM restarts when HSB drops off the PCI bus
761833 3-Major   PostgreSQL database disk usage over 2GB without AFM
760950-1 3-Major   Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment
760439-1 3-Major   After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status
760259-1 3-Major   Qkview silently fails to capture qkviews from other blades
760222-4 3-Major   SCP fails unexpected when FIPS mode is enabled
757709 3-Major   Routing daemon NSM cores if any of interface indexes of VLANs, Tunnels or VLAN Groups are identical to loopback and tmm interfaces of Route Domains where these VLANs, Tunnels or VLAN Groups are located
757520 3-Major   After a software upgrade, the BIG-IP system does not use the correct hostname for logging.
755976 3-Major   ZebOS might miss kernel routes after mcpd deamon restart
754460 3-Major   No failover on HA Dual Chassis setup using HA score
754132-1 3-Major   A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command
753860-2 3-Major   Virtual server config changes causing incorrect route injection.
753423-3 3-Major   Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation
753001-4 3-Major   mcpd can be killed if the configuration contains a very high number of nested references
752994-4 3-Major   Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
751409-4 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-1 3-Major   i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-4 3-Major   One or more TMM instances may be left without dynamic routes.
749785-3 3-Major   nsm can become unresponsive when processing recursive routes
748608 3-Major   IPsec / ESP traffic pinned to TMM 0 for SP-Dag on 4000s/4200v, 2000s/2200v platforms
748323 3-Major   It is possible for the archive.tm2 file to not get cleaned up
747799-3 3-Major   'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile
746657-4 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
745309 3-Major   Self IP route is not updated in a routing table if there is more than one route with the same destination signature
744913 3-Major   Tmm may be killed during snapshot creation on VMware ESXi
744520-4 3-Major   virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-4 3-Major   BGP route map community value: either component cannot be set to 65535
743895 3-Major   Upgrades from 10.2.x fail due to empty virtual address lines in the configuration
743132-3 3-Major   mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742877 3-Major   tmm may fail a heartbeat on VE if unscheduled by busy hypervisor
742753-1 3-Major   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
741902-4 3-Major   sod does not validate message length vs. received packet length
740517-4 3-Major   Application Editor users are unable to edit HTTPS Monitors via the Web UI
740203 3-Major   Installing a certificate or key may fail for a remote user
740135-4 3-Major   Traffic Group ha-order list does not load correctly after reset to default configuration
739872-3 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
739820-4 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739533-3 3-Major   In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
739118-4 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
738943-1 3-Major   imish command hangs when ospfd is enabled
738543-1 3-Major   Dynamic route with recursive nexthop might cause tmrouted restart
738359 3-Major   Log output does not reflect BIG-IP system timezone setting
737901-1 3-Major   Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
737536-5 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
737346-4 3-Major   After entering username and before password, the logging on user's failure count is incremented.
733585-2 3-Major   Merged can use %100 of CPU if all stats snapshot files are in the future
727467-3 3-Major   Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.
727297-4 3-Major   GUI TACACS+ remote server list should accept hostname
727191-4 3-Major   Invalid arguments to run sys failover do not return an error
726416-1 3-Major   Physical disk HD1 not found for logical disk create
726174 3-Major   Slow response times when expandSubcollections set to true
725791-3 3-Major   Potential HW/HSB issue detected
725620 3-Major   Corrupted HSB RQM configuration causes HSB receive failures on 5000s/5200v, 5050s/5250v/5250v-F platforms
725427 3-Major   OPT-0036-01 does not report DDM tx power alarms or tx power warnings
724706 3-Major   iControl REST statistics request causes CPU spike
724109-5 3-Major   Manual config-sync fails after pool with FQDN pool members is deleted
723579-3 3-Major   OSPF routes missing
722380-3 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721740-3 3-Major   CPU stats are not correctly recorded when snapshot files have timestamps in the future
721020-4 3-Major   Changes to the master key are reverted after full sync
720569-2 3-Major   BIG-IP Source IP cmp-hash setting is distributing traffic unequally
718800-3 3-Major   Cannot set a password to the current value of its encrypted password
715061-1 3-Major   vCMP: tmm core in guest when stopping vCMP guest from host
714626-1 3-Major K30491022 When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
713708-3 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712266-2 3-Major   Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware
712033-1 3-Major   When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
711879 3-Major   Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.
711158-1 3-Major K25280801 Admin user roles automatically demoted to guest
710841 3-Major   12.1.3.3 feature refinement might be lost after upgrade
710039 3-Major   Merging config may not report syslog configuration errors
709559-3 3-Major   LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
708803 3-Major   Remote admin user with misconfigured partition fallback to "All"
707320-1 3-Major   Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
702310-2 3-Major   The ':l' and ':h' options are not available on the tmm interface in tcpdump
701722-2 3-Major   Potential mcpd memory leak for signed iRules
701341-2 3-Major K52941103 If /config/BigDB.dat is empty, mcpd continuously restarts
700897-3 3-Major   sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
700794-2 3-Major   Cannot replace a FIPS key with another FIPS key via tmsh
700426-2 3-Major K58033284 Switching partitions while viewing objects in GUI can result in empty list
700250-1 3-Major K59327012 qkviews for secondary blade appear to be corrupt
699091-1 3-Major   SELinux denies console access for remote users.
698933-3 3-Major   Setting metric-type via ospf redistribute command may not work correctly
698844 3-Major   LCD splash screen may display incorrect platform name on iSeries appliance
698619-1 3-Major   Disable port bridging on HSB ports for non-vCMP systems
698599 3-Major   Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.
698597 3-Major K10300436 BIG-IP fails to go active after cryptographic hardware has recovered from a failure
698594 3-Major K53752362 Cave Creek Crypto hardware reports a false positive of a stuck queue state
698462 3-Major   TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections
698429-3 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
698038 3-Major K05730807 TACACS+ system auth file descriptor leaks when servers are unreachable
698034-2 3-Major   PKCS12 file imported via Configuration utility into folder is placed at partition root
698013-4 3-Major K27216452 TACACS+ system auth and file descriptors leak
696731-1 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
695090 3-Major   In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled
693578-1 3-Major   switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0
693563-3 3-Major K22942093 No warning when LDAP is configured with SSL but with a client certificate with no matching key
692753-3 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
691749-3 3-Major   Delete sys connection operations cannot be part of TMSH transactions
690890-3 3-Major   Running sod manually can cause issues/failover
689779 3-Major   VE HyperV packet drops under load due to interrupt distribution
689567-3 3-Major   Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
688406-3 3-Major K14513346 HA-Group Score showing 0
687617-3 3-Major   DHCP request-options when set to "none" are reset to defaults when loading the config.
687172 3-Major   Pools do not appear as expected after deploying iApp via iWorkflow
687115-1 3-Major   SNMP performance can be impacted by a long list of allowed-addresses
686816-3 3-Major   Link from iApps Components page to Policy Rules invalid
686626-2 3-Major   The BIG-IP system may connect to an OCSP server using an unexpected source IP address
684096-1 3-Major   stats self-link might include the oid twice
683135-4 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
681782-4 3-Major   Unicast IP address can be configured in a failover multicast configuration
681009-2 3-Major   Large configurations can cause memory exhaustion during live-install
680917-2 3-Major   Invalid monitor rule instance identifier
679605-1 3-Major   Device groups with no members will cause upgrade to fail
679027 3-Major   Rare memory corruption in tmrouted while license is being reset
678456-2 3-Major   ZebOS BGP peer-group configuration not fixed up on upgrade
677485-2 3-Major   Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
676442-2 3-Major K37113440 Changes to RADIUS remote authentication may not fully sync
675742 3-Major   Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores
675298-1 3-Major   F5 MIB value types changed to become RFC compliant
674997 3-Major   It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.
674957-1 3-Major   If a certificate is stored in DER format, exporting it using the GUI corrupts the output.
674328-3 3-Major   Multicast UDP from BIG-IP may have incorrect checksums
673952 3-Major   1NIC VE in HA device-group shows 'Changes Pending' after reboot
673640 3-Major   Log messages for virtual server status changes are not immediately logged.
673241 3-Major   Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.
672063-1 3-Major K38335326 Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.
671553-2 3-Major   iCall scripts may make statistics request before the system is ready
671372-2 3-Major K01930721 When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.
671261-2 3-Major K32306231 MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo
671236-2 3-Major K27343382 BGP local-as command may not work when applied to peer-group
671178 3-Major K20274760 Date/time change after configuring HA may impair configuration sync
669585-3 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
669241-1 3-Major   Cannot create stateless virtual servers with ip-protocol set to 'gre'.
667618-2 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
667476 3-Major   Upgrade and config load can fail if a data group record of type string contains a tab character
667082-2 3-Major   Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
666117-4 3-Major   Network failover without a management address causes active-active after unit1 reboot
660895-2 3-Major   TMM can crash if TMM count is greater than licensed throughput
658850 3-Major   Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
658036-2 3-Major K04651090 Honoring negotiated MSS for TCP segmentation
657912-1 3-Major   PIM can be configured to use a floating self IP address
657834-2 3-Major K45005512 Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
657727-2 3-Major K39694060 Running tcpdump from TMSH cannot capture the local "tmm" interface
653928 3-Major   On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.
651136-2 3-Major K36893451 ReqLog profile on FTP virtual server with default profile can result in service disruption.
648873-3 3-Major K93513131 Traffic-group failover-objects cannot be retrieved via iControl REST
648621-1 3-Major   SCTP: Multihome connections may not expire
648316-3 3-Major K10776106 Flows using DEFLATE decompresion can generate error message during flow tear-down.
647834-4 3-Major   Failover DB variables do not correctly implement 'reset-to-default'
647151-1 3-Major   CPU overtemp condition threshold is 75C
645206-4 3-Major K23105004 Missing cipher suites in outgoing LDAP TLS ClientHello
644979-2 3-Major   Errors not logged from hourly 1k key generation cron job
643799-1 3-Major   Deleting a partition may cause a sync validation error
643459-3 3-Major K81809012 Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
642422-2 3-Major   BFD may not remove dependant static routes when peer sends BFD Admin-Down
641582-1 3-Major   Rarely, an HSB transmitter failure occurs
641543-1 3-Major   bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.
641450 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
641001 3-Major   BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
640054-1 3-Major   Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled
639774-5 3-Major K30598276 mysqld.err rollover log files are not collected by qkview
638089-1 3-Major   LACP and CMP state simultaneous fail on A112 and A113 platform
637979-1 3-Major   IPsec over isession not working
637279 3-Major   Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.
633824-2 3-Major K39319200 Cannot add pool members containing a colon in the node name
633172 3-Major K12473201 External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command
632825-5 3-Major   bcm56xxd crash following 'silent' port-mirror configuration failure
632204-1 3-Major K22568472 Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions
631046 3-Major   Unable to generate a FIPS key using the GUI
629834-4 3-Major   istatsd high CPU utilization with large number of entries
627760-3 3-Major   gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
626589-6 3-Major K73230273 iControl-SOAP prints beyond log buffer
626226-1 3-Major   Large SSL certificate bundle export by GUI silently fails
625901-1 3-Major   SNAT pools allow members in different partitions to be assigned, but this causes a load failure
625215-1 3-Major   unic: flow redirects for non-default cmp-hash on untagged VLANs
624626-3 3-Major   Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
624580-1 3-Major K37147352 BigDB.dat may become truncated
623488-4 3-Major   Custom adaptive reaper settings may be lost at upgrade time
623371-1 3-Major   After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
623367-1 3-Major K57879554 When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
623265-4 3-Major K15645547 UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt
620969-3 3-Major   iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.
620954-3 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
620311-1 3-Major   GUI Failover Unicast Address information incorrect
619419 3-Major   Workaround for Software Installation Failures in TMUI
618982-1 3-Major   IPSEC + chassis behavior for case secondary blades on-off switch.
618319-5 3-Major K58255321 HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked
618137-1 3-Major   Native IXLV: New tagged VLAN does not work after several restarts of tmm
617875-1 3-Major   vCMP guest may fail to start due to not enough hugepages
617643-1 3-Major   iControl.ForceSessions enabled results in GUI error on certain pages
614808-1 3-Major   Running qkview with option -c (--complete) fails if there is an encrypted key
614648-1 3-Major   Unable to upload software image larger than 2GB using the GUI
614493-1 3-Major   BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.
612086-3 3-Major K32857340 Virtual server CPU stats can be above 100%
612083 3-Major   Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.
609200-2 3-Major   Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.
609186-5 3-Major   TMM or MCP might core while getting connections via iControl.
606330-4 3-Major   The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.
606032 3-Major   Network Failover-based HA in AWS may fail
605891-1 3-Major   Enable ASM option disappears from L7 policy actions
605840-5 3-Major   HSB receive failure lockup due to unreceived loopback packets
605800-3 3-Major   Web GUI submits changes to multiple pool members as separate transactions
605675-1 3-Major   Sync requests can be generated faster than they can be handled
603772-1 3-Major   Floating tunnels with names more than 15 characters may cause issues during config-sync.
602193-4 3-Major   iControl REST call to get certificate fails if
601414-5 3-Major   Combined use of session and table irule commands can result in intermittent session lookup failures
600944-1 3-Major   tmsh does not reset route domain to 0 after cd /Common and loading bash
600732-2 3-Major   IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description
598650-1 3-Major   apache-ssl-cert objects do not support certificate bundles
597818-2 3-Major   Unable to configure IPsec NAT-T to "force"
597564-3 3-Major   'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items
596826-5 3-Major   Don't set the mirroring address to a floating self IP address
596815-1 3-Major   System DNS nameserver and search order configuration does not always sync to peers
596020-3 3-Major   Devices in a device-group may report out-of-sync after one of the devices is rebooted
595868-1 3-Major   HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.
595617-1 3-Major K40420553 Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.
595317-4 3-Major   Forwarding address for Type 7 in ospfv3 is not updated in the database
593845-3 3-Major K24093205 VE interface limit
593361-1 3-Major   The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.
591708-1 3-Major   HSB may drop off of PCI bus
591305-4 3-Major   Audit log messages with "user unknown" appear on install
589856-2 3-Major   IControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients
588646-1 3-Major   Use of Standard access list remarks in imish may causes later entries to fail on add
588028-1 3-Major   Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up
587821-5 3-Major K91818030 vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
584041 3-Major   forward slash '/' is used in the description field, admin user will be demoted to guest.
580499-2 3-Major K34082034 Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.
579035-5 3-Major K46145454 Config sync error when a key with passphrase is converted into FIPS.
575368-5 3-Major   Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
571333-8 3-Major K36155089 fastL4 TCP handshake timeout not honored for offloaded flows
570845-3 3-Major K00334323 Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy
569968 3-Major   snmpd core during startup
569859-2 3-Major   Password policy enforcement for root user when mcpd is not available
569331-3 3-Major   Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP
569281-6 3-Major K33242855 L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot
567490-2 3-Major   db.proxy.__iter__ value is overwritten if it's manually set
544568-5 3-Major   Flows for a FastL4 profile that are forwarded may now be accelerated.
535122-8 3-Major   [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
528295-6 3-Major K40735404 Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.
524193-5 3-Major   Multiple Source addresses are not allowed on a TMSH SNMP community
524123-1 3-Major   iRule ISTATS::remove does not work
516167-2 3-Major K21382264 TMSH listing with wildcards prevents the child object from being displayed
509497-1 3-Major   VCMP guests on a specific host may be restarted when that host system experiences large date/time changes
499348-5 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging
489499-3 3-Major   chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd
469366-3 3-Major K16237 ConfigSync might fail with modified system-supplied profiles
455066-2 3-Major   Read-only account can save system config
438574-1 3-Major   Web UI: iSession Profile properties page displays incorrect parent profile name.
375434-6 3-Major   HSB lockup might occur when TMM tries unsuccessfully to reset HSB.
291256-5 3-Major   Changing 'Minimum Length' and 'Required Characters' might result in an error
247527-2 3-Major K14890 Mgmt interface cannot be disabled via tmsh
224665-2 3-Major K12711 Proxy Exclusion List setting is not aware of administrative partitions
810377 4-Minor   Provide a full reset to factory defaults, as if the device was just out-of-the-box
805325-5 4-Minor   tmsh help text contains a reference to bigpipe, which is no longer supported
761981 4-Minor   information in snmpd.conf files may be overwritten
761084-2 4-Minor   Custom monitor fields appear editable for Auditor, Operator, or Guest
759852-3 4-Minor   SNMP configuration for trap destinations can cause a warning in the log
750413 4-Minor   UTF-8 character in subject of a certificate used for iQuery cannot be removed
746152-4 4-Minor   Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column
743815-4 4-Minor   vCMP guest observes connflow reset when a CMP state change occurs.
740957 4-Minor   'fips_get_key_attr(): mod_err = 0xa9' message seen in /var/log/ltm
740461 4-Minor   Certificate or key upload in the GUI may occasionally fail with 'General database error"
724994-1 4-Minor   API requests with 'expandSubcollections=true' are very slow
723988-3 4-Minor   IKEv1 phase2 key length can be changed during SA negotiation
723111 4-Minor   mailx is blocked by SELinux Policy
722647-1 4-Minor   The configuration of some of the Nokia alerts is incorrect
721526-1 4-Minor   tcpdump fails to write verbose packet data to file
719770-4 4-Minor   tmctl -H -V and -l options without values crashed
719241 4-Minor   Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.
713947-3 4-Minor   stpd repeatedly logs "hal sendMessage failed"
713183 4-Minor   Malformed JSON files may be present on vCMP host
713138 4-Minor   TMUI ILX Editor inserts an unnecessary linefeed
713134-3 4-Minor   Small tmctl memory leak when viewing stats for snapshot files
712241-1 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
710410-1 4-Minor   TMM hardware accelerated compression not registering for all compression levels.
708415 4-Minor   Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
706106-1 4-Minor   PUT request sent to ltm/virtual failed because of ip-protocol property value any
703509-1 4-Minor   Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
702615-1 4-Minor   During reboot to another volume, the GUI login page becomes prematurely available
698991 4-Minor K64258832 CPU utilization on i850 is not a reliable indicator of system capacity
697766-3 4-Minor   Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
696363 4-Minor   Unable to create SNMP trap in the GUI
692172-2 4-Minor   rewrite profile causes "No available pool member" failures when connection limit reached
691491-3 4-Minor K13841403 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
690781 4-Minor   VIPRION systems with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests
689147-1 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
687343-3 4-Minor   Running 'load sys config merge verify' will add new users to the PostGres database
685582-5 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
685233-2 4-Minor K13125441 tmctl -d blade command does not work in an SNMP custom MIB
683029-2 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
678117-1 4-Minor   'Can't create a home directory' logged for remote users on secondary blades after configsync
675368-2 4-Minor   Unable to reorder rules when one of the rule names contain % or /
673573 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
671025 4-Minor   File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured
670691 4-Minor K02331705 Unable to list ntlm profile in different root folder or partition
663911-2 4-Minor   When running out of memory, MCP can report an incorrect allocation size
660760-1 4-Minor K75105750 DNS graphs fail to display in the GUI
659888-1 4-Minor   Profiles with names that contain percentage signs cannot be accessed in TMUI
658943 4-Minor   Errors when platform-migrate loading UCS using trunks on vCMP guest
655484-1 4-Minor K69912019 GUI LTM Pool Statistics Page running out of memory with large number of Pools
650019-2 4-Minor   The commented-out sample functions in audit_forwarder.tcl are incorrect
647812-3 4-Minor   /tmp/wccp.log file grows unbounded
640863-2 4-Minor K29231946 Disabling partition selector in DNS Resolver's Forward Zones
640489 4-Minor K53571714 iSeries LCD alerts screen returns to splash screen intermittently
638960-2 4-Minor   A subset of the BIG-IP default profiles can be incorrectly deleted
638893-1 4-Minor   Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
636823-3 4-Minor   Node name and node address
636164 4-Minor   Remote IP not working in IE 8
636163 4-Minor   Certificate Key Chain not working in IE 8
636031-4 4-Minor K23313837 GUI LTM Monitor Configuration String adding CR for type Oracle
634014 4-Minor   Absolute timers may fire one second early during the leap second event
633495 4-Minor   Cannot switch between partitions in Local Traffic :: Policies
630795-1 4-Minor   No guestagentd entry in merged.conf
627221-1 4-Minor   iControl SOAP doesn't support displaying all possible media options for interfaces
626279-1 4-Minor   After reboot LCD reports "unit going standby" even if it has gone active.
625428-1 4-Minor   SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
624909-2 4-Minor   Static route create validation is less stringent than static route delete validation
623536-2 4-Minor   SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
623313 4-Minor   After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.
620522-1 4-Minor   Some expected command output are missing in qkview
618889-1 4-Minor   Clicking the policies list tab does not refresh the policies list on click.
611054-1 4-Minor   Network failover "enable" setting is sometimes ignored on chassis systems
606799-1 4-Minor K16703796 GUI total number of records not correctly initialized with search string on several pages.
591732-2 4-Minor   Local password policy not enforced when auth source is set to a remote type.
590415-1 4-Minor   Partition can be removed when remote role info entries refer to it
589862-6 4-Minor   HA Grioup percent-up display value is truncated, not rounded
587804-1 4-Minor   Symmetric Unit Key decrypt failure on base load
586348-1 4-Minor   Network Map Pool Member Parent Node Name display and Pool Member hyperlink
584788-1 4-Minor   Directed failover of HA pair using only hardwire failover will fail
584504-2 4-Minor K36912228 Allowing non-English characters on login screen
583777-5 4-Minor K33230520 [TMSH] sys crypto cert missing tab completion function
583084-5 4-Minor K15101680 iControl produces 404 error while creating records successfully
582595-2 4-Minor K52029952 default-node-monitor is reset to none for HA configuration.
582127-1 4-Minor K55138704 VE OVA logrotate max-file-size too big for /var/log partition size
581865-2 4-Minor K11053914 6900, 8900, 8950, or 11050 platforms missing swap storage
571727-1 4-Minor K52707821 'force-full-load-push' is not tab expandable
571017-1 4-Minor   Extra log messages seen on optics removal.
565755 4-Minor   Dashboard does not work when custom port is used for management port.
514703-1 4-Minor   gtm listener cannot be listed across partitions
501258-2 4-Minor   Unable to modify 'gtm region region-members' via iControl REST
484683-4 4-Minor K84174454 Certificate_summary is not created at peer when the chain certificate is synced to HA peer.
479262-4 4-Minor   'readPowerSupplyRegister error' in LTM log
476544-2 4-Minor   mcpd core during sync
769145-4 5-Cosmetic   Syncookie threshold warning is logged when the threshold is disabled
713519-3 5-Cosmetic   Enabling MCP Audit logging does not produce log entry for audit logging change
679431-3 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header
676395-1 5-Cosmetic   Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.
653273 5-Cosmetic   "Unexpected Error" showing traffic-selector default-traffic-selector
633568 5-Cosmetic   Pool statistics page doesn't show all pool members in IE8 with compatibility view
617578-2 5-Cosmetic   Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware
617161-1 5-Cosmetic   Cosmetic: duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers.
603092-5 5-Cosmetic   "displayservicenames" does not apply to show ltm pool members
602390-2 5-Cosmetic K87506901 Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.
594228-2 5-Cosmetic   Resetting mgmt interface statistics doesn't work on VE or VCMP
590399-1 5-Cosmetic K11304001 Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.
571634-1 5-Cosmetic   tmstat CPU values can be incorrect
570013 5-Cosmetic   TCP Analytics Profile section in virtual server UI has erroneous caption
542347-2 5-Cosmetic   Denied message in audit log on first time boot
396273-2 5-Cosmetic   Error message in dmesg and kern.log: vpd r/w failed


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
757510-4 2-Critical   Class name mismatch is not caught
757441-1 2-Critical   Specific sequence of packets causes Fast Open to be effectively disabled
747617-4 2-Critical   TMM core when processing invalid timer
745589-3 2-Critical   In very rare situations, some filters may cause data-corruption.
743950-3 2-Critical   TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled
724906-2 2-Critical   sasp_gwm monitor leaks memory over time
722893-7 2-Critical   TMM can restart without a stack trace or core file after becoming disconnected from MCPD.
721571-3 2-Critical   State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade
706505-1 2-Critical   iRule table lookup command may crash tmm when used in FLOW_INIT
683454 2-Critical K99294671 HTTP::header command may crash TMM on an erroneous argument
673095 2-Critical   Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'
670893-1 2-Critical   Sensitive monitor parameters recorded in monitor logs
663925-5 2-Critical   Virtual server state not updated with pool- or node-based connection limiting
662296-1 2-Critical   Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address
639764-2 2-Critical   Crash when searching external data-groups with records that do not have values
634369-2 2-Critical   Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes
618463-2 2-Critical   artificial low route mtu can cause SIGSEV core from monitor traffic
615303-2 2-Critical K47381511 bigd crash with Tcl monitors
603690-2 2-Critical K82210057 CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.
586862-2 2-Critical K30859144 Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.
801329 3-Major   When OneConnect profile is used, pool selection might be pinned to one pool
796993-2 3-Major   Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs
795933-5 3-Major   A pool member's cur_sessions stat may incorrectly not decrease for certain configurations
794505-1 3-Major   OSPFv3 IPv4 address family route-map filtering does not work
793669-3 3-Major   FQDN ephemeral pool members on HA pair doesn't get properly synced of the new session value
790205-1 3-Major   Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core
785509 3-Major   Modifying fields such as chain, trusted certificate authorities in client SSL profile, and/or chain in cert-key-chain belonging to the same client SSL profile might not be reflected in TMM
785481-5 3-Major   A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached
784565-5 3-Major   VLAN groups are incompatible with fast-forwarded flows
783145-1 3-Major   Pool gets disabled when one of its pool member with monitor session is disabled
770477-4 3-Major   SSL aborted when client_hello includes both renegotiation info extension and SCSV
766169-1 3-Major   Replacing all VALN interfaces resets VLAN MTU to a default value
760050-5 3-Major   cwnd warning message in log
758437-3 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-5 3-Major   Optimistic ACKs degrade Fast L4 statistics
757505-1 3-Major   peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket
757029-5 3-Major   Ephemeral pool members may not be created after config load or reboot
756812 3-Major   Nitrox 3 instruction/request logger may fail due to SELinux permission error
756647-4 3-Major   Global SNAT connections do not reset upon timeout.
756313-5 3-Major   SSL monitor continues to mark pool member down after restoring services
755997-3 3-Major   Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address
755791-5 3-Major   UDP monitor not behaving properly on different ICMP reject codes.
755727-4 3-Major   Ephemeral pool members not created after DNS flap and address record changes
755631-4 3-Major   UDP / DNS monitor marking node down
755250 3-Major   Clock advanced messages when modifying a virtual server with 1000 SSL profiles
754604-1 3-Major   iRule : [string first] returns incorrect results when string2 contains null
754349-1 3-Major   FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4
753805-2 3-Major   BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.
753526-4 3-Major   IP::addr iRule command does not allow single digit mask
752530-4 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-4 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
752078-3 3-Major   Header Field Value String Corruption
751427 3-Major   LTM policy rule condition does not match server-name in ssl-extension
751036-4 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
750473-2 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
750204-1 3-Major   Add support for P-521 curve in the X.509 chain to SSL LTM
750200-4 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
747077-2 3-Major   Potential crash in TMM when updating pool members
746355 3-Major   A client SSL handshake fails when client hello extension contains only unsupported groups
745663-1 3-Major   During CMP forward, nexthop data may miss at large packet split
743900-4 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
743896 3-Major   Gratuitous ARP not sent on interface up
742838-4 3-Major   A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition
741345 3-Major   Adaptive monitor gateway_icmp does not function correctly with two nodes
738450-4 3-Major   Parsing pool members as variables with IP tuple syntax
734692-1 3-Major   Incorrect prefix of ICMP error messages in NAT64
726734-2 3-Major   DAGv2 port lookup stringent may fail
726319-3 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
725592 3-Major   Outgoing RIP advertisements may have incorrect source port
723306-5 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
723112-4 3-Major   LTM policies does not work if a condition has more than 127 matches
722707-1 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
720440 3-Major   Radius monitor marks pool members down after 6 seconds
718867-3 3-Major   tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades
717346-4 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716952-3 3-Major   With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.
716492-1 3-Major K59332523 Rateshaper stalls when TSO packet length exceeds max ceiling.
715756-3 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
714503-3 3-Major   When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-3 3-Major   When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714384-5 3-Major   DHCP traffic may not be forwarded when BWC is configured
713585-1 3-Major K31544054 When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
712489-3 3-Major   TMM crashes with message 'bad transition'
710996-1 3-Major   VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP
709963-4 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709837-3 3-Major   Cookie persistence profile may be configured with invalid parameter combination.
707691-2 3-Major   BIG-IP handles some pathmtu messages incorrectly
704764-2 3-Major   SASP monitor marks members down with non-default route domains
704450-2 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703266-3 3-Major   Potential MCP memory leak in LTM policy compile code
702439-3 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
701690-3 3-Major K53819652 Fragmented ICMP forwarded with incorrect icmp checksum
701033-1 3-Major   Tcl actions not run if conditions have overlapping IP ranges
700639 3-Major   The default value for the syncookie threshold is not set to the correct value
696755-2 3-Major   HTTP/2 may truncate a response body when served from cache
695707-3 3-Major   BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
695109-3 3-Major K15047377 Changes to fallback persistence profiles attached to a Virtual server are not effective
691992 3-Major   MSTP: CIST bridge priority changes after adjusting the MSTI priority.
691785-3 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
690778-3 3-Major K53531153 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
690316 3-Major   Software syncookies are sent for FastL4 virtual server with software syncookies disabled
689361-3 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
688570-3 3-Major   BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
687887-4 3-Major   Unexpected result from multiple changes to a monitor-related object in a single transaction
687807-3 3-Major   The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception
687044-2 3-Major   tcp-half-open monitors might mark a node up in error
686563-3 3-Major   WMI monitor on invalid node never transitions to DOWN
686547-3 3-Major   WMI monitor sends logging data for credentials when no credentials specified
686101-3 3-Major K73346501 Creating a pool with a new node always assigns the partition of the pool to that node.
686059-1 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
683706-1 3-Major   Pool member status remains 'checking' when manually forced down at creation
683061-2 3-Major   Rapid creation/update/deletion of the same external datagroup may cause core
681673-2 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-2 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
678450-3 3-Major   No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
678066 3-Major   LTM Policy Tcl-enabled values require 'tcl:' prefix
677841-1 3-Major   Server SSL TLS session reuse with changed SNI uses incorrect session ID
677666-3 3-Major   /var/tmstat/blades/scripts segment grows in size.
677442 3-Major   During bulk crypto processing for SSL traffic, tmm might restart in rare cases.
676643 3-Major   FTP passive monitor uses IP address from PASV (not monitor destination)
675911 3-Major K13272442 Different sections of the WebUI can report incorrect CPU utilization
674459 3-Major   Users are not expected to change security.commoncriteria DB variable through TMSH
670520-3 3-Major   FastL4 not sending keepalive at proper interval when other side gets response
670258-2 3-Major   Multicast pings not forwarded by TMM
666889-1 3-Major K25769531 Deleting virtual server may cause tmm to segfault
666127-1 3-Major   Flows are incorrectly processed on a standby system.
664000 3-Major   TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing
660807 3-Major   Clientside command with parking command crashes TMM
660119-1 3-Major K36005385 Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.
655767-3 3-Major   MCPD does not prevent deleting an iRule that contains in-use procedures
655724-3 3-Major K15695 MSRDP persistence does not work across route domains.
654981-2 3-Major   Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
653228-2 3-Major K34312110 SNAT does not work properly on FTP VIP2VIP
653137-1 3-Major K24159492 Virtual flaps when FQDN node and pool configured with autopopulate
652370-1 3-Major   The persist cookie insert iRule command may leak memory
649897 3-Major   Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.
649275-2 3-Major   RSASSA-PSS client certificates support in Client SSL
646440 3-Major   TMSH allows mirror for persistence even when no mirroring configuration exists
645674-2 3-Major   'bigd' message send to 'mcpd' failure is not logged
645635-2 3-Major   Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests
643860-4 3-Major K41573401 Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
643041-4 3-Major K64451315 Less than optimal interaction between OneConnect and proxy MSS
642786-3 3-Major K01833444 TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
640395-1 3-Major K26144701 When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
637613-3 3-Major K24133500 Cluster blade being disabled immediately returns to enabled/green
633464-2 3-Major   Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
633110-2 3-Major K09293022 Literal tab character in monitor send/receive string causes config load failure, unknown property
632604-1 3-Major   SSL::sessionid iRule command returns incorrect result
632553-2 3-Major   DHCP: OFFER packets from server are intermittently dropped
630257-1 3-Major   Monitor send/receive strings cannot end with trailing single-backslash
628696-1 3-Major   Under rare circumstances, all blades in cluster claim not primary during start up
624917 3-Major   First few handshakes fail after chassis/appliance reboot when using HSM
624044-1 3-Major K42806722 LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load
623084-2 3-Major   mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp
622870 3-Major   When using a Thales key, SSL handshake failed after restarting pkcs11d
620556-1 3-Major   Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule
620053-1 3-Major   Gratuitous ARPs may be transmitted by active unit being forced offline
618131-1 3-Major   Latency for Thales key population to the secondary slot after reboot
618104-1 3-Major   Connection Using TCP::collect iRule May Not Close
614410-3 3-Major   Unexpected handling of TCP timestamps in HA configuration
613483-2 3-Major K18133264 Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.
611652-3 3-Major   iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.
610682-2 3-Major   LTM Policy action to reset connection only works for requests
607166-1 3-Major   Hidden directories and files are not synchronized to secondary blades
605175-1 3-Major   Backslashes in monitor send and receive strings
604811-3 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
601189-2 3-Major   The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode
598204-3 3-Major K54284420 In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.
597253-1 3-Major   HTTP::respond Tcl command may incorrectly identify parameters as iFiles
596278 3-Major   ILX workspace created by iApp made from template not deleted when iApp deleted
595921-1 3-Major   VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.
594751-3 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
590156-3 3-Major   Connections to an APM virtual server may be reset and fail on appliance and VE platforms.
586660-1 3-Major   HTTP/2 and RAM Cache are not compatible.
585248-1 3-Major   Resetting crypto client statistics can crash TMM and disrupt traffic handling.
584948-5 3-Major   Safenet HSM integration failing after it completes.
584414 3-Major   Deleting persistence-records via tmsh may result in persistence being created to different nodes
582331-1 3-Major   Maximum connections is not accurate when TMM load is uneven
582234-6 3-Major   When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.
582207-7 3-Major   MSS may exceed MTU when using HW syncookies
579252-3 3-Major   Traffic can be directed to a less specific virtual during virtual modification
575642-1 3-Major   rst_cause of "Internal error"
572142-2 3-Major   Config sync peer may fail to monitor newly added pool member after it is added via sync
557322-1 3-Major   Sensitive monitor parameters recorded in bigd and monitor logs
542104-2 3-Major K33458192 In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
537209-5 3-Major   Fastl4 profile sends RST packet when idle timeout value set to 'immediate'
516307-2 3-Major K35152864 Multiple Relay in DHCP relay is not working.
516280-4 3-Major   bigd process uses a large percentage of CPU
510395-5 3-Major K17485 Disabling some events while in the event, then running some commands can cause tmm to core.
505037-2 3-Major K01993279 Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop
499404-7 3-Major K15457342 FastL4 does not honor the MSS override value in the FastL4 profile with syncookies
486735-5 3-Major   Maximum connections is not accurate when TMM load is uneven
451627-2 3-Major   If key associated with monitor is stored in external hsm, monitor fails.
433572-4 3-Major   DTLS does not work with rfcdtls cipher on the B2250 blade
431480-1 3-Major K17297 Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
409340-1 3-Major K63086108 https/ssl monitor closes immediately (rather than awaiting remote close-notify)
405898-2 3-Major   If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected
374067-7 3-Major K14098 Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections
369640-1 3-Major K17195 Folder path objects in iRules can have only a single context per script
801705-1 4-Minor   When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC
773253-1 4-Minor   The BIG-IP may send VLAN failsafe probes from a disabled blade
772297-4 4-Minor   LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade
769309-4 4-Minor   DB monitor reconnects to server on every probe when count = 0
763197-1 4-Minor   Flows not mirrored on wildcard Virtual Server with opaque VLAN group
761913-1 4-Minor   iRule checksum created in GUI might cause config load failure in tmsh
760683-3 4-Minor   RST from non-floating self-ip may use floating self-ip source mac-address
757777-1 4-Minor   bigtcp does not issue a RST in all circumstances
747628-4 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
746077-2 4-Minor   If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified
743116-1 4-Minor   Chunked responses may be incorrectly handled by HTTP/2
738045-2 4-Minor   HTTP filter complains about invalid action in the LTM log file.
724746-2 4-Minor   Incorrect RST message after 'reject' command
722534-4 4-Minor   load sys config merge not supported for iRulesLX
699076-3 4-Minor   URI::path iRules command warns end and start values equal
697626 4-Minor   iRules LX: Cannot modify workspace imported by "Import From Workspace"
693966-2 4-Minor   TCP sndpack not reset along with other tcp profile stats
693901-3 4-Minor   Active FTP data connection may change source port on client-side
689231 4-Minor   MSSQL filter assumes 64-bit token done row count field
688557-3 4-Minor K50462482 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
688542-1 4-Minor   SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request
680680-2 4-Minor   The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
677270-2 4-Minor K76116244 Trailing comments in iRules are removed from the config when entered/loaded in TMSH
665777 4-Minor   TMM0 on the secondary blade sends out extra ARP replies
664596-1 4-Minor   One LTM policy causes a different policy to not execute
652577-2 4-Minor   Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address
651005-3 4-Minor   FTP data connection may use incorrect auto-lasthop settings.
646495-2 4-Minor   BIG-IP may send oversized TCP segments on traffic it originates
640704 4-Minor K20418658 A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses
636348-3 4-Minor   BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.
635871-1 4-Minor   tmsh validation of hash persistence timeout setting is incorrect
632901-1 4-Minor K03112333 JET documentation incorrect for RESOLV::lookup
622876-1 4-Minor   Certificate serial number is not displayed properly in OCSP Stapling logs.
621843-1 4-Minor   the ipother proxy is sending icmp error messages to the wrong side
603380-6 4-Minor   Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
599048-1 4-Minor   BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
594547 4-Minor   LTM policy TCP address selector offers only the condition 'match any of'
594064-2 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
593396-5 4-Minor   Stateless virtual servers may not work correctly with route pools or ECMP routes
592620-1 4-Minor   iRule validation does not catch incorrect 'after' syntax
586138-1 4-Minor K84112154 Inconsistent display of route-domain information in administrative partitions.
584772 4-Minor   ssldump may crash when decrypting bad records
571622-1 4-Minor   'Exceeding pool member limit' error with FQDN pool members and non-LTM license
564634-5 4-Minor   Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool
552988-2 4-Minor   Cannot enable MPTCP on some profiles in GUI.
544958-4 4-Minor   Monitors packets are sent even when pool member is 'Forced Offline'.
539026-5 4-Minor   Stats refinements for reporting Unhandled Query Actions :: Drops
477992-3 4-Minor K07450534 Instance-specific monitor logging fails for pool members created in iApps
474901-1 4-Minor   Profiles with a large number of regexps can cause excessive memory usage.
470807-3 4-Minor   iRule data-groups are not checked for existence
222409-6 4-Minor K9952 The HTTP::path iRule command may return more information than expected
687579 5-Cosmetic   TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero.
567330-1 5-Cosmetic   tmsh show sys memory on secondaries will generate innocuous error


Performance Issues

ID Number Severity Solution Article(s) Description
632838-1 3-Major   Deterministic NAT performance may be degraded
567513-4 3-Major   Erroneous syncookie flag in HSB return descriptor causes the BIG-IP system to pass through the ACK packets after the session is closed.
616021-1 4-Minor K93089152 Name Validation missing for some GTM objects


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
722741-4 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
685915-1 2-Critical   Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured
675731-2 2-Critical   Certain types of GTM Pools not displaying while listing WideIPs
264701-1 2-Critical   GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)
799657-1 3-Major   Name validation missing control characters for some GTM objects
760615-5 3-Major   Virtual Server discovery may not work after a GTM device is removed from the sync group
756177-3 3-Major   GTM marks pool members down across datacenters
754901-4 3-Major   Frequent zone update notifications may cause TMM to restart
749222-4 3-Major   dname compression offset overflow causes bad compression pointer
744787-1 3-Major   Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
739553-4 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
737529-1 3-Major   [GTM] load or save configs removes backslash \ from GTM pool member name
723095-1 3-Major   Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
716701-2 3-Major K43005133 iControl REST: Unable to create Topology when STATE name contains space
714507-4 3-Major   [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
712500-2 3-Major   Unhandled Query Action Drops Stat does not increment after transparent cache miss
708421-1 3-Major K52142743 DNS::question 'set' options are applied to packet, but not to already parsed dns_msg
704198-1 3-Major K29403988 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance
704176-1 3-Major K22540391 Monitor instances may not get deleted during configuration merge load
702457-3 3-Major   DNS Cache connections remain open indefinitely
701232-1 3-Major   Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation
699512-3 3-Major   DNS request can be dropped when queued in parallel with another request
698211-3 3-Major K35504512 DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
689583-3 3-Major   Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
689117-1 3-Major   Transfer Complete log message now includes the SOA Serial number
688335-3 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
679316-1 3-Major   iQuery connections reset during SSL renegotiation
659930-1 3-Major   Enterprise Manager may receive malformed data if there are multiple monitors on a pool
523198-1 3-Major   DNS resolver multiplexing might cause unexpected behaviors
517609-3 3-Major K77005041 GTM Monitor Needs Special Escape Character Treatment
222220-1 3-Major   Distributed application statistics
790113-5 4-Minor   Cannot remove all wide IPs from GTM distributed application via iControl REST
752216-3 4-Minor K33587043 DNS queries without the RD bit set may generate responses with the RD bit set
740284-3 4-Minor   Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'
717113-1 4-Minor   It is possible to add the same GSLB Pool monitor multiple times
688266-3 4-Minor   big3d and big3d_install use different logics to determine which version of big3d is newer
674754-2 4-Minor   ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
666258-2 4-Minor   GTM/DNS manual resume pool member not saved to config when disabled
665117-2 4-Minor K33318158 DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping
648806-1 4-Minor   Invalid "with the first highest ratio counter" logging for pool member ratio load balance
588229-1 5-Cosmetic   DNS protocol default profiles can be deleted after being modified.


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
662308-1 2-Critical   BD core
636669-3 2-Critical K37300224 bd log are full of 'Can't run patterns' messages
612584-1 2-Critical K34500121 Server side blocking/asm cookie setting may not work under some circumstances
809125-4 3-Major   CSRF false positive
797813-1 3-Major   TMM memory grows on custom bot signature with empty domain
793149-1 3-Major   Adding the Strict-transport-Policy header to internal responses
785529-4 3-Major   ASM unable to handle ICAP responses which length is greater then 10K
783505-1 3-Major   ASU is very slow on device with hundreds of policies due to table checksums
781605-2 3-Major   Fix RFC issue with the multipart parser
781021-4 3-Major   ASM modifies cookie header causing it to be non-compliant with RFC6265
765809 3-Major   Memory increases for the bd daemon on cluster environment primary blade
764373-5 3-Major   'Modified domain cookie' violation with multiple enforced domain cookies with different paths
751710-1 3-Major   False positive cookie hijacking violation
746682 3-Major   ASM unable to display *any* event logs, unless they are searched for by support ID
718232-1 3-Major   Some FTP servers may cause false positive for ftp_security
711818-1 3-Major   Connection might get reset when coming to virtual server with offload iRule
701025-1 3-Major   BD restart on a device where 'provision.tmmcountactual' is set to a non-default value
694934-3 3-Major   bd crashes on a very specific and rare scenario
689982-1 3-Major   FTP Protocol Security breaks FTP connection
678322 3-Major   Missing Response Page for 'Login' is not populated upon upgrade
674256-3 3-Major K60745057 False positive cookie hijacking violation
670501-5 3-Major K85074430 ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
660326-2 3-Major   Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.
657531-2 3-Major K02310615 High memory usage when using the ICAP server
636412-1 3-Major   ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities
633454-1 3-Major   Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
631715-1 3-Major   ASM::disable does not disable client side challenges
625108-1 3-Major   Learn flags of subviolations are incorrectly updated when all violations are updated by REST
590851-4 3-Major   "never log" IPs are still reported to AVR
574113-2 3-Major   Block All - Session Tracking Status is not persisted across an auto-sync device group
761091 4-Minor   Missing charset specification in response page after upgrade
759008 4-Minor   DoSL7 site_severity always equals "1" in remote log
755005-4 4-Minor   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
747905 4-Minor   'Illegal Query String Length' violation displays wrong length
747760 4-Minor   Attack Signatures page: filter applied by another user may replace currently applied filter
747560-2 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities
734241 4-Minor   'Detection Evasion' violations might not report violation details in their reports or in the GUI
720588 4-Minor   Pages not loading correctly when AJAX response page is enabled
720581-3 4-Minor   Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
708576-1 4-Minor   Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour
706930 4-Minor   "Enforce Ready" button has no effect for Signatures for Inactive Policy
702350 4-Minor   FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS
700989-2 4-Minor   Better detecting browser extentsions
699898-3 4-Minor   Wrong policy version time in policy created after synchronization between active and stand by machines.
698917 4-Minor   Unexpected additional policy is created while creating a policy from a template via REST
688833-2 4-Minor   Inconsistent XFF field in ASM log depending violation category
640751-2 4-Minor   No PCRE Validation Performed For Regular Expression Parameters
627144 4-Minor   Two users cannot create policies at the same time.
623779-2 4-Minor   Adding a client side challenge whitelist URL wildcard list
618693-3 4-Minor   Web Scraping session_opening_anomaly reports the wrong route domain for the source IP
618503-1 4-Minor   Irrelevant fields visible in Logging profile
513887-8 4-Minor   The audit logs report that there is an unsuccessful attempt to install a mysql user on the system


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
740086-2 3-Major   AVR report ignore partitions for Admin users
713283-2 3-Major   Missing transaction count in = application security report under view by IP Intelligence
707204 3-Major   If the system has more than 264 analytics profiles, the upgrade fails.
703196-3 3-Major   Reports for AVR are missing data
702933 3-Major   Loading UCS with different provisioning can cause a single TMM crash
700035-3 3-Major   /var/log/avr/monpd.disk.provision not rotate
688813-1 3-Major K23345645 Some ASM tables can massively grow in size.
683177-2 3-Major   Can't drilldown or filter by 'Client Countries'
665425-3 3-Major K24182390 AVR Max metrics shows wrong values
654915-3 3-Major   Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
652222-1 3-Major   Sending scheduled-reports will fail due to lack of backend support
636104-2 3-Major   If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
605414-1 3-Major K23230852 Mysqld and bcm56xxd seem to run at 100% on vCMP host.
600634-2 3-Major   Schedule-reports can break the upgrade process
588626 3-Major   Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).
493524 3-Major   ASM attack appear ongoing forever if restarting dosl7d during an attack
473755-1 3-Major   It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side
754330 4-Minor   Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
803509 2-Critical   MCPD memory leak on standby BIG-IP with APM license
708005-3 2-Critical K12423316 Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
701944-2 2-Critical K42284762 machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6
670367-2 2-Critical K39391280 On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
668849-1 2-Critical   Upgrade failure for apm-log-setting objects
660826-1 2-Critical   BIG-IQ Deployment fails with customization-templates
658103 2-Critical K00652162 TMM core while adding logging action to APM SWG
647590-2 2-Critical   Apmd crashes with segmentation fault when trying to load access policy
633349-3 2-Critical K86613330 localdbmgr hangs and eventually crashes
618637-1 2-Critical   Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error
614364-1 2-Critical   Linux client NA components cannot be installed neither using sudo password nor root password
582440-4 2-Critical   Linux client does not restore route to the default GW on Ubuntu 15.10
574318-3 2-Critical   Unable to resume session when switching to Protected Workspace
750823-4 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-3 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
748632 3-Major   APM Endpoint inspection fails on macOS Mojave
747337 3-Major   AAA CRLDP configurations configured using the 'No Server' option may be rendered incorrectly while using IE v11
746771-2 3-Major   APMD recreates config snapshots for all access profiles every minute
744316-3 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
711056-3 3-Major   License check VPE expression fails when access profile name contains dots
710044-1 3-Major   Portal Access: same-origin AJAX request may fail in some case.
707953-1 3-Major   Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
697590-5 3-Major   APM iRule ACCESS::session remove fails outside of Access events
695985-1 3-Major   Access HUD filter has URL length limit (4096 bytes)
687213-1 3-Major   When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
686206-1 3-Major   Machine Info agent does not collect complete information on disconnected network adapters
685862-2 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
682751-5 3-Major   Kerberos keytab file content may be visible.
679735-1 3-Major   Multidomain SSO infinite redirects from session ID parameters
677646-1 3-Major K62171231 System cannot boot up due to prior aborted installation
676854-1 3-Major   CRL Authentication agent will hang waiting on unresponsive authentication server.
676300-7 3-Major K04551025 EPSEC binaries may fail to upgrade in some cases
670456-3 3-Major   Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
667518 3-Major   SSO Configurations update is failing from UI
658278-3 3-Major   Network Access configuration with Layered-VS does not work with Edge Client
640924-1 3-Major   On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
632958-2 3-Major   APM MIB gauges not reset on standby device
625165-2 3-Major   Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
621158-1 3-Major   F5vpn does not close upon closing session
619667-1 3-Major K34751151 Allow Local DNS Servers is not honored on Mac OS X
617629-1 3-Major   Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab
614072-1 3-Major   Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.
611485-1 3-Major   APM AAA RADIUS server address cannot be a multicast IPv6 address.
610077-2 3-Major   Access Policy Manager CRL cache is locked out for CRLDP authentication
609043-1 3-Major   When BIG-IP processes SAML Single logout request/response, tmm cores intermittently.
605018-2 3-Major K47516511 Citrix StoreFront integration mode with pass through authentication fails for browser access
600985-4 3-Major   Network access tunnel data stalls
600872-1 3-Major   Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.
592591-2 3-Major   Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles
591060-1 3-Major   APMD high CPU utilization
582606-1 3-Major   IPv6 downloads stall when NA IPv4&IPv6 is used.
578989-5 3-Major   Maximum request body size is limited to 25 MB
572519-1 3-Major   More than one header name/value pair not accepted by ACCESS::respond
571503-1 3-Major   Windows Edge client cannot detect local LAN in some cases
560601-1 3-Major   HTML5 File API and MediaSource URLs are blocked in Portal Access
559402-4 3-Major   Client initiated form based SSO fails when username and password not replaced correctly while posting the form
559082-2 3-Major   Tunnel details are not shown for MAC Edge client
554504 3-Major   Client OS version not logged in Browser/OS Reports for iOS client devices
552444-1 3-Major   Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD
547692-3 3-Major   Firewall-blocked KPASSWD service does not cause domain join operation to fail
541622-2 3-Major   APD/APMD Crashes While Verifying CAPTCHA
535119-1 3-Major   APM log tables initial rotation in MySQL may be wrong
534187-2 3-Major   Passphrase protected signing keys are not supported by SAML IDP/SP
530092-2 3-Major   AD/LDAP groupmapping is overencoding group names with backslashes
527119-4 3-Major   Iframe document body could be null after iframe creation in rewritten document.
526519-1 3-Major   APM sessiondump command can produce binary data
525378 3-Major   iRule commands do not validate session scope
509596-1 3-Major K44043455 iFrames with 'javascript:' scheme in SRC may not work
494135-1 3-Major K43101043 HTML Event handlers may not work if 'eval' is redefined
482625-1 3-Major   Pages with utf-8 Content-Type and utf-16 META tag do not render
450136-3 3-Major   Occasionally customers see chunk boundaries as part of HTTP response
435419-4 3-Major K10402225 Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
417819-2 3-Major K69046914 APM - when Edge Clients, some JS contents are different causing warning
414713-1 3-Major   Hosted Content connected object import issues
369407-3 3-Major   Access policy objects are created inconsistently depending on whether created using wizard or manually.
362511 3-Major K52162658 HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs
734595-1 4-Minor   sp-connector is not being deleted together with profile
712321 4-Minor   Missing reference to customization-group from connectivity profile if created via network access wizard
708176 4-Minor   SNMP OIDs (NA throughput) incorrect when compression is disable
686718 4-Minor   VPN tunnel adapter stays up in some cases
666497-2 4-Minor   Some of the Korean translations in Windows Edge Client were incorrect
627384-1 4-Minor   eamtest tool fails with Segmentation fault after initialization.
619099 4-Minor   'General Database Error' while changing the Admin UI authentication type
612758-1 4-Minor K46453748 Exception within function F5_Inflate_innerHTML.
611327-1 4-Minor K35559723 Using an established app tunnel may display a Java exception error message.
610436-3 4-Minor K13222132 DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
608453-1 4-Minor   Shrink/Expand imgs of Webtop Section is customizable
607684 4-Minor   tmsh provides option to delete all URLs from a custom category, which is not possible
604050 4-Minor   Failed to get master key (ERR_NOT_FOUND) in apm log on first boot
589367-2 4-Minor   Some Edge Client's German translations are incorrect
579652-1 4-Minor   Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.
567503-1 4-Minor K03293396 ACCESS::remove can result in confusing ERR_NOT_FOUND logs
563651-2 4-Minor   Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.
523158-1 4-Minor   In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails
510034-2 4-Minor   Access Policy memory is not cleared between access policy executions
496621-1 4-Minor   Portal Access incorectly rewrites expressions with JavaScript typeof operator


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
701977-3 3-Major   Non-URL encoded links to CSS files are not stripped from the response during concatenation
621284-5 3-Major   Incorrect TMSH help text for the 'max-response' RAMCACHE attribute
751383-3 4-Minor   Invalidation trigger parameter values are limited to 256 bytes
748031-4 4-Minor   Invalidation trigger parameter containing reserved XML characters does not create invalidation rule
686318 4-Minor   Inter TMM Caching Delay
674992-3 4-Minor   AAM traffic report's time period doesn't always apply
467589-4 4-Minor   Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.


Service Provider Issues

ID Number Severity Solution Article(s) Description
745397-4 2-Critical   Virtual server configured with FIX profile can leak memory.
689343-3 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
811745-5 3-Major   Failover between clustered DIAMETER devices can cause mirror connections to be disconnected
804313-5 3-Major   MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.
790949-5 3-Major   MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.
759077-6 3-Major   MRF SIP filter queue sizes not configurable
755630-3 3-Major   MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
755311-4 3-Major   No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
754617-3 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
753501-4 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
751179-4 3-Major   MRF: Race condition may create to many outgoing connections to a peer
749603-4 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
749528-4 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
748253-4 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
747995-1 3-Major   MBLB SIP dropping packets with unknown methods
747187-4 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
746731-4 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
745404-3 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
744275-4 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-4 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0
741951-3 3-Major   Multiple extensions in SIP NOTIFY request cause message to be dropped.
738070-3 3-Major   Persist value for the RADIUS Framed-IP-Address attribute is not correct
727288-4 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
698911 3-Major   Periodically SIP requests are not sent to the server
691048-3 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
676709-2 3-Major K37604585 Diameter virtual server has different behavior of connection-prime when persistence is on/off
669978-4 3-Major K15204204 SIP monitor - Via header's branch parameter collision.
651886-1 3-Major   Certain FIX messages are dropped
647158-3 3-Major K76581555 Internal virtual server inherits CMP hash mode from parent virtual server
642211-2 3-Major   Warning logged when GENERICMESSAGE::message drop iRule command used
612143-2 3-Major   Potential tmm core when two connections add the same persistence record simultaneously.
583101-2 3-Major   ADAPT::result bypass after continue causes bad state transition
788513-5 4-Minor   Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log
747909-2 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly
600431-6 4-Minor   DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
717909-2 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
713629-1 2-Critical   Applying firewall policy to self-ip can cause tmm crash
697265 2-Critical   MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.
685820-1 2-Critical   Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
632839 2-Critical   UDP Flood does not get detected if the vector limits are infinite
622204-1 2-Critical K14141640 If a virtual server's name has a "." in it then a DoS profile cannot be attached to it
620844-1 2-Critical   DoS: tmm core after delete packet type from Device Sweep vector
726154-1 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
703165 3-Major   shared memory leakage
693515 3-Major   A '+' character in a log profile name causes import to fail
679722-2 3-Major   Configuration sync failure involving self IP references
677302 3-Major   Unable to save descriptions for firewall objects
663946-2 3-Major   VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
651169-3 3-Major   The Dashboard does not show an alert when a power supply is unplugged
632723-1 3-Major K05079458 tmm core with remote logging pool in non-zero route domain
627447 3-Major   Sync fails after firewall policy deletion
613844 3-Major   iApp may fail to install if AFM is provisioned
592819-2 3-Major   Enabling of whitelists on a protected object requires disabling DoS protection support in hardware
592211-1 3-Major   Stress CPU on BIG-IP will also take into the packets dropped by hardware.
591505-1 3-Major   Policy may become unsyncable after changing contexts
581668 3-Major   DNS/SIP whitelisted packets not reported
714704 4-Minor   ICMP unreachable messages sent only from active to standby
701555-3 4-Minor   DNS Security Logs report Drop action for unhandled rejected DNS queries
632246-1 4-Minor   Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.
568458 5-Cosmetic   DoS vectors must be enabled in both DoS Profile and Device Configuration


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
760518-2 2-Critical   PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement
750491-1 2-Critical   PEM Once-Every content insertion action may insert more than once during an interval
750490-1 2-Critical   PEM content insertion action may insert more than once with Once-Every method
740228-3 2-Critical   TMM crash while sending a DHCP Lease Query to a DHCP server
726665-1 2-Critical   tmm core dump due to SEGFAULT
676491-2 2-Critical   BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.
797949-1 3-Major   PEM::subscriber delete can leak a connection
756311-2 3-Major   High CPU during erroneous deletion
753163-1 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
753014-2 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
747065-1 3-Major   PEM iRule burst of session ADDs leads to missing sessions
726011-1 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
670994-2 3-Major   There is no validation for IP address on the ip-address-list for static subscriber
640548-1 3-Major   In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.
624187-1 3-Major   Relocate TUC AVP to group AVP USU
564431-3 4-Minor   Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
723658 2-Critical   TMM core when processing an unexpected remote session DB response.
722919 3-Major   Memory leak when using SP-DAG and a small LSN pool.
751232 4-Minor   LSN pool real-time stats are not persisted over reboot
721579-1 4-Minor   LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing
667295-1 4-Minor K51601122 'RTSP::header exists' iRule command always returns True


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
695401 3-Major   QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile
680298 3-Major   FPS may introduce latency even for unprotected pages
674297-1 3-Major   Custom headers are removed on cross-origin requests
660759-4 3-Major   Cookie hash persistence sends alerts to application server.
652530 4-Minor   Parameter names are case sensitive in Internet Explorer 9 only


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
743464 3-Major   DoSL7 attack is not detected when using multiple profiles with Behavioral Detection
617324-2 3-Major   Service health calculation creates unjustified CPU utilization
653573 4-Minor   ADMd not cleaning up child rsync processes


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
785605-1 3-Major   Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group
649441-2 3-Major   Classification memory allocation
741994 4-Minor   Cleanup Webroot database files when database fail to download
674795-1 4-Minor   tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.


Device Management Issues

ID Number Severity Solution Article(s) Description
760752 3-Major   Internal sync-change conflict after update to local users table
667661-4 3-Major K69015104 Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
627341-1 3-Major   TMUI loginProviderName is invalid when requesting a REST token
688177-2 4-Minor   Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade
619397 4-Minor K04055706 LCD shows error screen on boot or after license expires


iApp Technology Issues

ID Number Severity Solution Article(s) Description
758520 2-Critical   Deploying the f5_microsoft_exchange_2010_2013 template generates erroneous APM policy customization-group.

 

Known Issue details for BIG-IP v12.1.x

811745-5 : Failover between clustered DIAMETER devices can cause mirror connections to be disconnected

Component: Service Provider

Symptoms:
When using DIAMETER with certain settings, a failover might cause mirror connections to get disconnected.

Conditions:
-- Two or more BIG-IP systems in a high availability (HA) configuration.
-- Aggressive settings for the DIAMETER watchdog timeout and max failures.

Impact:
Loss of mirroring between BIG-IP systems.

Workaround:
None.


811053-5 : REBOOT REQUIRED prompt appears after failover and clsh reboot

Component: TMOS

Symptoms:
In rare circumstances, when a reboot immediately follows a VIPRION blade failover, a REBOOT REQUIRED prompt will appear on one blade after the system starts up again.

Conditions:
This issue can be created by doing the following:
- using a VIPRION system with at least 2 blades running
- AAM is not provisioned
- reset the primary blade
- immediately following the blade reset, run 'clsh reboot' on a secondary blade.

Impact:
Following the clsh reboot, the REBOOT REQUIRED prompt appears on one blade:
[root@vip4480-r44-s18:/S2-yellow-S::REBOOT REQUIRED:Standalone] config #

Any blade with this prompt must be rebooted again.

Workaround:
None currently known.


810593-5 : Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade

Component: TMOS

Symptoms:
VCMP guests go to 'INOPERATIVE' after upgrade.

Conditions:
-- Upgrading the host from v12.1.4.1.
-- Upgrading the host from v13.1.1.5 and all intervening versions up to, but not including, v13.1.3.

Impact:
VCMP guests at state 'INOPERATIVE' and do not pass traffic.

Workaround:
None.


810377 : Provide a full reset to factory defaults, as if the device was just out-of-the-box

Component: TMOS

Symptoms:
Currently we are using the image2disk(--format) option to
reset the big-ip to factory defaults. but however executing the image2disk directly against a /shared/images ISO (e.g. image2disk --nvlicenseok --nosaveconfig --setdefault --reboot --format=volumes /shared/images/BIGIP-11.5.0.iso), has resulted in an appliance or a blade requiring a USB installation.

Conditions:
Resizing logical volumes from their installed defaults, increasing the disk space for /usr) can prevent the installation of the software upon reboot.

Impact:
Sometimes running image2disk directly against a /shared/images ISO resulted in an appliance or a blade requiring a USB installation.

Workaround:
create a logical volume and copy the iso to the newly created logical volume and run the image2disk against the newly created logical volume.

# lvcreate -L 2g -n install vg-db-hda
# mkfs.ext3 /dev/vg-db-hda/install
# mkdir /install
# mount -t ext3 /dev/vg-db-hda/install /install
# cp /shared/images/BIGIP-11.5.0.iso /install
# image2disk --nvlicenseok --nosaveconfig --setdefault --reboot --format=volumes /install/BIGIP-11.5.0.iso


809657-5 : HA Group score not computed correctly for an unmonitored pool when mcpd starts

Component: TMOS

Symptoms:
When mcpd starts up, unmonitored pools in an high availability (HA) froup do not contribute to the HA froup's score.

Conditions:
- HA froup configured with at least one pool.
- At least one of the pools assigned to the HA group is not using monitoring.
- mcpd is starting up (due to bigstart restart, or a reboot, etc.).

Impact:
Incorrect HA Group score.

Workaround:
Remove the unmonitored pools from the HA froup and re-add them.


809509-3 : Resource Admin User unable to download UCS using Rest API.

Component: TMOS

Symptoms:
Resource Admin User cannot download UCS file using REST API. The system returns a message:
Authorization failed

Conditions:
-- BIG-IP user with Resource Administrator role.
-- Try to Download UCS file using REST API.

Impact:
Resource Administrator user cannot download UCS file using REST API.

Workaround:
The Resource Administrator user can use the GUI to download the file.


809125-4 : CSRF false positive

Component: Application Security Manager

Symptoms:
A CSRF false-positive violation.

Conditions:
CSRF enforcing security policy.

This is a very rare scenario, but it happens due to a specific parameter in the request, so the false-positive might repeat itself many times for the same configuration.

Impact:
False-positive Blocking / Violation

Workaround:
If this happens change the csrf parameter and restart the asm daemon:

1. Change the csrf parameter name internal parameter:
/usr/share/ts/bin/add_del_internal add csrf_token_name <string different than csrt>

2. Restart the asm daemon:
restart asm


808277-1 : Root's crontab file may become empty

Component: TMOS

Symptoms:
Under low-disk conditions for the /var/ filesystem, BIG-IP system processes may incorrectly update root's crontab file (/var/spool/cron/root). This results in the file contents being removed; i.e., the file is empty.

Conditions:
Low disk space on the /var filesystem.

Impact:
System and user entries in root's crontab file stop executing.

Workaround:
None.


806881-4 : Loading the configuration may not set the virtual server enabled status correctly

Component: TMOS

Symptoms:
When loading the configuration, if the virtual address is disabled but the virtual server is enabled, the virtual server may still pass traffic.

Conditions:
-- Loading the configuration.
-- A virtual server's virtual address is disabled.

Impact:
Virtual servers unexpectedly process traffic.

Workaround:
Manually re-enable and disable the virtual address.


805325-5 : tmsh help text contains a reference to bigpipe, which is no longer supported

Component: TMOS

Symptoms:
The 'sys httpd ssl-certkeyfile' tmsh help text contains a reference to bigpipe, which is no longer supported.

Conditions:
Viewing tmsh help for 'sys httpd ssl-certkeyfile'.

Impact:
Incorrect reference to bigpipe.

Workaround:
You can use the following command sequence to change the key:
modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }


804477-1 : Log HSB registers when parts of the device becomes unresponsive

Component: TMOS

Symptoms:
Part of the HSB becomes unresponsive and there is no logging of additional registers to assist in diagnosing the failure.

Conditions:
It is unknown under what conditions the HSB becomes unresponsive.

Impact:
Limited visibility into the HSB state when it becomes unresponsive.

Workaround:
None.


804313-5 : MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded.

Component: Service Provider

Symptoms:
The mirrored-message-sweeper-interval configuration option has no effect on the BIG-IP.

Conditions:
MRF in use, high availability configured, and a SIP profile is configured to use a specific Mirrored Message Sweeper Interval setting.

Impact:
On a system under high load, the next active device in a high availability (HA) pair could run out of memory.

Workaround:
None


803833-1 : On Upgrade or UCS Restore Decryption of the sym-unit-key Field for vCMP Guest Fails

Component: TMOS

Symptoms:
An upgrade or UCS restore fails with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.


803509 : MCPD memory leak on standby BIG-IP with APM license

Component: Access Policy Manager

Symptoms:
MCPD may leak memory on the standby BIG-IP system in a high availability (HA) configuration if there are many updates for customization groups.

Conditions:
- BIG-IP HA configuration.
- APM-enabled configuration.
- Many APM configuration changes related to customization, such as creation / modification of interactive Access Policy agents (message boxes, logon pages, etc.).

Impact:
MCPD may leak memory and may be restarted by system monitoring process. This may affect all active sessions.

Workaround:
None.


802493-1 : Hardware syncookies on some hardware platforms may retrieve the wrong mss

Component: TMOS

Symptoms:
When hardware syncookie is activated, the system may retrieve the wrong mss value for the flow. This impacts all BIG-IP hardware platforms except BIG-IP 2000/4000.

Conditions:
-- Using any BIG-IP platform except BIG-IP 2000/4000.
-- Hardware syncookies used.

Impact:
Incorrect mss retrieved.

Workaround:
Use software syncookies and disable hardware syncookie protection.


801705-1 : When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC

Component: Local Traffic Manager

Symptoms:
The 'HTTP::cookie attribute' irule command allows manipulation of Cookie or Set-Cookie headers in HTTP requests or responses. When this command is used to insert a cookie attribute, it appends the attribute (and a possible value) to the header without a leading space character. A leading space character is a requirement per RFC 6265. When such a header is formed with iRule command 'HTTP::cookie insert' or 'HTTP::cookie attribute insert', the leading space is not provided, violating the RFC.

Conditions:
-- A virtual server with HTTP profile is configured.
-- There is an iRule generating or updating a cookie header with 'HTTP::cookie insert' or 'HTTP::cookie attribute insert' command.

Impact:
There is no space preceding the attribute. RFC is violated.

Workaround:
When inserting a cookie attribute with iRule command, add a leading space to the name of attribute to be inserted.


801329 : When OneConnect profile is used, pool selection might be pinned to one pool

Component: Local Traffic Manager

Symptoms:
Pool selection is pinned to one pool.

Conditions:
-- OneConnect profile is used on a virtual server that is passing traffic.
-- The pool for the virtual server is changed.

Impact:
Traffic is not distributed to the other pool.

Workaround:
None.


800185-1 : Saving large config into UCS may fail

Component: TMOS

Symptoms:
When saving a very large config into UCS file, you encounter an error:

# tmsh save /sys ucs my_ucs
Saving active configuration...
Can't fork at /usr/local/bin/im line 305.
/var/tmp/configsync.spec: Error creating package

Conditions:
Large BIG-IP configuration (e.g., 500 MB, or 8 million lines of text).

Impact:
The operation might consume as much as 1 GB of RAM, so the UCS may not get saved correctly.

Workaround:
None.


799657-1 : Name validation missing control characters for some GTM objects

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, big3d fails to mark the resource up due to XML parsing error.

The following GTM objects are susceptible to this control character issue:
- gtm datacenter
- gtm prober-pool
- gtm device
- gtm application
- gtm region entry
- gtm virtual server
- gtm server
- gtm link
- gtm pool

Conditions:
A GTM object with a control character in the name.

Impact:
The resource whose name having those control characters will not be marked up with big3d error messages:

warning big3d[5729]: 012b2004:4: XML parsing error not well-formed (invalid token) at line 21.

Workaround:
Remove control characters prior to creating GTM objects.


797949-1 : PEM::subscriber delete can leak a connection

Component: Policy Enforcement Manager

Symptoms:
Using the PEM::subscriber delete iRule command can lead to a leaked connection.

Conditions:
PEM::subscriber delete is used.

Impact:
Connections which cannot be freed.

Workaround:
None.


797813-1 : TMM memory grows on custom bot signature with empty domain

Component: Application Security Manager

Symptoms:
The TMM memory of type 'mco db' can grow to its maximum, which can reach over a 1 GB of RAM, when creating a custom bot signature with an empty string.

Conditions:
Creating a custom DoS Bot Signature object with a domain name of an empty string ("").

Impact:
Unnecessary growth of TMM memory.

Workaround:
It is redundant and invalid to define a bot signature with an empty domain name. Removing the empty domain name from the signature and restarting tmm prevents this issue.


796993-2 : Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs

Component: Local Traffic Manager

Symptoms:
When a pool contains FQDN nodes as pool members, pool member state changes messages are not logged in /var/log/ltm.

Conditions:
- Create a pool with fqdn node as it pool members
- Apply monitor to it
- Monitor marks the pool member up/down based on reachability

Impact:
- Status message is not updated in /var/log/ltm logs.
- There is no functional impact.


795933-5 : A pool member's cur_sessions stat may incorrectly not decrease for certain configurations

Component: Local Traffic Manager

Symptoms:
Under certain conditions, a pool member's cur_sessions stat may increase, but not decrease when it should.

Conditions:
- The virtual server using the pool has an iRule attached that references global variables.
- The virtual server using the pool has an ASM security policy attached to it.
- Traffic flows to the pool member.

Impact:
Incorrect stats.


795685-4 : Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer

Component: TMOS

Symptoms:
If BIG IP receives a BGP notification for OUT_OF_RESOURCES from its BGP peer, then displaying the peer information on BIG IP is causing the bgpd crash (show ip bgp neighbor).

Conditions:
Receive a BGP notification for OUT_OF_RESOURCES from its BGP peer and then try to display the BGP peer information.

Impact:
bgdp crashes


794505-1 : OSPFv3 IPv4 address family route-map filtering does not work

Component: Local Traffic Manager

Symptoms:
Filtering IPv4 routes using route-map does not work. All the IPv4 redistributed routes fail to redistribute if the route-map is attached to the OSPFv3 IPv4 address-family.

Conditions:
1. Configure two OSPF sessions, one for the IPv4 address-family and the other for the IPv6 address family.
2. Redistribute kernel routes.
3. Check routes are propagated.
4. Add a route map to allow any IPv4 kernel route matching IP address.

Impact:
All routes fail to propagate and show that the IPv6 OSPF database external is empty. All IPv4 routes are blocked to redistribute instead of the routes mentioned in the route-map/prefix-list.

Workaround:
None.


794501-5 : Duplicate if_indexes and OIDs between interfaces and tunnels

Component: TMOS

Symptoms:
In certain instances, having a configuration with both tunnels and interfaces can result in duplicate if_indexes between a tunnel and an interface, which also results in duplicate OIDs for SNMP.

Conditions:
There is no completely predictable trigger, but at a minimum, a configuration with at least one interface and at least one tunnel is needed.

Impact:
Duplicate if_indexes and duplicate OIDs. SNMP logs error messages:

# tmsh list net interface all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net vlan all -hidden all-properties | egrep "(^net)|(if-index)"; tmsh list net tunnel all-properties | egrep "(^net)|(if-index)"
net interface 0.10 {
    if-index 64 <-------------------------------
net interface mgmt {
    if-index 32
net vlan external {
    if-index 96
net vlan internal {
    if-index 112
net vlan test {
    if-index 128
net vlan tmm_bp {
    if-index 48
net tunnels tunnel http-tunnel {
    if-index 64 <-------------------------------
net tunnels tunnel socks-tunnel {
    if-index 80


# snmpwalk -c public -v 2c localhost >/dev/null; tail /var/log/ltm

-- notice sod[4258]: 010c0044:5: Command: running disable zrd bigstart.
-- notice zxfrd[6556]: 01530007:5: /usr/bin/zxfrd started
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID ZXFRD_Publisher and filterType 1024
-- info bigd[11158]: 0114002b:6: HA daemon_heartbeat bigd enabled.
-- info cbrd[6106]: 0114002b:6: HA daemon_heartbeat cbrd enabled.
-- notice mcpd[3931]: 01070404:5: Add a new Publication for publisherID cbrd and filterType 1152921504606846976
-- info runsm1_named[6104]: 0114002b:6: HA proc_running named enabled.
=========================

-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if.c:374
-- warning snmpd[5413]: 010e0999:4: Duplicate oid index found: bigip_if_x.c:289

Workaround:
No workaround currently known.


793669-3 : FQDN ephemeral pool members on HA pair doesn't get properly synced of the new session value

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.


793149-1 : Adding the Strict-transport-Policy header to internal responses

Component: Application Security Manager

Symptoms:
Some applications requires the Strict-transport-Policy header to appear in all responses. BIG-IP internal responses do not add this header.

Conditions:
- ASM is provisioned with CAPTCHA/CSI challenge enabled
or
- DoS is provisioned with CAPTCHA/CSI enabled
or
- Bot Defense is provisioned with CAPTCHA mitigation/Browser JS verification/Device ID collection is enabled.

Impact:
Responses arrives to the browser without the Strict-transport-Policy header.

Workaround:
Create an iRule to add the header to the response.


792285-4 : TMM crashes if the queuing message to all HSL pool members fails

Component: TMOS

Symptoms:
When a system uses a High Speed Logging (HSL) configuration with the HSL pool, TMM is crashing if the queuing message to all HSL pool members fails.

Conditions:
-- Two-member pool configured as remote-high-speed-log destination.
-- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.


791061-4 : Config load in /Common removes routing protocols from other partitions

Component: TMOS

Symptoms:
While loading the /Common partition, config routing protocols on other partition route-domains will be removed.

Conditions:
-- Configure route-domains on other partitions with routing-protocols.
-- Load the /Common partition config alone.

Impact:
Routing protocols config from other partitions are removed.

Workaround:
Reload the config with the command:
load sys config partitions all


790949-5 : MRF Router Profile parameters 'Maximum Pending Bytes' and 'Maximum Pending Messages' Do Not Match Behavior.

Component: Service Provider

Symptoms:
Default values differ between tmsh and GUI documentation, and actual behavior. The special value 0 is documented to either disable the respective limit or apply a default value. Actual behavior for 0 is to silently apply internal default values of 32768 bytes and 256 messages, regardless of the protocol. These defaults might not match the profile default values for a given MRF protocol such as Diameter, SIP, or MQTT.

For some protocols such as Diameter, there is no validation of whether the maximum pending messages value falls within the acceptable range of 1-65535, and values outside that range are silently truncated to 16-bits and then 0 is treated according to the actual behavior described above.

Some documented and actual default values have changed across releases.

Conditions:
An MRF router profile is configured with the 'Maximum Pending Bytes' or 'Maximum Pending Messages' parameter set to a non-default value or 0.

Affected MRF router profiles are: 'diameter', 'sip', 'mqtt' and 'generic'.

Impact:
Depending on the protocol, the limits might not take effect as configured.

Incorrect documentation and/or lack of validation could lead to configuring an invalid value.

Workaround:
None.


790205-1 : Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core

Component: Local Traffic Manager

Symptoms:
TMM cores when adding a route (either statically or dynamically) to a child route domain.

Conditions:
Adding a more-specific route to a child domain that overrides a route in the default domain.

Impact:
TMM cores. A failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.


790113-5 : Cannot remove all wide IPs from GTM distributed application via iControl REST

Component: Global Traffic Manager (DNS)

Symptoms:
The following tmsh command allows you to delete all wide IPs using an 'all' specifier:

modify gtm distributed-app da1 wideips delete { all }

There is no equivalent iControl REST operation to do this.

Conditions:
This can be encountered while trying to delete all wide IPs from a distributed application via iControl REST.

Impact:
iControl REST calls that should allow you to remove all wide IPs from a GTM distribution application return an error, leaving you unable to complete the task via iControl REST.

Workaround:
You can use one of the following workarounds:

-- Use the WebUI.

-- Use the tmsh utility, for example:
tmsh modify gtm distributed-app da1 wideips delete { all }

-- Invoke tmsh from within the bash iControl REST endpoint, for exmaple:
curl -u username:password -s -H 'Content-Type: application/json' -X POST -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh modify gtm distributed-app da1 wideips delete { all }'\"}" https://<IP>/mgmt/tm/util/bash


789973 : Tmm crash while using IPsec

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- Passing IPsec traffic.
-- One of the BIG-IP IKEv2 peers is running version 12.x.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


788645 : BGP does not function on static interfaces with vlan names longer than 16 characters.

Component: TMOS

Symptoms:
If a VLAN, VLAN group, or tunnel has a name with more than 15 characters, BGP does not function properly on that interface.

Conditions:
-- BGP Dynamic routing in use.
-- Interface name greater than 15 characters.

Impact:
BGP Dynamic Routing is not working.

Workaround:
1. Rename the interface using 15 or fewer characters.
2. Remove Static Binding and Bind to all interfaces.


788577-2 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.


788557-2 : BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior

Component: TMOS

Symptoms:
GRST - BGP graceful reset.

The problem occurs when the routing daemon bgpd restarts/starts (e.g., by terminating the bgpd daemon) its distribution of a process and is not supported. Another way we've found is to call "bigstart restart" command on a primary blade on chassis with more than one blade.

After the new primary blade takes over, BGP and BFD sessions are recreated at around the 'graceful restart' timeout interval.

Conditions:
-- BGP and BFD are configured.
-- BGP router's 'graceful restart' option is configured, enabled (set to 120 by default).
-- The bgpd daemon is terminated.

Another way to trigger the issue is to run 'bigstart restart' on a primary blade on a chassis with more than one blade.

Impact:
If BGP peering is reset, it causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocol from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.


In most cases, unexpected routing decisions come from networks learnt by affected routing protocol when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system, typically, the routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
None.


788513-5 : Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log

Component: Service Provider

Symptoms:
A configuration warning is produced when the RADIUS avp command is used with a variable instead of a constant, for example:

 warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:integer"102 45][RADIUS::avp replace USER-NAME $custom_name]

This appears to be benign, as the configuration loads successfully, and the script works as expected.

Conditions:
Using:
RADIUS::avp replace USER-NAME $custom_name

Instead of:
RADIUS::avp replace USER-NAME "static value"

Impact:
Incorrect warning in log. You can ignore these messages, as the configuration loads successfully, and the script works as expected.

Workaround:
This warning is benign, as the configuration loads successfully, and script works as expected.


785605-1 : Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group

Component: Traffic Classification Engine

Symptoms:
If Feed List is created on Standby unit, it will not be synchronized to other units in Traffic Group, and will become unusable.

Conditions:
-- Create Feed List on a Standby unit.
-- Attempt to use URLCAT with Custom DB.

Impact:
URL Categorization based on Custom DB does not work.

Workaround:
Create Feed List on the Active unit and synchronize to Standby.


785529-4 : ASM unable to handle ICAP responses which length is greater then 10K

Component: Application Security Manager

Symptoms:
ASM drops ICAP and HTTP connections when a multipart request arrives to the ASM enforcer and then forwarded to the ICAP server for virus inspection, and the ICAP server replies with a large (greater then 10 KB) response.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Antivirus service IP and port defined in the BIG-IP GUI under Options :: Integrated Services.
-- Antivirus protection enabled in the ASM policy.

Impact:
ASM drops ICAP and HTTP connections.

Workaround:
Configure the ICAP server to send back responses smaller than 10 KB.


785509 : Modifying fields such as chain, trusted certificate authorities in client SSL profile, and/or chain in cert-key-chain belonging to the same client SSL profile might not be reflected in TMM

Component: Local Traffic Manager

Symptoms:
Modifying fields such as chain, trusted certificate authorities, and others, in client SSL profile, or chain in cert-key-chain belonging to the same client SSL profile, might not be reflected in TMM.

Conditions:
Modifying fields such as chain, trusted certificate authorities in client SSL profile or chain in cert-key-chain belonging to the same client SSL profile.

Impact:
Even after modifying trusted certificate authorities, chain, or other fields, those changes might not be reflected in the actual configuration in TMM.

Workaround:
Following workarounds may be applied:

1. Update the client SSL profile again.
2. Restart TMM.
3. Restart mcpd.


785481-5 : A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached

Component: Local Traffic Manager

Symptoms:
Setting the DB variable tm.rejectunmatched to 'false' causes the BIG-IP system to not send RSTs when there is a match but the connection is rejected due to connection limits.

Conditions:
- tm.rejectunmatched is set to 'false'.
- A packet is matching a BIG-IP object.
- The packet is to be rejected because of connection limits.

Impact:
Reset packets are not sent back to clients when they should be.

Workaround:
None.


784565-5 : VLAN groups are incompatible with fast-forwarded flows

Component: Local Traffic Manager

Symptoms:
Traffic flowing through VLAN groups may get fast-forwarded to another TMM, which might cause that connection to be reset with reason 'Unable to select local port'.

Conditions:
-- Using VLAN groups.
-- Flows are fast-forwarded to other TMMs.

Impact:
Some connections may fail.

Workaround:
None.


783985 : Grub boot entries not updated on i2600 from iControl SOAP set_boot_location call

Component: TMOS

Symptoms:
After calling iControl SOAP System::SoftwareManagement::set_boot_location, the switchboot information correctly shows that the volume should be changed, but grub still shows the current active volume to be unchanged. Upon reboot, the system boots into the unchanged default volume.

The system records the following when the iControl call is made/var/log/messages :

warning grub_default: unkeyed boot entry found (BIG-IP 12.1.2 Build 0.0.249 <HD1.1>); assigning st.u0
M

Conditions:
This occurs on BIG-IP iSeries platforms:
1. iControl SOAP system::SoftwareManagement::set_boot_location
2. Check grub_default -l

Impact:
Unable to upgrade systems via iControl SOAP due to the inability to reboot into the newly installed software.

Workaround:
The following iControlREST call works correctly:

curl -k -u<username>:<passwd> https://<IP-addr>/mgmt/tm/sys -X POST -H "Content-type: application/json" -d '{"command":"reboot", "volume":"<volume>"}'
{"kind":"tm:sys:rebootstate","command":"reboot","volume":"<volume>"}


783505-1 : ASU is very slow on device with hundreds of policies due to table checksums

Component: Application Security Manager

Symptoms:
ASU is very slow on devices with hundreds of policies due to table checksums.

Conditions:
-- There are hundreds of ASM policies on the device.
-- ASU is performed.
-- 'DoTableChecksums' is set to 1.

Impact:
The ASU process takes hours to complete.

Workaround:
In the configuration file /etc/ts/dcc/prepare_policy.cfg, set 'DoTableChecksums' to 0.


783145-1 : Pool gets disabled when one of its pool member with monitor session is disabled

Component: Local Traffic Manager

Symptoms:
A pool which has at least two pool members and one of its pool members associated with a monitor is disabled, the entire pool gets marked disabled-by-parent.

Conditions:
-- Monitor assigned to a single pool member.
-- That member is manually disabled.

Impact:
The pool status for the entire pool is marked disabled-by-parent.

Workaround:
None.


783113-2 : BGP sessions remain down upon new primary slot election

Component: TMOS

Symptoms:
BGP flapping after new primary slot election.

Conditions:
--- A BFD session is processed on a secondary blade. (It can be identified by running tcpdump.)

-- After a primary blade reset/reboot, the BFD session should be processed by the same tmm on the same blade, which was secondary before the primary blade reset/reboot.

-- The BFD session creation should happens approximately in 30 seconds after the reset/reboot.

Impact:
BGP goes down. BGP flaps cause route-dampening to kick-in on the BGP neighbors.

Workaround:
There is no workaround, but you can stabilize the BIG-IP system after the issue occurs by restarting the tmrouted daemon. To do so, issue the following command:
 bigstart restart tmrouted


782613-2 : Security firewall policy in an iApp not deleted on config sync peer with the rest of a deleted iApp

Component: TMOS

Symptoms:
If a security firewall policy is part of an iApp inside a folder created by that iApp, then when the iApp is deleted, any config sync peer will not delete the policy when it deletes the rest of the iApp.

Conditions:
-- iApp with folder and security firewall policy is deleted.
-- High availability (HA) config sync configuration.

Impact:
The security policy is gone on the system where the iApp was initially deleted, but the peer still has that object, and it can't be deleted because it's part of an iApp.

Workaround:
None.


781605-2 : Fix RFC issue with the multipart parser

Component: Application Security Manager

Symptoms:
false positive or false negative attack signature match on multipart payload.

Conditions:
very specific parsing issue.

Impact:
A parameter specific excluded signature may be matched or un-matched.

Workaround:
N/A


781021-4 : ASM modifies cookie header causing it to be non-compliant with RFC6265

Component: Application Security Manager

Symptoms:
When ASM strips the cookie header from the ASM cookies, it leaves the cookie header in a way that is not compliant with RFC6265 on two aspects:
1. No space after the semicolon
2. A cookie with no value is sent without the equals sign

Conditions:
-- ASM Security Policy is used
-- Request includes an ASM cookie

Impact:
Some web servers may refuse to handle non-compliant Cookie headers, causing the application flow to break.

Workaround:
Disable the cookie stripping by modifying the DB variable as follows:
tmsh modify sys db asm.strip_asm_cookies value false


780817-3 : TMM can crash on certain vCMP hosts after modifications to VLANs and guests.

Component: TMOS

Symptoms:
TMM crashes and produces a core file. TMM logs show the crash was of type SIGFPE, with the following panic message:

notice panic: ../base/vcmp.c:608: Assertion "guest has vlan ref" failed.

Conditions:
-- The vCMP host is a platform with more than one tmm process per blade or appliance.

  + VIPRION B4300, B4340, and B44xx blades.
  + BIG-IP iSeries i15x00 platforms

-- A VLAN is assigned to a vCMP guest.
-- The TAG of the VLAN is modified.
-- The VLAN is removed from the vCMP guest.

Impact:
While TMM crashes and restarts on the host, traffic is disrupted on all the guests running on that system.

Guests part of a redundant pair may fail over.

Workaround:
None.


780437-5 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


777993-4 : Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same

Component: TMOS

Symptoms:
Egress TCP/UDP traffic with same L4 source port and destination port to an external trunk is pinned to one link only.

Conditions:
This happens on BIG-IP hardware platforms with broadcom switch chip, so BIG-IP 2000/4000 and i2000/i4000 series are not impacted.

Impact:
Performance degradation as only a portion of the trunk bandwidth is utilized.

Workaround:
None.


776081 : The F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed values are not meaningful on a VE

Component: TMOS

Symptoms:
The MIB variable sysInterfaceMediaActiveSpeed is reported correctly on the BIG-IP hardware systems. However, on BIG-IP Virtual Edition (VE) configurations, the values are incorrectly reported. It may be reported as a 10 or as a 0 (zero), both of which are incorrect.

Conditions:
Querying the F5-BIGIP-SYSTEM-MIB::sysInterfaceMediaActiveSpeed variable on a VE-based BIG-IP running 12.x, or earlier, software.

Impact:
This may be confusing when looking at the sysInterface information with SNMP.

Workaround:
None.


773577-4 : SNMPv3: When a security-name and a username are the same but have different passwords, traps are not properly crafted

Component: TMOS

Symptoms:
On an SNMPv3 configuration, when a security-name and a username are the same but have different passwords, traps are not properly crafted.

Conditions:
security-name is the same as an SNMPv3 username.

Impact:
SNMP traps cannot be decoded

Workaround:
Delete or rename user.


773253-1 : The BIG-IP may send VLAN failsafe probes from a disabled blade

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends multicast ping from a disabled blade. tmm core

Conditions:
-- There is one or more blades disabled on the VIPRION platform.
-- VLAN failsafe is enabled on one or more VLANs.
-- the VLAN failsafe-action is set to 'failover'.
-- There is more than one blade installed in the chassis or vCMP guest.

Impact:
The BIG-IP system sends unexpected multicast ping requests from a disabled blade.

Workaround:
To mitigate this issue, restart tmm on the disabled blade. This causes tmm to stop sending the multicast traffic.

Impact of workaround: Traffic disrupted while tmm restarts.


772497-2 : When BIG-IP is configured to use a proxy server, updatecheck fails

Component: TMOS

Symptoms:
Executing Update Check fails when run on a BIG-IP system that is behind a proxy server.

Conditions:
-- A proxy server is configured on the BIG-IP system using proxy.host db variable (and associated port, protocol, etc.).
-- You run Update Check.

Impact:
The Update Check fails to connect because the script resolves the IP address prior to sending the request to the proxy server.

Workaround:
You can use either of the following workarounds:

I
=======
Modify the /usr/bin/updatecheck script to not resolve the service ip for callhome.f5.com. To do so, remove the script text 'PeerAddr => $service_ip,' from lines 336,337:

1. Locate the following section in the script:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( PeerAddr => $service_ip,
     SSL_hostname => $service_name,

2. Update the script to remove the content 'PeerAddr => $service_ip,', so that it looks like the following example:
 @LWP::Protocol::http::EXTRA_SOCK_OPTS = ( SSL_hostname => $service_name,


II
=======
As an alternative, use a sed command, as follows:
1. Remount /usr as rw.
2. Run the following command:
 # sed -e "s/PeerAddr => $service_ip,//" -i /usr/bin/updatecheck


772297-4 : LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
LLDP-related options under 'tmsh net interface' for that secondary blade are reset to default.

Workaround:
Run 'tmsh load sys config' on the primary blade, and the LLDP-settings will reapply to the interfaces.


770953-5 : 'smbclient' executable does not work

Component: TMOS

Symptoms:
Service Message Block (SMB) monitor is not functional.

Conditions:
This occurs under all conditions.

Impact:
SMB monitors fail. This occurs because the 'smbclient' executable is not functional.

Workaround:
None.


770741 : NIC Tx Engine hang causing ixgbevf interface (SR-IOV) flipping

Component: TMOS

Symptoms:
NIC Tx Engine hang is a rarely occurring issue for which there are no known scenarios. In cases in which it occurs, an adapter reset is required to recover the system without reboot. The driver is currently not resetting the adapter, and the issue remains until reboot of system.

Conditions:
-- Running BIG-IP Virtual Edition (VE).
-- No specific conditions. This is a rarely occurring issue.

Impact:
Traffic loss and overall system functionality is impacted, which sometimes it leads to kernel panic.

Workaround:
No known workaround. You must reboot VE could recover the interface to normal functioning.


770477-4 : SSL aborted when client_hello includes both renegotiation info extension and SCSV

Component: Local Traffic Manager

Symptoms:
Client SSL reports an error and terminates handshake.

Conditions:
Initial client_hello message includes both signaling mechanism for secure renegotiation: empty renegotiation_info extension and TLS_EMPTY_RENEGOTIATION_INFO_SCSV.

Impact:
Unable to connect with SSL.

Workaround:
None.


769817-5 : BFD fails to propagate sessions state change during blade restart

Component: TMOS

Symptoms:
BFD fails to propagate sessions state change during blade restart.

Conditions:
-- On a chassis with multiple blades, several routing protocol sessions are established, (e.g., BGP sessions).
-- BFD sessions are configured for each BGP session to sustain fast failover of BGP sessions.
-- There is a BGP session that can be established only via specific blade and the corresponding BFD session of this BGP session is processed on the same blade.
-- This blade is restarted (e.g., using the bladectl command) or experienced a blade failure.

Impact:
The BFD session remains in the BFD sessions table and remains there until BGP session is timed out by hold the timer (90 seconds, by default). Dynamic routes, which are learnt via affected BGP session, remain in the routing table until the hold time is reached.

Workaround:
Change BGP hold time to reasonable lower value.


769309-4 : DB monitor reconnects to server on every probe when count = 0

Component: Local Traffic Manager

Symptoms:
When using an LTM database monitor configured with the default 'count' value of 0 (zero), the database monitor reconnects to the monitored server (pool member) to perform each health monitor probe, then closes the connection once the probe is complete.

Conditions:
This occurs when using one of the LTM mssql, mysql, oracle or postgresql monitor types is configured with the default 'count' value of 0 (zero).

Impact:
Connections to the monitored database server are opened and closed for each periodic health monitor probe.

Workaround:
Configure the 'count' value for the monitor to some non-zero value (such as 100) to allow the network connection to the database server to remain open for the specified number of monitor probes before it is closed and a new network connection is created.


769145-4 : Syncookie threshold warning is logged when the threshold is disabled

Component: TMOS

Symptoms:
Setting connection.syncookies.threshold to zero disables the threshold, but the system still reports log messages similar to:

warning tmm3[18189]: 01010055:4: Syncookie embryonic connection counter 38 exceeded sys threshold 0

Conditions:
Setting connection.syncookies.threshold to zero.

Impact:
Warnings that do not provide valid information. If the threshold value is a non-zero value, it does indicate an issue. However, this message is benign when the end of the message reads 'exceeded sys threshold 0'.

Workaround:
None.


769029-3 : Non-admin users fail to create tmp dir under /var/system/tmp/tmsh

Component: TMOS

Symptoms:
The cron.daily/tmpwatch script deletes the /var/system/tmp/tmsh directory. After some time, the tmsh directory is created again as part of another cron job.

During the interval, if a non-admin accesses tmsh, tmsh creates the /tmp/tmsh directory with that user's permissions, which creates issues for subsequently non-admin user logons.

Conditions:
Try to access the tmsh from non-admin users when /var/system/tmp/tmsh is deleted.

Impact:
The first non-admin user can access tmsh. Other, subsequent non-admin users receive the following error:

01420006:3: Can't create temp directory, /var/system/tmp/tmsh/SKrmSB, errno 13] Permission denied.

After some time this /var/system/tmp/tmsh permission is updated automatically.

Workaround:
So that the script does not remove tmsh directory, but deletes 1-day old tmp files under /var/system/tmp/tmsh, update the last line of /etc/cron.daily/tmpwatch as follows:

tmpwatch --nodirs 1d /var/system/tmp


767305-4 : If the mcpd daemon is restarted by itself, some SNMP OIDs fail to return data the first time they are queried

Component: TMOS

Symptoms:
Upon querying a sysTmmStat* SNMP OID (for example, sysTmmStatTmUsageRatio5s), you find your SNMP client returns an error message similar to the following example:

No Such Instance currently exists at this OID

The very next time you query that same SNMP OID (or any other sysTmmStat* SNMP OID), you find they all work as expected and return the correct result.

Conditions:
This issue occurs after restarting only the mcpd daemon, i.e., running bigstart restart mcpd.

Impact:
All sysTmmStat* SNMP OIDs do not work until one of them is queried at least once, and the query is allowed to fail. After that, all sysTmmStat* SNMP OIDs work as expected.

Workaround:
Restart all services together, i.e., running the command: bigstart restart.

Should the mcpd daemon happen to be restarted on its own, you can simply ignore the error message and allow your SNMP polling station to fail a single polling cycle.

If you want to ensure that this issue does not occur, for example, so that your SNMP polling station does not generate unnecessary alarms, do not restart the mcpd daemon on its own, but rather restart all services together by running the following command:

bigstart restart


767013-5 : Reboot when B2150 and B2250 blades' HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch

Component: TMOS

Symptoms:
In a rare scenario, the HSB sends a large amount and continuous pause frames to the Broadcom switch, which indicates that the HSB is in a bad state.

Conditions:
This happens when there is heavy traffic load on VIPRION B2150 and B2250 blades. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Reboot the BIG-IP system.

Workaround:
None.


766169-1 : Replacing all VALN interfaces resets VLAN MTU to a default value

Component: Local Traffic Manager

Symptoms:
When the last physical interface is removed from a VLAN, VLAN's MTU is reset to default value of 1500. However when replacing all interfaces belonging to a VLAN with a new ones (e.g., with a command 'tmsh modify net vlan [name] interfaces replace-all-with {...}'), even if it does not look like removing all interfaces, it is actually done by removing all interfaces immediately followed by adding new ones. Because all interfaces are removed first, the VLAN MTU is reset to the default value even if the original value is perfectly valid for newly added interfaces. As it is done automatically inside TMM, it is not reflected in the configuration. TMSH and Configuration Utility continue to report original value.

Conditions:
Issue is visible only when removing or replacing all interfaces in a VLAN which has MTU value different than default 1500. Added interfaces must also have MTU values larger than 1500.

Impact:
VLAN MTU is set to 1500 despite Configuration Utility and TMSH still reporting original value.

Workaround:
There are two workarounds:

-- Reset desired MTU value after each operation of replacing all interfaces in a VLAN.
-- Avoid replace-all-with operation by adding new interfaces before removing unneeded ones.


765969-4 : Not able to get HSB register dump from hsb_snapshot on B4450 blade

Component: TMOS

Symptoms:
Running hsb_snapshot tool fails on B4450 blades with the following message:
Too many rows in tmm/hsb_internal_pde_info table

Conditions:
When vCMP is provisioned on VIPRION B4450 blades.

Impact:
HSB register dump is not available in hsb_snapshot orQkview for diagnostic purpose.

Workaround:
None.


765809 : Memory increases for the bd daemon on cluster environment primary blade

Component: Application Security Manager

Symptoms:
BD memory increases. The increased memory is seen as a very large number in the last column of the bd.log files UMU prints.

Conditions:
-- ASM provisioned on cluster environment.
-- ASM policy attached to a virtual.
-- Brute force protection configured.

Impact:
Memory increase; swap usage.

Workaround:
None.


764873-5 : An accelerated flow transmits packets to a dated, down pool member.

Component: TMOS

Symptoms:
Normally, when a pool member becomes unavailable, the flow is redirected towards another available pool member. However, an accelerated flow can continue to send traffic to the dated pool member rather than the updated one.

Conditions:
A flow changes the pool member it goes to while the flow is accelerated.

Impact:
The traffic continues to target the dated pool member that is not available.

Workaround:
Disable HW acceleration.

Or on BIG-IP v14.1.0 and later, if a pool member goes away, run the following command to flush all accelerated flow to be handled correctly by software:
tmsh modify sys conn flow-accel-type software-only


764373-5 : 'Modified domain cookie' violation with multiple enforced domain cookies with different paths

Component: Application Security Manager

Symptoms:
When the server sends enforced cookies with the same name for different paths, a false-positive 'Modified domain cookie' violation is reported.

Conditions:
Server sends enforced cookies with the same name but with different paths.

Impact:
A valid request might be rejected.

Workaround:
None.


763197-1 : Flows not mirrored on wildcard Virtual Server with opaque VLAN group

Component: Local Traffic Manager

Symptoms:
In an high availability (HA) configuration using an opaque VLAN group and a default (wildcard, 0.0.0.0/0) virtual server configured for connection mirroring, the standby device does not create the mirrored connection.

Conditions:
-- VLAN group configured and set to opaque.
-- db vlangroup.forwarding.override is set to 'disable'.
-- Default virtual server configured for all ports (destination 0.0.0.0/0 :0) with connection mirroring.

Impact:
In the event of a failover, connections that are expected to be mirrored will fail, which can cause traffic loss and client disruption.

Workaround:
None.


762073-3 : Continuous TMM restarts when HSB drops off the PCI bus

Component: TMOS

Symptoms:
In the unlikely event that HSB drops off the PCI bus, TMM continuously restarts until the BIG-IP system is rebooted.

Conditions:
The conditions under which the issue occurs are unknown, but it is a rarely occurring issue.

Impact:
Repeated TMM restarts. Traffic disrupted until you reboot the BIG-IP system. The HSB reappears and is functional after reboot.

Workaround:
Manually reboot the BIG-IP system.


761981 : information in snmpd.conf files may be overwritten

Component: TMOS

Symptoms:
During daemon startup, the snmpd daemon zeroes out sensitive data in the snmpd.conf files. This is done so that passwords are not available to be read on disk. This can cause problems when other daemons using the net-snmp shared libraries access snmpd.conf files for data that they need during startup.

Conditions:
Depending upon the startup sequence, a daemon may need data from snmpd.conf files.

Impact:
Daemons usually start in an orderly fashion and usually do not conflict with each other. However, it is possible that they could fail to load correctly due to the zeroing out of data.

Workaround:
Use tmsh to configure SNMP users.


761913-1 : iRule checksum created in GUI might cause config load failure in tmsh

Component: Local Traffic Manager

Symptoms:
tmsh config load may fail and issue the message indicating mismatching checksum, similar to the following:

01071493:3: iRule (/Common/pool_select_rule) content does not match the checksum.
Unexpected Error: Loading configuration process failed.

Conditions:
-- Select a new or existing iRule on the Local Traffic :: iRules :: iRules List page, and click 'Add Checksum".

-- SSH into the BIG-IP system and run the following command:
   tmsh load sys config

Impact:
tmsh config load fails.

Workaround:
Do not add checksums to iRules you create in the GUI.


761833 : PostgreSQL database disk usage over 2GB without AFM

Component: TMOS

Symptoms:
PostgreSQL uses a large amount of disk when AFM is licensed.

Conditions:
AFM being licensed but not in use.

Impact:
Increase in database file size.

Workaround:
Follow the procedure to dump/load the database.

The dump-load procedure used as follows:

1. pg_dumpall -U postgres |gzip -1v >/shared/tmp/pgdump$(date +%s).gz
2. bigstart stop pgadmind
3. rm -rf /var/local/pgsql/
4. bigstart start pgadmind
5. sleep 3; while pidof initdb; do sleep 1; done; sleep 3
6. zcat /shared/tmp/pgdump$(date +%s).gz|psql -U postgres template1
7. bigstart restart pgadmind


761091 : Missing charset specification in response page after upgrade

Component: Application Security Manager

Symptoms:
Blocking response pages are missing charset specification after upgrade, and appear garbled for non-UTF-8 policies.

Conditions:
-- A blocking response page is configured with non-UTF-8 characters.
-- ASM is upgraded.

Impact:
Blocking response pages appear garbled.

Workaround:
To workaround this issue, follow this procedure:

1. Change the policy to transparent and save.
2. Change it back to blocking and save.
4. Apply policy.

Now the response page now appears correctly.


761084-2 : Custom monitor fields appear editable for Auditor, Operator, or Guest

Component: TMOS

Symptoms:
Mozilla Firefox browser shows custom monitor fields editable for Auditor, Operator, or Guest role users.

Conditions:
You can experience this issue by following these steps:

1. Create custom monitor (e.g., http, mysql, tcp).
2. Use FireFox browser to logon to the BIG-IP system Configuration utility with a user role that is Auditor, Operator, or Guest.
3. Access the custom monitor. Note that Send String, Receive String, and Receive Disable String are all grayed out.
4. Click the browser Back button.
5. Click the browser Forward button.

Impact:
Send String, Receive String, and Receive Disable String are now editable fields. Although the Auditor, Operator, or Guest. user can edit the fields, the Update button is still grayed out, so any entry is not saved.

Workaround:
None.


760950-1 : Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment

Component: TMOS

Symptoms:
The advertised next-hop is a floating-IP of the active traffic-group on a peer BIG-IP system, although it should be the floating-IP of the traffic-group active on the current BIG-IP system.

Note: A previous bug had this same symptom, but was due to a different root cause.

Conditions:
-- In a BIG-IP high availability (HA) configuration.
-- The HA configuration is Active-Active topology.
-- There are multiple traffic-groups, in which each device is active for one traffic-group.

Impact:
An incorrect next-hop in BGP is advertised for a traffic group in Active-Active deployment. Traffic for relevant advertised routes might go to a standby device.

Workaround:
Configure the floating address of a traffic group as the next-hop in its route-map.


760752 : Internal sync-change conflict after update to local users table

Component: Device Management

Symptoms:
-- 'top' shows java and mcpd becomes CPU intensive.
-- /var/log/audit shows many 'modify { user_role_partition { user_role_partition_user ...'
-- /var/log/restjavad-audit.0.log shows many REST API calls to 'http://localhost:8100/mgmt/shared/gossip' from the peer.

Conditions:
-- Create a new admin user with bash access on a device.
-- Running v12.1.4.

Impact:
High CPU usage (Java and mcpd) on control and analysis plane.

Workaround:
To work around this issue, follow these steps:

1. Sync from the device where the user was created.
2. Run the following command on all devices:
tmsh restart sys service restjavad

Although Java and mcpd will still show high CPU usage even after restart, waiting a few minutes enables the processes to return to normal.


760683-3 : RST from non-floating self-ip may use floating self-ip source mac-address

Component: Local Traffic Manager

Symptoms:
A RST from non-floating self-ip may use floating self-ip source mac-address when AFM or ASM is enabled.

Conditions:
-- AFM or ASM is enabled.
-- RST generated from non-floating self-ip address.

Impact:
An L2 switch may update the fwd table incorrectly.

Workaround:
None.


760615-5 : Virtual Server discovery may not work after a GTM device is removed from the sync group

Component: Global Traffic Manager (DNS)

Symptoms:
LTM configuration does not auto-discover GTM-configured virtual servers.

Conditions:
-- GTM is deprovisioned on one or more GTM sync group members, or the sync group is reconfigured on one or more members.

-- Those devices remain present in the GTM configuration as 'gtm server' objects.

-- iQuery is connected to those members.

Impact:
Virtual servers are not discovered or added automatically.

Workaround:
You can use either of the following workarounds:

-- Manually add the desired GTM server virtual servers.

-- Delete the 'gtm server' objects that represent the devices that are no longer part of the GTM sync group. These can then be recreated if the devices are operating as LTM-configured devices.


760518-2 : PEM flow filter with DSCP attribute optimizes traffic resulting in some PEM action enforcement

Component: Policy Enforcement Manager

Symptoms:
Some PEM action enforcement does not work with flow filter with PEM attribute set.

Conditions:
Flow filter has the Differentiated Services Code Point (DSCP) attribute set

Impact:
Some PEM actions such as http-redirect do not perform as expected.

Workaround:
Set the DSCP to the default value


760439-1 : After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status

Component: TMOS

Symptoms:
After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status (e.g., transitions to standby or active).

Conditions:
Installing UCS that was taken in forced-offline state on clean installed unit.

Impact:
Unit may become active/standby before intended (e.g., during maintenance).

Workaround:
After installing the UCS, ensure that the unit is in forced-offline state as intended. If not in forced-offline state, force the unit offline before proceeding.


760259-1 : Qkview silently fails to capture qkviews from other blades

Component: TMOS

Symptoms:
When capturing a qkview on a chassis, there are no warnings provided if the qkview utility is run to gather a qkview from other blades.

Conditions:
-- On a chassis system, rename/move the qkview binary from a given blade.

-- Execute qkview on another blade, verify that no warnings or errors are produced.

Impact:
There is no warning that the qkview failed for a given blade.

Workaround:
There is no workaround other than running the qkview on the actual blade.


760222-4 : SCP fails unexpected when FIPS mode is enabled

Component: TMOS

Symptoms:
Secure Copy (scp) to some locations fails with the following message:
Path not allowed.

Conditions:
-- FIPS mode is enabled.
-- Copying a file to a restricted location using SCP.

Impact:
Cannot use SCP to copy to restricted locations on the BIG-IP system.

Workaround:
None.


760050-5 : cwnd warning message in log

Component: Local Traffic Manager

Symptoms:
The following benign message appears in the log: cwnd too low.

Conditions:
The TCP congestion window has dropped below one Maximum Segment Size, which should not happen.

Impact:
None. TCP resets the congestion window to 1 MSS.

Workaround:
This message does not indicate a functional issue, so you can safely ignore this message. There is no action to take, but the presence of the message can be useful information for debugging other TCP problems.


759852-3 : SNMP configuration for trap destinations can cause a warning in the log

Component: TMOS

Symptoms:
The snmpd configuration parameters can cause net-snmp to issue a warning about deprecated syntax.

Conditions:
The use of a sys snmp command similar to the following to modify the snmpd.conf file:
sys snmp v2-traps { TRAP1 { host 1.2.3.4 community somestring } }

Impact:
net-snmp issues a warning that the syntax has been deprecated and reports a warning message in the log.

Workaround:
None.


759077-6 : MRF SIP filter queue sizes not configurable

Component: Service Provider

Symptoms:
The ingress and egress queues of the MRF SIP filter have fixed sizes that cannot be configured.

Conditions:
If the hard-coded queue size of 512 messages or 65535 bytes are exceeded, the filter enables its flow control logic.

Impact:
Messages may be dropped.

Workaround:
None.


759008 : DoSL7 site_severity always equals "1" in remote log

Component: Application Security Manager

Symptoms:
Log always shows site_severity as '1'.

Conditions:
- Enable DoSL7.
- Configure remote logger.
- Send traffic.

Impact:
Logged DoSL7 attack severity shows as '1'.

Workaround:
None.


758929 : Bcm56xxd MIIM bus access failure after TMM crash

Component: TMOS

Symptoms:
Bcm56xxd daemon running on B4300 blade might experience MIIM bus access failure after a tmm crash. The system posts
a message similar to the following in the ltm log:

info bcm56xxd: 012c0016:6: MiimTimeOut:soc_miim_write, timeout (id=0xc9 addr=0x1f data=0x0000)

Conditions:
-- TMM crash.
-- VIPRION b4300 blade.

Impact:
The affected B4300 blade fails to pass traffic. If configured for high availability (HA), failover occurs.

Workaround:
Reboot the affected B4300 blade.


758520 : Deploying the f5_microsoft_exchange_2010_2013 template generates erroneous APM policy customization-group.

Component: iApp Technology

Symptoms:
There is an erroneously named APM policy customization-group after importing a BIG-IP system into BIG-IQ, where the BIG-IP system already has a deployed iApp based on the f5_microsoft_exchange_2010_2013 template:

[ERROR]... Missing cache path for Kind: tm:apm:policy:customization-group:templates:templatesstate, Object:
/Common/Exchange_2013_internal.APM.app/logon.inc.

Conditions:
-- The BIG-IP system has a deployed iApp based on the f5_microsoft_exchange_2010_2013 template (f5.microsoft_exchange_2010_2013_cas.v1.6.2).
-- Importing the BIG-IP system into the BIG-IQ for managing.

Impact:
The resulting configuration contains an incorrectly named APM policy customization-group.

For example, the group name is:
/Common/Exchange_2013_internal.APM.app/exch_custom_logon:logon.inc

The name should be:
/Common/Exchange_2013_internal.APM.app/exch_custom_logon_ag:logon.inc"

Specifically, the '_ag' suffix on the first part of the filename is missing.

Workaround:
You have two options:

-- Modify the bigip.conf file by searching to 'app-service /Common/Exchange_2013_internal.APM.app/Exchange_2013_internal.APM' and changing 'app:exch_custom_logon' to 'app:exch_custom_logon_ag'.

-- Upgrade to the latest Exchange iApp and iApp deployed to BIQ-IQ with version 6.1.0-0.0.1224.0.


758437-3 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.


758436-5 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.


757777-1 : bigtcp does not issue a RST in all circumstances

Component: Local Traffic Manager

Symptoms:
bigtcp does not issue a TCP reset, e.g. when using the iRule reject command on CLIENT_ACCEPTED

Conditions:
bigtcp in use, tcp connection, connection ungracefully shut down via a 'reject' command in an iRule

Impact:
TCP RST is not sent, and the SYN is silently dropped.

Workaround:
none


757709 : Routing daemon NSM cores if any of interface indexes of VLANs, Tunnels or VLAN Groups are identical to loopback and tmm interfaces of Route Domains where these VLANs, Tunnels or VLAN Groups are located

Component: TMOS

Symptoms:
Routing daemon NSM crashes and generates a core file, then the watchdog daemon, tmrouted notices that NSM is down and restarts it, then NSM crashes and generates a core file and everything starts all over again.

Conditions:
This very rare situation occurs when there is a BIG-IP system with the following routing configuration:

-- At least one Route Domain on a BIG-IP has the tmm and loopback interfaces generated (when Route Domain was created) in such way that one of their internal interface indexes (ifindex) is the same as the ifindex of the suspected object, in this example, it's a VLAN.

-- The suspected Route Domain has a routing protocol enabled.

-- The suspected object, VLAN, is added to the suspected Route Domain.

In general, this rarely occurring issue occurs in response to the way route domains and VLANs are organized on the BIG-IP system and how they interact with each other in NSM, and how a collision occurs.

Impact:
Routing Daemon NSM crashes and generates a core file.

Workaround:
Reboot the BIG-IP system.

If this does not resolve the issue, you must re-create all VLANs.


757520 : After a software upgrade, the BIG-IP system does not use the correct hostname for logging.

Component: TMOS

Symptoms:
After performing a regular software upgrade during which the configuration was rolled forward, the log messages for all daemons except tmm on the upgraded unit, report the default hostname (i.e., localhost) instead of the hostname assigned to the BIG-IP system.

Conditions:
Performing a software upgrade to BIG-IP version 11.5.6, 11.5.7, 11.5.8, or 12.1.4 while rolling forward the existing configuration.

This can also happen when you first set up remote syslog on a new LTM on an affected version.

Impact:
There is no impact to the BIG-IP system itself. However, a BIG-IP Administrator may wrongly assume that the configuration failed to load the configuration due to the default hostname being visible in the logs.

This is not the case; the BIG-IP system correctly loads the configuration post-upgrade. If you are concentrating logs to an external server this may make it difficult to determine where some logs originated.

Workaround:
To work around this issue, run the following command:

bigstart restart syslog-ng

Note: This issue occurs only the very first time one of the affected versions is booted. Once the issue has been worked around once, the issue does not recur. Therefore, this workaround can be considered permanent.


757510-4 : Class name mismatch is not caught

Component: Local Traffic Manager

Symptoms:
The datagroup referenced in irule is different from data group definition and the error is not caught at validation. During config load, you see this error:

01070151:3: Rule [/Common/myrule] error: Unable to find value_list

Conditions:
The datagroup referenced in an iRule is different from data group definition.

Impact:
The error is not caught at validation, and TMM errors out at run time.

Workaround:
Use the right name.

Note: The name is case sensitive.


757505-1 : peer-cert-mode set to 'always' does not work when client-ssl is enabled with session-ticket

Component: Local Traffic Manager

Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.

Conditions:
-- Session tickets are enabled.
-- The peer-cert-mode in the client SSL profile is set to `always'.
-- A session is restored using a ticket.

Impact:
The SSL client is validated only once, instead of each time.

Workaround:
Disable session ticket.


757441-1 : Specific sequence of packets causes Fast Open to be effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000.

Conditions:
-- TCP Fast Open and ECN are both enabled.
-- There are multiple RST segments from the receive window received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled, as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.


757029-5 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.


756830-3 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Component: TMOS

Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has following settings:

- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.

Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.

Workaround:
You can try either of the following:

-- Do not use the Source Port setting of 'Preserve Strict'.

-- Disable connection mirroring on the virtual server.


756812 : Nitrox 3 instruction/request logger may fail due to SELinux permission error

Component: Local Traffic Manager

Symptoms:
When the tmm Nitrox 3 queue stuck problem is encountered, the Nitrox 3 code tries to log the instruction/request, but it may fail due to SELinux permissions error.

The system posts messages in /var/log/ltm similar to the following:

-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 00:09.7, discarded 54).
-- crit tmm1[21300]: 01010025:2: Device error: n3-compress0 Failed to open instruction log file '/shared/nitroxdiag/instrlog/tmm01_00:09.7_inst.log' err=2.

Conditions:
-- tmm Nitrox 3 queue stuck problem is encountered.
-- The Nitrox 3 code tries to log the instruction/request.

Impact:
Error messages occur, and the tmm Nitrox 3 code cannot log the instruction/request.

Workaround:
None.


756647-4 : Global SNAT connections do not reset upon timeout.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not send reset packets when a connection times out.

Conditions:
BIG-IP configured with global SNAT.

Impact:
Client or server might unnecessarily keep the connection open.

Workaround:
You can use either of the following workarounds:

-- Use forwarding virtual server with snatpool instead of global SNAT.

-- Modify tmm_base.tcl as follows:
profile bigproto _bigproto {
    reset_on_timeout enable
}


756313-5 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
To restore the state of the member, remove it, and add it back to the pool.


756311-2 : High CPU during erroneous deletion

Component: Policy Enforcement Manager

Symptoms:
The utilization of some CPUs in the system starts going up and remains so for a long time. Might see messages similar tot he following in tmm logs:

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.10.10%0-4a89723e; Instance ID mismatch ERR_OK for subscriber id 310012348494 with 10.1.10.10-0-4a8987ea.

-- notice PEM: spm_subs_id_consistency_check_cb: Session 10.1.18.10%0-4a8b850c; Look up returned err ERR_OK for subscriber id 3101512411557

Conditions:
The exact conditions under which this occurs are unknown. One potential trigger is CDP flap.

Impact:
TMM may need to be restarted if the CPU usage does not subside. Traffic disrupted while tmm restarts.

Workaround:
Try deleting all subscribers from the CLI.


756177-3 : GTM marks pool members down across datacenters

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are marked down even though the monitored resource is available.

GTM debug logs indicate that each GTM is relying on the other GTM to conduct probing:

debug gtmd[13166]: 011ae039:7: Check probing of IP:Port in DC /Common/dc1.
debug gtmd[13166]: 011ae03a:7: Will not probe in DC /Common/dc1 because will be done by other GTM (/Common/gtm2).
---
debug gtmd[7991]: 011ae039:7: Check probing of IP:Port in DC /Common/dc2.
debug gtmd[7991]: 011ae03a:7: Will not probe in DC /Common/dc2 because will be done by other GTM (/Common/gtm1).

Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a single monitor, and the monitor uses an alias address that can be pinged from both data centers.
-- GTM pool members configured from different data centers.

Impact:
Pool members are marked down.

Workaround:
Instead of a single monitor, use a monitor created specifically for each data center.


755997-3 : Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address

Component: Local Traffic Manager

Symptoms:
When IPsec traffic is processed by a FastL4 profile, which is not related to an IPsec listener, and is send out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x.

Conditions:
-- IPsec traffic is processed by a FastL4 profile, which is not related to an IPSEC listener.
-- The traffic is sent out via a gateway pool or a dynamic route.

Impact:
The incorrect source address is used.

Workaround:
None.


755976 : ZebOS might miss kernel routes after mcpd deamon restart

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.


755791-5 : UDP monitor not behaving properly on different ICMP reject codes.

Component: Local Traffic Manager

Symptoms:
Unexpected or improper pool/node member status.

Conditions:
The BIG-IP system receives the ICMP rejection code as icmp-net/host-unreachable.

Impact:
The monitor might consider a server available when some type of ICMP rejection has been received that is not port unreachable.

Workaround:
You can use either of the following workarounds:
-- Use UDP monitors configured with a receive string.
-- Do not use UDP monitors.


755727-4 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.

Once this condition occurs, ephemeral pool members are no longer created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:

-- Using FQDN nodes/pool members.
-- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted.
-- There is a temporary loss of connectivity to/responsiveness from the DNS server.

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by either of the following actions:

1. Restart the dynconfd daemon:
bigstart restart dynconfd

2. Delete and re-create the FQDN template pool member using the following two commands:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755631-4 : UDP / DNS monitor marking node down

Component: Local Traffic Manager

Symptoms:
The UDP / DNS monitor marks nodes down.

Conditions:
-- UDP or DNS monitor configured.
-- Interval is multiple of timeout.
-- The response is delayed by over one interval.

Impact:
Pool member is marked down.

Workaround:
Increase the interval to be greater than the response time of the server.


755630-3 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes

Component: Service Provider

Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.

Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.

Impact:
SIP calls fail to deliver media when HA failover occurs.

Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.


755549 : TMM crash and core

Component: TMOS

Symptoms:
TMM crashes and generates a core file under unknown conditions.

Conditions:
The conditions required for this issue to occur are not well understood, but might be related to a MCP message handling failure (during virtual server creation) in an AAM with LTM configuration.

The issue might be related to an unsupported configuration, as follows:
The BIG-IP system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration, however. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both.

Impact:
TMM crash and core. Traffic disrupted while tmm restarts.

Workaround:
Correct the misconfiguration (specifically, OneConnect and iSession being mutually exclusive features), and try the operation again.


755311-4 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down

Component: Service Provider

Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.

Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.

Impact:
The remote server is not notified of the change in DIAMETER peer status.

Workaround:
None.


755250 : Clock advanced messages when modifying a virtual server with 1000 SSL profiles

Component: Local Traffic Manager

Symptoms:
The system posts clock advanced messages when modifying a virtual server. You might also experience an Active/Active situation because tmm might be too busy to send high availability (HA) packets. The messages appear similar to the following:

notice tmm1[12549]: 01010029:5: Clock advanced by 556 ticks

Conditions:
-- Virtual server has 1000 or more SSL profiles defined.
-- A client SSL profile gets its defaults from another profile.
-- You change the cipher settings in that other profile.

Impact:
The system logs clock advanced messages, and sod kills tmm when you run the following command: tmsh load sys config Traffic disrupted while tmm restarts.

Workaround:
To work around this, do the following:
-- Remove some of the SSL profiles from the virtual server.
-- Reset the cipher settings to default.


755005-4 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.


754901-4 : Frequent zone update notifications may cause TMM to restart

Component: Global Traffic Manager (DNS)

Symptoms:
When there are frequent zone update notifications, the watchdog for TMM may trip and TMM crash/restarts. There may also be 'clock advanced' messages in /var/log/ltm.

Conditions:
- Using DNS express.
- DNS zone with allow notify.
- Frequent zone NOTIFY messages resulting in zone transfers.

Impact:
TMM restart potentially resulting in failing or impacting services. Traffic disrupted while tmm restarts.

Workaround:
None.


754617-3 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Service Provider

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.


754604-1 : iRule : [string first] returns incorrect results when string2 contains null

Component: Local Traffic Manager

Symptoms:
In an iRule such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. Performing the same search in tclsh, the expected -1 (not found) result is returned.

Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.

Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.

Workaround:
None.


754460 : No failover on HA Dual Chassis setup using HA score

Component: TMOS

Symptoms:
On a high availability (HA) set up of two chassis, an HA failover does not occur, despite HA score on Standby being greater than Active.

Conditions:
-- Multiple blades disabled.
-- Both active and standby chassis have same HA score.
-- Enabling blades on standby chassis.

Impact:
Although enabling blades on the standby chassis causes a higher HA score on the standby (which should cause a failover to occur), HA state remains the same on both chassis. HA failover is not occurring using HA score calculation.

Workaround:
None.


754349-1 : FTP connections to virtual server drop when both sides of data channel are offloaded via FastL4

Component: Local Traffic Manager

Symptoms:
FTP uploads that are offloaded on both sides drop after the idle timeout period, even though data is flowing.

Conditions:
-- FTP virtual server set up with a standard profile and FastL4 offloading.
-- Attempt a file upload to the virtual server where both client and server side of the data channel are offloaded.

Impact:
Dropped connections; data loss.

Workaround:
You can do either of the following:
-- Enable Inherit Parent Profile on the FTP profile.
-- Turn off FastL4 offloading.


754330 : Monpd might load many CSV files such that stats for AVR are not loaded to the database as quickly as expected

Component: Application Visibility and Reporting

Symptoms:
Monpd attempts to load a batch of CSV files that exceed the partition threshold. This might cause Monpd to falsely detect a corrupted database.

Conditions:
-- Monpd is down for a given interval, and needs to load a batch of CSV files.
-- Monpd gets lower priority for CPU and does not manage loading CSV files within a specific timeframe.
-- Some of the reports are more demanding than others, and create CSV files more often, which makes it harder for Monpd to load efficiently.

Impact:
Stats for AVR might not be loaded to the database within an expected interval.

Workaround:
None.


754132-1 : A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command

Component: TMOS

Symptoms:
A default route is not propagated in Network Layer Reachability Information (NLRI) by a routing framework on a command: 'clear ip bgp <neighbor router-id> soft out'.

-- Enter to imi(Integrated Management Interface) shell.
[root@hostname:Active:Standalone] config # imish
hostname[0]>

-- Issue a command inside imish. 10.0.0.4 is neighbor BGP router-id.
hostname[0]>clear ip bgp 10.0.0.4 soft out

Conditions:
-- There is a BIG-IP system with the following routing configuration:

imish output:
hostname[0]#sh run
!
no service password-encryption
!
interface lo
!
... <skip other default information, like interfaces.>
!
router bgp 1
 bgp router-id 10.17.0.3
 bgp graceful-restart restart-time 120
 neighbor 10.17.0.4 remote-as 1
!

-- There is a default route, which is advertised by this BGP configuration. Here is one way to check it:

hostname[0]:sh ip ospf database
... <skip less important info>
                AS External Link States

Link ID ADV Router Age Seq# CkSum Route Tag
0.0.0.0 10.17.0.3 273 0x80000002 0x5c4e E2 0.0.0.0/0 0

The 'clear ip bgp 10.17.0.4 soft out' command is issued, and there is no NLRI with a default route generated. You can confirm that by running tcpdump and reading what is in the generated Link-state advertisement (LSA), messages or by watching OSPF debug logs.

Note: The source from which you gather the default route and advertise it to the neighbors does not matter. It might be the usual BGP route learned from another router, a locally created route, or it might be configured by 'neighbor <neighbor router-id> default-originate'.

Impact:
A default-route is not propagated in NLRI by 'soft out' request, even with default-originate configured.

Workaround:
There is no specific workaround for 'clear ip bgp <neighbor router-id> soft out' command, but if you want to make routing protocol propagate a NLRI with a default route, you can do either of the following:

-- Remove the default route from advertised routes. This workaround is configuration-specific, so there there are no common steps.
  + If you have default-originate configured for your neighbor, then delete that part of the configuration and re-add it.
  + If you create a default route as a static route, recreate it.
  + And so on.

The idea is to remove a root of default route generation and then add it back.

-- Run a 'soft in' command from your neighbor. If a neighbor you want to propagate a NLRI is a BIG-IP device, or is capable of running this type of command, you can issue a imish command on the neighbor:

# neighbor-hostname[0]: clear ip bgp <neighbor router-id> soft in

Note: This time, the 'soft in' command requests the NLRIs.


753860-2 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.


753805-2 : BIG-IP system failed to advertise virtual address even after the virtual address was in Available state.

Component: Local Traffic Manager

Symptoms:
After failover, a longer time than expected for the virtual server to become available.

Conditions:
-- There is a configuration difference in the pool members before and after the configuration synchronization.
-- Probe status is also different.

Impact:
Virtual server takes longer than expected to become available.

Workaround:
Run full sync (force-full-load-push) from the active BIG-IP system to solve this issue.


753526-4 : IP::addr iRule command does not allow single digit mask

Component: Local Traffic Manager

Symptoms:
When plain literal IP address and mask are used in IP::addr command, the validation fails if the mask is single digit.

Conditions:
The address mask is single digit.

Impact:
Validation fails.

Workaround:
Assign address/mask to a variable and use the variable in the command.


753501-4 : iRule commands (such as relate_server) do not work with MRP SIP

Component: Service Provider

Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.

Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.

Impact:
iRule commands such as relate_server cannot be used with MRF SIP.

Workaround:
None.


753423-3 : Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation

Component: TMOS

Symptoms:
working-mbr-count not showing correct number of interfaces.

Conditions:
Slot got disabled and re-enabled immediately.

Impact:
Interfaces may be removed from an aggregation permanently.

Workaround:
Disable and re-enable the slot with time gap of one second.


753163-1 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- HA failover occurs after 26 days.

Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.


753014-2 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.


753001-4 : mcpd can be killed if the configuration contains a very high number of nested references

Component: TMOS

Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.

Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).

Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.

Workaround:
None.


752994-4 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod

Component: TMOS

Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.

Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.

Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no HA configured).

Workaround:
None.


752530-4 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.

Component: Local Traffic Manager

Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.

Conditions:
This occurs when either of the following conditions are met:

-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.

Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.

Workaround:
None.


752334-4 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation

Component: Local Traffic Manager

Symptoms:
When Fast L4 receives out of order TCP packets, TCP analytics may compute wrong goodput value.

Conditions:
When FAST L4 receives out-of-order packets.

Impact:
Fast L4 reports an incorrect goodput value for the connection.

Workaround:
None.


752216-3 : DNS queries without the RD bit set may generate responses with the RD bit set

Solution Article: K33587043

Component: Global Traffic Manager (DNS)

Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.

Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.

Impact:
Some responses to DNS queries may include the RD bit, even thought the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.

Workaround:
None.


752078-3 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP system.

Conditions:
-- The header field value string is exceptionally long, and has embedded whitespace characters.
-- HTTP/2 is used.

Impact:
A header such as:
x-info: very_long_string that has whitespace characters

may be sent to the client as:
x-info: ery_long_string that has whitespace characters

Workaround:
None.


751710-1 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751427 : LTM policy rule condition does not match server-name in ssl-extension

Component: Local Traffic Manager

Symptoms:
An LTM policy that attempts to match the server name of an SSL extension does not get executed, even though the server name in the client hello packet is a match for the condition.

Conditions:
Using an LTM policy that has a rule which has a condition that attempts to match on the server name of the an SSL extension.

Impact:
The LTM policy is not executed.

Workaround:
An iRule may be used instead.


751409-4 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers with the same address, port, and route domain, and have them overlap only in VLANs

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.


751383-3 : Invalidation trigger parameter values are limited to 256 bytes

Component: WebAccelerator

Symptoms:
Invalidation trigger parameter values are limited to a internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.

Conditions:
-- AAM policy with invalidation trigger.
-- Invalidation trigger request with parameter value larger than 256 bytes.

Impact:
All content on target policy node is invalidated rather than the specific content targeted.

Workaround:
None.


751232 : LSN pool real-time stats are not persisted over reboot

Component: Carrier-Grade NAT

Symptoms:
After rebooting a VIPRION device or blade for which Port Block Allocation (PBA) is done, the PBA allocation is persisted, but the stats are not.

Conditions:
Reboot the VIPRION device or a blade

Impact:
LSN pool real-time stats are not persisted over reboot. The stats are not consistent with the connection DB.

Workaround:
There is no direct workaround, but you can make the stats consistent by deleting the PBA allocation or wait for it to age out of the LSN DB. Subsequent PBA allocations will be reflected correctly in the stats and will be consistent with the LSN DB.


751179-4 : MRF: Race condition may create to many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.


751036-4 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Component: Local Traffic Manager

Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections fall below the limit.

Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections fall below the limit.

Impact:
Virtual server status reports unavailable, even though it should be available.

Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.


751024-1 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd

Component: TMOS

Symptoms:
Messages similar to the following appear in /var/log/ltm:

info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:

Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.

Impact:
Changes in optic state may be ignored while I2C bus is unavailable.

Workaround:
For each SFP, perform the following procedure:

1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.

Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.


751021-4 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.


750823-4 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which cause a TMM crash eventually.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750631-3 : There may be a latency between session termination and deletion of its associated IP address mapping

Component: Access Policy Manager

Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.

Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.

Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy


750491-1 : PEM Once-Every content insertion action may insert more than once during an interval

Component: Policy Enforcement Manager

Symptoms:
Successful PEM content insertion accounting is lost during re-evaluation, resulting in more insertions per insertion interval.

Conditions:
During re-evaluation to update the existing flow.

Impact:
More than expected Insert content action with Once-Every method of insert content action

Workaround:
None.


750490-1 : PEM content insertion action may insert more than once with Once-Every method

Component: Policy Enforcement Manager

Symptoms:
PEM content insertion action data is being reset even if there is no PEM policy update.

Conditions:
During re-evaluation to update the existing flow.

Impact:
More than expected Insert content action with Once-Every method of insert content action.

Workaround:
None.


750473-2 : VA status change while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.


750413 : UTF-8 character in subject of a certificate used for iQuery cannot be removed

Component: TMOS

Symptoms:
If certificate subject which is added to 'Trusted Device Certificates' or 'Trusted Server Certificates' contains UTF-8 characters, it cannot be removed via GUI or edited via TMSH. When removing such a certificate GUI posts the following error:

Key management library returned bad status: -2, Not Found.

Conditions:
-- Using a certificate with UTF-8 character in its subject.
-- The cert is in 'Trusted Device Certificates' or 'Trusted Server Certificates'.
-- Try to remove this certificate.

Impact:
Certificates from 'Trusted Device Certificates' or 'Trusted Server Certificates' are not editable via TMSH. The only way of removing them is to edit /config/big3d/client.crt or /config/gtm/server.crt

Workaround:
Edit /config/big3d/client.crt or /config/gtm/server.crt to remove the certificates containing the UTF-8 character in subject of a certificate.


750204-1 : Add support for P-521 curve in the X.509 chain to SSL LTM

Component: Local Traffic Manager

Symptoms:
SSL is unable to verify certificate signed with EC P-521 key.

Conditions:
N/A

Impact:
Client/server authentication (X.509 signature verification) will failed when using certificate signed with EC P-521 key.

Workaround:
Client/server has to use certificate signed with supported EC curve (P-256/P-384).


750200-4 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


749785-3 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.

Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.


749603-4 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.


749528-4 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.


749222-4 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
-- Got bad packet: bad compression pointer.
-- Got bad packet: bad label type.

Conditions:
When the DNS response is large enough so that dname redirects to an offset larger than 0x3f ff.

Impact:
DNS response is malformed. Because the DNS record is corrupted, zone transfer fails.

Workaround:
None.


748632 : APM Endpoint inspection fails on macOS Mojave

Component: Access Policy Manager

Symptoms:
When there are two or more endpoint checks that require OPSWAT libraries, the endpoint checks fail on macOS Mojave.

Conditions:
Access Policy profile with two or more endpoint checks such as AntVirus, Firewall, System Patch.

Impact:
Network Access (VPN) is denied.


748608 : IPsec / ESP traffic pinned to TMM 0 for SP-Dag on 4000s/4200v, 2000s/2200v platforms

Component: TMOS

Symptoms:
Traffic pinned to TMM 0 using Source/Destination Disaggregation (SP-DAG) on 4000s/4200v, 2000s/2200v platforms.

Conditions:
-- IPsec / ESP packets.
-- SP-DAG configured.
-- Using 4000s/4200v, 2000s/2200v platforms.

Impact:
Traffic disaggregation does not operate as expected. Traffic pinned to TMM 0.

Workaround:
None.


748323 : It is possible for the archive.tm2 file to not get cleaned up

Component: TMOS

Symptoms:
The istats daemon maintains a file (/var/tmstat2/blade/archive.tm2) that is used to track the addition and deletion of dynamic statistics. It is possible for this file to grow so large that it causes the istats daemon to use too much CPU.

Conditions:
This rarely happens, but it is due to loss of state, such that stale statistics are maintained when they should have been deleted.

Impact:
The istats daemon can use too much of the control plane CPU in this error condition.

Workaround:
Remove the /var/tmstat2/archive.tm2 file. The system recovers after one cycle of processing the archive file.


748253-4 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP system, there can be a race condition in a mirrored device cluster where the standby BIG-IP system resets its mirror connection to the active device.

Conditions:
-- MRF DIAMETER in use.
-- The DIAMETER session profile on the BIG-IP system is configured to use a non-zero watchdog timeout.
-- The DIAMETER session profile on the BIG-IP system is configured to use Reset on Timeout.
-- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and gets out of sync with it. There may be connections lost if a failover occurs.

Workaround:
To mitigate this issue:

1. Configure the Maximum Watchdog Failures to a value greater than 1.
2. Configure the Watchdog Timeout as something different from the same timeout on the remote peer, preferably to something that will have little overlap (i.e., the two timers should fire at the exact same time very infrequently).


748031-4 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule

Component: WebAccelerator

Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.

Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters

Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.

Workaround:
No workaround exists.


747995-1 : MBLB SIP dropping packets with unknown methods

Component: Service Provider

Symptoms:
Traffic sent to a MBLB SIP LB is dropped if the SIP method is unknown.

Conditions:
Packets encountered SIP methods not already known to the BIG-IP system.

Impact:
Packet is dropped.

Workaround:
None.


747909-2 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.


747905 : 'Illegal Query String Length' violation displays wrong length

Component: Application Security Manager

Symptoms:
When the system decodes a query string that exceeds the allowed query string length, the system reports the incorrect 'Illegal Query String Length' violation string length.

Conditions:
-- 'Illegal Query String Length' violation is encountered.
-- The query string is decoded and reported.

Impact:
The system reports the decoded character count rather than bytes. For example, for a Detected Query String Length = 3391, the system posts a Detected Query String Length = 1995.

Workaround:
None.


747799-3 : 'Unable to load the certificate file' error and configuration-load failure upgrading from 11.5.4-HF2 to a later version, due to empty cert/key in client SSL profile

Component: TMOS

Symptoms:
During upgrade, the configuration fails to load due to an invalid client SSL profile cert/key configuration. The system posts an error: Unable to load the certificate file.

This occurs as a result of an invalid configuration that can be created as a result of a bug (614675) that exists in 11.5.4-HF2 (and only in 11.5.4-HF2). Because of the bug, it is possible to create a client SSL profile with an empty cert-key-chain, as shown in the following example:

 ltm profile client-ssl /Common/cssl {
     app-service none
     cert none
     cert-key-chain {
         "" { } <=============== empty cert-key-chain
         defualt_rsa_ckc { <==== typo: 'defualt'
             cert /Common/default.crt
             key /Common/default.key
         }
     }
     key none
 }

Note: This upgrade failure has an unique symptom: the typo 'defualt_rsa_ckc'. However, the name has no specific negative impact; the issue is with the empty cert-key-chain.

After upgrading such a configuration from 11.5.4-HF2 to any later version of the software, the system posts a validation error, and the configuration fails to load.

Conditions:
The issue occurs when all the following conditions are met:

-- You are using 11.5.4-HF2.
-- The 11.5.4-HF2 configuration contains an invalid client SSL profile (i.e., a client SSL profile containing an empty cert-key-chain).
-- You upgrade to any software version later than 11.5.4-HF2.

Impact:
After upgrade, the configuration fails to load. The system posts an error message similar to the following:

-- "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 11.5.4 Loading schema version: 13.1.0.8 01071ac9:3: Unable to load the certificate file () - error:2006D080:BIO routines:BIO_new_file:no such file. Unexpected Error: Loading configuration process failed.

Workaround:
You can fix the profile configuration in /config/bigip.conf either before the upgrade (in 11.5.4-HF2), or after the upgrade failure.

To do so:
1. Replace 'cert none' with a cert name, such as /Common/default.crt.
2. Replace 'key none' with a key name, such as /Common/default.key.
3. Remove the entire line containing the following: "" { }.
4. Correct the spelling of 'defualt' to 'default'. Although there are no negative consequences of this typo, it is still a good idea.

The new profile should appear similar to the following:

   ltm profile client-ssl /Common/cssl {
       app-service none
       cert /Common/default.crt
       chain none
       cert-key-chain {
           default_rsa_ckc {
               cert /Common/default.crt
               key /Common/default.key
           }
       }
       key /Common/default.key
   }


747760 : Attack Signatures page: filter applied by another user may replace currently applied filter

Component: Application Security Manager

Symptoms:
If user switches between different policies in the Policy Attack Signature page, and at the same time another user changes Policy Attack Signature properties on the same page, after policy is changes - filter applied by second user is applied for the first user.

Conditions:
2 different users work on the Policy Attack Signature page simultaneously

Impact:
Incorrect filter applied at some scenarios, which may be confusing for user


747628-4 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, the BIG-IP system then sends an ICMP PMTU message because the packet is too large.

Conditions:
-- The server side allows timestamps and the client side does not negotiate them.

-- The client-side MTU is lower than the server-side MTU.

-- There is no ICMP message on the client-side connection.

Impact:
Unnecessary retransmission by server; suboptimal xfrag sizes (and possibly packet sizes).

Workaround:
Disable timestamps or proxy-mss on the server-side TCP profile.


747617-4 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround


747560-2 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.


747337 : AAA CRLDP configurations configured using the 'No Server' option may be rendered incorrectly while using IE v11

Component: Access Policy Manager

Symptoms:
When a user tries to see a AAA CRLP server which has been configured with a 'No Server' option, the server connection shows up as Direct when it is in fact 'No Server'. This is not the case in other browsers, such as Google Chrome v69 or Mozilla Firefox v57. They show the configured object value correctly for the AAA CRLP Server, which is 'No Server'.

Conditions:
Using the Microsoft Internet Explorer (IE) browser v11.

Impact:
Inaccurate configuration information shown for the server connection.

Workaround:
Use Firefox version 57 or Chrome version 69.

Alternatively, view the correct value using the following tmsh command:
tmsh list apm aaa crldp all-properties


747187-4 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None


747077-2 : Potential crash in TMM when updating pool members

Component: Local Traffic Manager

Symptoms:
In very rare cases, TMM can crash while updating pool members.

Conditions:
The conditions that lead to this are not known.

Impact:
TMM crashes, which can cause a failover or outage.

Workaround:
There is no workaround.


747065-1 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.


746771-2 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD detects that the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle repeats every minute, posting log messages:

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

-- err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

-- notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The conditions under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage increases due to excessive config snapshots being created.

Workaround:
Restart APMD to clear the APMD and MCPD out-of-sync condition.


746731-4 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}


746682 : ASM unable to display *any* event logs, unless they are searched for by support ID

Component: Application Security Manager

Symptoms:
After an upgrade, ASM is unable to display *any* event logs, unless they are searched for by support ID.

Conditions:
Either the numerical value returned from this query:
   mysql> SELECT request_log_id FROM PRX.REQUEST_LOG_CLEARED;

Or the numerical value returned from this query:
   mysql> SELECT MAX(request_log_id) FROM PRX.REQUEST_LOG_PROPERTIES WHERE flg_is_deleted = 1;

Are larger than the numerical value returned from this query:
   mysql> SELECT MAX(id) FROM PRX.REQUEST_LOG;

Impact:
ASM is unable to display *any* event logs, unless they are searched for by support ID.

Workaround:
mysql> UPDATE PRX.REQUEST_LOG_CLEARED SET PRX.REQUEST_LOG_CLEARED.request_log_id = (SELECT MAX(PRX.REQUEST_LOG.id) FROM PRX.REQUEST_LOG);

mysql> DELETE FROM PRX.REQUEST_LOG_PROPERTIES WHERE PRX.REQUEST_LOG_PROPERTIES.request_log_id NOT IN (SELECT PRX.REQUEST_LOG.id FROM PRX.REQUEST_LOG);


746657-4 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the FQDN 'interval' value.

The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).

The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
This occurs when viewing tmsh help text.

Impact:
FQDN nodes and pool members may be created with a different FQDN refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired FQDN 'interval' value (either TTL, or the desired number of seconds).


746464-4 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


746355 : A client SSL handshake fails when client hello extension contains only unsupported groups

Component: Local Traffic Manager

Symptoms:
If the supported groups extension in the client hello contains only groups that are not supported by the BIG-IP system, the handshake fails.

Conditions:
-- (ec)dhe ciphers are used.
-- The supported groups extension does not contain any groups supported by the BIG-IP system.

Impact:
Client connections to the BIG-IP system fail.

Workaround:
There is no workaround other than not configuring (ec)dhe ciphers.


746152-4 : Bogus numbers in hsbe2_internal_pde_ring table's rqm_dma_drp_pkts column

Component: TMOS

Symptoms:
The DMA drop packet and bytes registers (rqm_dma_drp_pkts and rqm_dma_drp_bytes in tmm/hsbe2_internal_pde_ring
table) can have huge numbers, which appear to be close to multiples of 4G (2^32). The count reported in the register from hsb_snapshot shows very small number:

from tmm/hsbe2_internal_pde_ring

name active bus rqm_dma_drp_pkts rqm_dma_drp_bytes
---------------- ------ --- ---------------- -----------------

lbb0_pde1_ring2 1 2 17179869185 4398046511186
lbb0_pde1_ring3 1 2 8589934597 2199023256108
lbb0_pde2_ring0 1 2 0 0
lbb0_pde2_ring1 1 2 0 0
lbb0_pde2_ring2 1 2 8589934592 2199023255552
lbb0_pde2_ring3 1 2 0 0
lbb0_pde3_ring0 1 2 0 0
lbb0_pde3_ring1 1 2 0 0
lbb0_pde3_ring2 1 2 8589934592 2199023255552
lbb0_pde3_ring3 1 2 0 0
lbb0_pde4_ring0 1 2 0 0
lbb0_pde4_ring1 1 2 0 0
lbb0_pde4_ring2 1 2 8589934592 2199023255552
lbb0_pde4_ring3 1 2 0 0

lbb1_pde1_ring1 1 3 0 0
lbb1_pde1_ring2 1 3 4294967298 1099511627952



From hsb_snapshot for pde1's ring 0 to ring 3:

50430: 00000000 rqm_dma_drp_pkt_cnt_4
50530: 00000000 rqm_dma_drp_pkt_cnt_5
50630: 00000001 rqm_dma_drp_pkt_cnt_6
50730: 00000005 rqm_dma_drp_pkt_cnt_7

Conditions:
The register reads sometimes return a 0 value.

Impact:
The DMA drop stats are not accurate

Workaround:
Restart tmm can reset the stats, but it will disrupt traffic.


746077-2 : If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified

Component: Local Traffic Manager

Symptoms:
DHCP-RELAY overwrites the 'giaddr' field containing a non-zero value. This violates RFC 1542.

Conditions:
DHCP-RELAY processing a message with the 'giaddr' field containing a non-zero value,

Impact:
RFC 1542 violation

Workaround:
None.


745663-1 : During CMP forward, nexthop data may miss at large packet split

Component: Local Traffic Manager

Symptoms:
At splitting large package, nexthop data is used for the first small packet but missed in the subsequent packets.

Conditions:
CMP forward of host LRO packet (e.g., FTP data-channel)

Impact:
heavy packet loss, re-transmissions and delays


745589-3 : In very rare situations, some filters may cause data-corruption.

Component: Local Traffic Manager

Symptoms:
In very rare situations, an internal data-moving function may cause corruption.

Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.

Conditions:
The affected filters are used, and some very rare situation occurs.

Impact:
This may cause silent data corruption, or a TMM crash.

Workaround:
There is no workaround at this time.


745404-3 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed. If modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
None.


745397-4 : Virtual server configured with FIX profile can leak memory.

Component: Service Provider

Symptoms:
System memory increases with each transmitted FIX message. tmm crash.

Conditions:
-- Virtual server configured with a FIX profile.
-- FIX profile specifies a message-log-publisher.

Impact:
Memory leak. Specifically, in the xdata cache. Potential traffic disruption while tmm restarts.

Workaround:
If possible, discontinue use of message logging functionality. Removing the message-log-publisher from the FIX profile stops xdata growth.


745309 : Self IP route is not updated in a routing table if there is more than one route with the same destination signature

Component: TMOS

Symptoms:
When Self IP address is added/updated via tmsh, Configuration utility, or "tmsh load sys config merge" command, BIG-IP routing daemon updates routing information in the routing table. If Dynamic Routing is configured on BIG-IP and affected Self IP route has the same destination as routes, gathered from routing protocols, then on adding or changing this Self IP address, the corresponding route from routing table has to be updated, usually it means that a new route is added to the routing table and the old one is removed, but a new route is added and then gets deleted from the routing table instead of old one.

Conditions:
1) There is a route in the routing table with the same destination signature as a Self IP address' route we are planning to add or update. Usually this situation occurs when Dynamic Routing is configured on BIG-IP and a dynamic route is added to the routing table.
2) The Self IP is added or updated.

Impact:
The routing information isn't updated. The Self IP route isn't involved in routing decisions and therefore traffic, which has to use Self IP route for routing, uses out of date, incorrect routing information and is sent to a wrong destination.

Workaround:
There is no workaround at this time.


744913 : Tmm may be killed during snapshot creation on VMware ESXi

Component: TMOS

Symptoms:
tmm is sometimes killed by sod during snapshot creation when running on VMware ESXi.

Conditions:
An attempt to snapshot a running BIG-IP guest is made. This can cause the instance to be descheduled by the host upon which it is running which prevents tmm from touching its watchdog. Upon being scheduled to run, if sod runs before tmm can update the watchdog, it will kill tmm. A message indicating that tmm did not run for an extended period of time may be logged such as:

01010029:5: Clock advanced by 40124 ticks

This message indicates generally that tmm did not run and can indicate other types of issues as well.

Impact:
Traffic processing can be severely impacted while the snapshot operation is proceeding regardless of whether tmm restarts or not. If tmm is restarted, production traffic will not be processed until it is finished restarting.

Workaround:
There is no workaround at this time.


744787-1 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias

Component: Global Traffic Manager (DNS)

Symptoms:
WideIP alias will be replaced.

Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.

Impact:
The previous WideIP will be replaced.

Workaround:
Avoid adding existing WideIP for other WideIP.


744520-4 : virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface

Component: TMOS

Symptoms:
virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface.

Conditions:
Virtual server with pem profile and Vxlan-GRE tunnel interface.

Impact:
Traffic drop.

Workaround:
There is no workaround.


744316-3 : Config sync of APM policy fails with Cannot update_indexes validation error.

Component: Access Policy Manager

Symptoms:
Config sync operation fails for APM policy when policy item of same name points to different agent on source and target

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.


744275-4 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}


744252-4 : BGP route map community value: either component cannot be set to 65535

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.

Impact:
Unable to use the full range of BGP route map community values

Workaround:
There is no workaround at this time.


743950-3 : TMM crashes due to memory leak found during SSL OCSP with C3D feature enabled

Component: Local Traffic Manager

Symptoms:
TMM raises a segmentation violation and restarts.

Conditions:
-- Set up client-side and server-side SSL with:
  + Client Certificate Constrained Delegation (C3D) enabled.
  + OCSP enabled.

-- Supply SSL traffic.

Impact:
Memory leaks when traffic is supplied. When traffic intensifies, more memory leaks occur, and eventually, tmm raises a segmentation fault, crashes, and restarts itself. All SSL connections get terminated. Traffic disrupted while tmm restarts.

Workaround:
Disable C3D.


743900-4 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response

Workaround:
None.


743896 : Gratuitous ARP not sent on interface up

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP not seen when an interface comes up: different behavior depending on software version.

On BIG-IP software version 11.6.x and on BIG-IP Virtual Edition (VE), version 13.1.x, when interface is UP, after 3 seconds, the BIG-IP system sends GARP out.

On version 12.1.2,the BIG-IP system does not send GARP upon interface UP.

Conditions:
The interface transition from DOWN to UP state.

Impact:
No GARP for self-ip addresses on interfaces.

Workaround:
None.


743895 : Upgrades from 10.2.x fail due to empty virtual address lines in the configuration

Component: TMOS

Symptoms:
In 10.2.x it is possible to have 'empty' virtual address lines in the configuration like this:

virtual address 10.10.10.10 {}

Lines such as these cause failures when upgrading to any version of BIG-IP software that includes the functionality to to add 'arp disable' to virtual addresses that do not have an explicit configuration for their ARP setting. This functionality is present beginning with software version 11.5.0.

Conditions:
-- 'Empty' virtual address lines in the configuration.
-- Upgrading to a version of BIG-IP software that includes the functionality to to add 'arp disable' to virtual addresses that do not have an explicit configuration for their ARP setting.

Impact:
The upgrade fails without a clear error message.

Workaround:
Upgrade to 11.5.0 first, and then upgrade to the desired version.


743815-4 : vCMP guest observes connflow reset when a CMP state change occurs.

Component: TMOS

Symptoms:
There is a connflow reset when a CMP state change occurs on a vCMP guest. The system posts log messages similar to the following: CMP Forwarder expiration.

Conditions:
-- vCMP configured.
-- Associated virtual server has a FastL4 profile with loose init and loose close enabled.

Impact:
This might interrupt a long-lived flow and eventually cause an outage.

Workaround:
None.


743464 : DoSL7 attack is not detected when using multiple profiles with Behavioral Detection

Component: Anomaly Detection Services

Symptoms:
Setting up multiple DoS Application Profiles on the same Virtual Server via either iRules or LTM Policies causes DoSL7 attacks to not be detected or mitigated, if one of the profiles has Behavioral Detection enabled.

Conditions:
-- Multiple DoS profiles are configured on a single Virtual Server, either using the iRule DOSL7::enable command, or LTM Policies controlling the DoS profile.
-- One of the DoS profiles on the Virtual Server has Behavioral Detection enabled, even if the Stress-Based Operation Mode is set to Off.

Impact:
DoSL7 attacks are not detected and not mitigated, with no indication that they are not.

Workaround:
Disable Behavioral Detection on all of the DoS profiles that are directly or indirectly associated with the Virtual Server. If Stress-Based Operation Mode is set to Off, then you might need to temporarily set Stress-Based to Transparent, disable the Behavioral checkboxes, and then set Stress-Based Operation mode back to Off.


743271-2 : Querying vCMP Health Status May Show Stale Statistics

Component: TMOS

Symptoms:
Stale statistics collected while the guest was running a pre-13.1.0 version may periodically be seen when querying vCMP health status in the Configuration Utility or via tmsh show vcmp health commands.

Conditions:
This issue may be seen when all of the following conditions are met:

- the vCMP guest is deployed on more than one blade
- the vCMP guest is upgraded from a pre-13.1.0 release to 13.1.0 or above

Impact:
Health status is not always accurately reported

Workaround:
The issue may be resolved by setting the guest status temporarily to configured and then back to deployed.


743132-3 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile

Component: TMOS

Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.

Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.

Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.

Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.


743116-1 : Chunked responses may be incorrectly handled by HTTP/2

Component: Local Traffic Manager

Symptoms:
When a chunked HTTP response is serialized by HTTP/2, the chunking headers should be removed. This does not occur in some cases.

Conditions:
The HTTP/2 filter is used. Some other profiles are used on the same virtual. (In particular, the request logging profile triggers this issue.)

Impact:
The HTTP/2 payload will include chunking headers, corrupting it.

Workaround:
An iRule may be used to detect a HTTP/2 client, and forcibly turn on unchunking in the HTTP_RESPONSE event.

Example:

ltm rule unchunk_http2 {
when HTTP_REQUEST {
        set is_http2 [HTTP2::active]
    }
when HTTP_RESPONSE {
        if { $is_http2 } {
            HTTP::payload unchunk
        }
    }
}


743082-3 : Upgrades to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 from pre-12.1.3 can cause configurations to fail with GTM Pool Members

Component: TMOS

Symptoms:
Upgrading to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2 might result a configuration that fails to load due to a stray colon-character that gets added to the configuration file.

Conditions:
-- Upgrade from pre-12.1.3 to 13.1.1.2, 14.0.0, 14.0.0.1, or 14.0.0.2.
-- GTM Pool Members.

Impact:
Configuration fails to load.

Workaround:
Remove stray colon-character from bigip_gtm.conf.


742877 : tmm may fail a heartbeat on VE if unscheduled by busy hypervisor

Component: TMOS

Symptoms:
Tmm is killed by sod and restarts after failing to send a heartbeat message.

Conditions:
BIG-IP Virtual Edition (VE) running on a busy host system.

Impact:
tmm restarts and recovers. Traffic disrupted while tmm restarts.

Workaround:
None.


742838-4 : A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition

Component: Local Traffic Manager

Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:

"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"

This happens in both the GUI and TMSH.

Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.

Impact:
Inability to edit the published policy.

Workaround:
None.


742829-4 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.


742753-1 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.


741994 : Cleanup Webroot database files when database fail to download

Component: Traffic Classification Engine

Symptoms:
/var partition gets full when the temporary files are not deleted.

Conditions:
When the update process of the wr_urldb encounters errors, the temporary (downloaded/created) files do not appear to be deleted, and /var directory fills with them.

Impact:
/var partition may get full.

Workaround:
Empty /var/wr_urldb/bcdatabase, and restart wr_urldbd to re-download the new database file.


741951-3 : Multiple extensions in SIP NOTIFY request cause message to be dropped.

Component: Service Provider

Symptoms:
When SIP NOTIFY messages are sent with a request URI that contains multiple client extensions, the system does not forward the message as expected.

Conditions:
SIP NOTIFY messages sent with a request URI that contains multiple client extensions.

Impact:
NOTIFY message is not forwarded.

Workaround:
None.


741902-4 : sod does not validate message length vs. received packet length

Component: TMOS

Symptoms:
sod may crash or produce unexpected behavior.

Conditions:
If a malformed network failover packet is received by sod, it may cause an invalid memory access.

Impact:
sod may crash, causing a failover.

Workaround:
None.


741345 : Adaptive monitor gateway_icmp does not function correctly with two nodes

Component: Local Traffic Manager

Symptoms:
An adaptive gateway-icmp monitor attached to two nodes, and configured with an even interval value (such as '2' or '4' seconds) may cause the node to be marked 'down' even when that node is available.

Conditions:
-- An adaptive gateway-icmp monitor is applied to two nodes.
-- The value configured is an even interval number (such as '2' or '4' seconds).
-- The associated node is available.

Impact:
A node associated with the gateway-icmp monitor might be marked 'down', when it should be marked 'up'.

Workaround:
You can use either of the following workarounds:

-- Configure an interval with an odd number of seconds (such as '3' or '5' seconds).

-- Create a separate adaptive gateway-icmp monitor for each node.


740957 : 'fips_get_key_attr(): mod_err = 0xa9' message seen in /var/log/ltm

Component: TMOS

Symptoms:
When a newly created FIPS key with long name (greater than 32 characters) gets synced over an FIPS high availability (HA) setup, the daemon.log shows that the name gets truncated:
key_label '/Common/testtmsh.with.long.name.and.config.sync.ran.with.TMSH.version1' exceed max len of 32, truncating to 'nfig.sync.ran.with.TMSH.version1).

And the ltm log shows the following message:
fips_get_key_attr(): mod_err = 0xa9.

Conditions:
The issue is intermittent.
-- HA setup with FIPS.
-- Perform a config sync operation after creating FIPS keys with names longer than 32 characters.

Impact:
The newly created FIPS key's name gets truncated to 32 characters. The truncated FIPS key is config-sync'd to the peer system, however, so there is no other impact.

Workaround:
There is no workaround, limit FIPS key names to 32 characters or fewer to prevent truncating.


740517-4 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the the following, misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https"\


740461 : Certificate or key upload in the GUI may occasionally fail with 'General database error"

Component: TMOS

Symptoms:
When uploading an SSL certificate or key via the TMUI, the upload might occasionally fail with a 'General database error.'

The /var/log/webui.log shows an error similar to the following:
-- ERROR [TP-Processor2] ssl_certificate.SSLCertificateImportHandler:importCertificateToMcpd - /shared/tmp/upload__36aadee9_16539dee776__8000_00001003.tmp (No such file or directory).

This issue occurs rarely and is intermittent.

Conditions:
Uploading an SSL certificate or key via the GUI.

Impact:
Upload via the GUI fails.

Workaround:
Retry the upload.


740284-3 : Virtual servers 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'

Component: Global Traffic Manager (DNS)

Symptoms:
Virtual servers on generic-hosts may be marked as Yellow, with a message of 'In Maintenance Mode' or 'VS limit(s) exceeded on GTM'.

Conditions:
The conditions under which this occurs are not known.

Impact:
Virtual server is marked Yellow erroneously 'In Maintenance Mode'.

Workaround:
Use any of the following to reset the condition:

-- Restart gtmd by issuing the following command:
bigstart restart gtmd

-- Restart the system.

-- Remove any monitors from the affected server, save the configuration, and then add any required monitors.

-- Delete the affected server from the configuration and recreate it.


740228-3 : TMM crash while sending a DHCP Lease Query to a DHCP server

Component: Policy Enforcement Manager

Symptoms:
TMM crashes.

Conditions:
- DHCP Lease Query is enabled on the BIG-IP system.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


740203 : Installing a certificate or key may fail for a remote user

Component: TMOS

Symptoms:
iControl REST may return an error to a remote user attempting to install an SSL key or certificate. The same install process runs successfully for a local user.

Conditions:
-- Use a remotely authenticated user, such as via Active Directory (AD), with the admin role assigned to the user.
-- Using iControl REST, upload an SSL certificate (and/or key) to the BIG-IP system and attempt to install the certificate (and/or key).

Impact:
Inability to install a certificate.

Workaround:
If the request to install the certificate fails, change the permissions (chmod 640) on the .key and .crt files to 640.


740135-4 : Traffic Group ha-order list does not load correctly after reset to default configuration

Component: TMOS

Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group HA Order lists.

Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.

Impact:
Incorrect HA configuration.

Workaround:
Reload the configuration a second time.


740086-2 : AVR report ignore partitions for Admin users

Component: Application Visibility and Reporting

Symptoms:
The behavior of AVR's reporting feature changed after an upgrade.

Reports generated for specific partition include data from all partitions.

Conditions:
-- Users with Admin role.
-- AVR provisioned.
-- AVR profile configured and attached to a virtual server.
-- User with Admin role creates Scheduled Reports or uses GUI to view AVR reports.

Impact:
AVR GUI pages or Scheduled Reports defined for one partition include AVR data from other partitions.

Workaround:
One workaround is to have non-Admin users generate reports.

For non-Admin users, the partition is honored.


739872-3 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.


739820-4 : Validation does not reject IPv6 address for TACACS auth configuration

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server


739553-4 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739533-3 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config

Component: TMOS

Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.

Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.

Impact:
When that happens, the temporary files that should be deleted, might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space. /config may get to 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and other issues.

Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.


739118-4 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.

Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all affected routes are removed.


738943-1 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
- dynamic routing enabled
- ospfd protocol enabled
- imish hangs

Conditions:
- running imish command

Impact:
ability to show dynamic routing state using imish

Workaround:
restart ospfd daemon


738543-1 : Dynamic route with recursive nexthop might cause tmrouted restart

Component: TMOS

Symptoms:
tmrouted restart.

Conditions:
- Dynamic routing enabled.
- Routing update with recursive nexthop.

Impact:
Stability of the dynamic routing daemons. TMM cannot learn or advertise routes while the daemon restarts.

Workaround:
There is no workaround other than not exporting routes with recursive nexthop.


738450-4 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.


738359 : Log output does not reflect BIG-IP system timezone setting

Component: TMOS

Symptoms:
Running the command 'tmsh show sys log' for any module in a specified range displays results according to the UTC timezone, despite the setting on the BIG-IP system.

Conditions:
-- Run the following command:
tmsh show sys log <any_module> range <range options>
-- View the output.

Impact:
Log filtering may not return results because of the difference between timezone settings.

Workaround:
Set timezone to UTC setting.


738070-3 : Persist value for the RADIUS Framed-IP-Address attribute is not correct

Component: Service Provider

Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.

Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).

Impact:
RADIUS requests may not get persisted to the servers they should be.

Workaround:
Use an iRule to persist instead, e.g.:

ltm rule radius-persistence {
    when CLIENT_DATA {
    persist uie [RADIUS::avp 8]
}
}


738045-2 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
 
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
        log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.


737901-1 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode

Component: TMOS

Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.

Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.

Impact:
The management MAC address is the same as the Host VLAN MAC address, resulting in the same MAC being used for the VLAN traffic originating from the vCMP Host along with the Host's mgmt Interface traffic, potentially resulting in issues relating to the inability to differentiate traffic to mgmt port or traffic ports.

Workaround:
There is no workaround at this time.


737536-5 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.


737529-1 : [GTM] load or save configs removes backslash \ from GTM pool member name

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load, and posts an error similar to the following:

Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers

Conditions:
GTM server virtual server name contains a backslash (\) character.

Impact:
GTM config fails to load.

Workaround:
Edit bigip_gtm.conf manually and add the \ character.

Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.


737346-4 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.

Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.


737322-1 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


737055-3 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.


734692-1 : Incorrect prefix of ICMP error messages in NAT64

Component: Local Traffic Manager

Symptoms:
When ICMPv4 error messages are returned for NAT64 connections, the source address of the ICMPv6-translated error message uses ::ffff as the IPv6 prefix, creating an IPv4-mapped IPv6 address.

Conditions:
-- NAT64 enabled.
-- ICMPv4 error messages are returned from IPv4 hosts and routers.

Impact:
The ICMP error messages cannot be routed to the client and are dropped by intermediate routers. This can prevent clients from properly detecting errors such as unreachable hosts and networks. This causes failures in utilities such as ping and traceroute.

Workaround:
There is no workaround at this time.


734595-1 : sp-connector is not being deleted together with profile

Component: Access Policy Manager

Symptoms:
If a profile is connected to an SSO SAML IdP configuration with an SP connector, the sp-connector is not available for delete when the profile is deleted.

Conditions:
-- Profile is connected to an SSO SAML IdP configuration with an SP connector.
-- Deleting the profile and attempting to delete the sp-connector.

Impact:
The SP connector is not listed for delete when the profile is deleted.

Workaround:
To delete the SP connector, run the following command:
tmsh delete apm sso saml-sp-connector NAME


734241 : 'Detection Evasion' violations might not report violation details in their reports or in the GUI

Component: Application Security Manager

Symptoms:
Evasion technique details are not presented in the request log.

Conditions:
This occurs in either of the following scenarios:

-- Many evasion techniques occur in a single request.

-- The evasion techniques that occur are not set as enabled in the policy configuration.

Impact:
'Detection Evasion' attacks are reported the logs, but there are no violation details to help clarify what actually triggered.

Workaround:
None.


733585-2 : Merged can use %100 of CPU if all stats snapshot files are in the future

Component: TMOS

Symptoms:
Merged uses %100 of CPU if it cannot remove the oldest snapshot file, due to all snapshot files having timestamps in the future.

Conditions:
All stats snapshot file having timestamps in the future, release has the fix for issue 721740, but not this issue.

Impact:
Merged using %100 of the CPU.

Workaround:
Remove snapshot stats files that have timestamps in the future and restart merged.


727467-3 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.0 or later.

Component: TMOS

Symptoms:
-- CPU core 0 can be seen utilizing 100% CPU.
-- Other even cores may show a 40% increase in CPU usage.
-- Pool monitors are seen flapping in /var/log/ltm.
-- System posts the following messages:
   + In /var/log/ltm:
     - err tmm4[21025]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 8, remote npus 8, local pg 0, remote pg 0, local pu 4, remote pu 0. Connection will be aborted.
    + In /var/log/tmm:
      - notice DAGLIB: Invalid table size 12
      - notice DAG: Failed to consume DAG data

Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a 13.1.0 or later release.
-- Device is an iSeries device (i5600 or later).

Important: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.

Note: Although this also occurs when upgrading to 12.1.3.8 and 13.0.x, the issue is not as severe.

Impact:
- High CPU usage.
- Traffic disruption.

Workaround:
Minimize impact on affected active devices by keeping the upgraded post-13.1.0 unit offline as long as possible before going directly to Active.

For example, on a 12.1.3 unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.8.
-- Unit comes back up on 13.1.0.8 as 'Forced Offline' and does not communicate with the active unit running 12.1.3 at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.8.
-- To cause the 13.1.0.8 unit to go directly to Active and take over traffic, run the following command on the unit running 13.1.0.8:
tmsh run sys failover online

At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.


727297-4 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.


727288-4 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC

Component: Service Provider

Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.

Conditions:
Diameter Message Routing Framework (MRF) in use

Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).

Workaround:
Use an DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end server ID.


727191-4 : Invalid arguments to run sys failover do not return an error

Component: TMOS

Symptoms:
If an invalid device name is used in the sys failover command, the device name reject is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.

Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.

Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name

Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.

Workaround:
There is no workaround.


726734-2 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.


726665-1 : tmm core dump due to SEGFAULT

Component: Policy Enforcement Manager

Symptoms:
tmm core dump due to SEGFAULT.

Conditions:
System under load in network. Other conditions required to recreate this are unknown, but indicated a potential memory-handling issue.

Impact:
The blade reboots resulting in failover. Traffic disrupted while tmm restarts.

Workaround:
None.


726416-1 : Physical disk HD1 not found for logical disk create

Component: TMOS

Symptoms:
The blade error 'Physical disk HD1 not found for logical disk create' occurred preceding a CPU reboot on a VIPRION 2250 blade.

/var/log/ltm shows messages similar to the following:

-- debug chmand[3370]: 012a0007:7: mcp_logical_disk mcp_create received
-- debug chmand[3370]: 012a0007:7: logical_disk create received: name[HD1] media[general_use_ssd]
-- err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create
-- debug chmand[3370]: 012a0007:7: other mcp_create (tag=8124) messages
-- debug chmand[3370]: 012a0007:7: mcp_physical_disk mcp_create received
-- debug chmand[3370]: 012a0007:7: physical_disk create received: serial number[BTDV466121NK840JVN] name[HD1]

Notice that physical_disk HD1 was created right after logical_disk HD1 was created. BIG-IP system operations expect the reverse, i.e., physical_disk HD1 should be created first.

Note: These messages are visible only when you have the sys db log.libhal.level set to DEBUG and run the following command:

tmsh modify sys db log.libhal.level value "Debug"

Conditions:
The exact conditions that result in this issue are still being investigated.

Impact:
This occurs because the Logical disk was created before the physical one. The system posts the following error:
err chmand[3370]: 012a0003:3: Physical disk HD1 not found for logical disk create.

The system is forced to reboot. Traffic disrupted while the system restarts.

Workaround:
There is no workaround.


726319-3 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses

Component: Local Traffic Manager

Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.

This may occur intermittently depending on timing conditions.

Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.

Workaround:
None.


726174 : Slow response times when expandSubcollections set to true

Component: TMOS

Symptoms:
A query for virtual servers with expandSubcollections set to true may exhibit slow response to the caller.

Conditions:
-- icrd logging enabled.
-- Using the 'expandSubcollections=true' option in the REST query.

Impact:
Slow response times may impact usability, and the query may time out.

Workaround:
A refined query for specific entities may improve the performance time.


726154-1 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domain.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.


726011-1 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


725791-3 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it does not trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This occurs because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.


725620 : Corrupted HSB RQM configuration causes HSB receive failures on 5000s/5200v, 5050s/5250v/5250v-F platforms

Component: TMOS

Symptoms:
In rarely occurring cases, HSB RQM queues configuration becomes corrupted, which leads to HSB receive failures. In some cases, all queues above 64 are all disabled, although the lower queues are configured and enabled with no packet drop. In some other cases, all queues are disabled.

Conditions:
-- Using 5000s/5200v, 5050s/5250v/5250v-F platforms.
-- Specific conditions under which this occurs have not been reproduced.

Impact:
The receive failure leads to HSB lockup, and will impact traffic.

Workaround:
Reboot to recover, or disable ePVA to avoid lockup at the cost of some performance degradation.


725592 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of Routing Information Protocol (RIP) packets send by ripd to something other than port 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
-- Multiple TMM instances.
-- RIP routing configured.
-- After reboot.

Impact:
Dynamic routing using RIP does not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Workaround:
Delete the sys connection for RIP; the new connection is expected to use the correct port.


725427 : OPT-0036-01 does not report DDM tx power alarms or tx power warnings

Component: TMOS

Symptoms:
The OPT-0036 optic does not report Tx alarms or warnings. The optic does report transmit power readings, but does not generate warnings or alarms if the transmit readings are outside the threshold ranges. OPT-0036-01 does not support SFF-8636.

Conditions:
-- Hardware using this optic:
    - vendor-oui 00176a
    - vendor-partnum OPT-0036
    - vendor-revision 01
-- DDM is enabled.

Impact:
OPT-0036-01 does not report DDM transmit alarms or warnings.

Workaround:
DDM Receive power alarms and warnings are correctly reported. You can view the transmit power readings and thresholds to manually determine if the power is outside the DDM transmit threshold values.

Note: When the OPT-0036 is disabled, the transmit laser is disabled and the transmit power is 0mW.


724994-1 : API requests with 'expandSubcollections=true' are very slow

Component: TMOS

Symptoms:
Submitting an iControl REST query using the option 'expandedSubcollections=true' takes significantly longer to return than one without that option. For example, the command 'https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true' takes significantly longer than the command 'https://localhost/mgmt/tm/ltm/virtual'.

Conditions:
Submitting a query using expandedSubcollections=true.

Impact:
The response takes significantly longer to return

Workaround:
The additional processing time occurs because the 'expandedSubCollections' parameter fetches all the related associated elements. You can use the following alternative to retrieve the virtual configuration:

1. Run the following query:
GET mgmt/tm/ltm/virtual

2. Obtain the list of virtual servers by:
   2a. parsing either the selfLink or the fullPath properties in the response items array, where the response is from step 1.
   2b. writing an iControlLX worker that does this.

Note: Writing a worker abstracts the parsing logic into a user-defined endpoint. It provides API access to the data.

3. Iterate over the virtual servers querying each with the option 'expandSubcollections=true'.


724906-2 : sasp_gwm monitor leaks memory over time

Component: Local Traffic Manager

Symptoms:
The Server/Application State Protocol (SASP) monitor, sasp_gwm memory usage slowly increases over time.

Conditions:
The Server/Application State Protocol (SASP) monitor is configured.
The leakage occurs during normal operation of the monitor and is not tied to any specific user or traffic action.

Impact:
sasp_gwm grows over time and eventually the system may be pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of sasp_gwm processes avoids the growth affecting the system.


724746-2 : Incorrect RST message after 'reject' command

Component: Local Traffic Manager

Symptoms:
BIG-IP sends RST containing "Internal error in tcpproxy invalid state for repick" instead of correct "iRule execution (reject command)".

Conditions:
Virtual Server with a HTTP profile, and an iRule using 'reject' command.

Impact:
Investigating RST causes may be confusing.

Workaround:
There is no workaround at this time.


724706 : iControl REST statistics request causes CPU spike

Component: TMOS

Symptoms:
BIG-IQ makes iControl REST requests to BIG-IP systems to get statistics. Regardless of the page size setting, the request causes the CPU to spike to 100% utilization.

Conditions:
An iControl REST API request from a BIG-IQ device for a few stats for an object on a BIG-IP system.

Note: A request for a single statistic usually does not cause a spike.

Impact:
Frequent requests by BIG-IQ for stats causes repeated spikes.

Workaround:
None.


724556-1 : icrd_child spawns more than maximum allowed times (zombie processes)

Component: TMOS

Symptoms:
icrd_child is issued a SIGTERM. The SIGTERM might not succeed in destroying the process, especially if the system is under a lot of load. This leads to zombie processes.

Conditions:
-- The icrd_child process is issued a SIGTERM that does not successfully destroy the icrd_child process.
-- System under heavy load.

Impact:
There are zombie icrd_child processes consuming memory.

Workaround:
Restart the system.


724109-5 : Manual config-sync fails after pool with FQDN pool members is deleted

Component: TMOS

Symptoms:
If a user, deletes a fqdn pool on one BIG-IP in a cluster and then run a manual config sync with another BIG-IP, the change fails to sync with the other BIG-IPs in the cluster.

Conditions:
- Create fqdn pool in one BIG-IP
- Save sys config
- Run config sync
- Delete fqdn pool
- Save sys config
- Run config sync manually

Result: After deleting fqdn pool in BIG-IP and config sync with another BIG-IP, Manual config sync failed. Still, we can see the deleted fqdn pool in another BIG-IP

Impact:
FQDN pool delete failed in another BIG-IP and manual config sync operation is failed.

Workaround:
The workaround for this issue is to use auto-sync.


723988-3 : IKEv1 phase2 key length can be changed during SA negotiation

Component: TMOS

Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.

Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.

Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.

Workaround:
No workaround is known at this time.


723658 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


723579-3 : OSPF routes missing

Component: TMOS

Symptoms:
When newer link-state advertisement (LSA) (with greater seq) comes in, the Open Shortest Path First (OSPF) discards the old one by marking it DISCARD. The SPF calculation function suspends the calculation every 100 vertexes. If the discard happens during such a suspend, then after the calculation resumes, the discarded LSAs are ignored,n which can cause route unreachable, and eventually route withdraws.

Conditions:
A very large number (~500, beyond best practices) of routers in a single OSPF area.

Impact:
Intermittent route flaps occur that might cause unreachable destination or increased network traffic due to the non-optimal route choice.

Workaround:
There is no workaround.


723306-5 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on a different partition.


723112-4 : LTM policies does not work if a condition has more than 127 matches

Component: Local Traffic Manager

Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.

Conditions:
LTM policy that has a condition with more than 127 matches.

Impact:
LTM policy does not match the expected condition.

Workaround:
There is no workaround at this time.


723111 : mailx is blocked by SELinux Policy

Component: TMOS

Symptoms:
The mail command is not functional with the SELinux Policy.

Conditions:
Using mailx to send mail.

Impact:
Cannot use mailx to send mail. This is a function of the SELinux Policy, which does not allow execution of the mailx commands.

Workaround:
To work around this issue, you can configure the BIG-IP system to communicate with an SMTP mail server using the method appropriate for your BIG-IP version. For specific procedures, see K3667: Configuring alerts to send email notifications :: https://support.f5.com/csp/article/K3667.


723095-1 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

Impact:
Unable to add pool members quickly to all pools of the same type.

Workaround:
There is no workaround at this time.


722919 : Memory leak when using SP-DAG and a small LSN pool.

Component: Carrier-Grade NAT

Symptoms:
High memory usage by objects of type cmp. Using SP-DAG and a small Large Scale NAT (LSN) pool, some TMMs may not have any local translation addresses. If connections are routed out a VLAN that has cmp-hash src-ip, a small amount of memory may be leaked.

Conditions:
-- Using SP-DAG.
-- Using small LSN pools.
-- Having TMMs that do not not have any local translation addresses.
-- Connections are routed out a VLAN that has cmp-hash src-ip.

Impact:
A small amount of memory may be leaked. The aggressive sweeper might kill connections. TMM may crash. Traffic disrupted while tmm restarts.

Workaround:
Using the default DAG with small LSN Pools gives all TMMs local translation endpoints.

To prevent the leak, allow only VLANs with cmp-hash dst-ip in the LSN pool egress interface list.


722893-7 : TMM can restart without a stack trace or core file after becoming disconnected from MCPD.

Component: Local Traffic Manager

Symptoms:
The TMM - Host interface may stall when the kernel memory is fragmented, causing TMM and MCPD to become disconnected with one another.

MCPD logs 'Removed publication with publisher id TMM<x>' and TMM restarts cleanly.

TMM often logs '01010020:2: MCP Connection aborted, exiting' after a delay of seconds to minutes or more with a timestamp at time of event.

If this issue occurs during early TMM startup, then TMM logs 'MCP connection expired early in startup; retrying'.

Note that it is possible for TMM not to be able to properly restart after encountering this issue until the underlying memory condition has cleared. This can potentially carry on indefinitely.

Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
  + Config-Sync with full reload is initiated.
  + Running tcpdump.

Impact:
The system will be inoperative and unable to pass traffic while TMM restarts. A redundant system will fail over to its peer.

Workaround:
If TMM fails to properly start for a prolonged period of time as a result of this issue, you can try to recover the system by restarting TMM (bigstart restart tmm), restarting the services (bigstart restart), or rebooting the system (reboot).

IMPORTANT: This is not a permanent workaround, just a way to temporarily recover the system until you can upgrade to a version of the software that contains a fix for this issue.


722741-4 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722707-1 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).


722647-1 : The configuration of some of the Nokia alerts is incorrect

Component: TMOS

Symptoms:
The categories for perceived severity in the alert_nokia.conf file are 0-4, 10-11, but there is an entry in the file with a value of 6.

Conditions:
-- Traps are enabled to support SNMP alerts in the Nokia NetAct format, e.g., using the following command:
tmsh modify sys db alertd.nokia.alarm value enable
-- The values in the alert_nokia.conf file are applied.

Impact:
Some of the values are incorrect. Handling of the trap/clear for the mislabeled trap is incorrect.

Workaround:
Edit the alert_nokia.conf file and restart the alert daemon.


722534-4 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


722380-3 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
On platforms with HSB, if an HSB lockup occurs, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. In certain cases, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
-- Any platform with HSB.
-- An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
None.


721740-3 : CPU stats are not correctly recorded when snapshot files have timestamps in the future

Component: TMOS

Symptoms:
One symptom is that a message similar to the following comes out in the log files frequently.

May 24 16:31:53 lusia_60.F5.COM warning merged[6940]: 011b0914:4: No individual CPU information is available.

Merged CPU stats will be 0.

Conditions:
If all of the snapshot stats files have timestamps in the future, CPU stats will not be correctly merged.

Impact:
Frequent error messages in the logs, and incorrect merged CPU stats.

Workaround:
Remove all of the stats snapshot files that have timestamps in the future and restart merged.


721579-1 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.


721571-3 : State Mirroring between BIG-IP 12.1.3.* and 13.* or 14.* systems may cause TMM core on standby system during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x or 14.x software versions in a high-availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- The high availability (HA) configuration is one of the following:
+ The active system is running v12.1.3.x, and the standby system is running v13.x or v14.x, as a result of an in-progress upgrade.
+ The active system is running v13.x or v14.x and the standby system is running v12.1.3.x.
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x or v14.x, or complete the upgrade of both devices to v13.x or v14.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI: -- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line: -- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config

Important: This action results in connection state loss on failover.

2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IP addresses removed previously.

Note: F5 recommends that BIG-IP systems in HA configurations run with the same software version on all devices.


721526-1 : tcpdump fails to write verbose packet data to file

Component: TMOS

Symptoms:
On some BIG-IP platforms, tcpdump is unable to write verbose packet data to a file (e.g., 'tcpdump -nni 2.1:nn -e -vvv -s 0 -w /tmp/dump.pcap').

Conditions:
Use tcpdump with -w and -v options on a front panel interface that is actively sending/receiving traffic.

This occurs on the following hardware:

-- BIG-IP 5000,7000, 10000, i5000, i7000, i10000, i11000, and i15000 platforms.
-- VIPRION B4400, B4300, B2200, and B2100 blades.

Impact:
Cannot use tcpdump to write verbose packet data to file.

Workaround:
There is no workaround at this time.


721020-4 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720588 : Pages not loading correctly when AJAX response page is enabled

Component: Application Security Manager

Symptoms:
Enabling AJAX response page may prevent assets from loading properly due to a conflict with back-end JavaScript.

Browser console shows errors such as:
Uncaught TypeError: Cannot read property 'readyState' of undefined.

Conditions:
-- AJAX response page is enabled.
-- Back-end JavaScript conflicts with ASM JavaScript.

Impact:
Content within pages may fail to load.

Workaround:
None.


720581-3 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.


720569-2 : BIG-IP Source IP cmp-hash setting is distributing traffic unequally

Component: TMOS

Symptoms:
After a period of time, Inet port exhaustion error messages begin to be reported, and traffic starts to fail:
crit tmm1[17985]: 01010201:2: Inet port exhaustion on <ip_address> to <ip_address>.

Conditions:
1. BIG-IP system uses sock or virtIO drivers; cmp-hash is src-ip.
2. Both VLANs are set to Source Address CMP Hash configuration.
3. Pool members are distributed to different TMM cores based on the VLAN configuration.
4. Traffic is load balanced to the pool member mapped to the other core.

Impact:
The system reports Inet port exhaustion error messages, and traffic starts to fail.

Workaround:
None.


720440 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.


719770-4 : tmctl -H -V and -l options without values crashed

Component: TMOS

Symptoms:
When the -H, -V or -l options were passed to tmctl without a following value, then tmctl crashed.

Conditions:
Use one of these options without the required value.

Impact:
Core file. No other impact.

Workaround:
Be sure to pass the required value with these options.


719241 : Using custom DNS servers on the Azure VNet with the missing 168.63.129.16 causes Waagent provisioning failure.

Component: TMOS

Symptoms:
During the BIG-IP system boot-up, waagent is unable to get a response from the intended wire server endpoint, which stops it from running custom script extensions. This happens because of the missing route to the Azure virtual public IP address of 168.63.129.16.

The var/log/waagent.log contains error messages similar to the following:
-- INFO Protocol endpoint not found: WireProtocol, [ProtocolError] [Wireserver Exception] [HttpError] [HTTP Failed] GET http://n.n.n.n,n.n.n.n/?comp=versions -- IOError [Errno -3] Temporary failure in name resolution -- 6 attempts made

Conditions:
-- BIG-IP system is deployed in Azure VNet with a custom DNS server.
-- The DHCP server has assigned a classless-static-route in its dhclient lease (/var/lib/dhclient/dhclient.leases) which contains a custom route to 168.63.129.16.

Impact:
waagent custom script extensions do not complete, failing the BIG-IP provisioning that waagent intends to perform during startup.

Workaround:
Add 168.63.129.16 route on mgmt interface during BIG-IP system initialization to facilitate correct waagent custom script extension execution.


718867-3 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.


718800-3 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.


718232-1 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.


717909-2 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm does a flush of sPVA. If the operation does not succeed, the system can wait for 10 seconds, which might cause an abort due to heartbeat failure. tmm crash

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


717346-4 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


717113-1 : It is possible to add the same GSLB Pool monitor multiple times

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a monitor in the Web GUI and updating, the monitor does not get removed from the Available list and can be added again.

Conditions:
This issue affects the GSLB Pool create and properties pages.

Impact:
The impact is only for those adding the monitor. No extra system resources are used when adding multiple identical monitors to a pool.

Workaround:
None.


716952-3 : With TCP Nagle enabled, SSL filter will hold the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message until the last data packet offload process complete.

Component: Local Traffic Manager

Symptoms:
When TCP Nagle enabled, the data sent from server is handled by the SSL filter to offload data processing. The SSL filter forwards the HUDCTL_REQUEST_DONE/HUDCTL_RESPONSE_DONE message to TCP4 filter. Because Nagle is enabled, this leaves the last offloaded packet 'stuck' in the TCP4 filter.

Conditions:
-- Nagle is enabled.
-- SSL filter is in the chain.

Impact:
The last data packet waits until all other packets have been ACKd.

Workaround:
None.


716701-2 : iControl REST: Unable to create Topology when STATE name contains space

Solution Article: K43005133

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use iControl REST to create topology records when whitespace exist in a STATE name.

Conditions:
STATE name contains a space (e.g., New Mexico).

Impact:
Unable to create a topology record using iControl REST.

Workaround:
Use TMSH with quotes or escaping to create topology records for a STATE with whitespace in the name.


716492-1 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Solution Article: K59332523

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
TSO packet length exceeds the rateshaper's configured max ceiling.

Impact:
The flow stalls. Subsequent flows cannot go to the rateshaper from that particular tmm.

Workaround:
If you are running BIG-IP software v12.1.3.2 (or later) or v13.1.0(.x), you can use the following workaround:

There is a sys db variable called 'rateshaper.cmpdivide', which is enabled by default. When enabled, the system internally divides the bandwidth (rate/ceiling/burst) between the available tmm cores. If this issue occurs, set 'rateshaper.cmpdivide' to enabled.

There is no workaround for other versions.


715756-3 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.


715061-1 : vCMP: tmm core in guest when stopping vCMP guest from host

Component: TMOS

Symptoms:
A tmm core in the guest on the primary blade, not the secondary blade, after the guest is disabled on the hypervisor.

Conditions:
-- A cross-blade vCMP guest.
-- Guest is disabled on the hypervisor.

Impact:
Because the guest is in the process of being disabled, there is no impact on traffic, however, the core file may take up space on the guest on the primary blade.

Workaround:
To mitigate the disk problem, manually delete the core file.


714704 : ICMP unreachable messages sent only from active to standby

Component: Advanced Firewall Manager

Symptoms:
When the self IP has a firewall rule to reject ICMP unreachable, the system will be sent from active to standby and not from standby to active.

This is correct behavior, but v13.x might show ICMP unreachable messages sent from standby to active along with those from active to standby.

Conditions:
-- AFM firewall rule is applied to the self IP as reject ICMP unreachable messages.
-- Active/standby high availability (HA) cluster.

Impact:
No functional impact. ICMP unreachable messages not showing has no effect on BIG-IP system functionality.

Note: If there is a firewall to block traffic on self IPs, but still want ICMP unreachable messages, that configuration is not valid, and HA will not work.

Workaround:
There is no workaround.


714626-1 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.

Solution Article: K30491022

Component: TMOS

Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.

Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Attempting to license (or revoke the license of) the BIG-IP system is not possible using GUI or tmsh since communications with the license server will fail.

Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.

Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:

/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck


714507-4 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1


714503-3 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.


714495-3 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.


714384-5 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.


713947-3 : stpd repeatedly logs "hal sendMessage failed"

Component: TMOS

Symptoms:
On non-primary clustered blades in a BIG-IP chassis environment, stpd may repeatedly log "hal sendMessage failed"

Conditions:
Two or more blades clustered in a chassis with STP enabled on one or more ports.

Impact:
All BIG-IP blades

Workaround:
No workaround except to ignore log messages - they are spurious and have no ill effect on the system besides log spam.


713708-3 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.


713629-1 : Applying firewall policy to self-ip can cause tmm crash

Component: Advanced Firewall Manager

Symptoms:
Applying a firewall policy to a self-ip can cause a tmm crash. This is due to an uninitialized local variable that cause memory corruption on a stat memory location.

Conditions:
No specific condition for this to happen. This can happen in any config. However, it should be a vary rare occurrence.

Impact:
Temporary traffic disruption while tmm restarts.

Workaround:
There is no workaround. Tmm should recover automatically and function normally.


713585-1 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRule and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.


713519-3 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.


713283-2 : Missing transaction count in = application security report under view by IP Intelligence

Component: Application Visibility and Reporting

Symptoms:
Transactions without an IP reputation threat are not listed on application security reports under viewed by IP Intelligence.

Conditions:
-- All transactions without an IP reputation threat.
-- Application security reports.

Impact:
Transaction count statistics are missing.

Workaround:
None.


713183 : Malformed JSON files may be present on vCMP host

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
 tmsh show vcmp health

In addition, there might be files present named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.


713138 : TMUI ILX Editor inserts an unnecessary linefeed

Component: TMOS

Symptoms:
If you use the TMUI edit for ILX, the system will append a linefeed character every time you save. This is not usually apparent, but if you edit the file, then delete your changes, and then save it, it will still register as changed.

A message indicates the need to refresh the workspace, and the actual content of the file will change, but not the functionality.

Conditions:
Edit a workspace file in ILX via the TMUI editor (i.e., the GUI).

Impact:
File contents can change unexpectedly and have needless characters at the end.

Workaround:
Use TMSH or a different editor, that is not TMUI, to change those files.


713134-3 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.


712500-2 : Unhandled Query Action Drops Stat does not increment after transparent cache miss

Component: Global Traffic Manager (DNS)

Symptoms:
After a transparent cache miss, if the LTM DNS profile has Unhandled Query Action set to Drop, the request is dropped without incrementing the Unhandled Query Action Drops stat.

Conditions:
LTM DNS profile with a Transparent Cache and Unhandled Query Action set to Drop.

Impact:
Inaccurate statistics for the Unhandled Query Action Drops

Workaround:
None.


712489-3 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


712321 : Missing reference to customization-group from connectivity profile if created via network access wizard

Component: Access Policy Manager

Symptoms:
Connectivity profile generated from the use of network access wizard will not contain a reference to a customization-group.

Conditions:
Use network access wizard to create configure objects.

Impact:
There is no functional impact since customization is not actually used for connectivity group.

Workaround:
Configure the connectivity profile object manually from tmui (GUI) or tmsh (command line) rather than via wizard. Replace the connectivity profile created from the virtual server within the virtual server with the manually created connectivity profile.


712266-2 : Decompression of large buffer might fail with comp_code=11 with Nitrox 3 hardware

Component: TMOS

Symptoms:
Messages like the following may show up in /var/log/ltm:

-- crit tmm5[28908]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=11): ctx dropped.

This occurs because the decompression of large compressed data failed.

Conditions:
This issue occurs when compressed data cannot be decompressed in a single request to the Nitrox 3 hardware accelerator.

Impact:
Requests fail with a connection reset.

Workaround:
Use zlib software decompression.


712241-1 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.


712033-1 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.


711879 : Web GUI can sometime display the wrong cert and key for a GTM monitor that has the same name as some LTM monitor.

Component: TMOS

Symptoms:
The web GUI displays an incorrect value for cert and key for a GTM monitor.

Conditions:
The GTM monitor has the same name as an LTM monitor.

Impact:
Incorrect data can be presented regarding the GTM monitor's cert and key.

Workaround:
Use TMSH to display the correct cert and key.


711818-1 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.


711683-4 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.


711158-1 : Admin user roles automatically demoted to guest

Solution Article: K25280801

Component: TMOS

Symptoms:
Newly created admin users are immediately demoted to guest.

Conditions:
-- A sync-failover device group exists.

-- The REST framework's 'gossip' mechanism is configured.

-- Create a new admin user using a command similar to the following: tmsh create auth user test123 password **** partition-access add { all-partitions { role admin } }

Note: Correct REST framework 'gossip' mechanism configuration should occur automatically, but might not be ready. You can confirm whether this is the case by running the following command: restcurl shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices. The output must show all your devices, and show that they all have the same 'version' and the same 'restFrameworkVersion'.

Impact:
In a few seconds, the newly created admin user account reverts to a guest role. User does not have the expected admin access.

Workaround:
On the primary BIG-IP system, do the following:

1. Disable failover by running the following command:
restcurl -X PATCH tm/shared/bigip-failover-state -d '{"isEnabled": false}'

2. Clear REST devices from the device group by running the following command:
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices


711056-3 : License check VPE expression fails when access profile name contains dots

Component: Access Policy Manager

Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:

-- err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.

-- err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"

Conditions:
-- Access profile contains '.' (dot) characters in its name.
-- License Check agent is used in the VPE to check against profile license.

Impact:
License check always fails, resulting in denied logon.

Workaround:
Use a different policy name without '.' characters.


710996-1 : VIPRION outgoing management IPv6 traffic from primary blade uses the cluster member IP

Component: Local Traffic Manager

Symptoms:
The behavior of outgoing IPv6 management and IPv4 management traffic from the primary blade differs:
IPv4 traffic is sourced from the cluster IP
IPv6 traffic is sourced from the cluster member IP

Conditions:
IPv6 configured on the 'cluster' address and 'cluster member' address.

Impact:
The blade IP address, rather than the cluster floating IP, will be used as the source IP when querying the RADIUS server for remote-auth login against the management port.

Workaround:
There is no workaround at this time.


710841 : 12.1.3.3 feature refinement might be lost after upgrade

Component: TMOS

Symptoms:
If you upgrade from 12.1.3.3 (or later) to 13.1.0 or 13.1.0.1, you will lose the VE-specific 12.1.3.3 feature refinements you gained.

Conditions:
Upgrade from 12.1.3.3 (or later) to 13.0.x, 13.1.0, or 13.1.0.1.

Impact:
Feature refinement provided in 12.1.3.3 will be lost after upgrade. Other functionality is unaffected.

Workaround:
Only upgrade from 12.1.3.3 or later to 13.1.0.2 or later.


710410-1 : TMM hardware accelerated compression not registering for all compression levels.

Component: TMOS

Symptoms:
DEFLATE/gzip compression levels other than level 1 bypass the hardware accelerator and are serviced in software, resulting in higher CPU utilization and slower compression times.

Conditions:
-- Compression requests for DEFLATE/gzip levels other than level 1.
-- BIG-IP devices using Cave Creek SSL hardware acceleration.

Impact:
Compression requests serviced by software are scheduled on local CPUs. During heavy compression traffic, overall system traffic flow may be reduced. Compression requests serviced in software may take significantly longer to complete.

Workaround:
None.


710044-1 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is hex-encoded form for ':443'
  set ::pattern "/f5-w-${encoded_backend}3a343433\$"
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}


710039 : Merging config may not report syslog configuration errors

Component: TMOS

Symptoms:
A 'load sys config verify merge' may return successfully, but 'load sys config merge' without the 'verify' argument might fail.

Conditions:
Running the 'load sys config merge' without the 'verify' argument.

Impact:
False positive might be received in response to a successful config verify. However, the syslog system is not actually configured during a 'verify', so it does not report errors.

Workaround:
None.


709963-4 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.


709837-3 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.


709559-3 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"


708968-4 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.

Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.


708803 : Remote admin user with misconfigured partition fallback to "All"

Component: TMOS

Symptoms:
When remote role groups are used to set user role and partition from the remote authentication server, and the server is configured to set a user to Administrator role with access to a particular partition, the user instead receives Administrator role on all partitions. Users with Administrator role on the BIG-IP are required to have all partition access.

Conditions:
Remote authentication with remote role groups. Remote authentication server configured to set a user to Administrator role with access to a particular partition.

Impact:
Administrator users have access to all partitions.

Workaround:
Change configuration on remote authentication server. Users with Administrator role need all partition access. Users who must be restricted to a particular partition should be given a more restrictive role.


708576-1 : Errors related to dosl7d_tcpdumps_cleaner appearing in email every hour

Component: Application Security Manager

Symptoms:
Errors may be sent in system emails once an hour due to a runtime error in the dosl7d_tcpdumps_cleaner which is run in an hourly cron job.

Here is an example of such an email:

From: root (Cron Daemon)
To: root
Subject: Cron <root@servername> run-parts /etc/cron.hourly
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <LANG=en_US.UTF-8>
X-Cron-Env: <SHELL=/bin/bash>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <MAILTO=root>
X-Cron-Env: <HOME=/>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

/etc/cron.hourly/dosl7d_tcpdumps_cleaner:

Use of uninitialized value $s in division (/) at /etc/cron.hourly/dosl7d_tcpdumps_cleaner line 111.

Conditions:
- The administrator configures the BIG-IP system to deliver locally generated email messages, or the administrator checks local emails to root, on the BIG-IP.
- The hardware supports RAID, even if RAID is not configured.

Impact:
- Email messages with errors being sent once an hour.
- DoSL7 tcpdump files may not be automatically cleaned if used in the DoS profile.

Workaround:
None


708421-1 : DNS::question 'set' options are applied to packet, but not to already parsed dns_msg

Solution Article: K52142743

Component: Global Traffic Manager (DNS)

Symptoms:
For certain types of iRules, using the DNS command DNS::question for type AAAA, when the DNS transparent cache is involved in the filter, the type can be reverted.

Conditions:
-- DNS transparent cache.

-- Using an iRule similar to the following:
when DNS_REQUEST {
   DNS::question type AAAA
}

Impact:
When the packet goes to the pool, the type is reverted.

Workaround:
Enable gslb or dnsx on the profile.


708415 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.


708176 : SNMP OIDs (NA throughput) incorrect when compression is disable

Component: Access Policy Manager

Symptoms:
SNMP OIDs related to Network Access VPN tunnel or connectivity traffic are not updated if compression is not enabled. However, the definitions for connectivity traffic make it seem like they should be updated.

Conditions:
1. Create an access policy with Network Access resource (no compression enabled). Also, connectivity profile with no compression.
2. Assign this to a virtual server.
3. Establish a VPN tunnel, and download a large file.
4. Compare the SNMP OID values before and after this large file download via VPN tunnel.

Impact:
Confusion and graphs that don't seem to show the expected traffic.

Workaround:
Turn on compression to see the stats updated.


708005-3 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources

Solution Article: K12423316

Component: Access Policy Manager

Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.

Impact:
End user cannot launch VMware View resources with View HTML5 client.

Workaround:
You can use the following workarounds:

-- If you are already running Horizon 7.4, use native View clients instead.

-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.

-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:

when HTTP_REQUEST {
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        HTTP::cookie remove "sessionDataServiceId"
    }
}

when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}

Important:
-- After applying the iRule and before attempting a connection, be sure to clear all cache and cookies from the client systems. Otherwise, the test operation may need to be executed before exhibiting successful behavior.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.


707953-1 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).


707691-2 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.


707320-1 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs

Component: TMOS

Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and a IPv4 last-resort-pool will only spawn an A-type WideIP after the upgrade

Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.

Impact:
Loss of the AAAA-type WideIP configuration item

Workaround:
There is no workaround at this time.


707204 : If the system has more than 264 analytics profiles, the upgrade fails.

Component: Application Visibility and Reporting

Symptoms:
If the system is upgraded from version 11.5.4-hf2, 11.6.0-hf4 and has more then 264 analytics profiles, the upgrade will fail.

Conditions:
1. The system has more than 264 different analytics profiles.
2. Upgrade from version 11.5.4-hf2,hhf3... or from version 11.6.0-hf4,hf5...

Impact:
The upgrade will fail.

Workaround:
Delete/reduce the number of analytics profiles before the upgrade.


706930 : "Enforce Ready" button has no effect for Signatures for Inactive Policy

Component: Application Security Manager

Symptoms:
The "Enforce Ready" button has no effect for Signatures on Inactive Policies.

Conditions:
The user accesses "Enforcement Readiness" page for an Inactive Policy.

Impact:
Pressing "Enforce Ready" button has no effect.

Workaround:
Signature Staging can be disabled from "Application Security > Attack Signatures" page, or via REST.


706505-1 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.


706106-1 : PUT request sent to ltm/virtual failed because of ip-protocol property value any

Component: TMOS

Symptoms:
PUT request to ltm/virtual fails unexpectedly because ip-protocol property value any

Conditions:
When sending PUT request to ltm/virtual

Impact:
PUT request modifies properties that user includes in the request and resets the rest of property value to default.

Default ip-protocol property value could be 'any', 'ip' or 'hopopt'

Workaround:
Using PATCH request


704764-2 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.


704450-2 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.


704198-1 : Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance

Solution Article: K29403988

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.

Conditions:
Modify the monitor for GTM objects using tmsh with replace-all-with.

Impact:
There is an leaked/extra monitor instance. Restarting the secondary slot results in a restart loop.

Workaround:
Impact of workaround: Might change the primary slot.

Restart services using the following command:
# bigstart restart


704176-1 : Monitor instances may not get deleted during configuration merge load

Solution Article: K22540391

Component: Global Traffic Manager (DNS)

Symptoms:
Orphaned monitor_instance records in mcpd. Secondary blade restarting in a loop.

-- err mcpd[8982]: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.
-- err mcpd[8982]: 01070734:3: Configuration error: Configuration from primary failed validation: 01020036:3: The requested monitor instance (/Common/bigip 10.10.9.39 443 gtm-vs) was not found.... failed validation with error 16908342.

Conditions:
Merge a GTM config file to update a virtual server's monitor.

Impact:
There is a leaked/extra monitor instance. Restarting secondary slot will result in a restart loop.

Workaround:
Remove the MCPD binary database on the Primary blade and restart services:
# touch /service/mcpd/forceload
# bigstart restart

Note: This might change the primary slot.


703669-3 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.


703509-1 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.


703266-3 : Potential MCP memory leak in LTM policy compile code

Component: Local Traffic Manager

Symptoms:
Failure in processing LTM policy may result in MCP memory leak

Conditions:
When Centralized Policy Management (CPM) fails to process LTM policy

Impact:
MCP memory leak

Workaround:
There is no workaround at this time.


703196-3 : Reports for AVR are missing data

Component: Application Visibility and Reporting

Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.

Conditions:
Using AVR statistics.

Impact:
Expected AVR statistics may be missing.

Workaround:
Run the following shell command on BIG-IP:

sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql


703165 : shared memory leakage

Component: Advanced Firewall Manager

Symptoms:
Processes that require shared memory to operate are failing (e.g. pabnagd).

Conditions:
Many shmem segments allocated and used by tmm.

Impact:
Potential failures in any process that requires shared memory segments, causing lack of services such as learning (bd+pabnagd), request logging (pabnagd+asm-config), etc.

Workaround:
There is no workaround at this time.


702933 : Loading UCS with different provisioning can cause a single TMM crash

Component: Application Visibility and Reporting

Symptoms:
Saving a UCS file on one system and loading it on another that has different provisioning, can lead to TMM crash.

Note: The crash will take place only once and the next process of TMM that will be automatically restarted will work without problems.

Conditions:
-- Save a UCS on a system that has AVR or ASM with DoS configured.
-- Load the UCS on a system that does not have AVR nor ASM provisioned.

Impact:
When the system restarts after loading the UCS, TMM can crash but second process of TMM will work fine.

There is no actual impact, since the system is not operational anyway during UCS load, it only takes more time to bring the system to active state after loading the UCS.

Workaround:
When loading a UCS that was saved on a system that had AVR or ASM, make sure the same modules are provisioned first, and then load the UCS.


702615-1 : During reboot to another volume, the GUI login page becomes prematurely available

Component: TMOS

Symptoms:
Less than a minute after a reboot to another volume is initiated from the GUI, the GUI reports that the reboot is complete and displays the login page. Normally, a reboot takes about 5 minutes.

Conditions:
User initiates a reboot to another volume from the GUI.

Impact:
Misleading information is shown in the GUI. The GUI reports that the reboot is completed and displays the login prompts. However this is not correct because the reboot is still in progress.

Workaround:
Check the reboot status from the console or simply wait about 5 minutes before attempting to login to the system again.


702457-3 : DNS Cache connections remain open indefinitely

Component: Global Traffic Manager (DNS)

Symptoms:
Resize / Clearing the DNS cache while a lot of traffic is running can cause numerous connections to remain open indefinitely. tmm crash

Conditions:
Resize / Clear the DNS Cache while it is resolving connections.

Impact:
Connections remain open forever, using up memory

Workaround:
If you are encountering this, you can remove these connections by restarting tmm:

tmsh restart sys service tmm

Impact of workaround: Traffic disrupted while tmm restarts.


702439-3 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.


702350 : FingerPrint JS might be injected although it is disabled in all ASM features, and no DoS

Component: Application Security Manager

Symptoms:
Fingerprinting is injected while no ASM feature using it is asking for it.

Conditions:
-- Web-scraping is configured in the policy history.
-- Policy iss configured using REST.

Impact:
FingerPrint JS is injected for each request.

Workaround:
1. Turn on Bot detection and click Save.
2. Turn off Bot detection, FP flag, and suspicious clients detection, and click Save.
3. Apply Policy.


702310-2 : The ':l' and ':h' options are not available on the tmm interface in tcpdump

Component: TMOS

Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.

Conditions:
Running tcpdump.

Impact:
Packet capture on the tmm interface from the Linux side or the host side of tmm interface is not possible.

Workaround:
There is no workaround at this time.


701977-3 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.


701944-2 : machine certificate check crash for 'match issuer' configuration on macOS Sierra 10.12.6

Solution Article: K42284762

Component: Access Policy Manager

Symptoms:
Machine certificate check crashes a Mac BIG-IP Edge Client running on macOS Sierra 10.12.6 (16G29) when 'match issuer' is specified in the configuration.

Conditions:
- Machine certificate check configured for with 'match issuer' configuration.
- macOS Sierra 10.12.6 (16G29).
- BIG-IP Edge client.
- F5 EPI.

Impact:
Machine certificate check does not pass because Edge client crashes.

Workaround:
None.


701722-2 : Potential mcpd memory leak for signed iRules

Component: TMOS

Symptoms:
There is an MCP memory leak that occurs when th message "Signature encryption failed" is seen in /var/log/ltm.

Conditions:
Signing of iRules must be in use. Signature encryption must be problematic.

Impact:
MCP leak memory.

Workaround:
Resolve the signature encryption issue.


701690-3 : Fragmented ICMP forwarded with incorrect icmp checksum

Solution Article: K53819652

Component: Local Traffic Manager

Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP might have their source or destination IP addresses changed and transmitted with the checksum incorrectly calculated.

Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or SNAT/NAT only when a fragmented ICMP packet is received and is expected to be passed through the virtual server (or SNAT or NAT).

Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.

Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.


701555-3 : DNS Security Logs report Drop action for unhandled rejected DNS queries

Component: Advanced Firewall Manager

Symptoms:
DNS Security Logs report Drop action for unhandled rejected DNS queries.

Conditions:
DNS profile set unhandled-query-action reject.

Impact:
Incorrect event log. This is an incorrectly logged event and doe not indicate an issue with the system

Workaround:
None.


701341-2 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)


701232-1 : Two-way iQuery connections fail to get established between GTM devices with the same address on different networks connected through address translation

Component: Global Traffic Manager (DNS)

Symptoms:
Two GTM devices that have the same local IP address are not able to establish an iQuery connection, even when a translated address is configured.

Conditions:
This condition may occur if two GTM servers have the same self IP address on separate networks that are attempting to use address translation to establish a connection.

Impact:
When one or more GTM devices attempt to establish an iQuery connection to another device, it actually establishes a connection with itself instead of the other device.

Workaround:
To resolve the issue,
1. Configure the devices to have different self IP addresses.
2. Change the addresses and translated addresses of the corresponding GTM servers to match the new configuration using the following example command:
tmsh modify gtm server <server_name> addresses ...


701033-1 : Tcl actions not run if conditions have overlapping IP ranges

Component: Local Traffic Manager

Symptoms:
Overlapping CIDR subnets in rule's condition cause unexpected result.

Conditions:
-- LTM policy with more than one IP-address-based condition.
-- The IP address ranges overlap.
-- An associated action that invokes a Tcl command.

Impact:
Tcl action is not run.

Workaround:
None.


701025-1 : BD restart on a device where 'provision.tmmcountactual' is set to a non-default value

Component: Application Security Manager

Symptoms:
BD restarts with this error:
    Plugin configuration load timeout. Exiting.

Conditions:
The db variable 'provision.tmmcountactual' is set to a number lower than the actual CPU count.

Impact:
BD restarts continuously.

Workaround:
You can use any of these workarounds:
-- In the GUI, set 'RWThreads' under Security :: Options : Application Security : Advanced Configuration : System Variables.

-- Use the 'add_del_internal' utility:
----------------------
# /usr/share/ts/bin/add_del_internal
USAGE:
/usr/share/ts/bin/add_del_internal add <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal update <param_name> <param_value> [--default <default_value>]
/usr/share/ts/bin/add_del_internal delete <param_name>
----------------------

-- Set the bd internal parameter num_rw_threads to the amount of plugin channels that TMM expects.

-- Revert 'provision.tmmcountactual' sys db to the default value.


700989-2 : Better detecting browser extentsions

Component: Application Security Manager

Symptoms:
Browser extensions are not always detected

Conditions:
enabling "Web Scraping -> Suspicious Clients -> Detect browsers with Scraping Extensions", and choosing disallowed extensions.

Impact:
Browsers with disallowed extensions are not blocked.

Workaround:
None.


700897-3 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG

Component: TMOS

Symptoms:
sod consumes excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.

Conditions:
When the number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.

Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interferes with other control plane functions including the UI.

Workaround:
There is no workaround at this time.


700794-2 : Cannot replace a FIPS key with another FIPS key via tmsh

Component: TMOS

Symptoms:
If you try to replace an existing FIPS key using "tmsh install sys crypto key" the command fails with "is already FIPS". This can also occur when issuing the commands via the REST API.

Conditions:
If a FIPS key already created/installed via tmsh, it can not be replaced or overwritten via "tmsh install sys crypto" command.

Impact:
Fail to overwrite a FIPS key with another FIPS key via tmsh


700639 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000


700426-2 : Switching partitions while viewing objects in GUI can result in empty list

Solution Article: K58033284

Component: TMOS

Symptoms:
In LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in empty list.

Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.

For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.

Impact:
The list of pools is empty despite the fact that there are pools available.

Workaround:
Return to the first page of objects before switching to any other partition.


700250-1 : qkviews for secondary blade appear to be corrupt

Solution Article: K59327012

Component: TMOS

Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.

Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.

Impact:
The system posts the following messages:
    gzip: stdin: unexpected end of file
    tar: Child returned status 1
    tar: Error is not recoverable: exiting now


Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.

Workaround:
None.


700035-3 : /var/log/avr/monpd.disk.provision not rotate

Component: Application Visibility and Reporting

Symptoms:
the log file may fill-up /var partition

Conditions:
there is no special condition for this issue - if the log is big it won't rotate

Impact:
the log file may fill-up /var partition

Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision


699898-3 : Wrong policy version time in policy created after synchronization between active and stand by machines.

Component: Application Security Manager

Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.

Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.

Impact:
Policy version timestamp on standby system is not synchronized properly.

Workaround:
Run full synchronization again from active system to the group.


699512-3 : DNS request can be dropped when queued in parallel with another request

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests can be dropped.

Conditions:
1. When two DNS requests are received in quick succession with matching IP/Port pairs.
2. The UDP DNS virtual does not use datagram LB mode.

Impact:
DNS requests may be dropped.

Workaround:
Configure the virtual server for UDP profile with datagram LB mode enabled.


699091-1 : SELinux denies console access for remote users.

Component: TMOS

Symptoms:
SELinux denies console access for remote users if they are attempting to log in for the first time. This occurs because the user has not logged in before, so no entries exist for them in the userrolepartitions file.

Conditions:
-- Remote authentication is enabled.
-- BIG-IP system user attempts to log in to the console as their first login.

Impact:
Certain remote users may not be able to log in to the console.

Workaround:
Login as a remote user using SSH or the GUI.


699076-3 : URI::path iRules command warns end and start values equal

Component: Local Traffic Manager

Symptoms:
URI::path iRules command warns end and start values equal

Conditions:
The end and start values equal

Impact:
Warning message shows in console.

Workaround:
Ignore the warning.


698991 : CPU utilization on i850 is not a reliable indicator of system capacity

Solution Article: K64258832

Component: TMOS

Symptoms:
Unlike previous platforms, the i850 may report between 50-70% CPU utilization when at full capacity. The specific number is workload dependent, and therefore should not be used as an indicator of system headroom for sizing purposes.

Conditions:
Running BIG-IP software on an i850.

Impact:
Confusion of actual capacity usage.

Workaround:
Refer to the BIG-IP stats and published capabilities to determine utilized capacity under a specific workload.


698933-3 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


698917 : Unexpected additional policy is created while creating a policy from a template via REST

Component: Application Security Manager

Symptoms:
An unexpected additional policy is created while creating a policy from a template via REST while modifying other attributes.

Conditions:
The user creates a policy from a template via REST while modifying other attributes.

Impact:
An unexpected additional policy is created.

Workaround:
Use the import-policy task to create a new policy from a template in REST. Alternatively, if using the /policies endpoint, create the policy with just the name and template, and make any other changes as a separate update afterwards.


698911 : Periodically SIP requests are not sent to the server

Component: Service Provider

Symptoms:
When rate-limiting is configured on the virtual server and/or pool using a SIP profile, periodically SIP requests may not be forwarded to the server despite rate being under limit.

Conditions:
SIP profile associated with virtual server and rate-limit configured.

Impact:
SIP requests may not be forwarded to the server.

Workaround:
There is no workaround other than disabling rate-limiting.


698844 : LCD splash screen may display incorrect platform name on iSeries appliance

Component: TMOS

Symptoms:
The LCD on an iSeries appliance may show the incorrect platform name after a license is applied.

Conditions:
The platform name may be incorrect on the LCD until the first reboot.

Impact:
Display only, no functional impact

Workaround:
Use "tmsh show sys hardware" to see the correct platform name.


698619-1 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.


698599 : Cave Creek Crypto HW accelerated SSL traffic may encounter errors and performance problems.

Component: TMOS

Symptoms:
Cave Creek Hardware-accelerated Secure Sockets Layer (SSL) traffic may encounter errors and performance problems.

The BIG-IP system may experience SSL connection failures or reduced performance.

Following logs show an example of errors seen:
/var/log/ltm
-- crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
-- warning tmm3[11707]: 01260009:4: Connection error: ssl_basic_rx:1015: decrypt request error (20)

Conditions:
This issue occurs when all of the following conditions are met:
-- Your BIG-IP system uses Cave Creek SSL hardware acceleration.
-- You are experiencing a high SSL traffic load.

Impact:
The BIG-IP system may experience SSL connection failures or reduced performance.

Workaround:
To work around this issue, you can increase the crypto.queue.timeout database key. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system. This procedure will mitigate future occurrences. A reboot of the BIG-IP system is required to clear a currently occurring condition.

1. Log in to the Traffic Management Shell (tmsh) as an administrative user.
2. Run the following command: modify /sys db crypto.queue.timeout value 300
3. Reboot the BIG-IP system.


698597 : BIG-IP fails to go active after cryptographic hardware has recovered from a failure

Solution Article: K10300436

Component: TMOS

Symptoms:
A BIG-IP system might not become active after a crypto-failsafe condition even after it has recovered from a cryptographic hardware failure.

As a result of this issue, you might see output of the tmsh show sys ha-status command similar to the following example:

Feature Key Action Fail Feature Take Client Proc Timeout
crypto-failsafe qa-crypto3-3 failover yes yes yes 0 tmm3 0

The /var/log/ltm file contains messages similar to the following examples:
-- crit tmm[9184]: 01010025:2: Device error: crypto codec cn-crypto-0 queue is stuck.
-- notice sod[8874]: 01140029:5: HA crypto_failsafe_t cn-crypto-0 fails action is failover.

Conditions:
This issue occurs when all of the following conditions are met:

-- Using BIG-IP 2000/2200, 4000/4200, or i2600/i2800 platforms.
-- The crypto-failsafe action is set to failover.
-- The failsafe condition is triggered.
-- The cryptographic hardware has recovered from its failure.

Impact:
The BIG-IP system stays down, even after the cryptographic hardware has recovered. When the system is in this condition, traffic is not being processed.

Workaround:
When your BIG-IP system is in this state, you can recover by restarting the Traffic Management Microkernel (TMM) process. To do so, perform the following procedure:

Impact of workaround: Because so there is no traffic being passed, there is no traffic impact to performing this procedure.

1. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh
2. Restart TMM by running the following command:
restart /sys service tmm

Note: There is no way to easily determine whether the cryptographic hardware has recovered from the failure. Unfortunately, therefore, performing this mitigation step might not return the BIG-IP system to an active state. There are other issues with similar symptoms. If your system is experiencing one of those issues instead, this mitigation step will not produce successful results.

Here are three other Known Issues that produce almost exactly the same error messages, but involve different configurations. You might find additional assistance here::
  + K53752362: The BIG-IP system may erroneously detect a stuck crypto queue in Cave Creek devices :: https://support.f5.com/csp/article/K53752362
  + K53220379: The BIG-IP system may erroneously detect a stuck crypto queue :: https://support.f5.com/csp/article/K53220379
  + K16632: A vCMP host may stop processing SSL and HTTP compressed traffic for a vCMP guest due to a worker-lite system timeout :: https://support.f5.com/csp/article/K16632


698594 : Cave Creek Crypto hardware reports a false positive of a stuck queue state

Solution Article: K53752362

Component: TMOS

Symptoms:
In some cases, a stuck crypto queue may be erroneously detected on Cave Creek-based systems. This includes BIG-IP 2x00, 4x00, i850, i2x00, i4x00, and HRC-i2800.

The system writes messages similar to the following example to the /var/log/ltm file:

crit tmm3[11707]: 01010025:2: Device error: crypto codec qa-crypto3-3 queue is stuck.
warning sod[4949]: 01140029:4: HA crypto_failsafe_t qa-crypto3-3 fails action is failover.

Conditions:
This issue occurs when all of the following conditions are met:
- Your BIG-IP system uses the Cave Creek encryption hardware.
- You are making use of hardware-based SSL encryption.
- The BIG-IP system is under heavy load.

Impact:
The system reports device errors in logs, and takes crypto high availability (HA) action, possibly resulting in failover.

Workaround:
To work around this issue, you can modify the crypto queue timeout value. To do so, perform the following procedure.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP system as an administrative user.

2. Log in to the Traffic Management Shell (tmsh) by running the following command:
tmsh

3. To change the crypto queue timeout value, run the following command:
modify /sys db crypto.queue.timeout value 300

4. Save the change by running the following command:
save sys config

Increasing the crypto queue timeout gives the hardware enough time to process all queued request.


698462 : TCP timestamp rewrite mode not working on the client side of ePVA offloaded connections

Component: TMOS

Symptoms:
When the tcp-timestamp-mode is set to 'rewrite', not the default 'preserve', the client side TSecr is not set correctly for the FIN packets. When the flow is evicted due to FIN processing in ePVA, the process copies the timestamp from the server sending the FIN/ACK. This unexpected behavior causes the TCP client to halt at the FIN-WAIT-2 because the client thinks the FIN/ACK from the BIG-IP system includes illegitimate timestamp options, and drops it.

Conditions:
-- tcp-timestamp-mode is set to 'rewrite'.
-- FastL4 profile.
-- Systems with ePVA feature support.

Impact:
TCP client cannot handle the FIN packets properly, causing connection issues.

Workaround:
Use the default 'preserve' mode for FastL4 profiles.


698429-3 : Misleading log error message: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:

Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...

These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling from this failure causes misleading messages, but it does successfully read the unit key during this error recovery.

Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.

Impact:
None. These messages do not indicate an actual problem with the system.


698211-3 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record to the related DNS express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.


698038 : TACACS+ system auth file descriptor leaks when servers are unreachable

Solution Article: K05730807

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Connections to one or more of the configured TACACS+ servers fails.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST. -- Repeated automated access using iControl is the fastest route.

Impact:
Depending on the number of connection failures, the open files limit of the web server process might be exceeded and new connections to the web server will fail.

Administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
To prevent the issue, remove unreachable TACACS+ servers from the tacacs configuration, or restart the httpd process as necessary.

To recover if logins via remotely authenticated accounts are no longer possible, restart the httpd process.


698034-2 : PKCS12 file imported via Configuration utility into folder is placed at partition root

Component: TMOS

Symptoms:
When importing a certificate (cert) using the GUI Configuration utility, you can specify a partition folder, and the system imports the cert into that partition folder. However, specifying a partition folder when importing a PKCS12 cert imports it to the root partition folder, Common.

Conditions:
Login to GUI:
 - Navigate to:
System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.

 - Click Import:
Select 'PKCS'.

 - Give the cert a name:
sync_group/pk12gui

Impact:
PKCS12 files imported using the GUI Configuration utility are placed at root partition folder, Common, rather than the partition folder.

Workaround:
You can use either workaround:
-- Once the PKCS12 file has been imported, export the cert and key, and then re-import into the partition folder.

-- Import PKCS12 file using TMSH.


698013-4 : TACACS+ system auth and file descriptors leak

Solution Article: K27216452

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.


697766-3 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:


   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.


697626 : iRules LX: Cannot modify workspace imported by "Import From Workspace"

Component: Local Traffic Manager

Symptoms:
The permissions of an iRules LX workspace copy created from the "Import..." "From Workspace" are set to 775 (drwxr-xr-x) for directories and 444 (-r--r--r--) for files including the node and tcl code files. This causes the "Could not save file: <file>" error upon modification of the code.

Conditions:
Attempting to modify imported workspace.

Impact:
Cannot save changes.

Workaround:
A. Create an "archive file" first and use it for importing.
B. After creating a copy using "From Workspace", run chmod command to add +w to the group and others: e.g., chmod -R g+w,o+w <Workspacename>.


697590-5 : APM iRule ACCESS::session remove fails outside of Access events

Component: Access Policy Manager

Symptoms:
ACCESS::session remove fails

Conditions:
iRule calling ACCESS::session remove outside of Access events.

Impact:
APM iRule ACCESS::session remove fails to remove session

Workaround:
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.


697265 : MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.

Component: Advanced Firewall Manager

Symptoms:
MCP cores when importing a configuration with 12000 nested address lists and auto-sync enabled.

/var/log/ltm contains messages similar to the following:
-- err clusterd[7274]: 013a0004:3: IO error on recv from mcpd - connection lost
-- info sod[7953]: 010c0009:6: Lost connection to mcpd - reestablishing.
-- notice chmand[7594]: 012a0005:5: resetting chmand services
-- err snmpd[7952]: 010e0001:3: Cannot communicate with MCPD server.
-- err mysqlhad[7596]: 014e0006:3: MCP Failure: 1.
-- err zxfrd[7962]: 0153e0f7:3: Lost connection to mcpd.
-- err tmrouted[6299]: 01910013:3: FATAL error: 6 irrecoverable MCP I/O error (Unknown error 16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: MCP msg receive (16908291).
-- err alertd[7280]: 01100042:3: Failed with MCPD at: Socket read (16908291).

Conditions:
-- AFM configuration.
-- Devices in a device group trust configuration.
-- Device group configured with Autosync enabled.
-- Importing a configuration with a very large number of nested address lists (for example, 12000 nested address lists).

Impact:
mcpd cores.

Workaround:
Split the configuration into smaller chunks (e.g., 1000 address lists each) and load them one at a time.


696755-2 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}


696731-1 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administrative disabling an interface on BIG-IP

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.


696363 : Unable to create SNMP trap in the GUI

Component: TMOS

Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.


695985-1 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.


695707-3 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection

Component: Local Traffic Manager

Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.

Conditions:
Close an MPTCP connection.

Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.

Workaround:
There is no workaround at this time.


695401 : QS user defined alerts may not be sent if there is no URL with qs configured on FPS profile

Component: Fraud Protection Services

Symptoms:
when FPS signature update defines a URL with a query string, and defines a custom alert for that URL, the alert will not be sent if there is no URL with a query string configured on the FPS profile.

Conditions:
1. Custom alert for a URL with query string.
2. There are. no URLs with query string configured on FPS profile

Impact:
System does not send alert.

Workaround:
Define a URL (potentially a placeholder URL) with query string on FPS profile.


695109-3 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Solution Article: K15047377

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.


695090 : In rare situations hardware syncookies may be sent for a L7 virtual server when hardware syncookie protection is disabled

Component: TMOS

Symptoms:
In rare situations, hardware syncookies may be sent for the traffic received on a L7 virtual server even though hardware syncookie protection is disabled on the virtual server.

Conditions:
It is unknown what triggers this error condition at this point.

Impact:
Some of the TCP options are not supported under hardware syncookie protection mode.

Workaround:
There is no workaround at this time.


694934-3 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.


694897-4 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.

Component: TMOS

Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.

Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1 GB interfaces.
-- On i4x00 platforms.

Impact:
PFMAND cores.

Workaround:
Use only F5 branded Copper SFPs


693966-2 : TCP sndpack not reset along with other tcp profile stats

Component: Local Traffic Manager

Symptoms:
TCP sndpack stat added is not being properly reset when a tmsh reset-stats command is issued.

Conditions:
When tmsh reset-stats command is issued.
-- tmsh reset-stats /ltm profile tcp <profile-name>

Impact:
TCP sndpack stat doesn't reset when tmsh reset-stats command is issued.

Workaround:
There is no workaround.


693901-3 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.


693578-1 : switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Component: TMOS

Symptoms:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Conditions:
None

Impact:
switch/color_policer tmctl table is not available in 12.1.0 - 13.1.0

Workaround:
None


693563-3 : No warning when LDAP is configured with SSL but with a client certificate with no matching key

Solution Article: K22942093

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.


693515 : A '+' character in a log profile name causes import to fail

Component: Advanced Firewall Manager

Symptoms:
When there is a '+' character in log profile name, importing the module on BIG-IQ fails as '+' is treated as a reserved character.

Impact:
Import fails due to reserved character

Workaround:
Do not use '+' in the name.


693246-1 : SOD may send SIGABRT to TMM when TMM has not reported its heartbeat for a long enough period of time.

Component: TMOS

Symptoms:
This seems to happen very infrequently. Symptoms vary from a simple TMM restart up to a blade reset. LTM log will show a sod message complaining about TMM heartbeats, followed later by SIGABRT messages from TMM.

Conditions:
TMM has not reported its heartbeat for a long enough period of time. The specific circumstances are unknown, but the issue has been seen with moderate-to-heavy system loads.

Impact:
Interruptions in data path processing. The interruption can be short for a simple TMM restart, longer for a full blade restart. Though these events altogether are rare, when they happen, it appears the simple TMM restart is more common than the blade restart.

Workaround:
None.


692753-3 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
Shutting down trap not sent when shutdown -r or shutdown -h issued from shell.

Conditions:
When user access the linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP does not send shutting down trap.

Impact:
None.
Since this is user triggered command, the user is aware of the shutdown event, so the lack of trap is not critical.

Workaround:
None


692172-2 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule which selects default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}


691992 : MSTP: CIST bridge priority changes after adjusting the MSTI priority.

Component: Local Traffic Manager

Symptoms:
Changing the priority of a non-zero region MSTP instance results in BPDUs advertising a change to the CIST Bridge Priority, but not for the expected MSTID instance.

Conditions:
Issue a STP MSTID priority modify request.

Impact:
Changing the MSTID priority for forcing the BIG-IP system to become the root bridge, does not work as expected.

Note: F5 Networks recommends against having the BIG-IP system become the root bridge.

Workaround:
After modifying the MSTID priority, also restart the STP daemon (stpd) to have the BPDUs advertising the expected CIST/MSTID priorities.


691785-3 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.


691749-3 : Delete sys connection operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
TMSH operations that delete sys connection cannot be part of transactions. Once the TMSH transaction is submitted, TMSH freezes up if a 'delete sys connection ...' command is included.

Conditions:
Include delete sys connection operations in TMSH transactions.

Impact:
TMSH freezes up and transactions do not complete.

Workaround:
Only use tmsh delete sys connection outside of TMSH transactions.


691491-3 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Solution Article: K13841403

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.


691048-3 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.

Conditions:
Diameter answer message doesn't have Result-Code AVP available, but with Experimental-Result AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.


690890-3 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.


690781 : VIPRION systems with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests

Component: TMOS

Symptoms:
VIPRION systems equipped with B2100 or B2150 blades cannot run four 1-slot 8-core vCMP guests.

The system will allow all four guests to created, but the one deployed last will not work correctly.

Specifically, the guest deployed last will fail to access TMM networks.

Additionally, the hypervisor will log messages similar to the following example to the /var/log/ltm file:

 info bcm56xxd[13741]: 012c0016:6: FP(unit 0) Error: Group (6) no room.
 err bcm56xxd[13741]: 012c0011:3: entry create failed: SDK error No resources for operation bs_field.cpp(447)
 err bcm56xxd[13741]: 012c0011:3: geteid_qualify_egress failed: SDK error No resources for operation bs_field.cpp(2009)
 err bcm56xxd[13741]: 012c0011:3: program dest mod/port rule failed: SDK error No resources for operation bs_vtrunk.cpp(5353)
 err bcm56xxd[13741]: 012c0011:3: vdag class L4 redirect failed: SDK error No resources for operation bs_vtrunk.cpp(3261)

Conditions:
This issue occurs when the following conditions are met:

- A C2400 VIPRION chassis is equipped with four B2100 or B2150 blades.

- A vCMP configuration consisting of four 1-slot 8-core guests was put in place (in other words, four full-blade guests).

Impact:
One guest does not function properly as it cannot access TMM networks. All traffic fails to pass.

Workaround:
This issue is caused by a hardware limitation on B2100 and B2150 blades preventing this specific vCMP configuration from instantiating correctly.

As a workaround, you must specify different vCMP guest sizes.

For instance, you could use one of the following configurations:

- Four 2-slot 4-core vCMP guests (although not the same, this yields the same total number of TMM instances as the affected vCMP configuration).

- Three 1-slot 8-core vCMP guests and two 1-slot 4-core vCMP guests (for example, you might use the smaller vCMP guests for development and staging purposes, leaving the full-blade guests for production).


690778-3 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Solution Article: K53531153

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.


690316 : Software syncookies are sent for FastL4 virtual server with software syncookies disabled

Component: Local Traffic Manager

Symptoms:
If a virtual server using FastL4 is configured with software SYN cookies disabled and global hardware SYN cookies disabled using the pvasyncookies.enabled DB setting, then software SYN cookies may still be sent if a SYN flood occurs on the VIP.

This can be observed by seeing that the virtual server went into syncookie mode in the LTM logfile.

Conditions:
If the FastL4 profile has software-syn-cookie disabled, hardware-syn-cookie enabled, and the pvasyncookies.enabled db setting is set to false.

Impact:
The VIP enters SYN cookie mode.

Workaround:
Both hardware-syn-cookie and software-syn-cookie should be disabled in the FastL4 profile.


689982-1 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.


689779 : VE HyperV packet drops under load due to interrupt distribution

Component: TMOS

Symptoms:
A small number of dropped inbound packets to the BIG-IP system while under load.
 
Network captures on a virtual port mirror show that the packets are making it to the BIG-IP VE, but the packets are not seen by tmm or Linux by tcpdumping on 0.0, 1.1, or eth1.

Conditions:
HyperV Virtual Edition (VE) v12.1.x or earlier.

Impact:
Performance and network degradation due to packet loss.

Workaround:
None.


689583-3 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.

Component: Global Traffic Manager (DNS)

Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
 notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
 notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
 err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.

Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
 big3d --version
 big3d
 big3d -xyz
 big3d -d

Impact:
GTM server goes red momentarily.

Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.


689567-3 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.


689361-3 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.


689343-3 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, thus subsequent requests will be dispatched to other pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.


689231 : MSSQL filter assumes 64-bit token done row count field

Component: Local Traffic Manager

Symptoms:
Virtual server with MSSQL profile gets tds internal error (Out of bounds) error message. This occurs when the row count of token done is not 64-bit, in which case the connection will be closed with a reset.

Conditions:
-- This occurs using the MSSQL profile for the virtual server.
-- Pool member is running Microsoft SQL Server 2016 with TDS version is 7.1 or earlier.

Impact:
Get reset cause: Packet capture RST cause: [23db241:1807] tds internal error (Out of bounds).

Unable to use TDS 7.1 or earlier with MSSQL filter.

Workaround:
Use TDS 7.2 or later. TDS 7.2 and later use 64-bit row count field for token done.


689147-1 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.


689117-1 : Transfer Complete log message now includes the SOA Serial number

Component: Global Traffic Manager (DNS)

Symptoms:
It was hard to track the serial numbers of completed xfers.

Conditions:
When an AXFR or IXFR completes, the log message does not indicate what serial number was transferred.

Impact:
If there are many, frequent updates to the master zone, it can be difficult to track what serial number(s) have already been transferred from the master server to the DNS Express server.

Workaround:
None.


688833-2 : Inconsistent XFF field in ASM log depending violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.


688813-1 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.


688570-3 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes

Component: Local Traffic Manager

Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.

Conditions:
An MPTCP connection is closed.

Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.

Workaround:
There is no workaround at this time.


688557-3 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Solution Article: K50462482

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).


688542-1 : SASP GWM monitor always sets No Change / No Send Flag in Set LB State Request

Component: Local Traffic Manager

Symptoms:
The version of the SASP monitor requests updates only from the SASP GWM (Global Workload Manager) for members whose state has changed from what the GWM last reported. The previous version of the SASP monitor requested periodic updates for all members monitored by the GWM.

Conditions:
Running the version of the SASP (Server/Application State Protocol) monitor included in post-12.1.2 BIG-IP software.

Note: This behavior does not occur with previous versions of the SASP monitor, included in pre-12.1.2 versions of BIG-IP software.

Impact:
This change in behavior from the previous SASP monitor implementation has not been confirmed to cause any observable symptoms. If any symptoms are observed which are suspected to be the result of this change, a support request should be opened with F5 support for further investigation.

Workaround:
None.


688406-3 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.


688335-3 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>


688266-3 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.


688177-2 : Local user with Administrator role may be changed to Guest role after BIG-IP software upgrade

Component: Device Management

Symptoms:
Following a BIG-IP software upgrade (for example, from version 11.5.4 to version 11.6.1), local users with Administrator role may be changed to Guest role.

Conditions:
The BIG-IP configuration includes one or more local accounts with Administrator role (other than the 'admin' user).

Please note that this issue does not occur on every upgrade, but has roughly a 10% probability of occurring.

Impact:
Administrator users other than 'admin' have no access after the upgrade.

The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.

Workaround:
The 'admin' user has to change the role of affected users from Guest back to Administrator after the upgrade.


687887-4 : Unexpected result from multiple changes to a monitor-related object in a single transaction

Component: Local Traffic Manager

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').


687807-3 : The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception

Component: Local Traffic Manager

Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the GUI posts an error on page: System :: Device Certificates : Device Certificate :: Device Certificate: An error has occurred while trying to process your request.

Conditions:
The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/.

Impact:
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors on System :: Device Certificates : Device Certificate :: Device Certificate (e.g., 'An error has occurred while trying to process your request.').
   + May confuse objects (e.g., 'web-server.crt' and 'web-server.crt.csr').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing these files, and reports an error.

Workaround:
Rename the csr file suffix from '.crt.csr' to '.csr'.


687617-3 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when they are set to "none" in configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specify the minimal set of configuration that DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It's better to set it to a minimal value like "routers, subnet-mask" in order to have management connectivity.


687579 : TMSH incorrectly allows settings snat-translation ip-idle-timeout to zero.

Component: Local Traffic Manager

Symptoms:
The configuration setting ' ip-idle-timeout' on the snat-translation object allows zero as a possible value.

Conditions:
Entering the following tmsh command:
tmsh create ltm snat-translation <snat-address> ip-idle-timeout 0

Impact:
The configuration will be invalid. This may cause issues with upgrades and the BIG-IP may not pass traffic correctly or as expected.

Workaround:
Do not set the snat-translation ip-idle-timeout to 0 using tmsh.


687343-3 : Running 'load sys config merge verify' will add new users to the PostGres database

Component: TMOS

Symptoms:
Running 'load sys config merge verify' will add new users to the PostGres database. The system posts an error similar to the following:

010719a2:3: PostgreSQL database error: ERROR: duplicate key value violates unique constraint "auth_user_pkey"
DETAIL: Key (name)=(admin1) already exists.

Conditions:
Issue occurs only under the following conditions:
-- 'load config merge verify' of configurations including user definition.
-- Attempt to create user with same name using 'load config merge', 'create user', or GUI options.

Impact:
It is not possible to use the verify argument when using 'load sys config merge' with configurations containing user definitions.

'verify' argument to 'load sys config' does not prevent or rollback side effects

Workaround:
Manually remove the user data from the PSQL database; from a bash prompt:

psql -U postgres

\c tmdb
DELETE FROM auth_user WHERE name='admin1';
DROP OWNED BY admin1;
DROP ROLE admin1;
DROP SCHEMA admin1 CASCADE;
\q


687213-1 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.


687172 : Pools do not appear as expected after deploying iApp via iWorkflow

Component: TMOS

Symptoms:
Only two of three pools are visible in the iApp view on the BIG-IP system after deploying via iWorflow 2.2, though the pool can be found as expected in the Pools view.

Conditions:
-- After deploying via iWorflow 2.2.
-- Using iApp to view configured pools.

Impact:
Unreliable query response can result in unexpected behavior.

Workaround:
Do not rely on the iApps Component View, but inspect
BIG-IP (management GUI) Local Traffic pages such as
Local Traffic :: Pools : Pool List or examine the
/config/bigip.conf file to ascertain whether a desired
BIG-IP configuration has been created.


687115-1 : SNMP performance can be impacted by a long list of allowed-addresses

Component: TMOS

Symptoms:
If the SNMP configuration includes a long list of allowed-addresses in the configuration then it can impact SNMP performance.

Conditions:
-- The SNMP daemon consults a system file to determine whether a request can be serviced.

-- There is a long list of allowed addresses in the configuration.

Impact:
Potentially slow SNMP response.

Workaround:
Make the list of allowed addresses be the minimum set of your clients.


687044-2 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh modify sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.


686816-3 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.


686718 : VPN tunnel adapter stays up in some cases

Component: Access Policy Manager

Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.

Conditions:
-- Application launch on VPN establishment is configured on APM.
-- Launched application is not closed.

Impact:
This is a cosmetic issue with no functionality impact. Subsequent launch of VPN creates a new tunnel adapter.

Workaround:
Close the launched application.


686626-2 : The BIG-IP system may connect to an OCSP server using an unexpected source IP address

Component: TMOS

Symptoms:
BIG-IP systems configured to perform OCSP Stapling may connect to an OCSP server using an unexpected source IP address.

The source IP address picked by the BIG-IP system may be something that doesn't exist at all in its configuration.

Additionally, the source IP address picked by the BIG-IP system may appear corrupted or invalid to an Administrator (for example: 0.0.0.112).

Conditions:
Required configuration:

1) The BIG-IP system is running a version prior to 13.0.0.

2) The BIG-IP system is deployed as an IPv4/IPv6 multihoming device.

3) The DNS Resolver used by the OCSP Stapling configuration belongs to a non-0 route domain.

4) The virtual servers performing OCSP Stapling belong to a non-0 route domain different than the one used by the DNS Resolver.

5) Virtual servers using OCSP Stapling include both IPv4 and IPv6 destinations.

6) The OCSP server FQDN resolves to an A record.

With these conditions in place, the issue occurs when a client attempts a connection to one of the OCSP Stapling-enabled IPv6 virtual servers, and this needs to connect to an IPv4 OCSP server.

The source IP address used by the BIG-IP system will be an IPv4 address containing the last 4 bytes of an IPv6 Self-IP address configured on the BIG-IP system.

Impact:
The BIG-IP system fails to perform OCSP Stapling, and the unusual traffic may trigger alarms on your network.

The actual impact is limited, as clients who request validation of the certificate status and do not get it should be able to perform it on their own.

Workaround:
Where possible, you can work around this issue by re-configuring the BIG-IP system so that some of the conditions required for this issue to occur no longer apply.


686563-3 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes timeout or monitor responses indicate an error. However, an WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.


686547-3 : WMI monitor sends logging data for credentials when no credentials specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.


686318 : Inter TMM Caching Delay

Component: WebAccelerator

Symptoms:
In some rare circumstances on VE instances, the transmission of updated cache information from TMM to TMM can be delayed.

Conditions:
VE instances.

Impact:
Different TMM hot content caches may serve different versions of the same document from cache.

Workaround:
None


686206-1 : Machine Info agent does not collect complete information on disconnected network adapters

Component: Access Policy Manager

Symptoms:
On Mac OS X, the BIG-IP APM Machine Info agent does not collect information for disconnected network adapters.

On Microsoft Windows, the BIG-IP APM Machine Info agent does not collect the MAC address of disconnected network adapters.

Conditions:
Machine info agent is configured in the access policy.

Impact:
Access policy evaluation may yield incorrect results if a access policy node depends on this information.

Workaround:
There is no workaround at this time.


686101-3 : Creating a pool with a new node always assigns the partition of the pool to that node.

Solution Article: K73346501

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.


686059-1 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN with existing VLANs using trunk members. - STP is enabled on its trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.


685915-1 : Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured

Component: Global Traffic Manager (DNS)

Symptoms:
If a DNS Express zone that has Verify Notify TSIG checked gets a notify with no TSIG at all, unsigned notifies are not processed.

Conditions:
Unigned notify is received when Verify Notify TSIG is checked.

Impact:
Unsigned notifies are not processed

Workaround:
There is no workaround at this time.


685862-2 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML IdP, and signing is configured, BIG-IP will sign the message by configured signing key, and include last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.

Conditions:
All of the following:
- BIG-IP is used as SAML IdP or SAML as SP with SLO configured.
- BIG-IP generates signed SAML response containing assertion or SLO request/response
- Configured on BIG-IP signing certificate is a security chain and not a single certificate

Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementation may drop signed SAML message if last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that signing operation itself is performed correctly by BIG-IP using configured signing certificate, and digital signature will contain correct value.

Workaround:
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.


685820-1 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.


685582-5 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...


685233-2 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade.


684096-1 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
incorrect self-link returned

Workaround:
be mindful when parsing the self-link


683706-1 : Pool member status remains 'checking' when manually forced down at creation

Component: Local Traffic Manager

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.


683454 : HTTP::header command may crash TMM on an erroneous argument

Solution Article: K99294671

Component: Local Traffic Manager

Symptoms:
An iRule command 'HTTP::header insert' or 'HTTP::header remove' allows manipulation of HTTP headers. The iRule accepts arguments that might result in an error if they have an invalid format. TMM generates an internal Tcl error for the argument but continues to process the command. This might cause TMM to crash.

Conditions:
-- iRule is associated with a virtual server.
-- The iRule contains either or both of the 'HTTP::header insert' and 'HTTP::header remove' commands.
-- An argument in the command generates a Tcl error.

Impact:
TMM crashes causing failover and possible disruption in processing traffic.

Workaround:
Sanitize arguments for the command to prevent TCL error.


683177-2 : Can't drilldown or filter by 'Client Countries'

Component: Application Visibility and Reporting

Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.

Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.

Impact:
Internal Error is displayed in the GUI.

Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.


683135-4 : Hardware syncookies number for virtual server stats is unrealistically high

Component: TMOS

Symptoms:
In some situations 'tmsh show ltm virtual' shows unrealistically high hardware (HW) syncookie numbers.

These unrealistically high HW syncookie stats cause AFM DoS TCP synflood vector to have high numbers, and that can cause TCP synflood vector to drop packets in HW based on the configured rate-limit for that vector.

Conditions:
Virtual server with hardware syncookie protection enabled.

Impact:
Stats issue. Can have impact to traffic if AFM TCP Synflood vector is enabled in mitigation mode.

Workaround:
Disable the TCP Synflood vector in mitigate mode.

Since Syncookie is already providing protection, the TCP Synflood option should be enabled only in detect-only mode, if at all.


683061-2 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using external datagroup, rapidly creating updating and then deleting it.

Impact:
TMM fails

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.


683029-2 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.


682751-5 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.


681782-4 : Unicast IP address can be configured in a failover multicast configuration

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.


681673-2 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.


681009-2 : Large configurations can cause memory exhaustion during live-install

Component: TMOS

Symptoms:
system memory can be exhausted and the kernel will kill processes as a result.

Conditions:
During live-install, if configuration roll-forward is enabled, and the compressed configuration size is of a similar order of magnitude as total system memory.

Impact:
The kernel will kill any number of processes; any/all critical applications could become non-functional.

Workaround:
Make sure there are no un-intended large files included in the configuration. Any file stored under /config is considered part of the configuration.

If the configuration is, as intended, on the same order of magnitude as total system memory, do not roll it forward as part of live install. Instead, save it manually and restore it after rebooting to the new software.

to turn off config roll forward; setdb liveinstall.saveconfig disable

to save/restore configuration manually; see
https://support.f5.com/csp/article/K13132


680917-2 : Invalid monitor rule instance identifier

Component: TMOS

Symptoms:
iApp triggers an error while attempting to change server properties for pool members. The error reads "Invalid monitor rule instance identifier"

Conditions:
While changing the server properties associated with the pool members through iApp.

Impact:
Will not be able to change the server properties using iApp.


680680-2 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
in BIG-IP version 10.x, the POP3 monitor sent STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).


680556-2 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
The specific conditions under which this occurs are not known.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


680298 : FPS may introduce latency even for unprotected pages

Component: Fraud Protection Services

Symptoms:
Depending on TCP profile parameters, FPS may introduce latency even for unprotected pages due to re-chunking of response.

The latency introduction may arise when re-chunking causes a small TCP segment that the BIG-IP system's TCP stack or upstream device chooses to buffer (for example, due to Nagle's algorithm)

Conditions:
1. FPS attached to virtual server.
2. TCP profile parameters (Nagle's Algorithm, MSS, etc.).
3. Chunked response from server.

Impact:
FPS unprotected pages may suffer 10's to 100's ms latency

Workaround:
Experience shows that disabling Nagle's Algorithm (for example) might overcome FPS latency, but it should be noted that this sort of mitigation should be carefully examined as it is influenced by many parameters (traffic patterns, other TCP profile parameters, SSL profile, etc.).


679735-1 : Multidomain SSO infinite redirects from session ID parameters

Component: Access Policy Manager

Symptoms:
If an application uses a URL parameter of 'sid', 'sess', or 'S', the APM can enter an infinite redirect loop.

In a packet capture, the policy completes on the auth virtual server. After policy completion, the client is redirected back to the resource virtual server. The resource virtual server cannot find the session, and redirects back to the auth virtual server. This begins the infinite loop of redirecting between resource and auth virtual servers.

Conditions:
Application with URL paramater containing 'sid', 'sess', or 'S' while using multidomain SSO.

Impact:
Applications that use 'sid', 'sess', or 'S' parameters cannot be fronted by an APM.

Workaround:
None.


679722-2 : Configuration sync failure involving self IP references

Component: Advanced Firewall Manager

Symptoms:
Configuration sync fails, generating an error similar to the following:

Caught configuration exception (0), Values (self-IP) specified for self IP (<name>): foreign key index (fw_enforced_policy_FK) do not point at an item that exists in the database..

Conditions:
-- There is another object, such as a firewall policy, that references a self IP address.
-- The self IP address is non-syncable; that is, its traffic group is set to 'traffic-group-local-only'.

Impact:
Sync operation fails.

Workaround:
Set the self IP address' traffic group to a value other than 'traffic-group-local-only', and then force a full load push from the first device.


679613-2 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.


679605-1 : Device groups with no members will cause upgrade to fail

Component: TMOS

Symptoms:
An empty device group will fail upgrade with this error message:

Syntax Error:(/config/bigip_base.conf at line: 37) "save-on-auto-sync" unexpected argument

Conditions:
This only affects systems with empty device groups.

Impact:
Configuration will fail to load after the upgrade.

Workaround:
Remove the empty device group before upgrading. An empty device group has no effect on the system, so this is a safe action to take.


679431-3 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679316-1 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.

Workaround:
There is no workaround at this time.


679027 : Rare memory corruption in tmrouted while license is being reset

Component: TMOS

Symptoms:
tmrouted core due to memory corruption while license is being reset.

Conditions:
Rarely, when license file is being reset, tmrouted could core.

Impact:
restart of tmrouted daemon


678456-2 : ZebOS BGP peer-group configuration not fixed up on upgrade

Component: TMOS

Symptoms:
ZebOS BGP configuration failed to load from upgrade to 13.0.0.

Conditions:
When configuration specifies neighbor peer-group inside the address-family clause

Impact:
loading of ZebOS configuration after upgrade

Workaround:
Modify the ZebOS configuration to put the neighbor peer-group clause outside of the address-family clause


678450-3 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.

Component: Local Traffic Manager

Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.

Conditions:
-- Connect to client and launch:
 # nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
 # nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.

When the virtual server is standard "F5RST port in use" is sent. When the virtual server is performance L4 is not.

Impact:
Connection hangs. No increase for port-in-use stats when using the following commands:
 tmsh show /net rst-cause.

Workaround:
None.


678322 : Missing Response Page for 'Login' is not populated upon upgrade

Component: Application Security Manager

Symptoms:
In a rare case, an error appears due to missing 'Login' Response Page when viewing Response Pages in ASM policy.

Conditions:
An ASM policy is missing a record for 'Login' Response Page. It's not clear how this condition was caused.

Impact:
An error appears:

Could not retrieve Login Page Response; Error: Could not get the ResponsePage 'Persistent Flow Response Page Properties', No matching record was found.

Workaround:
Missing Response Page can be added using this query:

mysql> INSERT IGNORE INTO PL_ALTERNATE_RESPONSES (policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rest_uuid) SELECT p.id as policy_id, cause, response_type, alternate_response_header, alternate_response_content, redirect_url, ajax_action_type, ajax_redirect_url, ajax_popup_message, ajax_custom_content, rp.rest_uuid
FROM PL_POLICIES p JOIN PL_ALTERNATE_RESPONSE_DEFAULTS rp where rp.flg_load_defaults = 1;


678117-1 : 'Can't create a home directory' logged for remote users on secondary blades after configsync

Component: TMOS

Symptoms:
When a remotely authenticated user logs in, a new entry is created in /config/bigip/auth/userrolepartitions. During config sync operations, the secondary blade of the device receiving the config, logs the following errors:

-- err mcpd[7575]: 01070261:3: Can't create a home directory for username /home/<username> (Failed opening home directory: /home/<username> - No such file or directory)

There is no /home/<username> on the device used as the source of the config sync.

The error message is logged on the secondary blade (of the target system) but not the primary one.

Conditions:
1. Remote user username in /config/bigip/auth/userrolepartitions.
2. No home directory for the remote user in /home/.

Impact:
There is no apparent impact beyond the error message, which sounds quite serious, but has no functional impact.

Workaround:
Create local user account for remote authenticated users.

To do so using the GUI, navigate to System :: Users : User List, and click Create.


678066 : LTM Policy Tcl-enabled values require 'tcl:' prefix

Component: Local Traffic Manager

Symptoms:
Prior to BIG-IP v12.1.0, LTM Policy implicitly allowed certain fields to contain Tcl expressions, which would be evaluated and used at runtime. Version 12.1.0 expanded the number of LTM Policy action fields that allow Tcl expressions, and also added the restriction that these fields must begin with the 4-character prefix tcl: to differentiate between a Tcl runtime expansion and a simple text string.

Conditions:
Pre-v12.1.0 LTM Policy containing an action that has a Tcl expression in one of the following actions, and does not begin with 'tcl:' prefix
   http-uri - value
            - path
            - query string
or
   http-reply - location

Impact:
The migration process, which should find this situation and automatically correct it, can miss in certain cases, leaving a configuration that may fail validation and not load.

Workaround:
Edit configuration file, manually add the 'tcl:' (without the quotes) prefix for the following actions:
 http-uri plus value/path/query
 http-reply plus location


677841-1 : Server SSL TLS session reuse with changed SNI uses incorrect session ID

Component: Local Traffic Manager

Symptoms:
If an iRule changes the SNI then the wrong session ID will be retrieved (using the original SNI).

Conditions:
Occurs when SNI is being modified by an iRule to an SNI that is different from the one specified in the server SSL profile.

Impact:
Connection may be rejected by the client if checking at the client occurs (Apache commonly does this). If the client finds that the SNI does not match the SNI in the session information, the connection may be rejected.

Workaround:
Disable SSL session cache. This has the side effect of reducing performance.


677666-3 : /var/tmstat/blades/scripts segment grows in size.

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows. This can eventually lead to the system no longer providing up-to-date statistics.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out-of-memory condition as well as out-of-date statistics.

Workaround:
No known workarounds.


677646-1 : System cannot boot up due to prior aborted installation

Solution Article: K62171231

Component: Access Policy Manager

Symptoms:
System stuck at boot up and never comes up.

Conditions:
Running the rpm command was aborted.

Impact:
BIG-IP system not operational.

Workaround:
Run the following command to remove the extraneous files:

rm -f /shared/lib/rpm/__db.??? && shutdown -r now


677485-2 : Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error

Component: TMOS

Symptoms:
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.

Conditions:
-- DSC cluster.
-- iControl REST.
-- BIG-IP system with stale BIG-IP master key in its cache.
-- BIG-IQ attempts to decrypt the secure values.

Impact:
Discovery fails due to secure value decryption error.

Workaround:
Restart iControl-REST server on the BIG-IP system.

On BIG-IP v12.0.0 and later:
-- In TMSH, run the following command:
restart sys service restjavad
-- On the console, run the following command:
bigstart restart restjavad

On BIG-IP v11.x.x:
-- In TMSH, run the following command:
restart sys service icrd
-- On the console, run the following command:
bigstart restart icrd


677442 : During bulk crypto processing for SSL traffic, tmm might restart in rare cases.

Component: Local Traffic Manager

Symptoms:
Processing bulk crypto traffic may cause tmm to crash and restart.

Conditions:
When processing bulk crypto requests handled by the Nitrox-based accelerators, a rare memory-corruption condition might occur. Specific circumstances that trigger the corruption are not known.

Impact:
Segmentation fault and core dump. Traffic disrupted while tmm restarts.

Workaround:
None.


677302 : Unable to save descriptions for firewall objects

Component: Advanced Firewall Manager

Symptoms:
System erases Description field of Address list/Port list objects when the object is modified.

Conditions:
-- Modifying an address/port definition for Address Lists or Port Lists/
-- Object contains a defined Description.

Impact:
Save operation erases Description.

Workaround:
Use tmsh to modify objects.


677270-2 : Trailing comments in iRules are removed from the config when entered/loaded in TMSH

Solution Article: K76116244

Component: Local Traffic Manager

Symptoms:
Comments at the bottom of an iRule (outside of any event stanza) end up missing from the config.

Conditions:
-- Merging an iRule in a config file in TMSH or entering the iRule manually in TMSH.
-- iRule comments are outside of any event stanza.

Impact:
Trailing comments in iRules are lost.

Workaround:
Use one or both of the following workarounds:

-- Make sure comments are inside of an event stanza.
-- Enter the iRule using the web GUI.


676854-1 : CRL Authentication agent will hang waiting on unresponsive authentication server.

Component: Access Policy Manager

Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.

Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.

Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.

Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.


676709-2 : Diameter virtual server has different behavior of connection-prime when persistence is on/off

Solution Article: K37604585

Component: Service Provider

Symptoms:
When using an Diameter MBLB profile with per-AVP persistence enabled and connection priming enabled, not all pool members may have a connection established as part of priming.

Conditions:
-- Diameter MBLB profile.
-- Per-AVP persistence enabled.
-- Connection priming enabled.

Impact:
It is possible that not all pool members will have a connection established as part of priming.

Workaround:
None.


676643 : FTP passive monitor uses IP address from PASV (not monitor destination)

Component: Local Traffic Manager

Symptoms:
A curl-based Tcl monitor for an FTP passive monitor uses the IP address from the FTP PASV command, rather then the IP address from the monitor destination. This is different from legacy behavior, which ignored the IP address obtained in the PASV command (to always establish a data connection to the IP address defined in the monitor destination). FTP passive monitors reliant upon the legacy behavior may stop working (with the pool member always being marked 'down').

Conditions:
FTP monitor is configured for passive, where the FTP PASV command provides an IP address.

Impact:
This new behavior is correct (the FTP passive monitor should use the IP address from the PASV command). However, configurations assuming legacy behavior to ignore the IP address in the PASV command and instead rely upon the IP address in the monitor destination may stop working (with the pool member always being marked 'down').

Workaround:
This behavior is correct, but to avoid using the IP address in the PASV command, configure the FTP monitor for active mode.


676491-2 : BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.

Component: Policy Enforcement Manager

Symptoms:
DHCP request is relayed to backend DHCP servers with Self-IP as relay agent instead of DHCP Virtual IP in case of Relay Chaining.

DHCP server will not be able to use the giaddr field to make a subnet determination while providing an IP address to a client.

Conditions:
DHCP relay chain, BIG-IP should be the relay agent right before the pool of DHCP servers.

Impact:
In a DHCP relay chain, BIG-IP does not relay agent right before the pool of DHCP servers.

Workaround:
1. The relay chain should be used across a single subnet if the DHCP server uses the giaddr to determine subnets for the clients.

2. If the use case is to load balance across multiple DHCP servers and the 3rd part DHCP relay cannot do so, LTM load balancing can be used.


676442-2 : Changes to RADIUS remote authentication may not fully sync

Solution Article: K37113440

Component: TMOS

Symptoms:
With multiple devices in a sync group, changes to remote authentication (for example, changes made using commands such as: tmsh modify auth radius system-auth servers replace-all-with { AAA_a AAA_b } ) will be effective on the device where the change was made.

And although the changes are synced to tmsh config on the other devices in the group, the changes are not effective on those devices, as may be observed by checking that the changes do not appear in /config/bigip/auth/pam.d/system-auth and /config/bigip/auth/pam.d/radius/system-auth.conf.

Conditions:
Devices in a sync group that will sync system-auth config.

Impact:
Changes to RADIUS authentication will not be effective throughout the device group.

Workaround:
After syncing RADIUS changes, run the following command on all devices:
 tmsh save sys config && tmsh load sys config.


676395-1 : Syslog messages seen with error code while viewing ssl certificate detail with debug turned on.

Component: TMOS

Symptoms:
Log message starting with 'Filemap returns Error 1 for file' gets logged into syslog while viewing certificate details.

Conditions:
1. Turn on debug using the following command:
 tmsh modify sys syslog daemon-from debug
2. Go to Certificate Management and navigate to view certificate details.

Impact:
No known impact other than the logged message.

Workaround:
Turn off debug using the following command:
 tmsh modify sys syslog daemon-from notice


676300-7 : EPSEC binaries may fail to upgrade in some cases

Solution Article: K04551025

Component: Access Policy Manager

Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.

Conditions:
Corrupted registry entry related to endpoint security components.

Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.

Workaround:
Remove the following registry keys from the registry:

Note: Use extra care editing the registry. Only remove the following keys, and no others.


"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


675911 : Different sections of the WebUI can report incorrect CPU utilization

Solution Article: K13272442

Component: Local Traffic Manager

Symptoms:
The following sections of the WebUI can report incorrect (i.e. higher than expected) CPU utilization:

- The "download history" option found in the Flash dashboard

- Statistics › Performance › Traffic Report (section introduced in version 12.1.0)

Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.

Conditions:
HT-Split is enabled (this is the default for platforms that support it).

Impact:
Incorrect CPU utilization is reported by multiple sections of the WebUI, which can confuse BIG-IP Administrators and cause unnecessary alarm.

Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

Live CPU utilization also can be obtained through various other means. Including: the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.


675742 : Hardware-to-VE-platform-migrate of a UCS may fail with an error on db variable license.maxcores

Component: TMOS

Symptoms:
Using the platform-migrate option to load a UCS from a different platform may show this error from loaddb:

01080023:3: Error return while getting reply from mcpd: 0x107178a, 0107178a:3: Modifying license.maxcores to a value other than 8 is not allowed.

The UCS loads successfully, other than the DB variable, but this error message is printed and the DB variables are not loaded.

Conditions:
-- Migrating a UCS from physical platform hardware to a Virtual Edition (VE) configuration.

-- License has an attribute limiting the maximum number of cores, and the incoming UCS has a value of the DB variable 'license.maxcores' that contradicts this.

Impact:
The DB variable file fails to load, generating the error message, but that does not stop the loading of the regular configuration files in BIG-IP*.conf.

Workaround:
The 'license.maxcores' value is ignored on hardware devices, so set it to 8 before saving the UCS.


675731-2 : Certain types of GTM Pools not displaying while listing WideIPs

Component: Global Traffic Manager (DNS)

Symptoms:
If you have a CNAME Pool and an AAAA, MX, NAPTR, or SRV pool in the same WideIP, running a 'list' command in TMSH shows only the CNAME pool.

Conditions:
-- A WideIP with a CNAME-type pool and an AAAA-, MX-, NAPTR-, or SRV-type pool.
-- Running a 'list' command in TMSH.

Impact:
Unable to properly view full configuration through TMSH.

Workaround:
None.


675368-2 : Unable to reorder rules when one of the rule names contain % or /

Component: TMOS

Symptoms:
Unable to reorder rules when one of the rule names contain % or /

Conditions:
One of the rule names contain % or /

Impact:
The rules cannot be reordered

Workaround:
Rename rules to make sure they don't contain % or /


675298-1 : F5 MIB value types changed to become RFC compliant

Component: TMOS

Symptoms:
In BIG-IP Version 12.1.2 several F5 MIB variables changed from 64-bit counter types to 32-bit gauge types. This change was made to make the MIBs RFC compliant. In a mixed environment, where some BIG-IPs are running 11.x and some running 12.x this can cause problems with the management station. If the management station cannot load MIBs dependent upon BIG-IP version then those variables can cause errors to be reported on the management station due to type mismatch.

Conditions:
An environment where a management station is managing BIG-IP systems with a mix of version 11.x and 12.x. The station may import a MIB version whose types do not match the MIBs on the BIG-IP system with regards to the type changes made in version 12.x.

Impact:
The management station reports errors due to type mismatch for some variables.

Workaround:
None.


674997 : It is not possible to use tmsh to change the password for 'admin' after configuring Remote-APM Based Auth on the BIG-IP system.

Component: TMOS

Symptoms:
With APM-based system authentication, using tmsh to make changes to the password for user 'admin' will apparently succeed, but the password will be unchanged.

Conditions:
-- APM-based system authentication configured.
-- Using tmsh to make changes to the password for user 'admin'.

Impact:
Unable to change password for default system account.

Workaround:
Switch to local system authentication, change the password for 'admin', then switch back to remote authentication.


674992-3 : AAM traffic report's time period doesn't always apply

Component: WebAccelerator

Symptoms:
AAM traffic report's time period doesn't always apply.

Conditions:
Select a time period on the AAM traffic report page other than last hour.

Impact:
The table and graph still display last hour data.


674957-1 : If a certificate is stored in DER format, exporting it using the GUI corrupts the output.

Component: TMOS

Symptoms:
When a certificate stored in DER format is exported, all bytes with values larger than 0x7E are replaced with 0x3F, and there is one more byte added (0x0a) at the end of the binary file.

Conditions:
Using the GUI to export a certificate stored in DER format.

Impact:
Corrupted certificate.

Workaround:
You will need to use openssl to create a copy of the certificate in .pem or .der format. For example, to export the der certificate myder.crt to a mycert.pem certificate in .pem format, run the following command:

openssl x509 -out mycert.pem -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:myder.crt_75978_1 -inform der

Note: This works for system users who can access the bash command, specifically, those with the administrator role.


674795-1 : tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds, when it should be hours.

Component: Traffic Classification Engine

Symptoms:
tmsh help/man page incorrectly state that the urldb feedlist polling interval is in seconds. In fact, it is in hours.

Conditions:
-- Viewing tmsh help/man page.
-- Searching for urldb feedlist polling interval.

Impact:
Note that the interval described is in hours instead of seconds.

Workaround:
None.


674754-2 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact

Component: Global Traffic Manager (DNS)

Symptoms:
Changing the email address in ZoneRunner and using a '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.

Note. The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.

Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.

Impact:
Confusion as to why the GUI is ignoring the new email address they entered.

Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.


674459 : Users are not expected to change security.commoncriteria DB variable through TMSH

Component: Local Traffic Manager

Symptoms:
Changing the security.commoncriteria db variable to true, and then attempting to change it back to false through TMSH causes validation errors related to SSHD configuration. Users are not expected to change this value without using the ccmode script.

Conditions:
Changing the security.commoncriteria db variable to true, and then back to false.

Impact:
Validation errors. The BIG-IP system remains stuck in Common Criteria mode when it is not desired.

Workaround:
None.


674328-3 : Multicast UDP from BIG-IP may have incorrect checksums

Component: TMOS

Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.

Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.

Impact:
Packets may be dropped by adjacent devices.

Workaround:
Disable checksum offloading on the virtual NIC for affected VLANS, e.g. "ethtool --offload vlan1274 rx on tx off"


674297-1 : Custom headers are removed on cross-origin requests

Component: Fraud Protection Services

Symptoms:
Custom headers are removed on cross-origin requests.

Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.

Impact:
The request will be blocked, FPS functionality breaks.

Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used:


when HTTP_REQUEST {
    if {[HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>"} {
       set modify_allowed_headers 1
    }
}

when HTTP_RESPONSE {
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1"} {
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}


674256-3 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
Cookie hijacking violation when the device ID feature is turned off is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.


673952 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


673640 : Log messages for virtual server status changes are not immediately logged.

Component: TMOS

Symptoms:
Log messages for virtual server status changes are not immediately logged.

Conditions:
-- Virtual server status due to lasthop-pool going down or coming back up.
-- Viewing associated logs.

Impact:
No status-change messages are present.

Workaround:
None.


673573 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.


673241 : Platform AC power supply faults when subjected to temperature above 50C (122F) at low input voltage.

Component: TMOS

Symptoms:
BIG-IP i15600, i15800 appliances utilizing a single 1500W AC power supply (PWR-0341-XX) shut down and trigger a fault.

Conditions:
This occurs when all of the following conditions are met:
-- PWR-0341-XX Single Supply.
-- input voltage is less than or equal to 100VAC.
-- System is is drawing maximum power (greater than 1000W).
-- Inlet temperature of the power supply is greater than 50C (122F).

Impact:
The power supply shuts down to protect itself. This results in appliance shutdown.

Workaround:
You can avoid this issue by doing any of the following:
-- Installing two PSUs in the unit.
-- Ensuring that input voltage is above 100VAC.
-- Operating the system at a temperature lower than 50C (122F).


673147-1 : Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.

Solution Article: K01350083

Component: TMOS

Symptoms:
The system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both. Although the virtual server configuration completes, three errors are logged to /var/log/tmm:

1) notice ISESSION: 172.27.114.10.443 ! 172.27.14.10.43321: connection error: isession_setup_ssl:1645: server-side SSL hudfilter replacement failed: ERR_NOT_FOUND

2) notice hudchain contains precluded serverside filter: CONNPOOL

3) notice MCP message handling failed in 0x898c80 (16977920): Jul 7 12:34:19 - MCP Message:
notice create {
notice virtual_server_profile {
notice virtual_server_profile_vs_name "/Common/http_optimize_client"
notice virtual_server_profile_profile_name "/Common/oneconnect"
notice virtual_server_profile_object_id 159423
notice virtual_server_profile_profile_class_id profile_connpool
notice virtual_server_profile_profile_type 13
notice virtual_server_profile_profile_context 0
notice virtual_server_profile_partition_id "Common"
notice virtual_server_profile_leaf_name "http_optimize_client"
notice virtual_server_profile_folder_name "/Common"
notice virtual_server_profile_transaction_id 62
notice }
notice }

Loading a configuration containing a virtual server with both a server-side iSession profile and a OneConnect profile succeeds, but logs a mutually exclusive profile error:
    notice hudchain contains precluded serverside filter: CONNPOOL

Conditions:
Three conditions must be satisfied.
1) The BIG-IP has AAM licensed.
2) A server-side iSession profile is added to a virtual server.
3) A OneConnect profile is added to the same virtual server.
Conditions 2 and 3 can be done in either order.

Impact:
OneConnect and iSession are mutually exclusive features, because both implement connection pooling. Configuring
a virtual server with both server-side iSession and
OneConnect profiles will break connection pooling, causing
connections associated the virtual server to hang.

Workaround:
Avoid configuring both server-side iSession and a OneConnect profiles on the same virtual server, as this is never a valid configuration.


673095 : Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'

Component: Local Traffic Manager

Symptoms:
Unable to load a UCS due to a VLAN validation error.

Conditions:
QinQ VLANs saved in a UCS file.

Impact:
Unable to reload the saved config.

Workaround:
Before loading the config, use tmsh to delete all VLANs. Then config will load successfully.


672063-1 : Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.

Solution Article: K38335326

Component: TMOS

Symptoms:
Misconfigured GRE tunnel and route objects on the BIG-IP system might cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.

The following is an example to illustrate how misconfiguration can lead to an ill-formed routing loop inside the TMM.

net tunnels tunnel gre1 {
    if-index 5472
    local-address 10.10.0.1
    mtu 1400
    profile gre
    remote-address 10.20.0.1
}

net self 10.9.0.1/24 {
    address 10.9.0.1/24
    traffic-group traffic-group-local-only
    vlan gre1
}

net route 10.20.0.0/24 {
    interface /Common/gre1
    network 10.20.0.0/24
}

In the above example, if a packet is destined for the network 10.20.0.0/24, the packet is sent over the GRE tunnel for encapsulation. After encapsulation, the destination address of the encapsulated packet is 10.20.0.1 (i.e., tunnel's remote-address) which matches the configured route again. As a result, the encapsulated packet is fed to the tunnel again and this process repeats to form a routing loop inside the TMM.

Conditions:
Misconfigured GRE tunnel and route objects, leading to an ill-formed routing loop inside the TMM. Please refer to the above example for an illustration.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
This issue is caused by misconfiguration which can be avoided. The recommendation is to examine the configuration, making sure that it does not lead to an ill-formed routing loop inside the TMM.


671553-2 : iCall scripts may make statistics request before the system is ready

Component: TMOS

Symptoms:
iCall scripts may make statistics requests before statsd (a necessary service for stats collection) is ready.

Conditions:
Early during startup.

Impact:
The Tcl script may generate an error and stop working.

Workaround:
Use Tcl's 'catch' command to detect and handle the error.


671372-2 : When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Solution Article: K01930721

Component: TMOS

Symptoms:
When creating a pool and modifying all of its members in a single transaction, the pool will be created but the members will not be modified.

Conditions:
-- Creating a pool.
-- Modifying all of its members in a single tmsh transaction.

Impact:
The pool will be created but the members will not be modified.

Workaround:
Create a pool in one transaction; followed by modifying members in another transaction.


671261-2 : MCP does not recognize 'Notify Status to Virtual Address' when using 'Selective' setting of ICMP Echo

Solution Article: K32306231

Component: TMOS

Symptoms:
When selecting 'Notify Status to Virtual Address' on a virtual server, and using the 'Selective' setting of ICMP Echo for a corresponding virtual address, MCP does not recognize that this setting has changed and does not modify the ICMP echo settings of the virtual address accordingly. The previous setting will continue to take effect until another (unrelated) change is made to the virtual address.

Conditions:
The 'Selective' setting of ICMP Echo is used for a virtual address, and the user selects 'Notify Status to Virtual Address' on a virtual server associated with that address.

Impact:
The previous setting will continue to take effect, until an (unrelated) change is made to the virtual address, at which point the new setting will take effect.

Workaround:
After changing the 'Notify Status to Virtual Address' on a virtual server (where 'Selective' setting of ICMP Echo is used for the corresponding virtual address), make another change to the virtual address to cause the new setting to take effect.


671236-2 : BGP local-as command may not work when applied to peer-group

Solution Article: K27343382

Component: TMOS

Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.

Conditions:
Applying the BGP local-as command to a peer group.
For instance:
  neighbor <peer-group> local-as <AS>.

Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.

Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.


671178 : Date/time change after configuring HA may impair configuration sync

Solution Article: K20274760

Component: TMOS

Symptoms:
Configuration not syncing among units in high availability (HA) group.

Conditions:
Date/time is set to an earlier date/time after HA is already configured.

Note: Changes are synced as expected when changing date/time to a later value; only setting to a earlier one results in this issue.

Impact:
-- Configuration changes are not recognized, and changes are not synced, however, system sync status incorrectly reports as 'in-sync'.

-- The 'Time Since Last Sync' displayed when running 'tmsh show /cm device-group' is negative. Note: This is only a cosmetic issue and has no effect on the system.

Workaround:
Note: Devices should be configured with NTP.

To restore consistency to the group, you can do one of the following:
-- Reset the time to be consistent with peers and make another config change.
-- Make a change on the peer device with the farthest future system time.
-- Force a sync to another device with the farthest future system time using a command similar to the following:
 tmsh modify cm device-group <device group name> devices modify { <sync-to-device-name> { set-sync-leader } }.


671025 : File descriptor exhaustion can occur when state-mirroring peer-address is misconfigured

Component: TMOS

Symptoms:
devmgmtd exhausting file descriptors when state-mirroring peer-address is misconfigured:
err devmgmtd[8301]: 015a0000:3: [evConnMgr.tcc:29 evIncomingConn] Incoming connection failed: Too many open files

Conditions:
State-mirroring peer-address is misconfigured or configured to a self-ip with port lockdown misconfigured.

Impact:
devmgmtd has too many open files causing iControl issues as it is unable to communicate with devmgmtd.

Workaround:
None.


670994-2 : There is no validation for IP address on the ip-address-list for static subscriber

Component: Policy Enforcement Manager

Symptoms:
You can add IP address for a static subscriber with a subnet mask, and the system creates a subscriber by discarding the subnet mask without any error message.

Conditions:
This occurs when you add a ip address with a subnet mask to the ip address list for a static subscriber.

Impact:
An invalid ip address is added without warning or error.


670893-1 : Sensitive monitor parameters recorded in monitor logs

Component: Local Traffic Manager

Symptoms:
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under the following conditions:

1. LTM monitor type is one of the following:
ldap
mssql
mysql
nntp
oracle
postgresql
radius
radius-accounting
smb
snmp-dca
snmp-dca-base
wap

On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
ftp
imap
pop3
smtp


2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:

a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.

b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.


670691 : Unable to list ntlm profile in different root folder or partition

Solution Article: K02331705

Component: TMOS

Symptoms:
Unable to list NTLM profiles when they are in a different root folder or partition than the currently active folder or partition.

Conditions:
This occurs when attempting to list a partition that exists in another folder or partition.

For example:
-- The active folder or partition is /Common.
-- The NTLM profile 'my_ntlm' exists in the '/NTLM_Profile' folder or partition.
-- You run a command similar to the following to show details of an NTLM profile: list ltm profile ntlm /NTLM_Profile/my_ntlm.

Impact:
Unable to display NTLM profiles that reside outside of the active folder or partition. The system posts error messages similar to the following:

Error in ntlm: "/NTLM_Profile/my_ntlm" not found.
01020036:3: The requested Config Instance ( /NTLM_Profile/my_ntlm) was not found.

Workaround:
Change folders or partition before listing NTLM profiles.


670520-3 : FastL4 not sending keepalive at proper interval when other side gets response

Component: Local Traffic Manager

Symptoms:
FastL4 not sending keepalive at proper interval when other side gets response. With FastL4, when a response to an LTM-initiated keepalive is received from a device on one side is received, it is forwarded to the other.

It appears that causes a keepalive to not be sent on that other side. The keepalive interval is 20 seconds. If the LTM is scheduled to send a keepalive to the server, but receives a keepalive response on the client side, before it sends the serverside keepalive, the client side keepalive response is forwarded, but the actual keepalive is not sent to the server.

Conditions:
FastL4 and keepalive.

Impact:
Potential for failure as in FastL4: the timeout timer is not updated unless a response is returned. Since the LTM does not send the keepalive, there is not going to be a response for that interval.

Workaround:
None.


670501-5 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device

Solution Article: K85074430

Component: Application Security Manager

Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device

Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.

Impact:
Policies are either not created/deleted, or not fully created/deleted.

Note: Fully created and fully deleted meaning that the following commands agree with each other:
   # tmsh list asm policy one-line all-properties
   # tmsh list asm policy one-line

Workaround:
Issue a forced full sync from the originating device to the device group.


670456-3 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number

Component: Access Policy Manager

Symptoms:
Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when being called with a number of arguments different than 7.

Conditions:
Any flash that have a call of mx.core::CrossDomainRSLItem() with a number of arguments different than 7.

Impact:
Flash application malfunction.


670367-2 : On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

Solution Article: K39391280

Component: Access Policy Manager

Symptoms:
On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

The limit of customization group object that the BIG-IP Virtual Edition (VE) can load is approximately 13 KB.

Conditions:
Large number of policies (thousands) and customization objects (tens of thousands).

Impact:
Unable to load configuration.

Workaround:
Turn off watchdog for mcpd via tmsh using the following command:
tmsh modify sys daemon-ha mcpd heartbeat disabled

Important! Remember to re-enable tmsh watchdog after the config loads successfully. To do so, run the following command:
tmsh modify sys daemon-ha mcpd heartbeat enabled


670258-2 : Multicast pings not forwarded by TMM

Component: Local Traffic Manager

Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.

Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.

Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.

Workaround:
n/a


669978-4 : SIP monitor - Via header's branch parameter collision.

Solution Article: K15204204

Component: Service Provider

Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.

Conditions:
SIP branch hash string length is small enough that when sufficient SIP monitor messages were inundated, possible branch collision.

Impact:
This causes the backend server erroneously to send a response message to LB1 instead of LB2.

Workaround:
None.


669585-3 : The tmsh sys log filter is unable to display information in uncompressed log files.

Component: TMOS

Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.

Conditions:
One or more of the BIG-IP sytem backup log files, designated with .1, .2, etc are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.

Impact:
Unable to view the full range of backup log information.

Workaround:
To log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:

gzip /var/log/<log>.*

For example, to compress the full set of backup logs for the ltm log type, type the following command:

Note: The following message is expected if the log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged'

gzip /var/log/ltm.*


669241-1 : Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Component: TMOS

Symptoms:
Stateless virtual servers can be used only for UDP traffic.

Conditions:
Attempt to create a stateless virtual server with ip-protocol set to 'gre'.

Impact:
Operation does not succeed. Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Workaround:
None.


668849-1 : Upgrade failure for apm-log-setting objects

Component: Access Policy Manager

Symptoms:
After upgrade to 13.1.0, the configuration will fail to load with error: 01070734:3: Configuration error: In apm log-config (/p1/f1/sso-log-setting-Critical) there can only be one instance of access log configuration
Unexpected Error: Loading configuration process failed.

Conditions:
If before upgrade, you have sso form-basedv2 object or saml sso config objects in your configuration

Impact:
mcpd will fail to start

Workaround:
manually edit the bigip.conf and remove all the sso form-basedv2 objects and saml sso config objects and then do tmsh load sys config


667661-4 : Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'

Solution Article: K69015104

Component: Device Management

Symptoms:
Adding a secondary HA device to Access Group fails with error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.

Conditions:
Fails when adding a HA device to Access Group.

Impact:
Device cannot be added to Access Group.

Workaround:
None.


667618-2 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: TMOS

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection will continue to be unsupported until the machine exit hardware SYN cookies.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Note that if no good traffic hits the virtual server, syncookies will also fail to deactivate, but will do so once both good traffic has been seen, and the attack has ended.

Workaround:
There is no workaround at this time.


667518 : SSO Configurations update is failing from UI

Component: Access Policy Manager

Symptoms:
SSO Configurations update is failing from the GUI.

Conditions:
While creating SSO form with SSO configuration, Update is failing with UI Javascript error.

Impact:
From UI user not able to update the SSO Configurations, with SSO Form creation.

Workaround:
Create separate SSO form and assign to SSO configuration. Or use TMSH to create both.


667476 : Upgrade and config load can fail if a data group record of type string contains a tab character

Component: TMOS

Symptoms:
When a datagroup record is of type 'string' and contains a tab (\t) the record loads but when the configuration is saved the record is not save with enclosing quotes.

Conditions:
-- Data group whose type is string.
-- Record entry that contains a tab character along with other non-whitespace characters.

Note: If other whitespace characters are present the string will have enclosing quotes and this issue will occur.

Impact:
Saved config does not load when running the command: tmsh load /sys config.

Upgrade fails to load the configuration.

Workaround:
In order to either load the configuration or upgrade, you must manually edit the bigip.conf file and enclose the string in quotation marks, as shown in the following example:

Existing config
==================
ltm data-group internal /Common/sample_dg {
  records {
    entry1 {
      data /BIG-IP BAD
    ...

Modified config:
ltm data-group internal /Common/sample_dg {
  records {
    entry1 {
      data "/BIG-IP BAD"
   ...


667295-1 : 'RTSP::header exists' iRule command always returns True

Solution Article: K51601122

Component: Carrier-Grade NAT

Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.

Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].

Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.

Workaround:
None.


667114-1 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Solution Article: K32622880

Component: TMOS

Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.

Impact:
Lower throughput than expected.

Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.


667082-2 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.

Component: TMOS

Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.

Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.

Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.

Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.


666889-1 : Deleting virtual server may cause tmm to segfault

Solution Article: K25769531

Component: Local Traffic Manager

Symptoms:
Deleting virtual server may cause tmm to segfault.

Conditions:
-- Virtual server is rate-limited.
-- In-progress connections exist.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


666497-2 : Some of the Korean translations in Windows Edge Client were incorrect

Component: Access Policy Manager

Symptoms:
Some of the Korean translations in Microsoft Windows Edge Client's main windows are incorrect.

Conditions:
User uses Edge Client application on Windows.

Impact:
Confusion due to inaccurate translation.

Workaround:
None.


666258-2 : GTM/DNS manual resume pool member not saved to config when disabled

Component: Global Traffic Manager (DNS)

Symptoms:
manual-resume disabled pool member becomes available after reboot.

Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.

Impact:
Unexpected available pool member which should be disabled.

Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only


666127-1 : Flows are incorrectly processed on a standby system.

Component: Local Traffic Manager

Symptoms:
Standby system incorrectly processes flows, even if there is no other traffic group active on that system.

Conditions:
-- Spanning is enabled for a virtual address.
-- No other traffic group active on a standby system.

Impact:
Flows are incorrectly processed.

Workaround:
None.


666117-4 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
Device Service Cluster with only self-ips configured for the failover network.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.


665777 : TMM0 on the secondary blade sends out extra ARP replies

Component: Local Traffic Manager

Symptoms:
TMM0 on the secondary blade can send out more than one ARP reply when it receives an ARP request.

Conditions:
ARP request is received by TMM0 on the secondary blade.

Impact:
The BIG-IP system sends out extra ARP replies.

Workaround:
None.


665425-3 : AVR Max metrics shows wrong values

Solution Article: K24182390

Component: Application Visibility and Reporting

Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.

Conditions:
The root-cause is 32bit overflow, so the incorrect values are displayed when there are high volumes of traffic.

Impact:
Displayed metrics do not correctly show activity.

Workaround:
There is no workaround at this time.


665117-2 : DNS configured with 2 Generic hosts for different DataCenters, with same monitors, servers status flapping

Solution Article: K33318158

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Server status flapping from red-green-red.

Conditions:
-- Two generic hosts in two different DataCenters;
-- Two generic hosts are not available through DNS;
-- Same monitor with available alias IP/port configured.

Impact:
Server status flaps from red to green and back.

Workaround:
Check Transparent for these monitors.


664596-1 : One LTM policy causes a different policy to not execute

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, the presence of one LTM policy will preclude another LTM policy from running.

Conditions:
Two policies present on a virtual server, one policy with a condition at HTTP_RESPONSE time will prevent a policy that unconditionally acts at HTTP_REQUEST time.

Impact:
Expected LTM policy does not run.

Workaround:
None.


664000 : TMM restart/core possible if key/cert is modified while SSL handshakes are ongoing

Component: Local Traffic Manager

Symptoms:
Dynamic configuration changes with live traffic may have or cause complicated issue or unpredictable behaviors. TMM might restart and generate a core file when modifying key/cert on a profile while ongoing SSL handshakes are using it. System posts messages similar to the following:

-- crit tmm3[13499]: 01010260:2: Hardware Error(Co-Processor): cn3 request queue stuck
-- warning sod[6005]: 01140029:4: HA crypto_failsafe_t cn-crypto-3 fails action is failover.

Conditions:
The key/cert on a profile is modified while ongoing SSL handshakes are holding it.

In one case, OCSP was removed from all the SSL profiles at some point after the handshake started, so the handshake picked up the new profile without refreshing or invalidating the handshake's copy of the key_cert.

Impact:
Normal functionality might be disrupted. Traffic disrupted while tmm restarts.

Note: There is no support currently for dynamic profile configuration changes while there are ongoing connections using the profile.

Workaround:
Do not try to modify key/certs on a profile while there are a lot of ongoing connections using it.


663946-2 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.


663925-5 : Virtual server state not updated with pool- or node-based connection limiting

Component: Local Traffic Manager

Symptoms:
Rate- or connection-limited pool members and nodes do not immediately affect virtual server status.

Conditions:
The connection count reaches the configured connection limit.

Impact:
Virtual server is not automatically disabled when connection limit is reached and does not return from the unavailable state after connections decrease.

Workaround:
None.


663911-2 : When running out of memory, MCP can report an incorrect allocation size

Component: TMOS

Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:

Failed to allocate memory for size 260 at clone_message:952.

The memory size indicated in the message may be incorrect.

Conditions:
MCP runs out of memory while attempting an allocation.

Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.

Workaround:
None.


662308-1 : BD core

Component: Application Security Manager

Symptoms:
BD process crashes and produces a core file; traffic disturbance.

Conditions:
BD threads access the data structure, and in a rare circumstance, one thread touches while the other is processing data.

Note: This issue very timing sensitive to occur so it is unlikely to occur in normal operating conditions.

Impact:
Memory corruption on one of the internal data structures. Traffic disrupted while bd restarts.

Workaround:
None.


662296-1 : Under heavy traffic load tcpdump -i 0.0 can impact the VIPRION management cluster IP address

Component: Local Traffic Manager

Symptoms:
Management connectivity loss over the management cluster IP address. This is caused by a secondary blade temporarily taking over the cluster primary due to starvation of clusterd on the blade running tcpdump.

Conditions:
-- A multi-bladed configuration with full traffic load.
-- Run tcpdump -i 0.0.

Impact:
Loss of connectivity to the cluster floating IP address. The /var/log/ltm clusterd shows timeouts and temporary change of primaryship.

Workaround:
Mitigation:
-- Judicious use of tcpdump -i 0.0.

Workaround:
-- Kill tcpdump from the SSH session to the slot IP address directly or using the console.
-- Restart tmm to fix the issue with MPI stream connection loss.


660895-2 : TMM can crash if TMM count is greater than licensed throughput

Component: TMOS

Symptoms:
The rate shaper used for BIG-IP virtual Edition (VE) divides the total licensed throughput amongst the running TMMs to determine a per-TMM throughput. If the TMM count is greater than the licensed throughput, then this causes a 0-per-tmm throughput limit, which is unfortunately used as a divisor later in rate shaper operations, and which might result in an eventual divide-by-zero error and a crash. This might repeat indefinitely.

Conditions:
Install a license on a VE with a bandwidth limit where the number of megabits per second (Mbps) is less than the number of TMM instances (typically, the number of CPU cores), for example, Use a 2 Mbps license and configure 4 CPUs on a VE system.

Note: This has been observed on evaluation licenses, but might be possible in other circumstances.

Impact:
Traffic is disrupted while TMM restarts, potentially repeatedly.

Workaround:
Change the number of vCPUs available to the BIG-IP guest to be less than the licensed throughput.


660826-1 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
BIG-IQ involving multiple commands in a transaction to modify customization group fails.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customication: logon.inc and view.inc both)
This should create two customization templates.

3) Make a backup of the customization template files in some folder (/tmp). For example: To copy logon.inc and view.inc for logon agent in sjc-access policy?(sjc-access_act_logon_page_ag) below cp statements worked.

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc
:Common:sjc-access_act_logon_page_ag::logon.inc_74991_2

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
BIG IQ operation failed with scenario involving change to customization group.

Workaround:
There is no workaround.


660807 : Clientside command with parking command crashes TMM

Component: Local Traffic Manager

Symptoms:
iRule parking command 'table lookup' inside clientside crashes TMM.

Conditions:
iRule parking command 'table lookup' inside clientside.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, move the parking command outside clientside/serverside.


660760-1 : DNS graphs fail to display in the GUI

Solution Article: K75105750

Component: TMOS

Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.

Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).

Impact:
Accessing the DNS graphs in the GUI fails.

Workaround:
None.


660759-4 : Cookie hash persistence sends alerts to application server.

Component: Fraud Protection Services

Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.

Conditions:
-- Persistence profile in their virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.

(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)

Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.

Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:

ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
    
    #enable the usual persistence cookie profile.

    if { [HTTP::path] eq "/<alert-path>/" } {
        persist none
    }
}
}


660326-2 : Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.

Component: Application Security Manager

Symptoms:
Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.

Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.

Impact:
Upgrade fails.

Note: Although this is an invalid configuration, upgrade should not fail.

Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers

Note: The first workaround must be done before the update. The second can be done before the upgrade, or by editing the config files and re-loading config (first base, then all) using the following command:

tmsh -c 'load sys config partitions all base; load sys config partitions all'


660119-1 : Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Solution Article: K36005385

Component: Local Traffic Manager

Symptoms:
When the monitor is configured with a timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Conditions:
Monitor configured with timeout plus interval larger than 86400.

Impact:
Periodically service taken offline which may result in persistence issues or impact service availability.

Workaround:
Reduce the monitor's timeout to less than (86400 - interval).


659930-1 : Enterprise Manager may receive malformed data if there are multiple monitors on a pool

Component: Global Traffic Manager (DNS)

Symptoms:
Enterprise Manager (EM) may receive malformed data if there are multiple monitors on a pool. big3d returns malformed xml. Messages similar to the following appear in /var/log/em:
 Could not parse xml for device.

Conditions:
-- Flapping pool monitor has more than two HTTP-type monitors.
-- iControl data returned from big3d LTM is malformed xml.

Impact:
Malformed data causes EM to not be able to gather stats from big3d.

Workaround:
None.


659888-1 : Profiles with names that contain percentage signs cannot be accessed in TMUI

Component: TMOS

Symptoms:
Clicking profiles on the list page in the Configuration Utility (GUI) with names that contain a percentage sign does not take you to the profile page.

Conditions:
-- Clicking profile names with percentage signs.
-- The profiles list page in the GUI.

Impact:
The profile pages cannot be accessed from the profiles list page in the GUI.

Workaround:
Use tmsh or rename your profiles so their name does not include a percentage sign.


658943 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use either of the following Workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.


658850 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>


658278-3 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows :
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.


658103 : TMM core while adding logging action to APM SWG

Solution Article: K00652162

Component: Access Policy Manager

Symptoms:
TMM core while adding logging action to APM SWG.

Conditions:
-- Use of an application lookup perflow variable (perflow.application_lookup.result.*) in an SWG per-request Logging Agent.
-- No Application Lookup Agent found prior in the chain.

For example
- The following example will crash:
    start : logging : allow

- The following will succeed:
    start : application lookup : logging : allow

Impact:
TMM core. Traffic disrupted while tmm restarts.

Workaround:
There are two possible workarounds:

-- Remove the applicable perflow variables from the logging agent.
-- Add an application lookup before trying to log application lookup perflow variables.


658036-2 : Honoring negotiated MSS for TCP segmentation

Solution Article: K04651090

Component: TMOS

Symptoms:
Following are the symptoms:

1. When the BIG-IP system's MTUs are larger than the smallest MTU in the end-to-end path:
-- The BIG-IP system does not mark coalesced packets larger than egress MSS but smaller than egress MTU in the BIG-IP system for segmentation. Therefore, the BIG-IP system receives 'ICMP fragmentation needed' messages from an intermediate router which drops the packets when the Don't Fragment (DF) bit is set in IP header.

2. When the BIG-IP system's MTUs are less than 1500:
-- On ingress, the BIG-IP system rejects coalesced packets larger than ingress MTU and less than 1500 and having DF bit set in IP header. the BIG-IP system sends 'ICMP fragmentation needed' message to sender.

Conditions:
* Generic Receive Offload (GRO) and Large Receive Offload (LRO) for data plane interfaces are supported and enabled (both in host and guest).

* Packets are sent with DF bit set.

* For #1:
-- FastL4 profile in use.
-- The BIG-IP system's VLAN MTUs are larger than the smallest MTU in the end-to-end path.

* For #2:
-- The BIG-IP system's MTUs are set to a value that is less than 1500.
-- The packets' DF bits are set.

Impact:
No traffic or very low throughput.

Workaround:
Disable LRO and GRO for data plane interfaces using the following command:

tmsh modify sys db tm.tcplargereceiveoffload value disable.

Note: For KVM virtio devices, LRO/GRO need to be turned off in host NIC.


657912-1 : PIM can be configured to use a floating self IP address

Component: TMOS

Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.

Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.

Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.

Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.


657834-2 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely to see the condition.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


657727-2 : Running tcpdump from TMSH cannot capture the local "tmm" interface

Solution Article: K39694060

Component: TMOS

Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device

This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.

Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.

Impact:
Cannot run tcpdump on the 'tmm' internal interface.

Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.


657531-2 : High memory usage when using the ICAP server

Solution Article: K02310615

Component: Application Security Manager

Symptoms:
High UMU memory when using the ICAP server.

Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that should get to the ICAP server.

Impact:
UMU memory goes up.

Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the size for the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).


655767-3 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

    01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.


655724-3 : MSRDP persistence does not work across route domains.

Solution Article: K15695

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.


655484-1 : GUI LTM Pool Statistics Page running out of memory with large number of Pools

Solution Article: K69912019

Component: TMOS

Symptoms:
When there is a large number of configured Pools, it can adversely affect Pool Statistics Page display, causing an Out of Memory error.

Conditions:
Configure 2200 or more pools, and go to the Pool Statistics page.

Impact:
The page does not display because it causes Tomcat to run out of memory and restart automatically.

Workaround:
You can increase the memory allocated to Tomcat. For more information, see K9719: Error Message: java.lang.OutOfMemoryError, available at https://support.f5.com/csp/article/K9719


654981-2 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.

Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).

Impact:
This may cause Local Traffic Policies to execute an unintended action.

Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.


654915-3 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address

Component: Application Visibility and Reporting

Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.

Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.

Impact:
External log reports internal IP address instead of pool member name.

Workaround:
There is no workaround at this time.


653928 : On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed with Conflicting configuration error.

Component: TMOS

Symptoms:
On a BIG-IP system with DHCP enabled, 'tmsh load sys config default' consistently fails after 'tmsh load sys config' has failed due to an incorrect configuration. The system posts a Conflicting configuration message in response to the error.

Conditions:
There are multiple ways to encounter this:

-- The BIG-IP system has a working configuration and is running normally. If the configuration becomes invalid, due to hardware configuration changes, a configuration mistake, or a typo in one of the configuration files, the MCPD never reaches the running state due to the configuration load error.

-- If the BIG-IP system is managed by a BIG-IQ device, and the BIG-IQ device revokes the BIG-IP system's license, the configuration load might start failing if the BIG-IP system's configuration contains advanced features that require an active license.

Impact:
If the misconfiguration occurs during a upgrade from 10.2.4 to 12.1.x, the operation fails with the DHCP error.

In these cases, when you try to load the default configuration through 'tmsh load sys config default', the configuration load fails with this error:

/Common/management-ip: Conflicting configuration. Management-ip can't be created manually while DHCP is enabled. Within tmsh run 'modify sys global-settings mgmt-dhcp disabled' before manually changing the management-ip.

MCPD never reaches the running state and the BIG-IP system does not function as expected.

Workaround:
Once this problem occurs, there is no way to force 'load sys config default' without first resolving the 'base config load failure' mcpd status, which requires repairing the configuration errors that caused the initial base configuration load failure.

To do so, review the log files to determine the specific misconfiguration and remove it from the corresponding configuration file. Then try the configuration load operation again.


653573 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on the device is spinning up rsync processes and not cleaning them up properly, which can result in zombie processes.

Conditions:
The rsync process ends via exit (which might occur if there is an issue with the process).

Impact:
Although there is no technical impact, there are many zombie processes left behind.

Workaround:
Restart admd to remove all existing rsync zombies:
bigstart restart admd


653273 : "Unexpected Error" showing traffic-selector default-traffic-selector

Component: TMOS

Symptoms:
Running this tmsh command results in "Unexpected error":
tmsh show net ipsec ipsec-sa traffic-selector default-traffic-selector-interface

Conditions:
This occurs when running tmsh show net ipsec ipsec-sa traffic-selector default-traffic-selector-interface

Impact:
The result is not return, the only output is "unexpected error".


653228-2 : SNAT does not work properly on FTP VIP2VIP

Solution Article: K34312110

Component: Local Traffic Manager

Symptoms:
SNAT does not work properly on FTP VIP2VIP.

Conditions:
-- FTP communicates VIP2VIP to second virtual server.
-- SNAT is configured on second virtual server.

Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.

Workaround:
Do not configure SNAT on second virtual server.


653137-1 : Virtual flaps when FQDN node and pool configured with autopopulate

Solution Article: K24159492

Component: Local Traffic Manager

Symptoms:
Virtual address status flaps (RED :: BLUE :: DOWN :: UNCHECKED) when the FQDN node and pool are configured with autopopulate enabled, and the FQDN DNS response returns the same addresses.

Conditions:
-- FQDN node and pool are configured with autopopulate enabled.
-- FQDN DNS response returns the same addresses.

Impact:
The virtual server becomes unavailable, and later switches to unchecked.

Workaround:
None.


652577-2 : Changes to MAC Masquerading may cause the Standby unit not reach the floating Self-IP address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, changes to the MAC Masquerading setting of a traffic group may cause the Standby unit to be unable to reach the floating Self-IP.

Conditions:
- HA pair
 - Traffic-group with a MAC set in the MAC Masquerading setting.
 - Floating Self-IP using the above traffic-group
 - Make a change to the MAC Masquerading MAC address on the Active unit.
 - Run a config-sync from Active to Standby

Impact:
Standby unit is unable to reach the floating Self-IP address.
No external or internet facing traffic will be affected.

Workaround:
Reboot or restart TMM.


652530 : Parameter names are case sensitive in Internet Explorer 9 only

Component: Fraud Protection Services

Symptoms:
Mis-configured parameter names with incorrect case will work as if they were configured correctly in all browsers except for Internet Explorer 9

Conditions:
Parameter names configured in the wrong case

Impact:
Encryption and data integrity features will appear to work as expected in all browsers except Internet Explorer 9.

In Internet Explorer 9, encryption and data integrity will not be activated on the misconfigured parameter.

Workaround:
Reconfigure the parameter name to use the correct case.


652370-1 : The persist cookie insert iRule command may leak memory

Component: Local Traffic Manager

Symptoms:
In some situations, the persist cookie insert iRule command may leak memory for the cookie name.

Conditions:
The persist cookie insert iRule command is used.

Impact:
Eventually, the TMM will run out of memory due to the leak.


652223-1 : BWC: Non-TCP data going through Category can make policy active

Solution Article: K50325308

Component: TMOS

Symptoms:
When category is set at lower rate than 100% of the user rate, and traffic going through the category is non-TCP, and the amount of data is 150% of the instance rate, then that can create policy to be active, lowering the overall bandwidth.

Conditions:
This occurs when all of the following conditions are met:
-- Category rate is less than max-user-rate
-- Traffic is non-TCP data.
-- Amount of data passing is 150% of max-user-rate.

Impact:
BWC dynamic policy cannot achieve 100% of max-rate.

Workaround:
Increase the max-rate of any dynamic policy, and add an additional static policy set to the max-rate expected from the dynamic policy.

Note: There is no actual fix for this issue except for not using UDP traffic in categories, if the amount of traffic on that UDP category is expected to exceed 150%, or over to the maximum fair rate provided by the BWC instance. Note that the PEM subscriber and BWC instance have 1-1 relationship.


652222-1 : Sending scheduled-reports will fail due to lack of backend support

Component: Application Visibility and Reporting

Symptoms:
Using the scheduled report from GUI fails and causes some orphan file descriptors every time scheduled report runs.

Conditions:
Using the scheduled report from GUI.

Impact:
Scheduled-reports won't work and cause the system to have more orphan opened file-descriptors every time it tries to send the report.

Workaround:
None.


651886-1 : Certain FIX messages are dropped

Component: Service Provider

Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.

Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.

Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.


651169-3 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.


651136-2 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Solution Article: K36893451

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.


651005-3 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to known issue FTP data connection may fail to use auto-lasthop settings configured on the virtual server and use a value configured on VLAN level instead.

Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.


650019-2 : The commented-out sample functions in audit_forwarder.tcl are incorrect

Component: TMOS

Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.

Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.

Impact:
The Transform function may not work if the examples are followed.

Workaround:
Use the default Transform function as a starting point instead of one of the examples.


649897 : Using the REST API, making a change to an FQDN pool causes the pool member availability to become unknown.

Component: Local Traffic Manager

Symptoms:
Using iControl REST, making a change to an FQDN pool member causes the pool member availability to become 'unknown'.

Conditions:
Using iControl REST, modify an existing pool member configured with an FQDN name.

Note: This issue does not affect pool members configured to point directly at an IP address.

Impact:
The pool member status will show 'unknown'.

Workaround:
None.


649441-2 : Classification memory allocation

Component: Traffic Classification Engine

Symptoms:
Classification library ('CE') allocates an extra 2 KB of memory per flow and never used it.

Conditions:
Classification and HTTP profile attached to Virtual Server.

Impact:
High memory footprint for heavily loaded systems.

Workaround:
Install latest Classification Update Package ('IM Package').


649275-2 : RSASSA-PSS client certificates support in Client SSL

Component: Local Traffic Manager

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through 13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version from BIG-IP v11.6.0 through 13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
None.


648873-3 : Traffic-group failover-objects cannot be retrieved via iControl REST

Solution Article: K93513131

Component: TMOS

Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].

(The ... represents the data that was presented as a list property.)

Conditions:
Trying to use iControl REST for getting failover-objects associated to floating traffic-groups

Impact:
No access to list of failover-objects associated to an specific floating traffic-group via the iControl REST interface

Workaround:
Use a different user interface (tmsh or GUI).


648806-1 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance

Component: Global Traffic Manager (DNS)

Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.

Conditions:
Enabled logging for wideip load balancing decision.

Impact:
Invalid value is logged for "with the first highest ratio counter".


648621-1 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.


648316-3 : Flows using DEFLATE decompresion can generate error message during flow tear-down.

Solution Article: K10776106

Component: TMOS

Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:

  Zip engine ctx eviction (comp_code=4): ctx dropped.

Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.

Impact:
False errors can appear:
  o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
  o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.

Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.

Workaround:
Disable hardware acceleration.


648270-4 : mcpd can crash if viewing a fast-growing log file through the GUI

Component: TMOS

Symptoms:
If the GUI tries to display a log file that is actively growing by thousands of log entries per second, the GUI might hang, and mcpd could run out of memory and crash.

Conditions:
The GUI tries to display a log file that is actively growing by thousands of log entries per second.

Impact:
mcpd crashes, and it and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Do not use the GUI to view a log file that is growing by thousands of log entries per second.


647834-4 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.


647812-3 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP uses /tmp/wccp.log as output for Diagnostic information,
independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.


647590-2 : Apmd crashes with segmentation fault when trying to load access policy

Component: Access Policy Manager

Symptoms:
Rarely, apmd restarts when trying to re-load an access policy.

Conditions:
This occurs when some of the policy items are modified while apmd is trying to re-load the access policy.

Impact:
The apmd process restarts.

Workaround:
None.


647158-3 : Internal virtual server inherits CMP hash mode from parent virtual server

Solution Article: K76581555

Component: Service Provider

Symptoms:
An internal virtual server might behave in unexpected ways, such as abort a client connection before connecting to the server.

Conditions:
Virtual server with request-adapt or response-adapt profile and a vlan with 'cmp-hash' mode 'src-ip'.
Internal virtual server without a VLAN or 'cmp-hash' setting.

Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.

Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.


647151-1 : CPU overtemp condition threshold is 75C

Component: TMOS

Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.

Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.

Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.

Workaround:
None.


646495-2 : BIG-IP may send oversized TCP segments on traffic it originates

Component: Local Traffic Manager

Symptoms:
Traffic from the Linux host on BIG-IP may send TCP segments larger than the advertised TCP MSS of a remote host.

Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.

Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.

Workaround:
disable segmentation offload for the vnic


646440 : TMSH allows mirror for persistence even when no mirroring configuration exists

Component: Local Traffic Manager

Symptoms:
When Mirroring is not configured in a high-availability (HA) configuration, the Configuration Utility (GUI) correctly hides the 'mirror' option for Persistence profile. However, Persistence Mirroring can still be enabled via TMSH.

Conditions:
-- Mirroring is configured in an HA configuration.
-- Persistence profile.
-- Using TMSH.

Impact:
A memory leak and degraded performance can occur when:

-- The Mirroring option of a Persistence profile is enabled.
-- Mirroring in the HA environment is not configured.

Workaround:
Always use the Configuration Utility (GUI) to configure Persistence profiles.

If you encounter this issue, complete the following procedure to locate Persistence profiles with Mirroring enabled, and then disable Mirroring for those profiles:

1. Access the BIG-IP Bash prompt.

2. List the Persistence profiles with the following command:
      tmsh list ltm persistence

3. Examine the Persistence profiles to identify the ones with 'mirror enabled'.

4. Disable Mirroring for each Persistence profile, using a command similar to the following:
tmsh modify ltm persistence <persistence_type> <profile_name> mirror disabled

5. Save the changes to the Persistence profiles:
tmsh save sys config


645674-2 : 'bigd' message send to 'mcpd' failure is not logged

Component: Local Traffic Manager

Symptoms:
A bigd message to mcpd notifying of monitor status change may fail to be sent, without log notification, when the message is too large.

Conditions:
A message sent from bigd to mcpd that is too large (e.g., because of the unbounded accumulation of HTTP/1.1 200 codes with unique values).

Impact:
Mcpd is not notified of the monitor status change, and the missing message is not logged. The monitor reflects an incorrect status until a future status change triggers a successful notification-message to be sent from bigd to mcpd.

Workaround:
Diagnosis of an incorrect monitor status may identify this issue, but no direct workaround is available.

The issue of the too-large bigd message is described in ID 645197, and involves the accumulation of unique HTTP/1.1 200 codes (indicating monitor success) without a monitor status-change for extended time (days or weeks). When a monitor status change finally occurs, bigd cannot notify mcpd because the message is too big. Thus, there is no indication of the monitor-status change. The secondary issue, here, is that there is no log message indicating the status-change-message-send failure.


645635-2 : Sflow may use 0.0.0.0 as Agent Address in 2 core vCMP guests

Component: Local Traffic Manager

Symptoms:
VCMP clusters without configured slot-specific management-ip addresses will report 0.0.0.0 for: sFlow (Agent Address), High Speed Logging (in certain log messages), and IPFIX (domain ID).

When creating VCMP guests, the cluster's floating IP address is configured on the host using a command of the form: 'tmsh modify vcmp guest guest0 management-ip 10.1.2.3/24'; however, this will leave the slot-specific management IP address unconfigured. In this case, the affected services (sFlow, HSL, and IPFIX) will report 0.0.0.0 as their management IP address.

Conditions:
- vCMP guest deployed on a chassis with only Cluster IP set, and no individual blade IP addresses configured.
- sflow and/or HSL and/or IPFIX configured.

Impact:
sflow, HSL, and IPFIX may incorrectly use 0.0.0.0 when identifying the BIG-IP system by management IP address. For sFlow, this is the default Agent Address. For HSL, certain log messages which identify the origin BIG-IP system by its management IP address will use this default value. For IPFIX, the domain ID will use this default value.

Workaround:
Configure cluster blade IP addresses. For example, to set the slot-specific management IP address on a VCMP guest which runs on a single slot, use a command similar to the following:

tmsh modify sys cluster default members { 1 { address 10.1.2.3 } }


645206-4 : Missing cipher suites in outgoing LDAP TLS ClientHello

Solution Article: K23105004

Component: TMOS

Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.

Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.

Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.

Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.


644979-2 : Errors not logged from hourly 1k key generation cron job

Component: TMOS

Symptoms:
Errors from the 1k key generation hourly cron job do not get logged as intended from the hourly 1024-bit key generation task.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.


644135 : 12.1.1-hf1 does not support module tuning for Finisar 100G LR4 optics

Solution Article: K53342451

Component: TMOS

Symptoms:
12.1.1-hf1 only supports module tuning for Source Photonics 100G LR4 optics. It does not support Finisar 100G LR4 optics via f5optics.

Conditions:
This is relevant only if you are running 12.1.1-hf1, and are using Finisar 100G optics.

Impact:
FCS errors may be observed on interfaces using Finisar 100G LR4 optics.

Workaround:
The only workaround is to update the software you are running with an engineering hotfix or software version that supports module tuning for Finisar 100G LR4 optics.

Note: This issue applies only to 12.1.1-hf1. This issue is addressed in other versions using a mechanism different from 12.1.1-hf1. For version 12.1.1-hf1, there is an engineering hotfix available to support Finisar 100G LR4 optics.


643860-4 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Solution Article: K41573401

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

-- In /var/log/tmm:
  notice MCP connection expired early in startup; retrying.

In/var/log/ltm:
  mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.


643799-1 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.


643459-3 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Solution Article: K81809012

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP in the Referer header.


643041-4 : Less than optimal interaction between OneConnect and proxy MSS

Solution Article: K64451315

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.


642786-3 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.

Solution Article: K01833444

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.

Conditions:
The local-address of a tunnel is resided in a non-default route-domain and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that sys db variable is 'enable'.

Impact:
The BIG-IP system may drop tunneled traffic.

Workaround:
None.


642422-2 : BFD may not remove dependant static routes when peer sends BFD Admin-Down

Component: TMOS

Symptoms:
As a result of a known issue, the BFD feature used in an Dynamic routing configuration, may not remove static routes when configured to be dependant on the liveliness of the BFD peer.

Conditions:
- BFD configured and up.
- Static route configured and dependant on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.

Impact:
Static route may not be removed on BFD session configured by peer to be and traffic may still be routed.


642211-2 : Warning logged when GENERICMESSAGE::message drop iRule command used

Component: Service Provider

Symptoms:
When submitting an iRule script using GENERICMESSAGE::message drop iRule command, a warning message is returned.

Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.

Impact:
A warning message is returned.

Workaround:
NA


641582-1 : Rarely, an HSB transmitter failure occurs

Component: TMOS

Symptoms:
A very rare HSB transmitter failure occurs. This is indicated by the following message in the tmm logs:
panic: hsb interface 1 DMA lockup on transmitter failure.

Conditions:
Although the exact conditions for this issue are unknown, this might be related to a 5250 platform or to a configuration containing a vCMP guest.

Impact:
Reboot of the unit.

Workaround:
None.

Note: Although there is no workaround, beginning in v13.0.0, there is an internal counter that tracks occurrences of these types of HSB transmitter failures, which enables better understanding of the issue and a more thorough investigation into its cause.


641543-1 : bindRequest timeout value for LDAP Authentication for remote users is set to 10s and cannot be controlled.

Component: TMOS

Symptoms:
If you have a custom bind-timeout value set for ldap system-auth, the custom value is honored for anonymous users but is ignored for explicit users.

Conditions:
ldap auth configured for remote authentication, and a custom bind timeout value is specified.

Impact:
The default timeout value of 10 seconds will be enforced for ldap auth.

Workaround:
None.


641450 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


641001 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies

Component: TMOS

Symptoms:
When BWC policy is configured with category that is configured at lower rate than max-user-rate, when the system is congested, the system might experience lower bandwidth and is not able to fill the pipe.

Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate/max-user-rate, utilizing all the policies.


For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.

Impact:
Lower bandwidth is seen.

Workaround:
Configure categories at the same rate as that of max-user-rate.


640924-1 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12) LED icons on Edge client's main UI, the buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.

Conditions:
macOS Sierra (10.12.x) and Edge client application.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
None.


640863-2 : Disabling partition selector in DNS Resolver's Forward Zones

Solution Article: K29231946

Component: TMOS

Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.

Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.

Impact:
Changing the partition in the Forward Zones page may error out.

Workaround:
Change the partition in the DNS Resolver List or use tmsh.


640751-2 : No PCRE Validation Performed For Regular Expression Parameters

Component: Application Security Manager

Symptoms:
If a Parameter is configured to match a specified regular expression, but the regular expression is misconfigured, there is no error presented to the user, and there is no regexp enforcement for the parameter.

The following log can be observed in bd.log
"PCRE compilation failed at offset 12: PCRE does not support \L, \l, \N, \U, or \u"

Conditions:
A non-PCRE regular expression is configured for a Parameter.

Impact:
No Regular Expression enforcement is performed.


640704 : A BIG-IP HA pair upgraded directly from 10.2.x to 12.1.x may lose the primary and secondary mirror IP addresses

Solution Article: K20418658

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP HA pair directly from version 10.2.x to version 12.1.x, the devices may fail to retain their primary and secondary mirror IP addresses after the upgrade.

Conditions:
This will only occur during a direct upgrade from 10.2.x to 12.1.x. This will not occur, for instance, when upgrading to 12.0.x.

Impact:
The devices will not be performing any mirroring after the upgrade to version 12.1.x as a result of this issue.

Workaround:
You can work around this issue by either:

A) Performing an intermediate upgrade to BIG-IP version 12.0.x first.

or

B) Manually reconfiguring the mirror IP addresses after the devices have been upgraded to 12.1.x (for more information on how to do so, refer to K13478: Overview of connection and persistence mirroring (11.x - 12.x) https://support.f5.com/csp/article/K13478).


640548-1 : In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked.

Component: Policy Enforcement Manager

Symptoms:
In Gy delayed binding mode, CCR-Us triggered by concurrent flows are blocked and PEM doesn't do re-try.

Conditions:
In Gy delayed binding mode, concurrent flows hits another rating group before the CCA-I for the first rating groups comes back.

Impact:
Quota management service will not be active for those concurrent flows.


640489 : iSeries LCD alerts screen returns to splash screen intermittently

Solution Article: K53571714

Component: TMOS

Symptoms:
If there is a pending alert and the LCD remains on the alerts screen for an extended period of time, when you attempt to view the alerts for a particular severity (critical, error, warning, etc), the system re-directs to the splash screen instead of to the screen with a list of alerts.

Conditions:
-- An alert is pending.
-- The LCD remains on the alerts screen for a long time (e.g., 1-2 minutes).
-- Navigate to one of the alert levels to view the pending alerts.
-- The LCD displays the splash screen instead of a list of alerts.

Impact:
The system returns to the splash screen instead of a list of alerts.

Workaround:
Navigate back to the alerts screen and select an alert severity to get a list of alerts.


640395-1 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly

Solution Article: K26144701

Component: Local Traffic Manager

Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.

Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.

Impact:
If you are not actually using the spanning feature, there is no impact.

If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.

Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.

Alternatively, you can manually set the spanning property on their virtual addresses as desired (after the upgrade).


640054-1 : Selective ICMP-echo behavior is inconsistent, depending on where the virtual address is disabled

Component: TMOS

Symptoms:
When a virtual address is using selective ICMP-echo and the virtual address is disabled, it will sometimes respond to ICMP echo requests, and sometimes not.

Conditions:
The difference appears to depend on where the virtual address is disabled.

1) If the virtual address is disabled in the virtual address settings page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List :: <address>] it stops responding to pings.

2) If the virtual address is disabled on the virtual address list page in the GUI: [Local Traffic :: Virtual Servers : Virtual Address List] it responds to pings.

3) If the virtual address is disabled with TMSH: 'modify ltm virtual-address <address> enabled no' it responds to pings.

In addition, on a BIG-IP Virtual Edition (VE), case #1 also responds to pings.

Impact:
The ICMP echo behavior is different depending on where the virtual address is disabled.

Workaround:
None.


639774-5 : mysqld.err rollover log files are not collected by qkview

Solution Article: K30598276

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview without truncation rules normally used for log files. Also, the mysqld.err.1 and mysqld.err.2.gz, etc are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.


639764-2 : Crash when searching external data-groups with records that do not have values

Component: Local Traffic Manager

Symptoms:
The TMM may crash when search through an external data-group that has at least one value with empty value.

Conditions:
For example, this occurs if data-group is defined as follows:
the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",

A search in the data-group above with -value or -element options where at least one of the result records has no value will most likely result in a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure that every record in the external data-groups has a value.


638960-2 : A subset of the BIG-IP default profiles can be incorrectly deleted

Component: TMOS

Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.

Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).

Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.


638893-1 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command

Component: TMOS

Symptoms:
Error message references solution number instead of Knowledgebase number:
 err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.

Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD.

Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.

Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.


638089-1 : LACP and CMP state simultaneous fail on A112 and A113 platform

Component: TMOS

Symptoms:
An internal traffic stoppage occurs and causes LACP ACTIVE trunk members to go down, and CMP state changes for the HOST and VCMP guests (if configured) on the impacted blade. The tmctl detailed statistics show sustained TX pause generated by HSB on one or more links and matching RX Pause received in interface_stat (on 4.1, 4.2, 4.3).

Conditions:
This happens when an internal FPGA device runs into a bad state under heavy traffic load. The root cause of that is still under investigation. It happens extreme rarely.

Impact:
Traffic no longer functions on the blade where stoppage occurs.

Workaround:
Reboot blade.


637979-1 : IPsec over isession not working

Component: TMOS

Symptoms:
User cannot send IPsec encrypted application data traffic through a secured iSession connection, just by configuring symmetric optimization to use IPsec for IP encapsulation.

Conditions:
Configure IPSec with iSession through the Quick Start screen and/or under the "Local Endpoint" configuration. Do not create any new IKE peers or traffic selectors.

Impact:
User is unable to send encrypted traffic using IPsec over the tunnel without additional configuration required for a typical IPSec setup.

Workaround:
Configuration needed for a typical IPsec setup should be made explicitly.
isession encapsulation should be set to "none", and proper IKE-peer, IPsec policy, and traffic selectors should be configured to capture isession traffic between the isession endpoints.

BIG-IP1 GUI:
[Local Endpoint]
Acceleration->Symmetric Optimization : Local Endpoint->Properties
WAN Self IP Address: <BIG-IP1-local-endpoint-ipaddress>
IP Encapsulation Type: None

[Remote Endpoint]
Acceleration > Symmetric Optimization : Remote Endpoints >New Remote Endpoint...
IP Address: <BIG-IP2-local-endpoint-ipaddress>

[IKE peer]
Network->IPsec : IKE Peers->New IKE Peer...
Remote Address: <BIG-IP2-local-endpoint-ipaddress>
Version: Version1
Presented ID Value: <BIG-IP1-local-endpoint-ipaddress>
Verified ID Value: <BIG-IP2-local-endpoint-ipaddress>

[IPsec policy]
Network->IPsec : IPsec Policies->New IPsec Policy…
Name:<isession_policy_name>
Mode: Tunnel
Tunnel Local Address: <BIG-IP1-local-endpoint-ipaddress>
Tunnel Remote Address: <BIG-IP2-local-endpoint-ipaddress>

[Traffic selector]
Network ->IPsec : Traffic Selectors ->New Traffic Selector...
IPsec Policy Name: <isession_policy_name>
Source IP Address: <BIG-IP1-local-endpoint-ipaddress>
Destination IP Address: <BIG-IP2-local-endpoint-ipaddress>

BIG-IP2 GUI: Analogous--just swap the local and remote endpoint addresses where they appear above


637613-3 : Cluster blade being disabled immediately returns to enabled/green

Solution Article: K24133500

Component: Local Traffic Manager

Symptoms:
In some scenarios, disabling a blade will result in the blade immediately returning to online.

Conditions:
This can occur intermittently under these conditions:

- 2 chassis in an HA pair configured with min-up-members (for example, 2 chassis, 2 blades each, and min-up-members=2)
- You disable a primary blade on the active unit, causing the cluster to failover due to insufficient min-up-members.

Impact:
Disabling the primary blade fails and it remains the primary blade with a status of online.

Workaround:
This is an intermittent issue, and re-trying may work. If it does not, you can configure min-up-members to a lower value or disable it completely while you are disabling the primary blade. The issue is triggered when the act of disabling the primary blade would cause the number of members to drop below min-up-members.


637279 : Pool member discovery/autoscale does not work in eu-central-1 (Germany) region of AWS.

Component: TMOS

Symptoms:
Pool member discovery does not work and produces the following error: as-describe-auto-scaling-groups: Refused: The security token included in the request is invalid.

Conditions:
This occurs in the eu-central-1 region only. Does not apply for failover. Note: This error might happen even when correct IAM credentials are specified.

Impact:
Pool member discovery cannot be run in eu-central-1 region.

Workaround:
Create autoscale configuration in regions other than eu-central-1.


636823-3 : Node name and node address

Component: TMOS

Symptoms:
If you create a node with a name that is an IP address but the IP address is different than the name, it can produce an error when adding the node to a pool.

Conditions:
This can occur if the node name is, for example, /Common/10.10.10.10 and the IP address is 10.10.10.10%1

Impact:
When you attempt to add the node to a pool, an error will occur:

Node name /Common/10.10.10.10 encodes IP address 10.10.10.10 which differs from supplied address field 10.10.10.10%1

Workaround:
If you set the node name to an IP address it must be identical to the actual IP address.


636669-3 : bd log are full of 'Can't run patterns' messages

Solution Article: K37300224

Component: Application Security Manager

Symptoms:
The bd log are getting filled up with 'Can't run patterns' messages. A core might occur due to the i/o outage. General traffic disturbance/slowness might occur.

Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.

Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.

Workaround:
None.


636412-1 : ASM start process fail with 'Protobuf message exceeds max defined size' on machines with thousands of ASM configuration entities

Component: Application Security Manager

Symptoms:
ASM start process fails on machines with thousands of ASM configuration entities.

The log file contains error messages similar to the following:
Protobuf message exceeds max defined size. Table: CONFIG_TYPE_DYNAMIC_TABLES.

Conditions:
Issue is very rarely reproducible and requires thousands of ASM policy entities on the machine.

Impact:
ASM may report legitimate request traffic as a violation.

Workaround:
There is no workaround at this time.


636348-3 : BIG-IP systems configured for high availability (HA) and System Gateway Failsafe may fail to load their configuration after device trust is reset.

Component: Local Traffic Manager

Symptoms:
In the /var/log/ltm file you may observe an error message similar to the following example

01071837:3: The pool (/Common/http_pool) contains a reference to a gateway failsafe device (/Common/bigip1.f5.com), which does not exist on the system. Please specify a valid device for this configuration. Unexpected Error: Loading configuration process failed.

Conditions:
This issue occurs when all the following conditions are met:

-You have multiple BIG-IP systems in a High Availability (HA) configuration.
-You have configured System Gateway Failsafe
-You reset device trust
-You attempt to reload the configuration or reboot the device before recreating the device trust

Impact:
Configuration may fail to load

Workaround:
Remove Gateway Failsafe before resetting device trust


636164 : Remote IP not working in IE 8

Component: TMOS

Symptoms:
Adding a Remote IP in System :: Logs : Configuration : Remote Logging has no effect in Microsoft Internet Explorer (IE) version 8.

Conditions:
Using IE 8.

Impact:
Remote IP does not work.

Workaround:
BIG-IP version 12.x and later do not support IE 8. Use a later version of IE, or use another browser.


636163 : Certificate Key Chain not working in IE 8

Component: TMOS

Symptoms:
Certificate Key Chain not working in Microsoft Internet Explorer (IE) version 8.

Conditions:
Using IE 8.

Impact:
Certificate Key Chain does not work.

Workaround:
BIG-IP version 12.1.0 and later do not support IE 8. Use a later version of IE, or use another browser.


636104-2 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
You can define a temporary pool member with the port that is being used (e.g. 80) and delete it after that.
But once defined once, it will go to the DB and will be shown from that point.
This is a partial workaround since it needs to be done for every port that is being used in traffic.


636031-4 : GUI LTM Monitor Configuration String adding CR for type Oracle

Solution Article: K23313837

Component: TMOS

Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters in the file.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.


635871-1 : tmsh validation of hash persistence timeout setting is incorrect

Component: Local Traffic Manager

Symptoms:
The permitted hash persistence timeout value is a range from 1 - 4294967295. But in tmsh you can set the value to 0 without error

Conditions:
This occurs when running the following tmsh command:
tmsh modify ltm persistence hash <profile_name> timeout <number>
where <number> = 0

The GUI will report a validation error if you try to set it to 0 in the GUI.

Impact:
The value of 0 will be saved but the minimum value should be 1.

Workaround:
If you accidentally set a timeout to 0 you can set it back to the correct range using the following tmsh command:
tmsh modify ltm persistence hash <profile>name> timeout <1-4294967295>


634369-2 : Bigd crash (SIGABRT) while running iControl REST scripts against monitor configuration with FQDN nodes

Component: Local Traffic Manager

Symptoms:
Bigd crash (SIGABRT) while running iControl REST scripts against monitor configurations with FQDN nodes.

Conditions:
-- Bigd configured with FQDN nodes.
-- iControl REST calls are used to interact with system.

Impact:
Bigd crashes and restarts. Monitoring correctly resumes after the restart period.

Workaround:
None.


634014 : Absolute timers may fire one second early during the leap second event

Component: TMOS

Symptoms:
Absolute timers that expire at midnight UTC may fire one second early when the leap second is inserted.

Conditions:
This occurs if an absolute timer is used to trigger a task, and the leap second occurs during the timer window. For example if an absolute timer of 60 seconds is scheduled and the leap second event occurs midway through that interval, the event will appear to fire one second earlier than expected.

Impact:
Impact to applications unknown. The system stays stable, and a timer may be fired off earlier than expected

Workaround:
None.


633824-2 : Cannot add pool members containing a colon in the node name

Solution Article: K39319200

Component: TMOS

Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:

0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).

Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon in it

Impact:
You are unable to add the node to the pool and will get a validation error.

Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.


633568 : Pool statistics page doesn't show all pool members in IE8 with compatibility view

Component: TMOS

Symptoms:
While accessing the pool statistics page with IE8 with compatibility view mode, pool member expand/collapse icons do not work properly. Specifically, one of the pool members is displayed as blank.

Conditions:
This occurs when accessing the BIG-IP GUI using IE8; navigate to Statistics :: Module Statistics : Local Traffic. Select "Pool" and press "collapse (plus)" icon to expand pool members.

Impact:
You will see that one pool member will displayed as blank row.


633495 : Cannot switch between partitions in Local Traffic :: Policies

Component: TMOS

Symptoms:
When you are in the Local Traffic :: Policies page, you are unable to change partitions.

Conditions:
This occurs when multiple admin partitions exist and there are policies in each partition, and you wish to change partitions.

Impact:
You are unable to change partitions from the Local Traffic :: Policies page.

Workaround:
Change to another page in the GUI and change the partition, then visit the Policies page again.


633464-2 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Component: Local Traffic Manager

Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.

Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.

Workaround:
None.


633454-1 : Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Component: Application Security Manager

Symptoms:
Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Conditions:
-- Versions of Chrome older than version 53.
-- Proactive Bot Defense is enabled.

Impact:
Browser gets blocked.

Workaround:
Use one of the following workarounds:

-- Use a version of Chrome that is version 53 or later.
-- Use a different browser.


633349-3 : localdbmgr hangs and eventually crashes

Solution Article: K86613330

Component: Access Policy Manager

Symptoms:
localdbmgr hangs, consumes a lot of CPU and eventually crashes due to a rare condition where the program's execution halts, upon logging configuration changes.

Conditions:
Rare condition upon changing log settings configuration, or when localdbmgr process loads existing log config settings upon start / restart.

Impact:
localdbmgr hangs, consume a lot of CPU and will eventually crash.

Workaround:
localdbmgr should restart and recover from this crash. If it doesn't, perform a "bigstart restart localdbmgr"


633172 : External LDAP user with Administrator role may fail to import key file when using iControl REST crypto command

Solution Article: K12473201

Component: TMOS

Symptoms:
The REST call to install a key from a local file fails when the user is external (e.g., LDAP), even when its role is Administrator.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is configured to allow access to external LDAP users.
-- The external LDAP user is assigned an Administrator role.
-- The external LDAP user uses the tm/sys/crypto/key iControl REST command to import a key from a local file.

For example, you use the tm/sys/crypto/key iControl REST command with external LDAP user f5user that is assigned with the Administrator role, as follows:

restcurl -u f5user:f5user -X POST https://localhost/tm/sys/crypto/key -d '{"command":"install","name":"/Common/my-key.key","from-local-file":"/var/config/rest/downloads/my_key.key"}'

Impact:
Key install operation fails.

Workaround:
To work around this issue, you can use the sys/file/ssl-key iControl REST command to import a key file instead. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

Log in to the command line on the system from which you want to import the key file.
Note: The system must be able to support the command line version of the curl command.

Import the key file using the following command syntax:
curl -k -u <username:password> -H "Content-Type: application/json" -X POST https://<BIG-IP device>/tm/sys/file/ssl-key/ -d '{"name":"<key file name>","source-path":"<full path to key file>"}'

For example:

curl -k -u f5user:f5user -H "Content-Type: application/json" -X POST https://localhost/tm/sys/file/ssl-key/ -d '{"name":"f5user1.key","source-path":"file:///shared/my_key.key"}'

Note: Ensure that the key file name includes the file suffix, as the tm/sys/file/ssl-key iControl REST command does not automatically append .key in the key name.


633110-2 : Literal tab character in monitor send/receive string causes config load failure, unknown property

Solution Article: K09293022

Component: Local Traffic Manager

Symptoms:
BIG-IP allows you to paste in monitor send or receive strings that contains tabs, but the tabs do not get quoted when it gets saved to the configuration. This will cause the configuration load to fail, with this error signature:

Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
Syntax Error:(/config/bigip.conf at line: <line>) "<text>" unknown property

Conditions:
This can occur if you copy/paste a monitor send or receive string and paste it into the send/recv string field in tmsh or the GUI.

Impact:
The monitor will not work as expected, and subsequent config loads will fail on unknown property.

Workaround:
Since you are still able to use the BIG-IP GUI, you can update the monitor send or receive string using \t to represent the tab, and save the changes.


632958-2 : APM MIB gauges not reset on standby device

Component: Access Policy Manager

Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:

F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions

Conditions:
After failover happens

Impact:
Since these gauges represent current session counts, administrator may not be able to identify the active device by looking at these gauges.


632901-1 : JET documentation incorrect for RESOLV::lookup

Solution Article: K03112333

Component: Local Traffic Manager

Symptoms:
JET documentation for the iRule command RESOLV::lookup contains a description of a bug where PTR records are not being cached. The documentation includes a workaround for this bug. However, the bug no longer exists.

Conditions:
tmsh help ltm rule command RESOLV::lookup | grep "Note: The results" -A6

Impact:
Jet documentation mentions a resolution to a bug that no longer exists.

Workaround:
None. This is a cosmetic issue that you can safely ignore.


632839 : UDP Flood does not get detected if the vector limits are infinite

Component: Advanced Firewall Manager

Symptoms:
If the UDP_flood AFM DoS vector is configured as 'infinite' for both detection-threshold-pps and default-internal-rate-limit then it will not get detected. Even per-virtual server and Sweep/Flood will not detect UDP_Flood. If they are not infinite, they should work as expected, and the default value for detection-threshold-pps is 400000.

Conditions:
-- Settings of 'infinite' for UDP_flood device-dos vector.
-- Running v12.1.1, 12.1.2, or 12.1.3.

Impact:
You might expect UDP_flood vector to be detected at the per-virtual server and Sweep/Flood level, but if it is configured at infinite at the global device level, then it will not be detected at any level at all.

Workaround:
To enable the system to detect UDP_Flood at the various levels, set the global device-dos level for UDP_flood to be 4294967294 (1 less than MAX_UINT32).

Note: With this workaround, the system still cannot detect UDP_flood vector still at the global device-level because the number is too high.


632838-1 : Deterministic NAT performance may be degraded

Component: Performance

Symptoms:
Deterministic NAT performance may be degraded compared to performance in 12.1.x.

Conditions:
Deterministic NAT configuration in use in version 13.0.

Impact:
CPU utilization will be higher, and the system may pass traffic with less speed.

Workaround:
Enable the db variable pva.fwdaccel to see DNAT performance improve with a fastL4 profile.


632825-5 : bcm56xxd crash following 'silent' port-mirror configuration failure

Component: TMOS

Symptoms:
A port-mirror configuration can fail 'silently', that is, no error from MCPD yet the following is logged in /var/log/ltm:

err bcm56xxd: 012c0011:3: Trunk port trouble with bcm_mirror_port_set() Entry exists bs_mirror.c(598).
err bcm56xxd: 012c0010:3: Trouble committing mirror settings to hardware: 0:21 bs_mirror.c(671).
err bcm56xxd: 012c0010:3: Trouble setting port mirror from 2.1 to 2.6 bsx.c(5173).

Once this happens, any subsequent port-mirror configuration will result in a deadlock condition and SOD will restart bcm56xxd.

If the port-mirror interfaces are part of a trunk, any trunk configuration will cause this condition. For example, adding a vCMP guest.

Conditions:
Prior 'silent' port-mirror configuration error followed by a subsequent port-mirror configuration command.

Impact:
bcm56xxd continuously restarts until the bad port-mirror configuration is removed.

Workaround:
None.


632723-1 : tmm core with remote logging pool in non-zero route domain

Solution Article: K05079458

Component: Advanced Firewall Manager

Symptoms:
tmm cores every minute with a security log profile set to send log messages to pool members in a different route domain.

Conditions:
Remote logging pool configured, and the pool members are in a non-zero route domain that is different than that of the forwarding virtual.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the logging pool members are in the zero route domain.


632604-1 : SSL::sessionid iRule command returns incorrect result

Component: Local Traffic Manager

Symptoms:
SSL::sessionid iRule command returns incorrect result

Conditions:
An iRule is used to retrieve the session ID.

Impact:
The session ID might not be reliable.

Workaround:
None.


632553-2 : DHCP: OFFER packets from server are intermittently dropped

Component: Local Traffic Manager

Symptoms:
With a DHCP relay virtual server, OFFER packets from DHCP server are intermittently not forwarded to the client and dropped on BIG-IP.

Conditions:
It is not known exactly what triggers this condition, but it occurs intermittently when the DHCP relay virtual server is in use.

Impact:
Client machines joining the network do not receive DHCP OFFER messages.

Workaround:
Enforce that the serverside flow is getting deleted, e.g. if dhcp server 10.0.66.222 is broken, issue the following tmsh command:

tmsh delete sys connection ss-server-addr 10.0.66.222 cs-server-port 67


632246-1 : Configuring pvasyncookies db variable does not persist over reboots or to non-primary blades.

Component: Advanced Firewall Manager

Symptoms:
pvasyncookies db variable does not disable/enable HW syn-cookies on secondary blades, and does not persist across MCPD restart/reboot.

Conditions:
Non-default setting for the pvasyncookies db variable.

Impact:
Setting does not persist across MCPD restart/reboot.

Workaround:
None.


632204-1 : Local Traffic Policies rule page is incorrectly showing all partition's objects in 'Forward traffic' actions

Solution Article: K22568472

Component: TMOS

Symptoms:
When creating an LTM policy rule action 'Forward Traffic' and selecting from a list of pools or virtual servers, objects from partitions other than the current partition and the Common partition show up.

Conditions:
This occurs on the LTM policy rule creation page within a specific partition, and there are objects of the same type in other partitions.

Impact:
Users without access to the associated partition receive an error when selecting an object from that partition and clicking submit.

Workaround:
Do not select objects other than the ones in the current or Common partition from a dropdown.


631715-1 : ASM::disable does not disable client side challenges

Component: Application Security Manager

Symptoms:
ASM::disable command was run but a challenge was still sent.

Conditions:
irule with ASM::disable. CS or DID challenge is configured.

Impact:
An unexpected JS challenge arrives

Workaround:
N/A


631046 : Unable to generate a FIPS key using the GUI

Component: TMOS

Symptoms:
While generating a FIPS key from the BIG-IP GUI, you get the following error:
Key management library returned bad status: -4, FIPS security is not licensed, FIPS key security type is not allowed.

Generating a FIPS key from tmsh works properly.

Conditions:
This occurs on FIPS-licensed 12.1.1 HF1 and HF2, when using the GUI to generate the FIPS key.

Impact:
Unable to generate a FIPS key using the GUI.

Workaround:
Use the following tmsh command to generate a FIPS key:
tmsh create sys crypto key <key_object_name> security-type fips.


630795-1 : No guestagentd entry in merged.conf

Component: TMOS

Symptoms:
There is no entry in guestagentd in merged.conf. This results in this error in the ltm log whenever merged starts up:

"Process managed by runsv is not in /config/merged.conf: guestagentd"

Conditions:
This is encountered whenever merged starts.

Impact:
In addition, for stats purposes, the proc_stat and plane_proc_stat tables are affected. If the pid changes (for whatever reason) BIG-IP will not have the assignments to the right process information.

Workaround:
Add guestagentd entry to merged.conf


630257-1 : Monitor send/receive strings cannot end with trailing single-backslash

Component: Local Traffic Manager

Symptoms:
A monitor with a 'send' or 'receive' string is not supported with a single trailing backslash, such as "GET /\r\n\" (note the single-trailing backslash that "escapes" the trailing double-quotes).

Conditions:
A monitor 'send' or 'receive' string ends with a single trailing backslash; and the configuration is saved, and then a load is attempted.

Impact:
When configuration is saved and then loaded, the single-trailing backslash will escape the trailing double-quotes and the configuration will fail to load.

Workaround:
A double-trailing backslash is supported, where the trailing double-quotes will not be escaped, for example:
 "GET /\\r\\n"


629834-4 : istatsd high CPU utilization with large number of entries

Component: TMOS

Symptoms:
With a large number of istats entries, statsd uses a large amount of CPU time to process istats.

Conditions:
This occurs when there is a large number of istats entries in iRules.

Impact:
istats processing is slow. CPU utilization by istatsd is high.

Workaround:
Reduce the number of istats entries. Periodically purge the the istats entries if possible.


628696-1 : Under rare circumstances, all blades in cluster claim not primary during start up

Component: Local Traffic Manager

Symptoms:
All blades in cluster claim not primary during startup

Conditions:
during TMM startup

Impact:
The cluster (even if standalone) appears Standby, and ready-for-world is never reached.

Workaround:
Restart tmm on primary blade


627760-3 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


627447 : Sync fails after firewall policy deletion

Component: Advanced Firewall Manager

Symptoms:
When deleting a firewall policy and then creating a new one, sync to standby fails.

Conditions:
Delete firewall policy then create a new one. Sync to Standby.

Impact:
Sync fails.

Workaround:
None.


627384-1 : eamtest tool fails with Segmentation fault after initialization.

Component: Access Policy Manager

Symptoms:
Tests done with eamtest tool fail with Segmentation fault after initialization.

Conditions:
Run eamtest tool.

Impact:
eamtest tool fails, which affects troubleshooting using the tool.

Workaround:
Run eamtest with LD_PRELOAD=libeam_asdk_preload.so prefix.


627341-1 : TMUI loginProviderName is invalid when requesting a REST token

Component: Device Management

Symptoms:
Requests for X-F5-Auth-Token fail when a TMUI view is loaded that requires a X-F5-Auth-Token used for REST requests.

Conditions:
On startup if the tmos login provider takes too long to become available it will cause the login provider to be unavailable, and requests for auth tokens will fail. This is a race condition and happens intermittently. Typically on lower end devices.

Impact:
GUI cannot retrieve F5-Auth-Token for REST requests

Workaround:
bigstart restart restjavad


627221-1 : iControl SOAP doesn't support displaying all possible media options for interfaces

Component: TMOS

Symptoms:
Newer media options would erroneously be displayed as MT_AUTO from iControl SOAP.

If the media option is considered internal; iControl SOAP will still display the specific type if available in its list. This has been changed to display MT_NONE for those options.

Conditions:
Platforms that support the missing interfaces in the iControl SOAP will not get the right info vi iControl SOAP.
Specifically those that support MEDIA_40000_FDX and MEDIA_40000_LR4_FDX.

Affected Platforms:
A108
A112
D112
D113

Impact:
Information Mismatch


627144 : Two users cannot create policies at the same time.

Component: Application Security Manager

Symptoms:
Two users cannot create policies at the same time.

Conditions:
-- Two users with admin authority are logged onto the GUI.
-- Both begin creating separate ASM policies with distinct options.
For instance:
- User 'wafadmin1' logs in first.
- User 'wafadmin2' logs in second.
- Both are creating policies.
- When wafadmin2 submits the policy, it's being overwritten by policy details given by wafadmin1.
- Only user wafadmin1 can de-activate a policy; for other users the option itself is grayed out.

Impact:
Policy from one user can overwrite another's. Can also affect who can de-activate a policy.

Workaround:
Have only one user at a time create/modify/delete policies.


626589-6 : iControl-SOAP prints beyond log buffer

Solution Article: K73230273

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl-SOAP can print out garbage log to /var/log/ltm and can potentially lead to instability with reading beyond a buffer.

Workaround:
Do not enable logging with trace level, which is not turned on by default.


626279-1 : After reboot LCD reports "unit going standby" even if it has gone active.

Component: TMOS

Symptoms:
After a reboot, the LCD and the tmsh show sys alert command reports "unit going standby" even though the device has become active.

Conditions:
This can occur intermittently on system startup.

Impact:
LCD and tmsh show sys alert erroneously report "unit going standby". The /var/log/ltm log will have messages from sod indicating that it has become active.


626226-1 : Large SSL certificate bundle export by GUI silently fails

Component: TMOS

Symptoms:
GUI SSL certificate bundle export silently fails if the size of the certificate bundle is greater than approximately 1824 KB.

Conditions:
1. Import a certificate whose size is greater than 1823 KB.
2. Try to Export that certificate using the GUI.

Impact:
Unable to download large SSL certificate.

Workaround:
You can export the large SSL Certificate bundle as 'Archive' using the following procedure:

1. Navigate to System :: File Management : SSL Certificate List.
2. Click 'Archive.
3. Download the large SSL Certificate bundle.


625901-1 : SNAT pools allow members in different partitions to be assigned, but this causes a load failure

Component: TMOS

Symptoms:
SNAT pools allow members in different partitions to be assigned, but this is prohibited at load time.

Conditions:
The SNAT pool is in a partition different from that of the member you are trying to add to it.

Impact:
Load will fail with an error like the following:

01070726:3: SNAT pool translation address /p1/mysnatpool /p2/1.2.3.4%5 in partition PARE cannot reference SNAT Translation /p2/1.2.3.4%5 in partition p2

Workaround:
Use a SNAT pool member in the same partition.


625428-1 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit

Component: TMOS

Symptoms:
The F5 BIG-IP local mib has the wrong value definitions for
F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
allowed(0),disallowed(1)
instead of
disabled(0),enabled(1)

Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.

Impact:
Information mismatch


625215-1 : unic: flow redirects for non-default cmp-hash on untagged VLANs

Component: TMOS

Symptoms:
-- Low throughput.
-- Flow re-directs in tmstat.

Conditions:
-- Untagged VLAN is in use
-- A non-default cmp hash, such as src-ip or dst-ip, is in use.

Impact:
Performance degradation.

Workaround:
None.


625165-2 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.

Component: Access Policy Manager

Symptoms:
-Routes to local DNS that get added due to 'allow local DNS' option in Network Access config do not get removed once network changes after VPN is established.

Conditions:
- 'Allow local DNS' option is selected in Network Access config.
- BIG-IP administrator changes the network configuration after VPN is connected.

Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.

Workaround:
None.


625108-1 : Learn flags of subviolations are incorrectly updated when all violations are updated by REST

Component: Application Security Manager

Symptoms:
When the learn flags of all violations are updated by REST PATCH, the learn flags of all subviolations are incorrectly updated as well.

Conditions:
The learn flags of all violations are updated in a single REST PATCH operation.

Impact:
The learn flags of all subviolations are incorrectly updated as well.

Workaround:
You can use either of the following workarounds:

-- Update violations in individual REST operations.
-- Update the subviolations after the violation update.


624917 : First few handshakes fail after chassis/appliance reboot when using HSM

Component: Local Traffic Manager

Symptoms:
After rebooting with an HSM configured, you notice the first few handshakes fail, with the following error signature in /var/log/ltm:

warning tmm3[13085]: 01260009:4: Connection error: info tmm3[13085]: 01260013:6: ssl_hs_vfy_sign_srvkeyxchg:9921: sign_srvkeyxchg (80)
1260013:6: SSL Handshake failed for TCP <src> -> <dest>

Conditions:
This occurs on the first few connections after reboot when an HSM is configured, and seems to occur if the device does not immediately pass traffic after reboot.

Impact:
The initial SSL connections will fail, then normal operation will resume.

Workaround:
None.


624909-2 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
In order to delete the self-IPs you can either:

1) Delete the static route.
or
2) Create a self-IP on the same interface and using the IP protocol as the static route.


624626-3 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example


624580-1 : BigDB.dat may become truncated

Solution Article: K37147352

Component: TMOS

Symptoms:
BigDB.dat may become truncated.

Conditions:
The conditions under which this occurs are not well understood.

Impact:
Tomcat and possibly mcpd may restart due to having incorrectly generated configuration.

Workaround:
None.


624187-1 : Relocate TUC AVP to group AVP USU

Component: Policy Enforcement Manager

Symptoms:
Current implementation sends Traffic Change Usage (TCU) in MSCC at the same level as USU.

Conditions:
Anytime there is a TCU.

Impact:
Interoperability with ZTE OCS, which requires it as a child USU (Used-Service-Unit)


624044-1 : LTM Monitor custom recv/send/recv-disable parameters have backslash at the end may fail to load

Solution Article: K42806722

Component: Local Traffic Manager

Symptoms:
If LTM monitor configuration parameters have custom strings that end with backslash, the saved configuration will fail to load.

Conditions:
Any of the "recv", "send", or "recv-disable" parameters having a backslash at the end, and the configuration is saved.

Impact:
The new configuration fails upon reload.

Workaround:
Do not end custom strings with backslashes. If config contains monitor configuration with custom strings that end with backslash. config can be cleaned with following process:
  tmsh save sys ucs K42806722_before
 find /config/ -type f -name "bigip.conf" -exec sed -i 's/\(\(send\|recv\).*\)\\"$/\1"/g' {} +
  tmsh load /sys config


623779-2 : Adding a client side challenge whitelist URL wildcard list

Component: Application Security Manager

Symptoms:
There is no way to tell that a URL wildcard is always qualified for client side challenges. Thus dynamic URLs system can't use the CS defense to dos attack or the proactive bot defense.

Conditions:
dynamic URLs are running in a dos attack and the system has cs mitigation enabled.

Impact:
the cs mitigation is not effective and the dos mitigation moves to the rate limit.

Workaround:
N/A


623536-2 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, SNMP traps sent for notifying RSTs sent due to maintenance mode on are not being sent.

Conditions:
Reset cause logging and maintenance mode are enabled
Snmp trap destination is configured and routable

Impact:
snmp traps are not sent

Workaround:
Adding custom trap in /config/user_alert.conf with escaped characters will workaround the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}


623488-4 : Custom adaptive reaper settings may be lost at upgrade time

Component: TMOS

Symptoms:
Beginning in 11.6.0, the adaptive-reaper was changed to use the default-eviction policy. The configuration migration script does not migrate the adaptive-reaper settings, so after upgrade the reaper settings are reset to their default.

Conditions:
Upgrade from 10.x to 11.6.0 or later.

Impact:
Settings may be unexpectedly changed as part of upgrade.

Workaround:
Inspect the values after upgrade and reconfigure them.


623371-1 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.

Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.

Impact:
User does not see expected password prompt.

This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.

Workaround:
None known.


623367-1 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.

Solution Article: K57879554

Component: TMOS

Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.

Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.

Impact:
With root SSH keys, can login as nonexistent user.

Workaround:
Set the default remote role to something other than admin.


623313 : After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default.

Component: TMOS

Symptoms:
After upgrade from 10.2.x, tmsh and GUI do not report the default SNMP community source if it's the default. For example, in response to the 'tmsh list sys snmp' command, output in 10.2.x contains the following strings:
community-name public
source default

in 12.1.x, the output does not contain the string 'source default', only the string 'community-name public'.

Conditions:
Upgrade from 10.2.x.

Impact:
Cannot determine the SNMP community name if it is the default.

Workaround:
None.


623265-4 : UCS upgrade from v10.x to v11.4.x or later incorrectly retains v10.x ca-bundle.crt

Solution Article: K15645547

Component: TMOS

Symptoms:
Inconsistent CA certificate chain creation, or certificate validation/verification when verification occurs against /config/ssl/ssl.crt/ca-bundle.crt.

Conditions:
A system is upgraded from v10.x to v11.x/v12.x, or a v10.x UCS is restored onto a v11.x/v12.x system.

Impact:
Inconsistent ca-bundle.crt upgrade/UCS load handling can lead to odd / non-deterministic behavior between devices, even an HA pair / cluster of devices. Non-determinism increases because ca-bundle.crt does not ConfigSync (and appears not to sync across blades in a chassis).

For example, on one device, the BIG-IP system might construct and send a full certificate chain in an SSL Server Hello, when ca-bundle.crt is specified as a Client SSL profile's 'chain', but on its peer, if the peer is using an older/inconsistent ca-bundle, the peer might be unable to construct a full certificate chain.

Workaround:
On every device affected by this, or on every blade in a VIPRION system affected by this:

1. Update /config/ssl/ssl.crt/ca-bundle.crt with the version that ships with this software version:
   cp /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt

2. Reboot the system and clear the MCPD binary database. Refer to AskF5 article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030), but essentially:
    touch /service/mcpd/forceload && reboot

3. After reboot, verify that the two files match (they should have the same checksum):
   md5sum /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup /config/ssl/ssl.crt/ca-bundle.crt


623084-2 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp

Component: Local Traffic Manager

Symptoms:
mcpd fails to load the configuration if a pre-11.6.0 configuration has a DHCP virtual server configured using any profile that is not /Common/udp.

The following messages appears in /var/log/ltm:

01070095:3: Virtual server /Common/dhcp_relay-p-rd101 lists incompatible profiles.

This is because the profile in this case is /Common/fastL4 and is not 'converted' to a DHCP profile.

Conditions:
-- A pre 11.6.0.
-- DHCP-type virtual server configured with a profile other than /Common/udp.
-- Upgrade to 11.6.0 or later.

Impact:
mcpd fails to load the configuration. The BIG-IP system will not be operational until the configuration is changed and loaded.

Workaround:
Before the upgrade, change the profile to /Common/udp.

If you have already upgraded, manually change the bigip.conf file and load the config using the following command: tmsh load /sys config


622876-1 : Certificate serial number is not displayed properly in OCSP Stapling logs.

Component: Local Traffic Manager

Symptoms:
The certificate serial number is not displayed properly in OCSP Stapling logs.

Conditions:
These logs are seen when there are any errors when fetching and validating an OCSP response, and/or when SSL debug logs are enabled.

Impact:
Certificate serial number is not displayed properly.

Workaround:
None.


622870 : When using a Thales key, SSL handshake failed after restarting pkcs11d

Component: Local Traffic Manager

Symptoms:
With a Thales key, SSL handshake failed after restarting pkcs11d daemon.

Conditions:
Thales netHSM is used and pkcs11d daemon is restarted.

Impact:
SSL traffic is failed.

Workaround:
bigstart restart tmm

after

bigstart restart pkcs11d


622204-1 : If a virtual server's name has a "." in it then a DoS profile cannot be attached to it

Solution Article: K14141640

Component: Advanced Firewall Manager

Symptoms:
For virtual servers with a . (dot, or period) in the name and a DoS profile attached, a crash might occur when attacks are detected/stopped.

Conditions:
Virtual server with a name that includes a . and an attached DoS profile, and then a DoS attack is detected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the . in the virtual server name.


621843-1 : the ipother proxy is sending icmp error messages to the wrong side

Component: Local Traffic Manager

Symptoms:
the ipother proxy error handling sends ICMP error messages down the wrong side of the proxy. when a client-side error occurs, the error message is being sent to the server side

Conditions:
error handling of the ipother proxy

Impact:
ICMP error messages show up on the wrong side

Workaround:
no workaround


621284-5 : Incorrect TMSH help text for the 'max-response' RAMCACHE attribute

Component: WebAccelerator

Symptoms:
The TMSH help text for the 'max-response' RAMCACHE attribute incorrectly states that for the default value of 0 (zero) unlimited cache entries are allowed. In reality the number of cache entries is limited to 10.

Conditions:
Invoking the TMSH man/help page on RAMCACHE.

Impact:
Incorrect TMSH help text

Workaround:
N/A


621260-5 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.


621158-1 : F5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
F5vpn does not close upon closing session.

Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.


620969-3 : iControl doesn't give correct valid key sizes for FIPS keys on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.

Component: TMOS

Symptoms:
Using the get_valid_key_sizes() for querying the valid key sizes, 1024 is returned, which is not valid when the FIPS firmware is version 2.2 or above.

Conditions:
FIPS firmware is version 2.2 or above.

Impact:
Unsupported key-size is returned.


620954-3 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.


620844-1 : DoS: tmm core after delete packet type from Device Sweep vector

Component: Advanced Firewall Manager

Symptoms:
During the config change of Sweep vector, when all tmm threads delete the rate tracker, a race condition might occur that could prevent the tracker from being deleted. As a result, some tmm threads might see the new instance, which causes the tmm thread to abort.

Conditions:
This potential race condition occurs after delete packet type from Device Sweep vector.

Impact:
tmm thread might abort if a race condition occurs. Traffic disrupted while tmm restarts.

Workaround:
None.


620556-1 : Fragmented packets on clone pool for L7 virtual server targeting another L7 virtual server through iRule

Component: Local Traffic Manager

Symptoms:
Fragmented packets may be transmited to clone pool members of virtual server, which is also forwarding its traffic to another virtual server.

Conditions:
One virtual server should be configured to forward traffic to another one using iRule, i. e.

when CLIENT_ACCEPTED {
  virtual another_virtual
}

This forwarding virtual should also have clone pool configured.

Impact:
Fragmented packet are transmitted to pool members, which affects performance and may trigger some intrusion detection systems.


620522-1 : Some expected command output are missing in qkview

Component: TMOS

Symptoms:
Some commands are not executed and output are not collected by qkview.

Conditions:
If total execution time of all commands is exceeding 360 seconds.

Impact:
Missing command output in qkview tar file.

Workaround:
Missing commands need to be executed manually to share output with F5 support.


620311-1 : GUI Failover Unicast Address information incorrect

Component: TMOS

Symptoms:
In the GUI, the Failover Unicast Address information for the peer device shows the Management IP of the local device, instead of the peer's Management address.

Conditions:
Failover Device group with failover unicast addresses configured with management addresses.

Impact:
GUI displays incorrect address. *Mgmt addresses listed incorrectly show local mgmt addresses in the following locations:
-- Device management :: Devices :: <peer device>
-- Device Connectivity: Failover Unicast Configuration

Workaround:
None.


620053-1 : Gratuitous ARPs may be transmitted by active unit being forced offline

Component: Local Traffic Manager

Symptoms:
When cluster's active is forced offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active blade is forced offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Failover the cluster before forcing offline or configuring MAC masquerading.


619667-1 : Allow Local DNS Servers is not honored on Mac OS X

Solution Article: K34751151

Component: Access Policy Manager

Symptoms:
In some cases of split tunnel local DNS resolution on client does not work.
Its "emulated" full tunnel mode i.e. split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0 and don't allow local subnet access.

Conditions:
Configure Allow Local DNS Servers is not honored on Mac OS X.
Configure split tunnel and IPv4 LAN address space of 0.0.0.0/0.0.0.0.
Disable local subnet access.
System has only one physical adapter (ethernet or wifi) available for networking.

Impact:
DNS resolution fails for some split tunnel deployment cases.

Workaround:
Specify "*" in DNS included address space to forward all DNS traffic over the tunnel.


619419 : Workaround for Software Installation Failures in TMUI

Component: TMOS

Symptoms:
A software installation fails for one of several reasons (unsupported software versions, lack of disk space, etc). This failure leaves the software volume in a state where future installations cannot be completed.

Conditions:
Software installation fails.

Impact:
You cannot install software on the failed volume. You will see "Previous installation not complete" message if you attempt to install software on this failed volume.

Workaround:
1. Installation fails.
2. Navigate to System >> Disk Management. Click on HD1 (for example)
3. Under Contained Software Volumes, you can see the reason for failure on the failed volume.
4. Select the failed volume and click Delete. Confirm you want to delete the failed volume.
5. Once the volume is deleted successfully, return to System >> Software Management : Image List
6. Select a valid image and click the Install button.
7. Under Volume Set Name enter a valid name and click the Install button.


619397 : LCD shows error screen on boot or after license expires

Solution Article: K04055706

Component: Device Management

Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.

Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.

Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.

Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.


619099 : 'General Database Error' while changing the Admin UI authentication type

Component: Access Policy Manager

Symptoms:
Failed to choose Authentication type from Local to other BIG-IP-supported authentication type.

Conditions:
-- User Directory is Remote - APM Based.
-- Authentication Type is RADIUS, AD, LDAP or TACACS+.
-- All needed information about the AAA Server is specified.

Impact:
GUI error: 'General Database Error'.

Workaround:
None.


618982-1 : IPSEC + chassis behavior for case secondary blades on-off switch.

Component: TMOS

Symptoms:
After cmp_state change (secondary blade restart), some flows will fail

Conditions:
Adding-removing blades causes DAG flow redistribution and redistribution IKE/IPSEC SA's and IPSEC data flows between existing blades. It makes some flows interrupted and IPSEC peer disconnect.

Impact:
Some users may lose their connections and have difficulty restoring them.

Workaround:
None


618889-1 : Clicking the policies list tab does not refresh the policies list on click.

Component: TMOS

Symptoms:
Clicking the policies list tab does not refresh the policies list on click.

Conditions:
This occurs on the policy list page

Impact:
If the policy list changed, the updates will not be displayed.

Workaround:
Refresh the browser or click the menu Local Traffic > Policy List in order to refresh the page


618693-3 : Web Scraping session_opening_anomaly reports the wrong route domain for the source IP

Component: Application Security Manager

Symptoms:
When generating a web scraping attack of session opening anomaly type, there is an attack start/end event shown in the /var/log/asm and GUI: Security :: Event Logs : Application : Web Scraping Statistics. The event has a "source ip" field which should come along with the route domain. In the case of "session opening anomaly" the route domain is always zero. (For example: 127.0.0.1%0). Even there is a non-zero route domain configured.

Conditions:
Route domain is configured and a web scraping attack event triggers.

Impact:
Incorrect route domain field is shown in the GUI and /var/log/asm.

Workaround:
None. This is a cosmetic error. The system uses the correct route domain


618637-1 : Sometimes f5fpc cannot establish Network Access connection and incorrectly reports 'Session timed out' error

Component: Access Policy Manager

Symptoms:
Sometimes f5fpc cannot establish Network Access connection. Successfully established Network Access connection and subsequent login retries will fail with 'Session timed out' error.

Conditions:
This intermittent issue might occur after there has been a successfully established Network Access connection, and a user retries to login once or multiple times.

Impact:
Network Access cannot be established and 'Session timed out' error is presented to the user.

Workaround:
1) Find all processes with regex f5std, svpn and manually kill them.
2) Restart host OS.


618503-1 : Irrelevant fields visible in Logging profile

Component: Application Security Manager

Symptoms:
When switching from logging format 'BIGIQ' to logging format 'Key-Value Pairs' in Application Security logging profiles, 'Maximum Request Size' and 'Maximum Query String Size' properties are not removed.

Conditions:
Switch from logging format 'BIGIQ' to logging format 'Key-Value Pairs' in Application Security logging profiles.

Impact:
Irrelevant fields visible.

Workaround:
None.


618463-2 : artificial low route mtu can cause SIGSEV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.

Conditions:
see above

Impact:
Traffic disrupted while tmm restarts.

Workaround:
configure correct MTU


618319-5 : HA pair goes Active/Active, and reports peer as 'offline' if network-failover service is blocked

Solution Article: K58255321

Component: TMOS

Symptoms:
All members of a Sync/Failover Device Group report 'Active' for all traffic-groups, and 'Offline' for all peers. Configuration sync works appropriately.

Conditions:
This can occur if the network failover configuration is incorrect. Each device should have multiple network failover addresses (either unicast or multicast) configured, and any self-IPs configured as unicast addresses must not block the configured unicast UDP source-port (default value: 1026).

If this port is blocked, the devices cannot exchange failover status information.

Impact:
When devices cannot reach the failover address of their peer devices, failover traffic is not processed correctly and the device become active for all traffic groups. This results in duplicate IP addresses on the network for the objects in the traffic groups, which causes a disruption of service.

Workaround:
Ensure that the 'allow-service' parameter for the self-IP address includes the configured network-failover port.

Normally this is done with 'allow-service { default }' if using the default default-list, or an explicit entry can be used with 'allow-service { udp:1026 }'.


618137-1 : Native IXLV: New tagged VLAN does not work after several restarts of tmm

Component: TMOS

Symptoms:
Traffic does not pass for newly added tagged VLANs.

Conditions:
1. Native IXLV devices (Intel X710/XL710/XXV710 family) NICs are in use.
2. Tagged VLAN in use.
3. TMM is restarted several times.
4. A new tagged VLAN is added.

Impact:
The BIG-IP system does not send/receive traffic for tagged VLANs.

Workaround:
To work around this, do the following:

1. Stop the BIG-IP guest.
2. Re-load the i40e driver on the hypervisor host using the following command: rmmod i40e; modprobe i40e.
3. Start the BIG-IP guest.


618131-1 : Latency for Thales key population to the secondary slot after reboot

Component: Local Traffic Manager

Symptoms:
It may take a significant amount of time for the Thales key to populate from the primary slot to the secondary slot after a reboot. The latency can be a few minutes.

Conditions:
This occurs for Thales netHSM installed on Chassis.

Impact:
The key can't be found at secondary slot and the ssl traffic may fail.

Workaround:
If SSL handshakes fail on secondary blades for newly created Thales keys, you may check secondary blades with
 
    nfkminfo -l
 
to see if the file is there. If not the file can be synchronized with rfs-sync --U.


618104-1 : Connection Using TCP::collect iRule May Not Close

Component: Local Traffic Manager

Symptoms:
The BIG-IP never sends a TCP FIN in response to a client FIN.

Conditions:
A finite TCP::collect iRule is in progress.

This is repeatable in the debug kernel; in the default kernel, there has to be execution delay in a CLIENT_DATA iRule.

Impact:
The connection does not close until the sweeper causes a RST.

Workaround:
Adding a TCP::close command to a CLIENT_DATA iRule may work.


617875-1 : vCMP guest may fail to start due to not enough hugepages

Component: TMOS

Symptoms:
In rare cases, when there are many vCMP guests, the last one may fail to start because there are not enough hugepages. The shortfall is between 5 and 20 hugepages. Occasionally, that lack is sufficient to prevent the last guest from starting.

Conditions:
The circumstances under which this occurs are not known, but appears related to a race condition related to memory handling.

Impact:
vCMP guest fails to start.

Workaround:
Once in this state, restarting the host system clears the condition.

Note: Restarting the vCMP guests does not clear the condition.


617643-1 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display 'An error has occurred while trying to process your request.'

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use shell for related administrative tasks or if feature is not used, disable with the following command:

tmsh# modify sys db icontrol.forcesessions value disable


617629-1 : Same report is downloaded repeatedly after user clicks on "export csv" and then click on another tab

Component: Access Policy Manager

Symptoms:
If you click on the "export csv" button and then switch to another report, the same csv file will be download again when you click on the tab of another report.

Conditions:
Creating multiple reports in Access Report page and clicking on the "export csv" button in one report.

Impact:
Same file will be downloaded repeatedly.

Workaround:
Refresh the page before switching to another report.


617578-2 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware

Component: TMOS

Symptoms:
On a BIG-IP provisioned with LTM only, the radius profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and configuration utility

Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.

Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
    app-service none
    defaults-from radiusLB
}

However, viewing the profile in the configuration utility Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware
Settings field Custom checkbox
Persist Attribute disabled
Subscriber Discovery enabled
Client Spec disabled
Protocol Profile(_sys_radius_proto_imsi) enabled

On a device which does not PEM licensed, the Protocol profile should be set to None but shows as enabled.


617324-2 : Service health calculation creates unjustified CPU utilization

Component: Anomaly Detection Services

Symptoms:
When ASM provisioned service health is calculated and published to all VSs with security profile, even if stress-based detection is not configured

Conditions:
AFM provisioned and configured hundreds of VSs with security profile

Impact:
High CPU utilization

Workaround:
No


617161-1 : Cosmetic: duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers.

Component: TMOS

Symptoms:
There is a cosmetic issue that results in duplicated partition names in the 'Resource Management' window when assigning iRules to Virtual Servers (in Local Traffic :: Virtual Servers : Virtual Server List :: Virtual_Server_name).

Conditions:
1) Go to Local Traffic :: Virtual Servers : Virtual Server List : Virtual_Server_name : Resources : Manage iRules.
2) Move any two available iRules (created in Common partition) left to the 'Enabled' column.
3) Select the bottom iRule from the 'Enabled' column and click the 'Up' button.
4) Add an additional iRule (created in Common partition) to the 'Enabled' column.

Impact:
Instead of showing all iRules under one partition name (Common), the system is duplicating the partition name.

Workaround:
None. This is cosmetic.


616021-1 : Name Validation missing for some GTM objects

Solution Article: K93089152

Component: Performance

Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.

The following GTM objects are susceptible to this control character issue:

gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool

Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.

Reproduction example:

create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters prior to creating GTM objects.


615303-2 : bigd crash with Tcl monitors

Solution Article: K47381511

Component: Local Traffic Manager

Symptoms:
bigd crashes after logging an error similar to the following:

emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream

Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.

-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

-- May be particularly likely if the monitor is configured with an interval value of 1 second.

Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).

Impact:
bigd crashes and error messages.

Possible interruption of monitoring status, pool members going down, interruption of traffic.

Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.


614808-1 : Running qkview with option -c (--complete) fails if there is an encrypted key

Component: TMOS

Symptoms:
When you run qkview -c, you are prompted for a password:
Enter pass phrase for ./Common_d/certificate_key_d/:Common:f5_api_com.key_64768_1:

Conditions:
An OpenSSL key exists that is encrypted with a passphrase.

Impact:
qkview -c cannot be run because /bin/printcertmods requires a valid passphrase to finish.

Workaround:
Unless you can enter passphrases from the command line, assuming there are a small number of such keys and the passphrase is available, there is no workaround.


614648-1 : Unable to upload software image larger than 2GB using the GUI

Component: TMOS

Symptoms:
If you attempt to upload a software image at the System :: Software Management : Image List :: New Image screen, the following results may be observed:
-- The Progress bar in the GUI never moves from 0%.
-- A temporary file is created under /shared/images with a name in the form of: upload_###################.dat.
-- The temporary file is never renamed to the correct image file name (as uploaded).

Conditions:
This may occur when the size of the software image to be uploaded is larger than 2 GB in size.

Note: The BIG-IP v14.1.0 Upgrade ISO is 2.1 GB in size. Other BIG-IP v13.x and v14.x Recovery ISOs may also be larger than 2 GB in size.

Impact:
Unable to upload software image via the GUI.

Workaround:
1. Use another method, such as SCP, to copy the BIG-IP software image to the target BIG-IP system.
2. After sufficient time has elapsed to allow the software image upload to complete, manually rename the temporary file under /shared/images to the final file name.

Note: It is highly recommended to verify the md5sum of the temporary file to confirm that upload is complete, and that the temporary file is an accurate copy of the original software image uploaded.


614493-1 : BIG-IP reset on ePVA accelerated flow may contain stale TCP window information.

Component: TMOS

Symptoms:
Reset sent by BIG-IP system on ePVA accelerated active flows might contain stale sequence number and ACK number, which might be out of the receiver's valid RST window.

Conditions:
For example, server side pool member down events lead to BIG-IP reset of all client flows on the pool member. If these flows are actively offloaded in ePVA with heavy traffic at the time of pool member down and reset sending out time, the SEQ/ACK number for the sending RST by BIG-IP SW might not be recent, and therefore a RST with most SW aware SEQ/ACK will be encoded.

Impact:
These RST might be ignored by the receiver if it is out of the valid window. The receiver must rely on the idle or alive timeout to clean this up. Although the receiver must rely on its TCP alive or idle timeout to activate in order to clean up these connections, this is the standard TCP stack behavior.

Workaround:
None.


614410-3 : Unexpected handling of TCP timestamps in HA configuration

Component: Local Traffic Manager

Symptoms:
Despite TCP timestamps being configured, the BIG-IP system fails to present timestamp option during TCP negotiation.

The BIG-IP system calculates invalid round trip time, which might result in delayed retransmission.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- Virtual server configured with connection mirroring.

Impact:
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Workaround:
None.


614364-1 : Linux client NA components cannot be installed neither using sudo password nor root password

Component: Access Policy Manager

Symptoms:
Linux client Network Access components cannot be installed neither using sudo password nor root password on firefox browser. Issue occurs because version reported is incorrect and post installation version on the machine still doesn't match with version reported by the server.

Conditions:
Firefox web browser, NPAPI plugins, Network Access on Linux distributions

Impact:
Installation and update of web browser plugin for network access fails


614072-1 : Source Address Translation to SNAT pool breaks SWG explicit use case for IP based session.

Component: Access Policy Manager

Symptoms:
All SWG session maps to SNAT pool IP and many requests will get stuck.

Conditions:
SWG virtual with Source Address Translation to SNAT pool, create session and send traffic for expired session

Impact:
Request will get stuck in ACCESS filter and browser will keep looping..

Workaround:
Change source address translation to AUTOMAP instead of SNAT Pool.


613844 : iApp may fail to install if AFM is provisioned

Component: Advanced Firewall Manager

Symptoms:
When you try to deploy the f5.microsoft_sharepoint_2016.v1.0.0rc1 iApp from the GUI, the install may fail when AFM is provisioned. A similar error occurs when deploying f5.http iApp. The failure to deploy might not be related to a specific iApp.

Conditions:
-- AFM provisioned.
-- Using the GUI to deploy the iApp, f5.microsoft_sharepoint_2016.v1.0.0rc1, f5.http, and others.

Impact:
Deployment fails.

Workaround:
None.


613542-2 : tmm core while running the iRule STATS:: command

Solution Article: K81463390

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED


613483-2 : Some SSL certificate SHA verification fails for different SHA prefix used by crypto codec.

Solution Article: K18133264

Component: Local Traffic Manager

Symptoms:
For PKCS#1, the SHA256 header should be:
30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20.

However, there might also be this alternate header:
30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20,

Some implementation use the alternate. According to PKCS#1, the first one is used when producing signature, but both should be accepted when verifying signatures.

In BIG-IP, SSL uses the 1st header: 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20, whereas crypto uses the 2nd header format for some cert verification: 30 2f 30 0b 06 09 60 86 48 01 65 03 04 02 01 04 20, which causes the inconsistent and signature verification fail.

Conditions:
For some particular certificates, crypto uses alternative SHA prefix for verification.

Impact:
SSL handshake fails because of certificate verification failure.

Workaround:
None.


612758-1 : Exception within function F5_Inflate_innerHTML.

Solution Article: K46453748

Component: Access Policy Manager

Symptoms:
Using the Mozilla FireFox browser might cause portal access to keep reloading.

Conditions:
Web-application contains object created by application code with following properties:
o = {tagName: true, setAttribute: true}

o.innerHTML = "any_value";

Impact:
Web-application does not work as expected.

Workaround:
Use the following iRule (customization required for /PATTERN_PATH):

# Updated workaround for SR 1-2326181581

when REWRITE_REQUEST_DONE {
  if { [HTTP::path] contains "/PATTERN_PATH" } {

    # log "URI=([HTTP::path])"
    # Found the file we wanted to modify

    REWRITE::post_process 1
  }
}

when REWRITE_RESPONSE_DONE {
  set strt [string first {<script>} [REWRITE::payload]]

  if {$strt > 0} {
    REWRITE::payload replace $strt 0 {
      <script>
        if (typeof F5_Inflate_index !== 'undefined' && typeof F5_old_Inflate_index === 'undefined') {
          var F5_old_Inflate_index = F5_Inflate_index;
          F5_Inflate_index = function(o, s, incr, v) {
            if (typeof v !== 'boolean') return F5_old_Inflate_index (o,s,incr,v);
            return (o[s] = incr ? o[s] + v : v)
          }
        }
      </script>
    }
  }
}


612584-1 : Server side blocking/asm cookie setting may not work under some circumstances

Solution Article: K34500121

Component: Application Security Manager

Symptoms:
ASM Cookies are not set, blocking doesn't happen due to server side violation (such as HTTP status or attack signature in response), or data guard masking/blocking doesn't happen.

Conditions:
CSRF or web scraping is configured.

Impact:
False negative - missing blocking.
False positives due to possible missing cookies.

Workaround:
Add the following iRule to the web server:

when HTTP_REQUEST {
  if { [HTTP::uri] contains "TSbd"} {
    HTTP::header remove "Connection"
    HTTP::header insert "connection" "close"
  }
}


612143-2 : Potential tmm core when two connections add the same persistence record simultaneously.

Component: Service Provider

Symptoms:
If two messages processed on different connections with the same persistence key add a persistence record at the same time, one add operation is returned a non-fatal error, stating the 'a' record exists. The error might cause the message to be sent to both the destination and the originator, which fails.

Conditions:
Two messages processed on different connections with the same persistence key add a persistence record at the same time.

Impact:
A potential core occurs. The error might cause the message to be sent to both the destination and the originator, which fails. Traffic disrupted while tmm restarts.

Workaround:
None.


612086-3 : Virtual server CPU stats can be above 100%

Solution Article: K32857340

Component: TMOS

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.


612083 : Following an AC power cycle, the System Event Log may list HW, PCIe or DMI errors.

Component: TMOS

Symptoms:
One or more of the following messages appear in the system event log:

CPU0 HW Correctable Error
CPU 0 Corrected Error: Port 1a PCIe* logical port has detected an error.
CPU 0 PCI/DMI Error B:D:F 0x8: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x8: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x8: rperrsts: multiple_correctable_error_received
CPU 0 Corrected Error: DMI Error Status
CPU 0 PCI/DMI Error B:D:F 0x0: xpglberrsts: pcie_aer_correctable_error
CPU 0 PCI/DMI Error B:D:F 0x0: corerrsts: receiver_error_status
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: correctable_error_received
CPU 0 PCI/DMI Error B:D:F 0x0: rperrsts: multiple_correctable_error_received

Conditions:
The error messages may appear following an AC power cycle of the BIG-IP i-Series platforms: i2000, i2800 and i4000.

Impact:
The system detected an error on an internal bus and was able to correct it. There is no data loss or functional impact.

Workaround:
There is no mitigation or workaround for this.


611652-3 : iRule script validation presents incorrect warning for 'HTTP::cookie cookie-name' command.

Component: Local Traffic Manager

Symptoms:
While saving an iRule containing HTTP::cookie without the value parameter, you get a validation warning: 'warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. 'unexpected end of arguments;expected argument spec:COOKIE_NAME"160 25][HTTP::cookie $cookie_name]'.

The offending iRule command looks similar to this:
[HTTP::cookie $cookie_name]

Conditions:
iRules containing HTTP::cookie, but missing the optional value parameter, e.g. [HTTP::cookie $cookie_name].

Impact:
Validation warning incorrectly occurs if the optional 'value' parameter is left off. Note that the iRule is still loaded into the configuration.

Workaround:
Use the 'value' parameter in the HTTP::cookie command:
[HTTP::cookie value $cookie_name].


611485-1 : APM AAA RADIUS server address cannot be a multicast IPv6 address.

Component: Access Policy Manager

Symptoms:
In the 13.0.0 release, support for AAA RADIUS direct IPv6 is added. However, validation will prevent using a multicast address for AAA radius IPv6 address. If you upgrade from a previous version to this version, you will see a validation error when the configuration loads.

Conditions:
The validation error occurs if APM AAA RADIUS address is an IPv6 multicast address on BIG-IP version 13.0.0 and beyond.

Impact:
Support for AAA RADIUS direct IPV6 is added in BIG-IP version 13.0.0. And the new validation affects only IPv6 multicast address. So any working IPv4 configuration will not be affected by this validation.

Workaround:
Multicast IPv6 addresses are not supported for direct IPv6 RADIUS, ensure you are using unicast addresses.


611327-1 : Using an established app tunnel may display a Java exception error message.

Solution Article: K35559723

Component: Access Policy Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

When users attempt to use the established access session app tunnel, their Mac OS X device displays a Java exception error message similar to the following example:

An uncaught exception was raised. Choose "Continue" to continue running in an inconsistent state. Choose "Crash" to halt the application and file a bug with Crash Reporter. Choosing "Crash" will result in the loss of all unsaved data.

When the user selects Continue, the exception error message is immediately displayed again (loop).

When the user selects Crash, the established app tunnel is terminated.

Though the Java exception error message is displayed, the app tunnel functions as expected.

Conditions:
This issue occurs when all of the following conditions are met:

-- The local user device is running Mac OS X 10.12 (Sierra).
-- The BIG-IP APM system is configured with an app tunnel that is Java Tunnel-enabled.
-- The user established an access session using the Safari 10 web browser.
-- The user launches an app tunnel session.
-- The user attempts to use the established app tunnel.

Impact:
Cannot use Safari 10 web browser for an app tunnel that is Java Tunnel-enabled.

Workaround:
To work around this issue, you can use an alternate browser, or Apple Safari browser, or ignore the system generated error message while using the app tunnel.


611054-1 : Network failover "enable" setting is sometimes ignored on chassis systems

Component: TMOS

Symptoms:
The failover device group network-failover attribute has no effect on chassis systems. The high availability subsystem will continue to send network failover packets, and continue to operate normally, even if this is set to "disable".

Conditions:
This only affects chassis systems. On appliances, the setting takes effect, causing all devices to become Active simultaneously.

Impact:
System appears to failover normally even when the configuration is incorrect; however, if the system contains more than one traffic-group, the next-active calculation and other failover features do not function correctly.

Workaround:
Enable network-failover in the sync-failover device-group.


610682-2 : LTM Policy action to reset connection only works for requests

Component: Local Traffic Manager

Symptoms:
The LTM Policy forwarding action 'reset', which forcibly terminates the client connection, works for requests, but gives an error when used with a response event.

Conditions:
Issue occurs in an LTM Policy rule where one or more of the conditions is associated with HTTP response, for example, checking the HTTP status code in the response from a backend server.

Impact:
LTM Policy action does not work. System posts error message similar to the following: transaction failed:010716e2:3: Policy '/Common/Drafts/mypolicy', rule 'rule-1'; an action precedes its conditions.

Workaround:
None.


610436-3 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Solution Article: K13222132

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service, when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP APM configuration uses a network access profile.
-- The user device is running Windows 10 and is connected to two networks through two network interfaces.
-- The Windows user has installed the BIG-IP Edge Client that includes the DNS Relay Proxy Service.
-- Prior to establishing an access session, the lower index network interface of the Windows device is disconnected.
-- The Windows user establishes an access session using BIG-IP Edge Client.
-- The Windows device's lower index network interface is reconnected.
-- The Windows user attempts a DNS resolution.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
To work around this issue, add the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient with DWORD EnableMultiHomedRouteConflicts set to 0.

This reverts the Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy creates listeners on loopback for incoming requests, and the driver redirects DNS requests to the listener on the loopback.

Important: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.

For step-by-step instructions for adding this registry key, see K13222132: The DNS Relay Proxy Service may fail to resolve DNS requests :: https://support.f5.com/csp/article/K13222132.


610077-2 : Access Policy Manager CRL cache is locked out for CRLDP authentication

Component: Access Policy Manager

Symptoms:
A page protected by an Access Policy cannot be displayed after submitting credentials.

Internally, on the BIG-IP device, apmd CPU utilization becomes very high.

Conditions:
1. Access policy uses CRLDP authentication.
2. Cached CRL file(s) are expired.

Impact:
Unable to log on due to CRL cache lockout.

Workaround:
None.


609200-2 : Hotfix installation failure using certain version 11.x software to host incremental hotfix application of version 12.x software.

Component: TMOS

Symptoms:
Hotfix installation fails using certain version 11.x software to host incremental hotfix application of version 12.x software.

Conditions:
This issue occurs when the following conditions are met:
-- Active software is v11.x.
-- Target software is v12.x.
-- This is the first attempt install a hotfix to the installation target.

Impact:
Cannot install hotfix.

Workaround:
Delete the target location, and perform the hotfix installation again.

Subsequent attempts to install the hotfix will automatically install the base release first, which includes the needed DB hash type, and the hotfix will succeed.


609186-5 : TMM or MCP might core while getting connections via iControl.

Component: TMOS

Symptoms:
When getting the connections list over iControl using System.Connections.get_list(), TMM or MCP cores or exits.

Conditions:
Using iControl to view all connections, and there is a very large number of connections (1 million or more) in the list.

Impact:
TMM or MCP may core or exit. Traffic disrupted while tmm restarts.

Workaround:
None.


609043-1 : When BIG-IP processes SAML Single logout request/response, tmm cores intermittently.

Component: Access Policy Manager

Symptoms:
The tmm process crashes.

Conditions:
-- BIG-IP system is configured as SAML IdP or SAML SP.

-- BIG-IP processes SAML Single Logout Request/Response

Impact:
Traffic disrupted while tmm restarts. All APM end users must log back in.

Workaround:
None.


608511-2 : Message router profile is not inheriting the traffic-group from the parent folder

Solution Article: K22141268

Component: TMOS

Symptoms:
The standby system sends gratuitous ARPs on the standby system for virtual servers configured with message router.

Conditions:
This symptom may occur if:
-- The message router profile traffic-group is set to default (inherit from folder).
-- The message router profile folder is also set to inherit from parent folder.
-- A configuration change is made to the virtual server on the non-active unit.

Impact:
Traffic is routed to the standby system instead of the active one, causing connections to stall/fail until the neighbor table is updated.

Workaround:
Set traffic-group on the message router profile.


608453-1 : Shrink/Expand imgs of Webtop Section is customizable

Component: Access Policy Manager

Symptoms:
Changing images for Shrink/Expand of Webtop Section in Webtop Customization does not actually change images on client; users see default images instead

Conditions:
This is encountered when using Webtop Customization.

Impact:
The default image is displayed instead of the customized image.

Workaround:
None.


607684 : tmsh provides option to delete all URLs from a custom category, which is not possible

Component: Access Policy Manager

Symptoms:
tmsh provides a command option for admin to delete all URLs from a custom category. However, this is not a valid option, and an error will be displayed. The system presents the following error:
Configuration error: Cannot delete url (http://www.example.com*). This occurs because because url-category (/Common/ex) is a custom category. A custom category must have at least one URL.

Conditions:
Running the following command:
tmsh modify sys url-db url-category pattern urls delete { all }

Impact:
No URLs are deleted. Each URL must be deleted individually.

Workaround:
Delete URLs individually.


607166-1 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
The most common uses of hidden files are per-user shell configuration and history.

Workaround:
Manually copy configuration files onto other blades.


606799-1 : GUI total number of records not correctly initialized with search string on several pages.

Solution Article: K16703796

Component: TMOS

Symptoms:
GUI total number of records not correctly initialized with search string on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.


606330-4 : The BIG-IP system does not accept BGP connection requests when using peer-groups and no default address family.

Component: TMOS

Symptoms:
The BIG-IP system does not accept incoming or initiate outgoing BGP connections when using peer-groups and no default address family.

Conditions:
BGP configured with 'no bgp default ipv4-unicast' and neighbors configured using a peer group that's explicitly activated for IPv4.

Impact:
The BGP connection to any neighbor in the peer group will not come up until 'clear ip bgp' is run on the neighbor or tmrouted is restarted.

Workaround:
Clear the BGP neighbor after changing the configuration.


606032 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


605891-1 : Enable ASM option disappears from L7 policy actions

Component: TMOS

Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.

Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.

Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.

Workaround:
Enable ASM using tmsh instead of the GUI.


605840-5 : HSB receive failure lockup due to unreceived loopback packets

Component: TMOS

Symptoms:
HSB reports a lockup due to a receive failure. Analysis of the HSB receive/transmit rings indicate that this is a false positive. Loopback packets were successfully transmitted, but not received, resulting in the receive failure. /var/log/ltm contains this signature: notice *** TMM 9 - PDE 19 - receive failure ***

Conditions:
Unknown.

Impact:
The unit is rebooted.

Workaround:
None.


605800-3 : Web GUI submits changes to multiple pool members as separate transactions

Component: TMOS

Symptoms:
You notice an unusually high amount of sync traffic when changing many pool members at once. In extreme cases, mcpd may run out of memory and crash.

Conditions:
When looking at a list of pool members, it is possible to choose to view many pool members at once, and you can then select them all and enable or disable them with one press of a button. Rather than sending all of the operations in a single transaction, the GUI code updates each pool member one by one. When there are a lot of pool members and auto-sync is being used, this can cause race conditions that can generate a large number of transactions going from the local machine to the remote machine.

Impact:
This can cause an unusually high amount of sync traffic to occur between devices in the sync group with auto-sync enabled. In extreme cases this can cause mcpd to crash and traffic is disrupted while mcpd restarts.

Workaround:
If you frequently need to enable/disable many pool members at once, there are a couple of options:
1. You can switch to manual sync during this operation.
2. You can minimize the number of pool members that are altered at once. The issue was observed when changing over 300 pool members at once.


605675-1 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Device group modify operations, or set-sync-leader, might generate full loads faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
-- High availability (HA) configurations.
-- Config sync operations.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring is depending on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.


605414-1 : Mysqld and bcm56xxd seem to run at 100% on vCMP host.

Solution Article: K23230852

Component: Application Visibility and Reporting

Symptoms:
Mysqld and bcm56xxd seem to run at 100% on vCMP host.

Conditions:
When the hypervisor collects statistical data from itself and all hosted guests, too many system resources are used, leading to constant updates of data to mysql.

Impact:
This results in the hypervisor not functioning properly.

Workaround:
Execute the following command:
bigstart stop monpd.

Impact of this workaround: Although no statistical data will be collected, the hypervisor will perform all other functions.


605175-1 : Backslashes in monitor send and receive strings

Component: Local Traffic Manager

Symptoms:
After creating a monitor using the GUI containing a recv parameter with a backslash such as '\* OK', loading the configuration generates a validation error:

01070753:3: Monitor /Common/test recv parameter contains an invalid regular expression (Invalid preceding regular expression).
Unexpected Error: Loading configuration process failed.

Attempting to configure the same monitor via tmsh throws the validation error before creating the monitor, but the GUI allows the single backslash. Two backslashes are required in this case.

Conditions:
Using the GUI to configure a monitor, whose receive string needs to look for a backslash, and only a single backslash is entered in the GUI.

Impact:
Configuration fails to load after it is successfully created via the GUI. The GUI accepts this when it should throw a validation error: two backslashes are required.

Workaround:
When configuring the monitor via the GUI, use two backslashes instead of one.


605018-2 : Citrix StoreFront integration mode with pass through authentication fails for browser access

Solution Article: K47516511

Component: Access Policy Manager

Symptoms:
Citrix StoreFront integration mode with pass through authentication fails for browser access. After providing the credentials, browser access continuously asks for 'Can not complete the request', press 'OK'.

Conditions:
This occurs when the following conditions are met:
- APM is configured in integration mode with StoreFront.
- External access virtual server IP is used in Citrix gateway configuration 'Subnet IP address' column.
- (Request Header Insert) :: [X-Citrix-Via-Vip:10.10.10.10], 10.10.10.10 is the virtual server IP address. Request Header Insert is configured on the HTTP profile of the same virtual server.

Impact:
No browser access to StoreFront.

Workaround:
StoreFront combines multiple headers of the same name and cannot use the resulting value. You can workaround this issue by stripping multiple headers of type x-citrix-via-vip.
Make 10.10.10.10 the corresponding External access virtual IP address.

when HTTP_REQUEST {
   if { [HTTP::header count "X-Citrix-Via-Vip"] >= 2 } {
        HTTP::header remove "X-Citrix-Via-Vip"
        HTTP::header insert "X-Citrix-Via-Vip" "10.10.10.10"
    }
}


604811-3 : Under certain conditions TMM may crash while processing OneConnect traffic

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing OneConnect traffic

Conditions:
Removing the OneConnect profile from a virtual server while passing traffic.

Impact:
TMM crash leading to a failover event


604050 : Failed to get master key (ERR_NOT_FOUND) in apm log on first boot

Component: Access Policy Manager

Symptoms:
After booting a new platform for the first time, you may see the following log entry in /var/log/apm:
err tmm1[17340]: 01490563:3: (null):Common:00000000: Access stats encountered error: Failed to get master key (ERR_NOT_FOUND)

Conditions:
Viewing /var/log/ltm after first boot

Impact:
This is a residual log entry and is benign and can be safely ignored


603772-1 : Floating tunnels with names more than 15 characters may cause issues during config-sync.

Component: TMOS

Symptoms:
Floating tunnels with names more than 15 characters may cause issues in config-sync, because such a long name is truncated when creating a corresponding Linux tunnel interface.

Conditions:
The BIG-IP system consists of both floating and non-floating tunnels and their names are longer than 15 characters.

Impact:
When the config-sync happens, the following error may occur:

Caught configuration exception (0), Cannot create tunnel 'g123456789abc~1' in rd0 - ioctl failed: File exists.

Workaround:
Some workarounds are available:

- Make sure that tunnel names are less than 16 characters; or

- Make sure that the names of floating and non-floating tunnels do not share a common prefix in the first 15 characters; or

- Make sure that the BIG-IP system does not have a mixture of floating and non-floating tunnels.


603690-2 : CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.

Solution Article: K82210057

Component: Local Traffic Manager

Symptoms:
CPU Saver option not working while the 'latency' compression provider selection algorithm is in use.

Conditions:
APM Edge Client over VPN tunnel. The issue tends to occur when CPR Saver is configured on the Edge Client on devices where hardware compression cannot perform the specific type of compression/decompression being requested.

Impact:
Edge Client shows the VPN tunnel as 'Connected' but no traffic flow. This is an intermittent issue.

Workaround:
You can use either of the following workarounds:

-- Enable CPU Saver in the secure connectivity profile.
  + To do so in the GUI:
    1. Navigate to GUI: Access Policy :: Secure Connectivity :: profile_name :: Compression Settings :: Network Access.
    2. Check the CPU Saver checkbox.

  + To do so in tmsh, run the following command:
tmsh modify apm profile connectivity dummy compress-cpu-saver true

-- Configure compression strategy to 'speed' (from 'latency'). To do so, run the following command:
tmsh modify sys db compression.strategy value "speed".


603380-6 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.

Impact:
You will see messages similar to the following in /var/log/ltm.

   err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort

Workaround:
None.


603093 : AC Power Supply output DC LED does not turn off when the input power is cut-off to it in redundant system

Component: TMOS

Symptoms:
The BIG-IP i-Series platform (i2600, i2800, i4600, i4800) 250W AC power supply PWR-0334-01 and PWR-0334-02 will show differences in their LED behavior when hot swap or hot plug or whenever power is removed from the supply. This includes redundant systems and systems with a single supply.

Conditions:
PWR-0334-01
When the input ramps below 80Vac, the input LED Green Blinking, output LED Amber Blinking.
When the input ramps below 72VAC, the input LED OFF, output LED Amber Blinking.
If the AC cord is removed with 1 or 2 supplies in the system the input LED OFF, output OFF.

PWR-0334-02
When the input ramps below 75VAC + 1VAC, the input LED Green Blinking, output LED Amber Blinking
When the input ramps below 70VAC + 1VAC, the input LED OFF, output LED OFF immediately

Impact:
LED behavior may be inconsistent between revisions of power supply on early platform shipments with PWR-0334-02

Workaround:
N/A


603092-5 : "displayservicenames" does not apply to show ltm pool members

Component: TMOS

Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.

Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.

Impact:
The the IP address but not the service name is displayed.


602390-2 : Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Solution Article: K87506901

Component: TMOS

Symptoms:
Cannot use a foreign charset, such as Cyrillic, Arabic, etc., to customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Conditions:
Customize Advisory Banner, Username Prompt, or Password Prompt in TMUI.

Impact:
Can use only English language characters to customize these fields.

Workaround:
None.


602193-4 : iControl REST call to get certificate fails if

Component: TMOS

Symptoms:
While using the iControl REST API, a call to /mgmt/tm/sys/crypto/cert results in a 400 or 500 error. The call to /mgmt/tm/sys/crypto/key works.

Conditions:
This can occur if any of the certificates contain non utf-8 characters.

Impact:
iControl REST API call will fail.

Workaround:
If possible, generate the certificate to only contain utf-8 characters.


601414-5 : Combined use of session and table irule commands can result in intermittent session lookup failures

Component: TMOS

Symptoms:
[session lookup] commands do not return the expected result.

Conditions:
An iRule which combines use of [table] and [session lookup] commands.

Impact:
Intermittent session functionality.

Workaround:
If possible, use table commands in lieu of session commands.


601189-2 : The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might send TCP packets out of order in Fastl4 in syncookie mode.

Conditions:
-- Fastl4 VS.
-- syncookie mode.

Impact:
TCP packet are sent out of order.

Workaround:
None.


600985-4 : Network access tunnel data stalls

Component: Access Policy Manager

Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.

Conditions:
The cause of this issue is not yet known.

Impact:
Data stalls on the tunnel and hence wont be able to access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.

Workaround:
Manually re-establish the tunnel.


600944-1 : tmsh does not reset route domain to 0 after cd /Common and loading bash

Component: TMOS

Symptoms:
In tmsh, you are in a partition with a custom route domain. When you run 'cd /Common' and run bash then run 'ip route', the routing table from the partition is displayed, not /Common

Conditions:
Attempting to see the route table from the /Common partition after leaving another parition

Impact:
You cannot get /Common's route table back without quitting and restarting tmsh.

Workaround:
Quit tmsh and restart.


600872-1 : Access session inactivity expiration time not updated when accessed with http/2 enabled browsers on Windows platforms.

Component: Access Policy Manager

Symptoms:
APM end user sessions start successfully, but end within a few minutes and they are forced to logon again.

The default timeout is 900 seconds.

Conditions:
- An HTTP/2-capable browser is in use on a Microsoft Windows platform.
- APM and HTTP/2 are enabled on the same virtual server.

Impact:
APM sessions time out at the configured inactivity timeout (default is 900 seconds) regardless of activity, and APM end users must restart their sessions.

Workaround:
Remove HTTP/2 profile from the affected virtual server.


600732-2 : IKEv1 racoon daemon dangling pointer from phase-one SA to deleted peer description

Component: TMOS

Symptoms:
The IKEv1 racoon daemon can crash when a security association (SA) is deleted (which can be done either explicitly on the command line, or indirectly by changing the ike-peer definition in config via tmsh). Usually this crash also requires that the ike-peer be altered or removed at the same time.

Note: Merely altering a v1 ike-peer causes the racoon daemon to first delete the old ike-peer, and then add a new one. So 'modify' effectively means 'delete' in this bug context.

Conditions:
When a v1 ike-peer is changed in any way while the racoon daemon actually has a valid security association in current use.

Impact:
IKEv1 racoon daemon restarts, and then tunnel outage until new SAs are negotiated.

Workaround:
No workaround is known at this time.


600634-2 : Schedule-reports can break the upgrade process

Component: Application Visibility and Reporting

Symptoms:
A scheduled report (of predefined type) that is created via GUI can cause validation error on upgrade and thus might cause the upgrade process to fail. You may see this error in /var/log/ltm:

Syntax Error:(/config/bigip.conf at line: 86) "predefined-report-name" may not be specified with "multi-leveled-report.time-diff"

Conditions:
Creating predefined-scheduled-report from GUI

Impact:
Upgrade process can fail

Workaround:
If the config load fails, you can get the configuration to load by manually removing the scheduled report(s).

Impact of mitigation: this will remove scheduled reports from the configuration.

Edit bigip.conf, and look for analytics objects that have the scheduled-report in the declaration:
analytics application-security scheduled-report /Common/... {

Remove the object and the configuration will load.


600431-6 : DIAMETER::avp data get "id" ip4|ip6 errors on valid AVP

Component: Service Provider

Symptoms:
TCL error in /var/log/ltm that looks like 'error Buffer error invoked from within "DIAMETER::avp data get 257 ip4 index 0"'

Conditions:
iRule that extracts ip address from a diameter avp.

Impact:
The iRule ends with an error.

Workaround:
Instead of
set data [DIAMETER::avp data get 257 ip4]

use an iRule such as

if { [DIAMETER::avp count 257] > 0 } {
        set data [DIAMETER::avp data get 257]
       binary scan $data S family
        switch $family {
            1 {
                # ipv4 should contains 4 bytes
                set ip [IP::addr parse -ipv4 $data 2]
                log local0. "ip = $ip"
            }
            2 {
                # ipv6 should contains 16 bytes
                set ip [IP::addr parse -ipv6 $data 2]
                log local0. "ip = $ip"
            }
            default {
                log local0.alert "address family $family is not supported"
            }
        }
    }


599048-1 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Component: Local Traffic Manager

Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Conditions:
Use of the OCSP Stapling feature.

Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Workaround:
None


598650-1 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.


598204-3 : In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Solution Article: K54284420

Component: Local Traffic Manager

Symptoms:
In syncookie mode, TCP profile MSS is not honored when the BIG-IP system sends back the SYN-ACK.

Conditions:
This occurs when the following conditions are met:
-- TCP profile.
-- syncookie mode.

Impact:
A TCP virtual server might use bigger MSS in syncookie mode and not honor the MSS specified in the profile. Some configurations require a smaller MSS for certain virtual servers, rather than using the VLAN's MTU to calculate the MSS.

Workaround:
None.


597818-2 : Unable to configure IPsec NAT-T to "force"

Component: TMOS

Symptoms:
When configuring IPsec NAT traversal to "Force", the behavior is as if the setting is "Off".

Conditions:
Configuring IPsec NAT Traversal to Force

Impact:
NAT-T does not work

Workaround:
Configure NAT-T to On instead.


597564-3 : 'tmsh load sys config' incorrectly allows the removal of the 'app-service' statement from configuration items

Component: TMOS

Symptoms:
The 'tmsh load sys config' command incorrectly allows users to manually remove the 'app-service' statement from configuration items. For example, if a user is manually editing the bigip.conf file, and they remove the 'app-service' statement from a virtual server, 'tmsh load sys config' will not fail to load the config, which is incorrect.

Conditions:
A user manually edits a BIG-IP configuration file and improperly removes the 'app-service' statement from an object.

Impact:
The lack of the 'app-service' statement effectively disassociates the object from its Application Service. This can lead to further issues down the line. For example, if the object is then updated on a multi-blade VIPRION system, secondary blades will restart with an error similar to the following example:

May 6 08:18:27 slot2/VIP2400-R16-S10 err mcpd[32420]: 01070734:3: Configuration error: Configuration from primary failed validation: 010715bd:3: The parent folder is owned by application service (/Common/dummy.app/dummy), the object ownership cannot be changed to ().... failed validation with error 17241533.

Workaround:
Exercise caution when manually editing BIG-IP configuration files.


597253-1 : HTTP::respond Tcl command may incorrectly identify parameters as iFiles

Component: Local Traffic Manager

Symptoms:
The HTTP::respond iRule command may incorrectly identify parameters as an iFile parameter when attaching the iRule to a virtual server.

Conditions:
HTTP::respond command making use of a variable as a header name. For instance:

HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"

Configure a HTTP/TCP virtual server and attach the iRule.

Impact:
1070151:3: Rule [/Common/example_rule] error: Unable to find ifile (header_value_text) referenced at line 3: [HTTP::respond 500 -version 1.1 content "<content>" "$VariableHeaderName" "header_value_text" "Connection" "close"]

Workaround:
Ensure the offending header name and value are either both literal strings or variables.


596826-5 : Don't set the mirroring address to a floating self IP address

Component: TMOS

Symptoms:
Using tmsh, you can configure the mirroring IP address using the command tmsh modify cm device devicename mirror-secondary-ip ip_address

It is possible to set ip_address to a floating self IP address when using tmsh, but BIG-IP can't mirror to a floating self IP address. The tmsh command will complete without error.

Conditions:
Accidentally setting the mirroring IP address to the floating self IP address using tmsh.

Impact:
Mirroring does not work in this case. If you configured it this way using tmsh, the GUI will show the primary and secondary mirroring address as "None".

Workaround:
Change the mirroring address to a non floating self IP address. The GUI will only present non floating self IP addresses.

For more information about mirroring, see K13478: Overview of connection and persistence mirroring at https://support.f5.com/csp/#/article/K13478


596815-1 : System DNS nameserver and search order configuration does not always sync to peers

Component: TMOS

Symptoms:
Modifying the System DNS nameserver and search order configuration does not always sync during an incremental sync if modified in the GUI or tmsh modify sys db.

Conditions:
The device is in a failover device group with incremental sync turned on.

In the GUI, modify the DNS Lookup Server List or the DNS Search Domain List fields under System >> Configuration : Device : DNS.

In tmsh, tmsh modify sys db dns.nameserver (or dns.domainname), and in some cases tmsh modify sys dns name-servers (or search)

Impact:
Modifications will not change the sync status nor sync the change to peers.

Workaround:
Perform a full sync or use 'tmsh modify sys dns name-servers replace-all-with' or 'tmsh modify sys dns search replace-all-with'.

Optionally, to get this setting to sync, modify the file /config/BigDB.dat to set realm=common for [DNS.NameServers] and [DNS.DomainName] and restart mcpd on all devices in the failover device group. However, this file may get overridden on a hotfix or upgrade.


596278 : ILX workspace created by iApp made from template not deleted when iApp deleted

Component: Local Traffic Manager

Symptoms:
Any ILX workspace created by an iApp from a template (and possibly otherwise) remains even after the iApp is deleted.

You can check for them under tmsh's ltm/ilx/workspace, on the file system in /var/ilx/workspaces, or in the GUI at Local Traffic :: iRules : LX Workspace.

Conditions:
This occurs when using iApps which create ILX workspaces.

Impact:
Configuration which was supposed to be deleted stays on the box.

Workaround:
Delete the left over workspace manually.


596020-3 : Devices in a device-group may report out-of-sync after one of the devices is rebooted

Component: TMOS

Symptoms:
Devices in a device-group may report out-of-sync after one of the devices is rebooted.

As a result of this issue, you may encounter the following symptoms:

- After the reboot, the config-sync originator reports 'Not All Devices Synced'.
- After the reboot, the other devices in the device-group report 'Changes Pending'.

Conditions:
This issue occurs when all of the following conditions are met:

- You have a Sync or Sync-Failover device-group with multiple devices in it.
- On a device (the config-sync originator, you modify the configuration, triggering the devices to become out of synchronization.
- Using the Overwrite Configuration option in the GUI, you manually initiate a synchronization of the configuration from the device where the configuration was modified, to the device-group.
- The devices in the device-group display that they are in the synchronized state.
- You reboot the config-sync originator device.

Impact:
After the reboot, the devices report out-of-sync.

Note: This issue is purely cosmetic; no configuration is lost as result of this issue.

Workaround:
You can work around this issue by not using the Overwrite Configuration option in the Configuration utility if you know you will have to reboot the device soon.

Also note that once the issue occurs, you can restore normal config-sync status on the devices by performing a new config-sync operation.


595921-1 : VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Component: Local Traffic Manager

Symptoms:
VLAN groups with no Self IP addresses defined might generate ICMP messages with loopback addresses.

Conditions:
Configuration of a virtual server on a VLAN group that does not have a Self-IP configured.

Impact:
Traffic destined for the virtual server might be rejected with an ICMP unreachable sourced from a loopback address.

Workaround:
Use a Self IP address on the VLAN group.


595868-1 : HSB TX HGM lockup on 3900, 8900, and 10000-series platforms.

Component: TMOS

Symptoms:
HSB TX HGM lockup on 3900, 8900, and 10000-series platforms. Tmm cores with the following error message in /var/log/ltm: notice panic: hsb interface 2 DMA lockup on transmitter failure.

Conditions:
It is not known what triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


595617-1 : Modifying an IPsec tunnel and IPsec plus IKE SA does not remove the remote SA.

Solution Article: K40420553

Component: TMOS

Symptoms:
When modifying the ipsec-tunnel-profile, the BIG-IP system deletes the IKEv1 phase 2 SAs locally, but does not inform the remote IPsec peer.

Conditions:
- Configuration uses both IPsec 'interface' mode tunnel(s) and IKEv1.
- A user modifies ipsec-tunnel-profile. Namely found here:
  -- web UI 'Network : Tunnels : Profiles : IPsec Interface : ipsec-tunnel-profile'.
  -- tmsh 'net tunnels ipsec ipsec-tunnel-profile'.

Impact:
A traffic outage on one tunnel when the remote IPsec peer is generally plays the role of Initiator. The remote system, will not attempt to establish a new tunnel because it believes that a valid SA exists.

Workaround:
Delete the defunct IPsec SA from the remote peer. If the remote IPsec peer is also a BIG-IP system, then restarting tmipsecd can be employed, however this will cause all IPsec tunnels to restart.


595317-4 : Forwarding address for Type 7 in ospfv3 is not updated in the database

Component: TMOS

Symptoms:
The ospf nssa-external database is not updated when the global address on an interface that is used as a forwarding address is changed

Conditions:
remove the global address on the forwarding interface

Impact:
the packets will be sent to an incorrect interface.

Workaround:
clear ipv6 ospf process


594751-3 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Solution Article: K90535529

Component: Local Traffic Manager

Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following protocol were followed for creating an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
 bigstart restart lldpd


594547 : LTM policy TCP address selector offers only the condition 'match any of'

Component: Local Traffic Manager

Symptoms:
In the GUI, you can create a condition on a TCP address where a list of specified addresses are considered for a match. But the negated condition (i.e., 'do not match any of') is not available.

Conditions:
Using the GUI, attempt to create an LTM policy condition that checks for addresses that do not match the specified list.

Impact:
Cannot use the GUI to specify conditions in a policy where the TCP address does-not-match a list of specified addresses.

Workaround:
Use tmsh to create or modify a policy to negate a condition on TCP addresses, for example, in tmsh construct a command similar to the following:

modify ltm policy my_policy rules modify { my_rule { conditions replace-all-with { 0 { tcp address not matches values { 10.10.4.0/0 } } } } }


594228-2 : Resetting mgmt interface statistics doesn't work on VE or VCMP

Component: TMOS

Symptoms:
$ tmsh reset-stats net interface mgmt
Doesn't reset mgmt interface statistics.

Conditions:
Only on VE or VCMP

Impact:
You cannot reset the management interface statistics, but this has no impact elsewhere in the system.


594064-2 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside syn and syn-ack from FastL4 TCP traffic.
  -- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').


593845-3 : VE interface limit

Solution Article: K24093205

Component: TMOS

Symptoms:
TMM fails to bootup successfully.

Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).

Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.

Workaround:
Make sure VE is assigned 10 or fewer interfaces.


593396-5 : Stateless virtual servers may not work correctly with route pools or ECMP routes

Component: Local Traffic Manager

Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.

Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.

Impact:
Traffic might be dropped.

Workaround:
Use other virtual server types to process this traffic.


593361-1 : The malformed MAC for inner pkt with dummy MAC for NSH with VXLAN-GPE.

Component: TMOS

Symptoms:
The target platform implementation need to be ensure that it is update to date with draft and additionally tested with other open sources and commercial implementations to deem stable. If not a stable and production version as in case below, sender packets can be with a dummy MAC which is not recognized by BIG-IP.

Conditions:
Target platforms which may be unstable and untested in VXLAN-GPE.

Impact:
BIG-IP drop packets since it does not recognize inner pkt MAC.

Workaround:
Ensure target platform is stable, tested and production version wrt VXLAN-GPE and NSH.


592819-2 : Enabling of whitelists on a protected object requires disabling DoS protection support in hardware

Component: Advanced Firewall Manager

Symptoms:
On certain platforms, DDoS protection support in hardware prevents configuration of a whitelist for a protected object.

Conditions:
-- Configuration of a whitelist on a protected object.
-- Hardware acceleration is configured on 5xxx/7xxx/10xxx/12xxx appliances, and all blades other than B2250/B4450.

Impact:
Cannot configure whitelist on a protected object.

Workaround:
Disable hardware support for DDoS protection from the command line using the following command:

modify sys db dos.forceswdos value true.

Note: Disabling DDoS hardware support might impact the performance of the device because then, all DDoS protection mechanisms are managed in software.


592620-1 : iRule validation does not catch incorrect 'after' syntax

Component: Local Traffic Manager

Symptoms:
iRule validation does not catch iRule with incorrect 'after' syntax, allowing an invalid iRule to be saved.

Conditions:
iRule with incorrect 'after' syntax. For example "after 5000 periodic" should be "after 5000 -periodic" (with a hyphen)

Impact:
Traffic handled by the iRule fails, generating the Tcl error 'invalid command name 'periodic' while executing 'periodic LB::reselect''.

Workaround:
Correct the syntax error.


592591-2 : Deleting/Modifying access profile prompts for apply access policy for other untouched access profiles

Component: Access Policy Manager

Symptoms:
After deleting/modifying an access profile, the 'Apply Access Policy' link appears, and the status flags for other, untouched access profiles turn yellow. Also, there are APM log messages indicating that the configurations for those untouched access profile have been changed.

Conditions:
1. On Admin UI, make a copy of an access policy that contains macros.
3. Delete or modify the copied version of the access policy.

Impact:
The system posts the 'Apply Access Policy' link, and the status flag for the copy becomes yellow.

Note: There is no change to the access profiles that are affected by the deletion or modification. You can click 'Apply Access Policy' to make the link disappear.

Workaround:
None.


592211-1 : Stress CPU on BIG-IP will also take into the packets dropped by hardware.

Component: Advanced Firewall Manager

Symptoms:
Rate limit is directly proportional to CPU stress seen by the BIG-IP system. DoS will rate-limit traffic in hardware (HW) when the BIG-IP system is under stress (CPU is high), then if packets are dropped by HW and CPU of the system will come down and hence DOS will stop rate-limiting. SO this kind of behavior could result in toggling of DOS rate-limit state.

Conditions:
-- DoS in HW starts rate-limit in HW.
-- DoS has autodos enabled.

Impact:
The BIG-IP system may see that one second, DoS is rate-limiting packets and next second, it is allowing packets, and then next second it starts rate-limiting again, and so on. So there will be toggling of DoS vector mitigation state.

Workaround:
The workaround is to disable autodosd for that vector.


591732-2 : Local password policy not enforced when auth source is set to a remote type.

Component: TMOS

Symptoms:
Local password policy not enforced when auth source is set to a remote type. Any non-default password policy change is not enforced for local users.

Conditions:
1) Some part of the local password policy has been changed from the default values, for example, changing the password minimum-length to 12 where the default is 6.

2) The auth source is set to a remote source, such as LDAP, AD, TACACS.

Impact:
The system does not enforce any of the non-default local password policy options.

For example, even if the minimum-length is set to 12, a local user's password can be set to something less than 12.

Another example, even if the max-duration is set to 90 days, the password does not expire for 99999 days (the default).

Workaround:
None.


591708-1 : HSB may drop off of PCI bus

Component: TMOS

Symptoms:
The HSB may drop off of the PCI bus. This results failure to read the HSB registers, which is indicated by the following log entries in the tmm logfile:

Device error: hsb_lbb1 hde1_crc_errs count 65535.
Device error: hsb_lbb1 hde2_crc_errs count 65535.

This is usually followed by SIGABRT. The subsequent TMM reload fails to load the HSB device.

Querying the PCI bus (using lspci), shows that the HSB device is unavailable:

03:00.0 Ethernet controller: F5 Networks Inc. Device 0006 (rev ff) (prog-if ff)
!!! Unknown header type 7f

Conditions:
Unknown.

Impact:
Disruption of traffic. Request unit reboot.

Workaround:
Reboot unit.


591505-1 : Policy may become unsyncable after changing contexts

Component: Advanced Firewall Manager

Symptoms:
This is a known issue due to internal framework in MCPD which marks configurable objects as either synced and non-synced. If the user applies the policy to a non-syncing context (non-floating self-IP), then that policy won't be synced across HA devices anymore.

Conditions:
A config with standalone firewall policy applied to synced and non synced context.

Impact:
A policy that is assigned to otherwise non-syncing context, e.g. non-floating self-IP, the attached policy will no longer be synced even if attached to a syncing object later.

Workaround:
Create a "local" policy for non-floating self-IP only.


591305-4 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install, it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.


591060-1 : APMD high CPU utilization

Component: Access Policy Manager

Symptoms:
APMD is running at unexpectedly high CPU.

Conditions:
This occurs when both of the following conditions are met:
-- The connection between APMD and MCPD is lost due to MCPD restart.
-- APMD keeps reading from the stale socket.

Impact:
-- High CPU utilization.
-- Configuration cannot be pushed to APMD after MCPD restarts.

Workaround:
None.


590851-4 : "never log" IPs are still reported to AVR

Component: Application Security Manager

Symptoms:
IP addresses marked as "never log" are reported to AVR regardless of the flag

Conditions:
Always

Impact:
Extra, unwanted logging for IP addresses flagged as "never log"

Workaround:
N/A


590415-1 : Partition can be removed when remote role info entries refer to it

Component: TMOS

Symptoms:
If you have a partition, and a remote-role info that mentions the partition, then you can delete the partition but the role info is not modified. Once this configuration is saved, future loads fail with an error similar to the following:

01070829:5: Input error: Invalid partition ID request, partition does not exist (your-partition-name)

Conditions:
A partition has been deleted, but the remote role configuration still names the partition.

Impact:
Load fails.

Workaround:
Before removing a partition, ensure that any role-info entries mentioning the partition are also removed.

If you already have encountered a failure to load such a configuration, edit /config/bigip.conf to remove the remote-role entries in the 'auth remote-role' section.


590399-1 : Unnecessary logging during startup: 'Unable to connect to MCPD' and Errdefsd is starting'.

Solution Article: K11304001

Component: TMOS

Symptoms:
Unnecessary logging during startup: err errdefsd[5106]: 01940019:3: Unable to connect to MCPD, will try again in 30 seconds. err errdefsd[5106]: 0194001d:3: Errdefsd is starting. Old shared memory arena is now deprecated.

Conditions:
This occurs during system startup.

Impact:
No to low impact. This message is benign, and you can safely ignore it.

Workaround:
None needed.


590156-3 : Connections to an APM virtual server may be reset and fail on appliance and VE platforms.

Component: Local Traffic Manager

Symptoms:
APM connections failing when mac masquerade is in use and source-port preserve-strict is enabled on the APM virtual server.

Conditions:
The traffic-group has mac-masquerade configured and source-port preserve-strict is in use on the APM virtual server

Impact:
Connections to an APM virtual server may be reset and fail on appliance and VE platforms.

Workaround:
Disable either mac-masquerade or source-port preserve-strict (or both)


589862-6 : HA Grioup percent-up display value is truncated, not rounded

Component: TMOS

Symptoms:
The value displayed in "show sys ha-group detail" and "list sys ha-group" is shown as only the integer portion of the actual percent-up value.

Conditions:
When the number of "up" members in an HA Group results in a percent-up value that is not a whole number, the displayed value is truncated, not rounded.

Impact:
Incorrect display of the percent-up value. The score contribution is correct, and displayed rounded properly.


589856-2 : IControl REST : possible to get duplicate transaction IDs when transactions are created by multiple clients

Component: TMOS

Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can potentially get the same transaction ID, which results in unexpected errors and transaction issues.

Conditions:
-- Two iControl REST clients using the same username.
-- Requests to create transactions, either simultaneously or in quick sequence.

Impact:
Transaction semantics are not followed, and unintended errors may occur.

Workaround:
None.


589367-2 : Some Edge Client's German translations are incorrect

Component: Access Policy Manager

Symptoms:
Some Edge Client's German translations are incorrect.

Conditions:
APM end-user's system using German locale.

Impact:
Conversion results in confusing text.

Workaround:
None.


588646-1 : Use of Standard access list remarks in imish may causes later entries to fail on add

Component: TMOS

Symptoms:
The use of remarks in standard access lists in dynamic routing shell causes subsequent filters in the same ACL to fail to load.

Conditions:
Create a standard access list with a remark.
Add to the same list another entry to permit or deny a IP/range.

Impact:
The ACL does not load and error is returned.

Workaround:
No not use remarks in standard access lists or use an access list in the extended or named ranges.


588626 : Analytics alerts: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member).

Component: Application Visibility and Reporting

Symptoms:
While configuring an alert for Maximum TPS on an Analytics profile, you get an error: Metric "Maximum TPS" can only be used with Virtual Servers (but not with a Pool Member)

Conditions:
This occurs when attempting to add an Analytics alert that triggers on Max TPS, and the alert is configured to run against a pool member or an application (the default is Virtual Server, not pool member or application).

Impact:
You cannot configure Max TPS alerts at the pool member level. The GUI appears to allow you to do this, but validation rules will prevent you from adding the alert.

The full list of alerts that cannot be configured at the pool or application level include all rules with the word Maximum in them:

- Maximum TPS
- Maximum Server Latency
- Maximum Page Load Time
- Maximum Request Throughput
- Maximum Response Throughput


588229-1 : DNS protocol default profiles can be deleted after being modified.

Component: Global Traffic Manager (DNS)

Symptoms:
A protocol default profile can be deleted in some cases.

Conditions:
The protocol default profile is not a parent to any other profile and has been modified.

Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.

Workaround:
Do not attempt to delete a protocol default profile.


588028-1 : Clearing alerts from the LCD while the host is down will re-display the alerts on the LCD when the host comes up

Component: TMOS

Symptoms:
If the LCD visible alerts are cleared using the LCD menu while the Host is down, then when the host is brought back up the LCD will re-display any alerts that were generated after the host went down.

Alerts generated after a the Host is down are persistent and when the host comes up it will harvest those alerts and re-display them on the LCD. Alarm LED may be re-initialized to an unexpected state.

Conditions:
Alerts generated while the host is down and alerts are cleared using the LCD menu interface.

Impact:
Alerts are re-displayed on the LCD when the host comes back up. And the alarm LED may indicate an alarm that was thought previously cleared.

Workaround:
Do not clear the alerts from the LCD interface while the host is down.


587821-5 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Solution Article: K91818030

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


587804-1 : Symmetric Unit Key decrypt failure on base load

Component: TMOS

Symptoms:
On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm:

err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

Conditions:
It is not yet known what the conditions are that trigger this error.

Impact:
This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur.

Workaround:
None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored. If this occurred after loading a ucs file, see SOL13132: Backing up and restoring BIG-IP configuration files at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html for more information on this error.


586862-2 : Tcl evaluation outside of an iRule can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule.

Solution Article: K30859144

Component: Local Traffic Manager

Symptoms:
Tcl expression evaluations (outside of an iRule) can lead to tmm crash when the payload is synchronously released from below HTTP via an iRule. A couple of examples where Tcl expressions are evaluated outside the context of an iRule include the tcl-setvar action of LTM Policy and the Request Header Insert feature of the HTTP profile.

Conditions:
Issue has been found on a virtual server with both an attached iRule and LTM Policy. The iRule calls TCP::collect when connection is accepted, and calls TCP::release at the CLIENT_DATA event. The LTM Policy has a single action to set a tcl set-variable expression.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


586660-1 : HTTP/2 and RAM Cache are not compatible.

Component: Local Traffic Manager

Symptoms:
A virtual server fails some requests where the response is served from cache.

Conditions:
This might occur in any of the following circumstances:

1.
-- Virtual server has either SPDY or HTTP/2 enabled
-- Requests that would normally served from RAM cache.

2.
-- HTTP virtual server has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event.
-- Tcl commands attempt to access the response headers.

3.
Certain filters and plugins that require access to the response headers.

Impact:
Errors in certain Tcl commands or failed requests. These correlate to Conditions as follows:

1. If a virtual server has either SPDY or HTTP/2 enabled, it might fail requests that would normally be served from RAM cache.

2. An HTTP virtual server that has an iRule attached that responds to the HTTP_RESPONSE_RELEASE event might give errors to Tcl commands that attempt to access the response headers.

3. Certain filters and plugins that require access to the response headers might also fail in unexpected ways.

Workaround:
Disable CACHE via an iRule:

when HTTP_REQUEST {
if {[HTTP2::active]} {
CACHE::disable
}
}


586348-1 : Network Map Pool Member Parent Node Name display and Pool Member hyperlink

Component: TMOS

Symptoms:
The Network Map was not displaying the correct node name and the link was taking you to an incorrect pool member.

Conditions:
Create a pool and pool member from a FQDN node. Add that pool to a virtual server. From the Network Map page the pool member link does not show the FQDN making it hard to tell what pool member it is. When you click on the pool member hyperlink it takes you to the incorrect pool member.

Impact:
This causes confusion because the pool members are difficult to identify without the FQDN and the link takes you to the incorrect pool member.


586138-1 : Inconsistent display of route-domain information in administrative partitions.

Solution Article: K84112154

Component: Local Traffic Manager

Symptoms:
When IpAddress is displayed in GUI and TMSH, there exists some inconsistencies on how the route-domain of the address is displayed. This occurs for virtual servers and pool members.

Conditions:
IpAddresses configured for virtual servers and pool members outside the default-route-domain of the administrative partition.

Impact:
Although this is only a cosmetic issue, there might be confusion associated with the display inconsistencies.

Workaround:
None.


585248-1 : Resetting crypto client statistics can crash TMM and disrupt traffic handling.

Component: Local Traffic Manager

Symptoms:
TMM crashes when the statistics of the crypto client is reset when the External Crypto Offload feature is not licensed and the client configured with an unreachable crypto server. The command to reset the statistics of a crypto client is below:

  tmsh reset-stats sys crypto client [<client name>]

Conditions:
With a crypto client configured to target an invalid or unreachable crypto server and the External Crypto Offload (ECO) feature is not licensed, reset the statics of the crypto client.

Impact:
Traffic is temporarily disrupted while TMM restarts.

Workaround:
Ensure the External Crypto Offload feature is licensed and/or target a valid crypto server when creating the crypto client.


584948-5 : Safenet HSM integration failing after it completes.

Component: Local Traffic Manager

Symptoms:
tmm cannot load the Safenet library, and the following log entry is found in /var/log/auditd/audit.log:

denied { read } for pid=4936 comm="tmm" name="libCryptoki2_64.so" dev=dm-1 ino=1441838 scontext=system_u:system_r:tmm_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file.

Conditions:
This occurs when there is at least one symlink in the shared/safenet/lunasa/lib/ directory.

The safenet-sync.sh script (used to replicate a functioning Safenet HSM installation to a newly-inserted secondary blade) and csyncd conspire to improperly install/fix permissions on the secondary blade if there are symlinks, which results in the Safenet HSM integration failing after it completes, until the user takes appropriate actions.

Impact:
Upon failover to secondary blade, the BIG-IP system will be unable to communicate with the configured netHSM.

Workaround:
Use chcon and chcon -h to fix any permissions issues. The --reference option can be used on any properly permissioned file in the same directory to do this quickly.

For example: chcon -h --reference=libcklog2.so libCryptoki2_64.so.


584788-1 : Directed failover of HA pair using only hardwire failover will fail

Component: TMOS

Symptoms:
Units configured in a HA pair using only hardwire failover will not be able to use a targeted failover.

Conditions:
HA pair configured without network failover but with a hardwire failover.
Failover is attempted using one of the 2 following methods:

Via GUI
Device Management -> Traffic Groups
  check <traffic group>
    click "force to standby"
      again click "force to standby"


via tmsh
tmsh run sys failover standby device <peer device> traffic-group <traffic group name>

Impact:
Failover may fail with the following logs in /var/log/ltm
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c0044:5: Command: go standby <traffic group name> <device name> GUI.
Mar 15 10:27:57 <hostname> notice sod[8214]: 010c002b:5: Traffic group <traffic group name> received a targeted failover command for <peer mgmt IP>.
Mar 15 10:28:00 <hostname> notice sod[8214]: 010c004b:5: Target device <traffic group name> is not responding, cannot failover.

Workaround:
Use an alternative failover method:
  - Device Management > Devices > Force to Standby
  - Device Management > Traffic Groups > [traffic Group name] > Force to Standby
  - tmsh run sys failover standby # without device


584772 : ssldump may crash when decrypting bad records

Component: Local Traffic Manager

Symptoms:
ssldump crashes while decrypting.

Conditions:
Using ssldump to decrypt SSL which contains bad records.

Impact:
ssldump crashes making it difficult to decrypt SSL data.


584504-2 : Allowing non-English characters on login screen

Solution Article: K36912228

Component: TMOS

Symptoms:
Passwords can contain non-English characters but it fails when logging in.

Conditions:
Passwords contain non-English characters.

Impact:
Users entering these characters on the login screen are unable to log in.

Workaround:
Make sure passwords contain only English characters.


584414 : Deleting persistence-records via tmsh may result in persistence being created to different nodes

Component: Local Traffic Manager

Symptoms:
After deleting the persistence records, a connection may use persistent records to two different nodes breaking persistence.

Conditions:
Deleting persistence records when there is high concurrency for particular persistence records (e.g., load testing).

Impact:
Client fails to persist to a particular node.

Workaround:
Avoid removing persistence records from tmsh or use iRules to remove persistence records.


584041 : forward slash '/' is used in the description field, admin user will be demoted to guest.

Component: TMOS

Symptoms:
When creating a new admin user, if a forward slash '/' is used in the description field, the user will be demoted to guest.

Conditions:
Creating a new admin user with a forward slash in the description text.

Impact:
mcp user's admin group demotion to guest.

Workaround:
Do not use forward slashes in the users description.


583777-5 : [TMSH] sys crypto cert missing tab completion function

Solution Article: K33230520

Component: TMOS

Symptoms:
When pressing the tab key for the tmsh command "sys crypto cert", it does not display existing certificate names. You must manually type the certificate name that you want to operate.

Conditions:
This occurs in tmsh:

root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.
root@(big7)(cfg-sync Standalone)(Active)(/Common)(tmos)# show sys crypto cert <------- press <tab>.
Options:
  all | <------------ nothing shows up.

Impact:
Not possible to select a certificate using tab complete.

Workaround:
Manually type the certificate name.


583101-2 : ADAPT::result bypass after continue causes bad state transition

Component: Service Provider

Symptoms:
Tcl command 'ADAPT::result bypass' does not work in ADAPT_REQUEST_RESULT when the ICAP server has previously returned 100-continue.

Conditions:
iRules exist on a VS with an adapt profile, containing:

when ADAPT_REQUEST_RESULT {
    ADAPT::result bypass
}

or

when ADAPT_RESPONSE_RESULT {
    ADAPT::result bypass
}

Impact:
ADAPT logs an unexpected state transition and resets the connection, making it impossible for iRules to replace the ICAP response.

Workaround:
Avoid 'ADAPT::result bypass' commands in cases where there is no preview (either configured for no preview, or after the preview has been dropped due to a 100-continue or 200-ok ICAP response).


583084-5 : iControl produces 404 error while creating records successfully

Solution Article: K15101680

Component: TMOS

Symptoms:
iControl produces 404 error while creating gtm topology record successfully.

Conditions:
Creating gtm topology record without using full path via iControl.

Impact:
Result code/information is not compatible with actual result.

Workaround:
Use full path while creating gtm topology record using iControl.


582606-1 : IPv6 downloads stall when NA IPv4&IPv6 is used.

Component: Access Policy Manager

Symptoms:
When downloading large files through network access, downloads can appear to stall for a period of time and then resume.

Conditions:
This occurs when Network Access is configured with an IPv4&IPv6 resource

Impact:
Downloads occasionally stall with download speed going to 0, and then they resume.

Workaround:
It is possible that disabling large receive offload will work as a mitigation. To do so, run the following command:
tmsh modify sys db tm.tcplargereceiveoffload value disable.


582595-2 : default-node-monitor is reset to none for HA configuration.

Solution Article: K52029952

Component: TMOS

Symptoms:
default-node-monitor is reset to none for high availability (HA) configuration.

Conditions:
Scenario #1
Upgrading HA active/standby configuration, and reboot standby.
Where configuration consists of the following:
  * ltm node with a monitor.
  * ltm default-node-monitor with a different monitor.

Scenario #2
Given a HA active/standby configuration with an ltm default-node-monitor configured, set device-group sync-leader.

Impact:
Monitoring will stop after upgrading or setting sync-leader for all nodes that relied on the default-node-monitor.

Workaround:
Reconfigure a default-node-monitor.


582440-4 : Linux client does not restore route to the default GW on Ubuntu 15.10

Component: Access Policy Manager

Symptoms:
Default route may be deleted after network access connection is deleted on Linux Ubuntu 15.10 distribution.

Conditions:
Ubuntu 15.10, network access tunnel connect and then disconnect

Impact:
User will not be able to reach internet after disconnecting from network access.

Workaround:
If Wifi is in use then turn off and on again.
If Ethernet is used then unplugging and plugging cable again should solve the problem.


582331-1 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections per virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in lower-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


582234-6 : When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Component: Local Traffic Manager

Symptoms:
When using a config merge load to disable and then later re-enable a monitored pool member, monitor checking will not start up again.

Conditions:
A monitored pool member is initially disabled, and a config merge re-enables it

Impact:
Monitoring does not resume when pool member is re-enabled via config merge.

Workaround:
You can re-enable monitoring by running the following commands:

tmsh save sys config
tmsh load sys config


582207-7 : MSS may exceed MTU when using HW syncookies

Component: Local Traffic Manager

Symptoms:
Packets larger than the interface's MTU can be transmitted.

Conditions:
A SYN packet is received with an MSS that exceeds the interface's MTU.

Impact:
Potential packet loss.

Workaround:
Disable HW syncookie mode.


582127-1 : VE OVA logrotate max-file-size too big for /var/log partition size

Solution Article: K55138704

Component: TMOS

Symptoms:
Virtual Edition (VE) OVA logrotate max-file-size is too big for the /var/log partition size.

Conditions:
This occurs on 11.5.0 and later, where the partition size was reduced from 6 GB to 500 MB, to better manage disk space.

This can also happen on Micro instance on a fixed version

Impact:
The BIG-IP VE system runs out of disk space due to increased logging. In this instance, logrotate should run and potentially free up space by rotating and compressing the actively written logs. With the current setting for max-file-size, however, that cannot happen, thus leading to increased likelihood of running out of space in /var/log.

Workaround:
You can extend the disk space for logs by performing the following procedure. (From K14952: Extending disk space on BIG-IP Virtual Edition, available here: https://support.f5.com/csp/article/K14952#proc3.)

Impact of procedure: You need to shut down the BIG-IP VE system during the disk provisioning steps, and the system will not be available for traffic processing. You should perform this procedure during a suitable maintenance window. Increasing the disk size on the VE system is irreversible, since F5 does not support disk shrinking.

1. Log in to the command line on the BIG-IP VE system.

2. Shut down the system by typing the following command:
shutdown -h now

3. Provision the desired disk space for the VE system on the hypervisor. For information about disk provisioning on the hypervisor, refer to the documentation from your hypervisor vendor.

4. Start up the BIG-IP VE guest instance on your hypervisor. For information about starting a guest instance on the hypervisor, refer to the documentation from your hypervisor vendor.

5. When the BIG-IP VE system is up, log in to the command line on the VE system.

6. Extend the /var/log directory by using the following command syntax:
tmsh modify /sys disk directory /var/log new-size <desired value in KB>.

--For example you would type the following command to extend the /var/log directory to 10 GB:
tmsh modify /sys disk directory /var/log new-size 10485760.

7. Save the configuration by typing the following command:
tmsh save /sys config.

8. Reboot the VE system by typing the following command:
reboot.

9. When the BIG-IP VE system is up, log in to the command line on the VE system.

10. Verify that the /var/log directory is successfully extended to the size you have specified in step 6 by typing the following command:
tmsh show /sys disk directory.


581865-2 : 6900, 8900, 8950, or 11050 platforms missing swap storage

Solution Article: K11053914

Component: TMOS

Symptoms:
No swap is available; observable via 'cat /proc/swaps'.

Conditions:
A 6900, 8900, 8950, or 11050 platform with RAID LVM, directly upgraded from a pre-10.2.4 version to version 11.x/12.x.

Impact:
No swap space is created during upgrade. Multiple unexpected issues might occur because there is no swap space available.

Workaround:
Newer systems have the swap storage created during initial format. You might also be able to first upgrade to version 10.2.4. Then, when upgrading to version 11.x/12.x, the process creates the swap during upgrade.


581668 : DNS/SIP whitelisted packets not reported

Component: Advanced Firewall Manager

Symptoms:
If a DNS/SIP packet hits DOS whitelist then this packet is not being reported to AVR.

Conditions:
The packet has to be DNS or SIP packet and has to hit the whitelist.

Impact:
There is no functional impact but AVR tables will not have the whitelisted packets in their count.


580499-2 : Configuring alternate admin user fails on multi-blade VIPRION chassis if default admin on primary is disabled.

Solution Article: K34082034

Component: TMOS

Symptoms:
Configuring alternate admin user fails on multi-blade VIPRION chassis and will prevent newly added blades from being available to process traffic. If default admin on primary is disabled and you are on a chassis with at least two blades. After disabling the default admin on the primary and configuring an alternate, mcpd on secondary blades goes into a restart loop, and posts error messages similar to the following in /var/log/ltm:

warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-primary2.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary1.
warning mcpd[26012]: 01071859:4: Warning generated : WARNING! Role no-access will lockout the user admin-secondary2.
err mcpd[26012]: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.
err mcpd[26012]: 01070734:3: Configuration error: Configuration from primary failed validation: 010718e7:3: The requested primary admin user (admin-primary1) must have a password set.... failed validation with error 17242343.

In this example, admin-primary1 is the default admin user set in the GUI under System :: Platform :: Admin Account, admin-primary2, admin-secondary1 and admin-secondary2 are other admin users on the device, but they are not configured as the default admin user.

Conditions:
Chassis with multiple blades; alternate primary admin is set on the primary blade.

Impact:
mcpd in a restart loop on secondaries.

Workaround:
There is no workaround that will allow you to use a different primary admin user on BIG-IP software versions affected by this issue. To stop secondary blades from restarting in a loop, issue the following commands on your primary blade, which should be stable at this time:

# tmsh modify sys db systemauth.primaryadminuser value admin
# tmsh save sys config


579652-1 : Multidomain SSO Access policy in progress with multiple tabs, landing URL set to the tab in which policy is completed.

Component: Access Policy Manager

Symptoms:
When URLs from multiple browser tabs start an access policy, the session is created with the landing URL from the first tab that started the session, not with URL the second tab that continued and finished establishing the access session.

For example, an end user opens browser and sends GET to /first_url resource. Access initiates session, and renders logon page. Then end user opens another tab, and sends GET to /second_url resource. Access returns an error message "Access policy evaluation is already in progress for your current session." with a link to start new session. If the end user selects the "click here", the new session will start with /first_url, and not with /second_url as would be expected.

Conditions:
Using Multidomain SSO, and accessing two different resources before the access policy has been created. This causes the access policy to run from two different landing URLs

Impact:
This may cause BIG-IP as SAML SP unable to establish a session with IdP. In the case of LTM and APM, the user is always redirected to the URL from first tab after policy execution finishes.

Workaround:
None.


579252-3 : Traffic can be directed to a less specific virtual during virtual modification

Component: Local Traffic Manager

Symptoms:
Traffic can be directed to an less specific virtual during virtual modification. It could also be dropped if there is no less specific virtual server.

Conditions:
net self external-ipv4 {
    address 10.124.0.19/16
    traffic-group traffic-group-local-only
    vlan external
  }
  net self internal-ipv4 {
    address 10.125.0.19/16
    traffic-group traffic-group-local-only
    vlan internal
  }

  ltm pool redirect-echo {
    members { 10.125.0.17:7 }
  }
  ltm virtual fw {
    description "less-specific virtual"
    destination 10.125.0.0:any
    ip-forward
    mask 255.255.255.0
    profiles { fastL4 }
    translate-address disabled
    translate-port disabled
    vlans-disabled
  }
  ltm virtual redirect-echo {
    description "enable/disable this one"
    destination 10.125.0.20:echo
    ip-protocol udp
    mask 255.255.255.255
    pool redirect-echo
    profiles { udp }
    vlans { external }
    vlans-enabled
  }

Impact:
Traffic can be directed to less specific virtual server

Workaround:
No known workaround at this time other than applying configuration changes in a manner that avoids doing them on a unit that is handling the traffic. Applying changes on the standby and then failing over and syncing or utilizing a maintenance window would be common schemes to achieve a separation between production traffic and configuration changes.


579035-5 : Config sync error when a key with passphrase is converted into FIPS.

Solution Article: K46145454

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720


578989-5 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.


575642-1 : rst_cause of "Internal error"

Component: Local Traffic Manager

Symptoms:
The rst_cause may be logged as "Internal Error". rst_cause of "Internal error" does not give a narrow reason for the reset. It means that one of the other reset causes was not matched but the exact issue cannot be determined from this generic error.

Conditions:
Heavy/normal production network usage.

Impact:
System problem diagnosis is more difficult.

Workaround:
N/A


575368-5 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted that the FIPS keys in the configuration that are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.


574318-3 : Unable to resume session when switching to Protected Workspace

Component: Access Policy Manager

Symptoms:
Clients logging into Protected Workspace are unable to view the page. The client's log file may have the following signature: HandlePwsCmd, detoured.dll signature validation error

Conditions:
This occurs infrequently on certain Windows clients logging into Protected Workspace

Impact:
Client browser cannot render the protected workspace


574113-2 : Block All - Session Tracking Status is not persisted across an auto-sync device group

Component: Application Security Manager

Symptoms:
Users, IP addresses, and Sessions that are meant to be blocked due to their traffic patterns, are not being synchronized to the peer device in an auto-sync device group with ASM sync enabled.

This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Conditions:
1) Devices are in an auto-sync device group with ASM sync enabled.
2) Session Tracking is enabled.

Impact:
This can lead to bad actors becoming unblocked again after failover, or in an Active-Active configuration.

Workaround:
Force a full sync to propagate the session tracking information.


572519-1 : More than one header name/value pair not accepted by ACCESS::respond

Component: Access Policy Manager

Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs. The error appears similar to the following:

warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected token(s):....

Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.

Impact:
An error is generated when the command is used.

Workaround:
Let the command take only one name/value pair.


572142-2 : Config sync peer may fail to monitor newly added pool member after it is added via sync

Component: Local Traffic Manager

Symptoms:
If a pool member in a sync group is removed and another member added and then synced to the peer, the monitor state on the peer may be erroneous.

Conditions:
2 or more devices in a device group
A pool member is deleted, and another is added, then a full config sync is performed

Impact:
Monitoring does not happen. If the pool member should be marked down by the monitor, it may indicate as being up. You may need to do a system restart to get monitoring to resume properly.

Workaround:
Suggested workaround:

Here’s a way that should avoid any possible downtime:
 
1. Do the node replacement on box A. Do not sync.
2. Do the node replacement on box B. Do not sync.
3. This will cause a sync conflict, and its resolution will require a full load. This is intentional. Force a sync.
 
The result of that final sync will be that mcpd sends no changes to the relevant nodes on the receiving device.


571727-1 : 'force-full-load-push' is not tab expandable

Solution Article: K52707821

Component: TMOS

Symptoms:
The 'force-full-load-push' option for 'run cm config-sync' is not tab expandable unless it's the first option given.

Conditions:
This is encountered when trying to use tab complete in tmsh for the 'run cm config-sync' command.

Impact:
The keyword 'force-full-load-push' has to be typed out in full or used as the first option.

Workaround:
Use 'force-full-load-push' as the first option, or type it out in full.


571634-1 : tmstat CPU values can be incorrect

Component: TMOS

Symptoms:
The CPU values returned by blades in a chassis may not be sorted correctly and so the returned values might appear confusing or invalid.

Conditions:
Retrieving values for a chassis using the following command: tmstat cpu.

Impact:
Incorrect reporting of TMM CPU utilization using tmstat command.

Workaround:
No workaround.


571622-1 : 'Exceeding pool member limit' error with FQDN pool members and non-LTM license

Component: Local Traffic Manager

Symptoms:
When configuring FQDN pool members on a BIG-IP system with a license that does not include the LTM module, an error similar to the following may be logged by mcpd:

01071732:3: Exceeding pool member limit (3). Cannot add pool member to pool:(/Common/pool_name).

Conditions:
This may occur if:
1. The active BIG-IP license does not include the LTM module. Specifically, the active license defines a pool member limit (ltm_lb_pool_member_limit) other than 'unlimited'. This applies to AFM, APM, and ASM licenses.
2. FQDN pool members are configured with 'autopopulate' set to 'enabled'.

Impact:
Under these conditions, the ephemeral FQDN pool members are counted against the pool member limit (ltm_lb_pool_member_limit) defined in the LTM license. Cannot configure FQDN pool members with autopopulate enabled on BIG-IP systems without an LTM license.

Workaround:
There are two workarounds for this issue:
Workaround 1
-----------
1. Configure FQDN pool members with autopopulate disabled.
2. Do not attempt to configure more pool members than are permitted by the active license.

Workaround 2
-----------
Add the LTM module to the license configuration.


571503-1 : Windows Edge client cannot detect local LAN in some cases

Component: Access Policy Manager

Symptoms:
If Edge client is configured in Always Connected mode with option to "Allow Traffic" without VPN, it will continue to establish VPN even when location awareness is configured.

Conditions:
1) Edge client was installed using a package that was created without setting DNS suffix list in connectivity profile
2) DNS suffix list to identify enterprise LAN was set in the connectivity profile after client package was created.

Impact:
Edge client will fail to detect Enterprise LAN and continue to establish VPN even when machine is connected to enterprise LAN.


571333-8 : fastL4 TCP handshake timeout not honored for offloaded flows

Solution Article: K36155089

Component: TMOS

Symptoms:
When a virtual server is configured with a fastl4 profile that enables full acceleration and offload state set to 'embryonic', and if a flow is offloaded to be hardware accelerated, the connection idle timeout during the TCP handshake is set to the 'idle timeout' value of the fastl4 profile, but it should be set to the 'tcp handshake timeout' instead.

Conditions:
-- Virtual server is configured with a fastl4 profile that enables full acceleration and offload state of 'embryonic'.
-- A flow is offloaded for hardware acceleration.

Impact:
The connection may remain in the half-open state longer than what is set in the TCP handshake timeout value.

Workaround:
Set the offload state to 'established'.


571017-1 : Extra log messages seen on optics removal.

Component: TMOS

Symptoms:
Following message may appear in /var/log/ltm when optics are removed:
soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28)

Conditions:
Optics removal.

Impact:
This is a cosmetic message and does not indicate a problem with the system.

Workaround:
None needed.


570845-3 : Configuration infrastructure should reject invalid 'None' option for IKE Peer Phase 1 Perfect Forward Secrecy

Solution Article: K00334323

Component: TMOS

Symptoms:
The configuration infrastructure currently allows the invalid 'None' option to be configured on an IPsec IKE peer for phase 1 Perfect Forward Secrecy. Although the ability to configure the 'None' option is incorrect functionality which happens on specific browsers, the configuration infrastructure should have stronger checking and prevent the acceptance of an invalid 'None' option for configured IKE peers.

Conditions:
The ability to configure an IKE peer with an invalid 'None' option for Perfect Forward Secrecy occurs on Internet Explorer and Safari browsers, and the configuration infrastructure does not reject this invalid configuration for these cases.

Impact:
The racoon daemon will fail to start and all IPsec tunnels may fail to work. The racoon.log file may contain messages like:

INFO: Reading configuration from "/etc/racoon/racoon.conf"
ERROR: /etc/racoon/racoon.conf.bigip:59: "}" DH group required.
ERROR: fatal parse failure (1 errors)
ERROR: failed to parse configuration file.

Workaround:
Don't configure the 'None' option for Perfect Forward Secrecy in the IKE peer configuration section.


570013 : TCP Analytics Profile section in virtual server UI has erroneous caption

Component: TMOS

Symptoms:
In TMUI: Local Traffic: Virtual Server:: Create: advanced, TCP Analytics profile section has a erroneous caption for HTTP Analytics profile.

Conditions:
This occurs when creating a TCP Analytics profile in the GUI when AVR is not provisioned.

Impact:
The screen posts a warning similar to the following: Warning: The Application Visibility and Reporting (AVR) module is not provisioned. Assigning an HTTP Analytics profile is not recommended.

However, it should be TCP Analytics profile.

Workaround:
None. The message is correct the AVR is not provisioned. However, the warning should reference the TCP Analytics profile instead of the HTTP Analytics profile.


569968 : snmpd core during startup

Component: TMOS

Symptoms:
sod reanimates (with core dump) snmpd due to heartbeat timeout during BIG-IP system startup and configuration load.

Conditions:
During startup and configuration load, snmpd sometimes blocks while waiting for certain system resources to become available. If snmpd blocks longer than its configured heartbeat timeout, sod reanimates it (with a core dump).

Impact:
Only impact is the generation of a core file.

Workaround:
Increase the snmpd heartbeat timeout to 300 seconds or more.

The 11.5.1 default timeout of 60 seconds might be too short for certain platforms and configurations. The default timeout for later releases is 300 seconds.


569859-2 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user 'root' using the command-line utility 'passwd' utility.

Conditions:
-- Advanced shell access
-- mcpd is not available.
-- Change root password with the 'passwd' utility.

Impact:
Root password may be set to a string that does not comply with the current password policy.

Workaround:
None.


569331-3 : Recovery from Amazon Network Failure may associate some virtual addresses to the standby BIG-IP

Component: TMOS

Symptoms:
Traffic will not pass to virtual servers of a traffic group

Conditions:
BIG-IP AWS
High Availability
AWS network outage

Impact:
Some of virtual addresses end up associated with the standby BIG-IP; traffic will not pass to their virtual servers.

Workaround:
If the desired BIG-IP is standby, failover to the BIG-IP.
If the desired BIG-IP is already active, failover from this BIG-IP and then failover back to this BIG-IP.


569281-6 : L2 loop on the BIG-IP system's management port network might cause VIPRION to reboot

Solution Article: K33242855

Component: TMOS

Symptoms:
Several 'kernel: BUG: soft lockup' messages from kernel leading to TMM. Eventual blade reboot

Conditions:
-- Using vCMP.
-- Network to which the BIG-IP management port is connected has a Layer 2 loop.

Impact:
The BIG-IP system is unusable and eventually reboots.

Workaround:
Avoid L2 loops in the network to which the BIG-IP management port is connected.


568458 : DoS vectors must be enabled in both DoS Profile and Device Configuration

Component: Advanced Firewall Manager

Symptoms:
In order for a DoS vector in a DoS Profile to detect a you must enable that same vector in the DoS Device Configuration.

Conditions:
DoS vector configured at the per-virtual server level, but not at the device level.

Impact:
Might result in false negatives.

Workaround:
You can use the following workaround:
1. Enable the vector in Security : DoS Protection : DoS Profiles.
 To do so, click Network Protection, click Enabled, and enable the DoS Vector for the DoS Profile.
2. Enable the vector in the Device Configuration.
 To do so, go to Security : Dos Protection : Device Configuration, select the vector, and then configure the vector either manually, or with the auto-configuration option.


567513-4 : Erroneous syncookie flag in HSB return descriptor causes the BIG-IP system to pass through the ACK packets after the session is closed.

Component: Performance

Symptoms:
In rare situations, a packet with ACK flag arriving shortly after the FIN packet is received on a flow might be marked by FPGA to be a valid syncookie response. The BIG-IP system creates a new connection for the ACK packet and passes the packet to the server side, causing a double transaction on the server.

Conditions:
This occurs in the unlikely event of an ACK packet accidentally matching the match hardware syncookie.

Impact:
Confusion on the client/server and double transaction on the server side.

Workaround:
None.


567503-1 : ACCESS::remove can result in confusing ERR_NOT_FOUND logs

Solution Article: K03293396

Component: Access Policy Manager

Symptoms:
When using the iRule command ACCESS::remove, ERR_NOT_FOUND messages may appear in /var/log/apm. Theses are not real errors. ACCESS is trying to insert a session variable, but it is not able to find the session because the iRule already deleted the session.

The logs in /var/log/apm look something like this:
err tmm1[15932]: 01490514:3: 00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_save_init_req_to_sessiondb, Line: 14823.

Conditions:
An iRule using the command ACCESS::remove, and the end-user does a POST.

Impact:
No functional impact, the iRule correctly deletes the session, and BIG-IP does not send a reset. But the log messages can be alarming or confusing.

Workaround:
None.


567490-2 : db.proxy.__iter__ value is overwritten if it's manually set

Component: TMOS

Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.

Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.

Impact:
BIND Forwarder Server List values do not persist.

Workaround:
Use the GUI to change the BIND Forwarder Server List values.


567330-1 : tmsh show sys memory on secondaries will generate innocuous error

Component: Local Traffic Manager

Symptoms:
The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

Conditions:
This occurs when logged into secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory.

Impact:
The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it.

Workaround:
Ignore the specific error with this signature:

0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).


565755 : Dashboard does not work when custom port is used for management port.

Component: TMOS

Symptoms:
BIG-IP v12.0.0 introduced the ability to change the management port, but the dashboard was not changed to support that. Dashboard does not work when a port is used for management port other than the default port 443.

Conditions:
Using the dashboard when the management address is configured to use a port other than port 443.

Impact:
The dashboard reports a connection error and asks you to log back in.

Workaround:
None.


564634-5 : Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool

Component: Local Traffic Manager

Symptoms:
Using the tmsh "edit" command to remove a monitor from a pool does not stop bigd from monitoring the pool.

Conditions:
Remove a monitor from a pool using tmsh edit commands.

Impact:
bigd still monitors the pool.

Workaround:
None.


564431-3 : Lines without EOL characters cause "tmsh load pem subscriber file" and GUI import to fail

Component: Policy Enforcement Manager

Symptoms:
Subscriber lines terminated with an EOL that occur before the line without an EOL are loaded.

Conditions:
At least one line in the static subscriber file is not terminated with an EOL character.

Impact:
Impact to support staff in diagnosing the root cause for failure while importing a subscriber file.

Workaround:
Save the file in unix format that appends EOL characters to the each line.
While editing the file make sure lines are terminated with an EOL character.


563651-2 : Web application does not work/works intermittently via Portal Access after upgrading BIG-IP to any new version.

Component: Access Policy Manager

Symptoms:
Web application does not work/works intermittently via Portal Access after upgrading the BIG-IP system to any new software version.

Conditions:
-- Web application via Portal Access.
-- Using any modern browser, for example Google Chrome, Mozilla Firefox, Safari, Microsoft Internet Explorer 11 (IE11), or Microsoft Edge.
-- Upgrading BIG-IP software.
-- Web Application uses HTML5 features Local Storage or Session Storage.

Impact:
Various unexpected behaviors. For example, a custom intranet application link might experience intermittent failures through rewrite. This occurs because Portal Access does not support Storage areas (localStorage, sessionStorage). This might impact web-applications with content previously populated in Storage areas.

Workaround:
Possible workaround:
-- Clear browser 'cookies and website data' or 'offline data' manually after upgrading (options to use depend on which browser you are using).


560601-1 : HTML5 File API and MediaSource URLs are blocked in Portal Access

Component: Access Policy Manager

Symptoms:
Web Application is not working and a message similar to following is logged to the developer tools console in the browser:
"Refused to load media from 'blob:https://...' because it violates the following Content Security Policy directive: ..."

Conditions:
This occurs on web applications that are using the HTML5 file API

Impact:
Applications with usage of HTML5 File API could stop working when accessed via APM Portal Access.

Workaround:
when HTTP_RESPONSE_RELEASE {
    if { [HTTP::header exists Content-Security-Policy] } {
        HTTP::header replace Content-Security-Policy \
            [string map {"data:" "data: blob: mediasource: mediastream:"} [HTTP::header Content-Security-Policy]]
    }
}


559402-4 : Client initiated form based SSO fails when username and password not replaced correctly while posting the form

Component: Access Policy Manager

Symptoms:
Client initiated form based SSO fails when the username and password are not replaced correctly in post request. The reason for this is that client initiated form based SSO and browser urlencode special character in username/password differently. and the case sensitive comparison fails to find match between both these urlencoded values. So sso module adds the username password to the token again. This results in password attribute/value pair appears twice with both the f5-sso-token and the real password and so it fails

Conditions:
When the password contains special charaters like [ or ]

Impact:
SSO fails with password attribute/value pair appears twice with both the f5-sso-token and the real password in the token and so it fails

Workaround:
No workaround


559082-2 : Tunnel details are not shown for MAC Edge client

Component: Access Policy Manager

Symptoms:
Tunnel details are not shown for MAC Edge client.
Tunnel details are located in Edge client :: View details :: Connection :: Tunnel details

Conditions:
MAC Edge client and established network access connection.

Impact:
Minor. Only diagnostic information is missing, otherwise tunnel works fine.

Workaround:
None.


557322-1 : Sensitive monitor parameters recorded in bigd and monitor logs

Component: Local Traffic Manager

Symptoms:
When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration.

When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration.

In each case, the monitor parameters logged may include:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under either of the following conditions:

1. bigd debug logging is enabled:
tmsh modify sys db bigd.debug value enabled

2. Monitor instance logging is enabled for one of the following LTM monitor types:
ftp
imap
pop3
smtp

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable bigd debug logging.

2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.


554504 : Client OS version not logged in Browser/OS Reports for iOS client devices

Component: Access Policy Manager

Symptoms:
When an iOS device is used to login with APM, the client OS version is not logged and is not correctly reported in the Browser/OS Report.

Conditions:
Client device must run iOS.

Impact:
Devices running different versions of iOS are not differentiated in the Browser/OS Report.

Workaround:
None.


552988-2 : Cannot enable MPTCP on some profiles in GUI.

Component: Local Traffic Manager

Symptoms:
Version 12.1 Cannot enable MPTCP on some profiles in GUI. Get error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.

Conditions:
Version 12.1 Enabling MPTCP on some profiles in GUI.

Impact:
Version 12.1 Cannot enable MPTCP.

Workaround:
Use tmsh to enable MPTCP on some profiles.


552444-1 : Dynamic drive mapping in network access may not work if path is received via session variable from LDAP/AD

Component: Access Policy Manager

Symptoms:
Dynamic drive mapping in network access may not work if
mapping is configured to use session variable, and session variable is received from LDAP/AD.

Conditions:
Drive mapping is received from LDAP/AD and contains double slash in the path, e.g. "\\server\path"

Impact:
Dynamic drive mapping may not function.

Workaround:
For example using session.ad.last.attr.homeDirectory attribute value to drive map. Assign variable and escape the textra backslashes added by APM.

homeDirectory = return [regsub -all {\\\\} [mcget {session.ad.last.attr.homeDirectory}] {\\}]


547692-3 : Firewall-blocked KPASSWD service does not cause domain join operation to fail

Component: Access Policy Manager

Symptoms:
KPASSWD service runs on tcp/464 and udp/464. If both of these ports were blocked, BIG-IP would not be able to properly set the machine account password for the created machine account. However, there is a bug on BIG-IP as well, which fails to report this failure back to the administrator.

As the machine account itself was successfully created on ActiveDirectory side without the correct password, and BIG-IP's failure to report the KPASSWD failure problem, the domain join operation seems had worked perfectly.

However, since the password information is never set on ActiveDirectory side, this causes this machine account effectively unusable because BIG-IP would never be able to establish a working SCHANNEL with ActiveDirectory server because of this password mismatch.
creation is LDAP (+ Kerberos GSS-API with SASL binding), the machine account itself is generated. Furthermore, as password setting for machine account is not allowed to be performed by administrator, this situation obfuscate the fact the KPASSWD was failing as AD server never receives thus AD never logged any failure on this matter, while BIG-IP fails to detect the KPASSWD failure, and so as administrator's user experience goes, everything seems perfectly worked for domain join.

Conditions:
Out of DNS, LDAP, KERBEROS, KPASSWD services which are required for domain join operation, only KPASSWD is blocked.

Impact:
Created machine account is effectively unusable due to password mismatch, and BIG-IP would never be able to establish a working SCHANNEL, this renders NTLM authentication feature to be not working.

Workaround:
Allow KPASSWD to reach ActiveDirectory server


544958-4 : Monitors packets are sent even when pool member is 'Forced Offline'.

Component: Local Traffic Manager

Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.

Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.

Impact:
Monitors packets are sent even when pool member is 'Forced Offline'.

Workaround:
None.


544568-5 : Flows for a FastL4 profile that are forwarded may now be accelerated.

Component: TMOS

Symptoms:
Forwarded FastL4 profiles are not accelerated.

Conditions:
This occurs when any of the following conditions is met:
-- Using a preserve-strict setting on a virtual server.
-- Using the "snat" command in an iRule.
-- Using CGNAT with few available endpoints.

Impact:
Forwarded FastL4 flows are not accelerated.

Workaround:
None.


542347-2 : Denied message in audit log on first time boot

Component: TMOS

Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:

type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.

Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.

Impact:
This error message is benign and can be ignored.

Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.


542104-2 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

Solution Article: K33458192

Component: Local Traffic Manager

Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

TCP monitors may fail because the server fails to respond to the initial TCP SYN.

TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.

Conditions:
A server with tcp_tw_recycle enabled.

A multi-blade BIG-IP chassis.

Impact:
Monitor failures or traffic disruption.

Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.

Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.


541622-2 : APD/APMD Crashes While Verifying CAPTCHA

Component: Access Policy Manager

Symptoms:
APD (pre v12.0.0) or APMD (v12.0.0) crashes in libcurl function when verifying CAPTCHA

Conditions:
This issue shows up when multiple sessions are being verified for CAPTCHA at SimpleLogonPageAgent.

Impact:
Authentication service will be disrupted until APD/APMD is up again.


539026-5 : Stats refinements for reporting Unhandled Query Actions :: Drops

Component: Local Traffic Manager

Symptoms:
There are five drop down sections for Unhandled Query Actions:
Allow
Drop
Reject
Hint
No Error

but in statistics page, there are only four Unhandled Query Actions:
Drops
Rejects
Hints
No Errors

Drops refers to the dropped packets for the system, not specifically for Unhandled Query Actions. It would be more clear if there were one dropped packets stats for the system, and another specifically for Unhandled. And also add stats for Allow packets under Unhandled.

Conditions:
Statistics pages for Unhandled Query Actions :: Drops.

Impact:
May be confusing to determine what the statistics mean.

Workaround:
None.


537209-5 : Fastl4 profile sends RST packet when idle timeout value set to 'immediate'

Component: Local Traffic Manager

Symptoms:
When a virtual is configured with a Fastl4 profile and the idle timeout value is set to 'immediate', traffic is handled improperly and a RST is issued.

Conditions:
A virtual is processing traffic that contains a Fastl4 profile with idle timeout set to 'immediate'.

Impact:
Traffic is Reset on a virtual where it should properly handle the traffic.

Workaround:
Avoid using the 'immediate' setting for the idle timeout value on a Fastl4 profile.


535122-8 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects

Component: TMOS

Symptoms:
Using iControl REST's process (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects created without extensions using tmsh (with 'sys file') during the create process.

Conditions:
-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file').
-- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.

Impact:
The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/.

-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.').
   + May confuse two objects (e.g., 'web-server' and 'web-server.crt').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.

Workaround:
When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', do include a file extension (.crt/.key/.crl/.csr) in the object name, even if it is the extension associated with the type of object. This is because the system explicitly adds the appropriate file extension during the create operation for ('sys crypto') but does not add extensions for ('sys file').


535119-1 : APM log tables initial rotation in MySQL may be wrong

Component: Access Policy Manager

Symptoms:
APM uses local MySQL to store logs and automatically rotate the log tables when the log table size exceeds a limit, which removes the oldest log table and make room for a new current log table.

However, the initial timestamps of those log tables may be very close--or the same in 1-second granularity of MySQL timestamps--right after the installation that initially creates those log tables. Due to the timestamp granularity, it may be wrong for APM to choose the oldest log table to remove in the first round of rotation, resulting in removal of log data that are not the oldest.

After the first rotation, the log table rotation should work as normal.

Conditions:
The first round of log table rotation after installation

Impact:
Log data that are not the oldest may be removed at the first round of log table rotation.


534187-2 : Passphrase protected signing keys are not supported by SAML IDP/SP

Component: Access Policy Manager

Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.

Conditions:
Private key used to perform digital signing operations is passphrase protected.

Impact:
SAML protocol will not function properly due to inability to sign messages.

Workaround:
To work around the problem, remove the passphrase from the signing key.


530092-2 : AD/LDAP groupmapping is overencoding group names with backslashes

Component: Access Policy Manager

Symptoms:
Adding a group value that contains space(s) manually in AD/LDAP Group Resource Assign actions will result in the space(s) being escaped and thus invalidating match attempts. For example, adding group 'Foo Bar' (without the quotes) will result in an expression found in bigip.conf as follows:

expression "expr { [mcget -decode {session.ldap.last.attr.memberOf}] contains \"CN=Foo\\\\ Bar\" }"

The value '\"CN=Foo\\\\ Bar\"' will not match a memberOf group returned that contains 'CN=Foo Bar,...'.

Conditions:
Spaces are encoded with backslashes.

Impact:
Matching for memberOf group will not working.

Workaround:
N/A


528295-6 : Virtual ARP ICMP echo settings are flipped on reloading a 10.x configuration on 11.4.x or later.

Solution Article: K40735404

Component: TMOS

Symptoms:
A 10.x UCS containing LTM virtual servers with ARP set to disable. Loading the 10.x UCS on 11.4.x or later system leads to the ARP and ICMP echo setting value being flipped each time the load occurs.

Conditions:
Reloading a 10.x UCS containing virtual servers on 11.4.x or later system.

Impact:
ARP and ICMP echo setting value being flipped each time the load occurs. Note that the ICMP echo virtual field will be flipped even if ARP is enabled.

Workaround:
Delete the LTM virtual servers on the 11.x/12.x version system prior to re-loading the 10.x UCS.


527119-4 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in chrome (such as the Portal Access menu), and it appears that Javascript has not properly initialized.

Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>

One of applications known to contain such code and fail after APM rewriting is TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.


526519-1 : APM sessiondump command can produce binary data

Component: Access Policy Manager

Symptoms:
New session variable "session.access.scope" includes a null character after the value. This will result in piped grep commands from sessiondump such as:
sessiondump <args> | grep <search value>

returning the text:
Binary file (standard input) matches

instead of the expected output.

Note that this problem exists in APM version 12.

Conditions:
Using sessiondump command with pipe to grep.

Impact:
Administrator cannot use "grep" command with sessiondump.

Workaround:
Use "-a" option with grep. For example:
sessiondump <args> | grep -a <search value>


525378 : iRule commands do not validate session scope

Component: Access Policy Manager

Symptoms:
Assume that a user establishes a session on one virtual server. If the user learns his session ID, he may attempt to reuse that session ID to gain access to resources guarded by a different virtual server. When this happens, the iRule access session commands like [ACCESS::session sid] and [ACCESS::session exists] do not validate the scope of the session. The iRules consider sessions from other virtual servers to be valid, which can cause unintended results and potentially lead to end-users gaining higher privileges than administrators intended.

Conditions:
There may be multiple access profiles assigned to multiple virtual servers, but the iRule session commands will treat all sessions the same.

Impact:
If the administrator is not careful with how the iRule session commands are used, it can result in a user bypassing the access policy and receiving higher privileges than the administrator intended.

Workaround:
Care must be used to ensure that iRules using the session commands do not result in unintended behavior. An iRule similar to one below can be used to restrict a session to the virtual server on which it was created:

when ACCESS_ACL_ALLOWED {
  set sessionlistener [ACCESS::session data get "session.server.listener.name"]
  set virtualname [virtual name]
  
  if { [HTTP::cookie MRHSession] != "" } {
    if { not ($sessionlistener equals $virtualname) } {
      # enter whatever command you wish to use to prevent the connection
      reject
    }
  }
}


524193-5 : Multiple Source addresses are not allowed on a TMSH SNMP community

Component: TMOS

Symptoms:
If multiple source addresses are specified on a TMSH snmp community command (add, modify,delete, replace-all). Only the first address will be saved.

Conditions:
Specifying multiple source addresses are specified on a TMSH snmp community command.

Impact:
The command is accepted, but only the first address will be allowed snmp access.

Workaround:
Add an additional source address to another snmp community object that has the same community string.


524123-1 : iRule ISTATS::remove does not work

Component: TMOS

Symptoms:
When an iRule invokes ISTATS::remove to remove an iStat, the iStat is not removed.

Conditions:
Invoking the ISTATS::remove command from an iRule.

Impact:
The value of the iStat remains defined.

Workaround:
Use istats-triggers and iCall scripts to invoke the iStats command line tool indirectly.


523198-1 : DNS resolver multiplexing might cause unexpected behaviors

Component: Global Traffic Manager (DNS)

Symptoms:
DNS resolver multiplexing might cause unexpected behaviors, resulting in multiple error message: notice hud_msg_queue is full.

Conditions:
This occurs with a DNS resolver configured.

Impact:
TMM cores or connflows not expiring. System posts messages similar to the following: notice hud_msg_queue is full.

Workaround:
None.


523158-1 : In vpe if the LDAP server returns "cn=" (lower case) dn/group match fails

Component: Access Policy Manager

Symptoms:
In rare case when dn is returned with cn= in lower case VPE is failing to match groupnames

Conditions:
Server that returns cn in low case

Impact:
Group mapping doesn't work

Workaround:
No workaround.


517609-3 : GTM Monitor Needs Special Escape Character Treatment

Solution Article: K77005041

Component: Global Traffic Manager (DNS)

Symptoms:
When searching received data for bytes that are regex metacharacters such as $ (dollar sign), . (period), ? (question mark), etc., the search string typically requires backslash characters to escape these. Such escaped characters result in non-matching behavior in GTM monitors without warning in the GUI. The GUI also validates Perl (non-POSIX) character classes such as \d rather than [:digit:], but these Perl extensions do not search properly.

Conditions:
Any running GTM monitor.

Impact:
If a GTM monitor's expression contains regex Perl extension character classes or escaped regex metacharacters, a member's status might be incorrectly labeled.

Workaround:
When escaping a regular expression metacharacter, an \x5C can be entered as a substitute for a backslash. If searching for whitespace or digits, use [:space:] and [:digit:] rather than \s and \d.
 
For example, searching for 'HTTP/ 1.1' in a GTM HTTP monitor, you can enter the search expression HTTP/ 1\x5C.1, which the regex compiler interprets as 'HTTP/ 1\.1', to search for the period character rather than interpreting the period ( . ) as the 'any non-null byte' metacharacter.


516307-2 : Multiple Relay in DHCP relay is not working.

Solution Article: K35152864

Component: Local Traffic Manager

Symptoms:
If the BIG-IP is behind another DHCP relay, then the packets are not sent to the server, instead they are dropped.

Conditions:
This occurs when a DHCP virtual server is configured with a profile based on dhcpv4_fwd.

Impact:
This previously worked on v11.4.x, so if you are running on version 11.4.x and upgrade to 11.6.x, the virtual server may not function correctly.

Workaround:
To work around this, do the following:
1. Configure a unicast IP address for the BIG-IP DHCPv4 listener destination address field.
2. Configure the same IP address as the DHCP server IP address on DHCP relay agent.

This way the BIG-IP system can load balance DHCP load on to a pool of DHCP servers.


516280-4 : bigd process uses a large percentage of CPU

Component: Local Traffic Manager

Symptoms:
With a very large number of monitors, the bigd process can consume more than 80% CPU when a slow HTTP server returns an error.

Conditions:
~8000 HTTP/HTTPS monitors, and a slow HTTP server returns a 500 error.

Impact:
bigd process uses a large percentage of CPU.

Workaround:
None.


516167-2 : TMSH listing with wildcards prevents the child object from being displayed

Solution Article: K21382264

Component: TMOS

Symptoms:
The tmsh list command is attempted with an identifier that specifies use of wildcard match character (*) , the results returned may not print the nested objects contained within the parent object.

For example, the list ltm pool* command will print all pools that begin with the word pool, but will fail to list the profiles that are within the pool.

Conditions:
tmsh list with a wildcard character specified for parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with wildcard character (*) specified in the object identifier

Workaround:
None.


514703-1 : gtm listener cannot be listed across partitions

Component: TMOS

Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.

Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.

For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.

Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.

Workaround:
Change to the partition where the listener exists before performing any operations on it.


513887-8 : The audit logs report that there is an unsuccessful attempt to install a mysql user on the system

Component: Application Security Manager

Symptoms:
There are "/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

Conditions:
Provisioning AFM and/or APM after ASM is already provisioned.

Impact:
"/usr/sbin/useradd" and "/usr/sbin/groupmod" related errors in '/var/log/auditd/audit.log'

no other impact

Workaround:
none


510395-5 : Disabling some events while in the event, then running some commands can cause tmm to core.

Solution Article: K17485

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
   }
   after 100
   log local0. "foo"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
       return
    }

}


510034-2 : Access Policy memory is not cleared between access policy executions

Component: Access Policy Manager

Symptoms:
APD has a Tcl interpreter that can process commands provided inside an Access policy, for variable assignment or other purposes.

The Tcl environment provided does not reliably clear Tcl variables assigned in prior executions, so care must be taken to initialize the potentially dirty variables if they are used.

Conditions:
User uses some Tcl variables that can potentially be not initialized. For example, a variable assign:
session.test = regexp {(.+)@example.com} "[mcget {session.logon.last.username}]" foo captured; return $captured

Note that here, the regex may match or not match depending on the user input. If it does not match, the variable "captured" *may* contain the results from a different user who logged in previously.

Impact:
Unexpected results from Access Policy execution.

Workaround:
To work around the problem, any variable that was used must be checked. For example, instead of the regex statement above, this could be used:

if { [regexp {(.+)example.com} "[mcget {session.logon.last.username}]" foo captured] == 1 } { return $captured; } else { return "nomatch"; }

This way, if the regex does NOT match, then the result will be "nomatch" instead of potentially containing results from a previous session.


509596-1 : iFrames with 'javascript:' scheme in SRC may not work

Solution Article: K44043455

Component: Access Policy Manager

Symptoms:
Some applications do not work with Portal Access, resulting in an error 'F5_Invoke_write is not defined' on JavaScript Console.

Conditions:
Web application that uses IFrames with 'javascript:' scheme in SRC attribute runs through Portal Access.

Impact:
Web application does not work through Portal Access.

Workaround:
There is no workaround at this time.


509497-1 : VCMP guests on a specific host may be restarted when that host system experiences large date/time changes

Component: TMOS

Symptoms:
After a large (longer than 7 months) change in system date/time, either manually or via NTPD, vCMP guests may be terminated and restarted.

Conditions:
-- vCMP is provisioned.
-- There is a large change (longer than 7 months, for example), to the system date/time.

Impact:
Temporary loss of service of data path elements, until terminated guests are restarted.

Workaround:
Avoid large changes in system time during critical hours of operation.

It may be better to bring down guests administratively, make the date/time change, and then bring the guests back up rather than allowing them to be terminated/restarted automatically due to heartbeat timer expiration.


505037-2 : Modifying a monitored pool with a gateway failsafe device can put secondary into restart loop

Solution Article: K01993279

Component: Local Traffic Manager

Symptoms:
Modifying a monitored pool with a gateway failsafe device might put secondary into restart loop.

Conditions:
Only occurs in clustered environments, when modifying a monitored pool to set the gateway failsafe device while the secondary is down. Symptom occurs when the secondary comes back up and attempts to update the health status of a pool.

Impact:
Secondary in a restart loop.

Workaround:
Remove the gateway failsafe device. Re-apply when the blade is up.


501258-2 : Unable to modify 'gtm region region-members' via iControl REST

Component: TMOS

Symptoms:
Unable to modify 'gtm region region-members' via iControl REST. The system posts error 400 Invalid region type messages.

Conditions:
Attempt to modify gtm region region-members via iControl REST.

Impact:
Unable to use iControl REST to configure this portion of the GTM/DNS configuration.

Workaround:
Use tmsh to modify GTM Regions.


499404-7 : FastL4 does not honor the MSS override value in the FastL4 profile with syncookies

Solution Article: K15457342

Component: Local Traffic Manager

Symptoms:
FastL4 does not honor the MSS override value in the FastL4 profile when syncookies are in use. This can lead to cases where the advertised MSS value in the SYN/ACK is larger than the MSS override value.

Conditions:
The FastL4 profile specifies a non-zero MSS override value and syncookies mode is active.

Impact:
The wrong MSS value is advertised during 3WHS.

Workaround:
None.


499348-5 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge.


496621-1 : Portal Access incorectly rewrites expressions with JavaScript typeof operator

Component: Access Policy Manager

Symptoms:
The Portal Access module transforms intranet web application code to make it accessible via an APM virtual server. One of these transformations might incorrectly rewrite expressions with 'typeof' operator, though you might not see any immediate visible effect.

Conditions:
The issue affects expressions like 'typeof something' where 'something' is expected to be transformed by Portal Access.
For example, with the original code similar to 'var l = window.location; if (typeof l.href) {...}' unrewritten typeof argument causes condition to fail.

Impact:
When Portal Access accesses the intranet application containing such code, expressions with typeof operator may have wrong value, leading application to incorrect code paths. As a result, the application might fail with a very obscure and difficult to diagnose errors.

Workaround:
Use an iRule for each specific case. There is no global workaround.


494135-1 : HTML Event handlers may not work if 'eval' is redefined

Solution Article: K43101043

Component: Access Policy Manager

Symptoms:
If 'eval' JavaScript call is redefined in HTML page, event handlers may not work correctly.

Conditions:
There may be many ways to re-define 'eval'. For example:

<form>
<button name=eval onclick="someFunction();">Button</button>
</form>

In this case 'onclick' event handler will not work through Portal Access.

Impact:
Web application may not work correctly. In the worst case scenario, the browser (Internet Explorer 9 or later) may crash.

Workaround:
There is no workaround at this time.


493524 : ASM attack appear ongoing forever if restarting dosl7d during an attack

Component: Application Visibility and Reporting

Symptoms:
If dosl7d is restarted during an attack it doesn't write the "end attack" event to logdb.

Conditions:
Restarting dosl7d in the middle of an ASM attack (including actions that implicitly cause dosl7d restart like tmm restart or reboot).

Impact:
Attack appears ongoing in Dos Overview page (even though it should be marked "ended").

Workaround:
No workaround.


489499-3 : chmand needs to check for LopUnsSensClientExists status after registering for unsolicited alerts with lopd

Component: TMOS

Symptoms:
chmand fails to register for unsolicited LOP events, meaning that asynchronous alerts from lopd will not seen or reported by chmand. A message is seen in /var/log/ltm that contains the phrase, "failed to register for LOP at <address>"

Conditions:
Occurs when chmand has been re-started after it has already synchronized once with lopd.

Impact:
Asynchronous events from lopd will not be reported or handled, such as fan tray removal/insertion and PSU removal/insertion. Alerts that are driven by system_check through polling sensor values and comparing them to specified limits, however, will still be operational.

Workaround:
Re-start lopd:
# bigstart restart lopd


486735-5 : Maximum connections is not accurate when TMM load is uneven

Component: Local Traffic Manager

Symptoms:
Maximum connections is not accurate when TMM load is unevenly distributed. Maximum connection statistics report the sum of maximum connections per TMM, not the maximum connections virtual server.

Conditions:
This occurs when the load disaggregated to available TMMs is uneven.

Impact:
This causes the various TMMs to measure their individual maximum connections at significantly different times, resulting in higher-than-expected maximum connections.

Workaround:
Ensure the configuration matches traffic patterns, so the load of connections is evenly distributed across all TMMs.


484683-4 : Certificate_summary is not created at peer when the chain certificate is synced to HA peer.

Solution Article: K84174454

Component: TMOS

Symptoms:
-- After a configuration synchronization (ConfigSync) operation, the peer of a high-availability (HA) pair cannot show the summary of cert-chain using the command:
tmsh run sys crypto check-cert verbose enabled

-- After a ConfigSync operation, Certificate Subjects may be missing or empty when viewed in the Configuration Utility/GUI under System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: <certificate>.

Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, set up an HA configuration.
2. Import Certificate chain to one BIG-IP system.
3. Perform a ConfigSync operation to sync the certificate chain to the HA peer.

Impact:
After a ConfigSync operation, the certificate chain summary is not created on other HA peers.

Workaround:
Copy the cert-chain file to a place (such as /shared/tmp/), and update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1


482625-1 : Pages with utf-8 Content-Type and utf-16 META tag do not render

Component: Access Policy Manager

Symptoms:
Some pages cannot be displayed. A page has a Content-type header with charset utf-8. The payload has a META tag with charset utf-16. Actual data appears to be utf-8. Rewriting the page inserts a utf-16 BOM in the response, causing the page to not load.

Conditions:
Pages that contain utf-8 Content-Type headers but utf-16 META tags

Impact:
Web-application cannot display some pages.

Workaround:
An iRule can be used to fix the META charset and allow the page to load.


479262-4 : 'readPowerSupplyRegister error' in LTM log

Component: TMOS

Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.

Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.

Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.

Workaround:
None. You can safely ignore this error message in this case.


477992-3 : Instance-specific monitor logging fails for pool members created in iApps

Solution Article: K07450534

Component: Local Traffic Manager

Symptoms:
Errors when enabling Debug Monitoring for an iApp-created pool member and disabling strict updates for the iApp.

Conditions:
Create pool members via an iApp, and attempt to enable logging on the pool member.

Impact:
Instance-specific monitor logging fails for pool members created in iApps. The log is never created. The system posts error messages in /var/log/ltm stating the log file cannot be opened.

Workaround:
If logging is required, bigdlog is available. To enable logging, run the following command: tmsh modify sys db bigd.debug value enabled.


476544-2 : mcpd core during sync

Component: TMOS

Symptoms:
mcpd can run out of memory and core when a device in a sync group is sending an extremely high volume of sync messages.

Conditions:
The exact cause of this is unknown, and it has been seen very rarely with a large sync in a sync group. Large incremental syncs could be a symptom of other things happening between the devices which could trigger the core.

Impact:
mcpd cores and restarts if it runs out or memory. Only through inspection of the core file can this condition be detected.

Workaround:
None.


474901-1 : Profiles with a large number of regexps can cause excessive memory usage.

Component: Local Traffic Manager

Symptoms:
tmm crashes on out of memory.

Conditions:
This can occur if you are using a lot of profiles that rely on regular expressions, such as compression or deflate.

Impact:
Traffic disrupted while tmm restarts.


473755-1 : It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side

Component: Application Visibility and Reporting

Symptoms:
It's possible to open a connection to monpd's Thrift server and if the client does not actively close it, the connection will persist indefinitely (even if it's idle). As a result of this issue, you might experience the following symptoms: -- Cannot access event logs or reports.
-- Cannot run tmsh analytics commands.

Conditions:
Client system opens a connection to monpd's Thrift server (port 9090 or 9091), and does not close it.

Impact:
If the number of allowed connections to monpd's Thrift server is reached, monpd will not receive new connections. Since the idle connections can persist indefinitely this will deny service from monpd.

Workaround:
No workaround (except for manually killing open idle connections).


470807-3 : iRule data-groups are not checked for existence

Component: Local Traffic Manager

Symptoms:
When an iRule specifies a data-group that is not in Common, or that does not have an explicit path to it, it does not result in an error when the iRule is saved, or during runtime.

Conditions:
User saves an iRule with a data-group not in Common or with an explicit path to it.

Impact:
When such an iRule is saved, it can cause all traffic to fail.

Workaround:
None.


469366-3 : ConfigSync might fail with modified system-supplied profiles

Solution Article: K16237

Component: TMOS

Symptoms:
A config sync operation might fail with a parent-profile-not-found error message, despite the fact that the parent profile is present in the running configuration of both systems.

Conditions:
On the sync target (the system receiving the configuration, and the one that reports a sync failure), a system-supplied profile (e.g. /Common/serverssl) has been modified, and is present in /config/bigip.conf.

Impact:
An administrator is unable to synchronize system configurations. The system might post messages similar to the following example: '01020036:3: The requested parent profile (/Common/serverssl) was not found.'

Workaround:
One of the following: 1. Manually replicate the changes on the base profile to the system that is sourcing the config sync.
2. Undo the changes to the base profile on the system that is receiving the config sync (to do so, save the configuration, manually remove the base profile from /config/bigip.conf, and then re-load the configuration), and then perform a force sync operation. 3. Perform a sync in the other direction.
Important: Performing a sync in this direction overrides any unsync'd changes on the other system.


467589-4 : Default cron script /usr/share/mysql/purge_mysql_logs.pl throws error.

Component: WebAccelerator

Symptoms:
The /usr/share/mysql/purge_mysql_logs.pl script that ships with the new install (and is run hourly via cron) throws an error. The script is meant to be exited if AAM, ASM and PSM are not provisioned, but the check is not done appropriately and it continues execution, failing later.

Conditions:
BIG-IP system with no AAM, ASM, and PSM provisioned, when running the script /etc/cron.hourly/purge_mysql_logs.pl (linked to /usr/share/mysql/purge_mysql_logs.pl)

Impact:
The script gives false output and attempts to execute invalid actions. The system posts the following error: Usage: $class->connect([$dsn [,$user [,$passwd [,\%attr]]]]) at /etc/cron.hourly/purge_mysql_logs.pl line 27.

Workaround:
Provision AAM, ASM, or PSM. Or modify the script using the following procedure:

Remount /usr partition as RW:
# mount -o remount -rw /usr

Edit /usr/share/mysql/purge_mysql_logs.pl and change the original check:

unless( $provisioned_am || $provisioned_asm || $provisioned_psm ) {
    exit 0;
}

to:

unless( $provisioned_am == 1 || $provisioned_asm == 1 || $provisioned_psm == 1 ) {
    exit 0;
}


455066-2 : Read-only account can save system config

Component: TMOS

Symptoms:
A read-only user can run the tmsh save sys config command, which saves the configuration including changes made by other read/write users.

Conditions:
This occurs when logged in as a read-only user and running save sys config in tmsh.

Impact:
Read-only users are able to run save sys config in tmsh.

Workaround:
None.


451627-2 : If key associated with monitor is stored in external hsm, monitor fails.

Component: Local Traffic Manager

Symptoms:
Monitor does not work with netHSM keys.

Conditions:
Configure netHSM keys and monitor.

Impact:
Monitor does not work.


450136-3 : Occasionally customers see chunk boundaries as part of HTTP response

Component: Access Policy Manager

Symptoms:
Occasionally, users see chunk boundaries as part of HTTP response if the virtual server is configured with rewrite profile variant and some other profiles.

Conditions:
Virtual server with rewrite profile variant and some other profiles like OneConnect and NTLM could cause HTTP response to be double-chunked.

Impact:
End users may see random characters displayed on their web pages, or the page may fail to render because it contains invalid HTML markup.

Workaround:
To workaround this problem, use an iRule to rechunk the HTTP response always.


438574-1 : Web UI: iSession Profile properties page displays incorrect parent profile name.

Component: TMOS

Symptoms:
Local Traffic :: Profiles :: iSession Profile properties page displays incorrect parent profile name.

Conditions:
-- Viewing parent profile for an iSession profile.
-- 'iSession' is set as parent profile .
-- Another profile exists with name beginning from 'a' to 'h'.

Impact:
Incorrect information is displayed on the GUI even though the database has the correct information.

Workaround:
View the properties of iSession profile from tmsh.


435419-4 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Solution Article: K10402225

Component: Access Policy Manager

Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the EPSEC file completely, and try the installation again.


433572-4 : DTLS does not work with rfcdtls cipher on the B2250 blade

Component: Local Traffic Manager

Symptoms:
DTLS does not work with rfcdtls cipher on the B2250 blade.

Conditions:
This occurs as a result of hardware acceleration offload on the B2250 blade when using dtls on vCMP.

Impact:
DTLS does not work with rfcdtls cipher on the B2250 blade

Workaround:
None.


431480-1 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Solution Article: K17297

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


417819-2 : APM - when Edge Clients, some JS contents are different causing warning

Solution Article: K69046914

Component: Access Policy Manager

Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.

Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier that IE11 is used to access full webtop resource.

Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.

Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.

Workaround:
Special APM resource assignment branch for standalone Edge Clients can be configured in VPE to access 'webtop-type network', (NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).


414713-1 : Hosted Content connected object import issues

Component: Access Policy Manager

Symptoms:
If object of policy is linked with hosted content, import will fail unless similarly named object is not created on target box.

The import error looks similar to the following:
"Configuration error: Cannot find sandbox file (Common/hosted-content:loginNew.html_1361913754973) referred in resource webtop (/Common/Import-ChangeProperty) Unexpected Error: Validating configuration process failed."

Conditions:
This can occur if you are using Hosted Content and you are using Export/Import to copy an access policy from one APM to a new APM that does not have the Hosted Content files already on it.

Impact:
The import will fail on the new device.

Workaround:
Unlink objects from hosted content or replicate similar objects under similar names in hosted content first


409340-1 : https/ssl monitor closes immediately (rather than awaiting remote close-notify)

Solution Article: K63086108

Component: Local Traffic Manager

Symptoms:
SSL-based monitors (such as https) continue to maintain an open connection for up to ~15 seconds after the monitor probe is completed, when connecting to an SSL enabled web server that fails to send close-notify before FIN.

Conditions:
Configuration uses SSL-based monitors (such as https), where your SSL enabled web server fails to send close-notify before FIN.

Impact:
SSL-enabled monitors wait ~15 seconds before closing the connection and reclaiming resources. Although this behavior is correct according to the SSL protocol, it has the potential to introduce a limited amount of connection stacking on the monitored host.

Workaround:
Your SSL enabled web server should send close-notify before FIN for SSL-based monitors to close immediately.


405898-2 : If the OSPF derived MTU is different from the path MTU, OSPF may not function as expected

Component: Local Traffic Manager

Symptoms:
If the maximum transmission unit (MTU) for a network running OSPF is different from ZebOS, or if its neighbor router has configured for its interface MTU, OSPF adjacencies may not form, or some datagrams may be rejected.

Conditions:
TMM has cached a reduced path MTU for a network that is smaller than the configured MTU of the interface. OSPF running on that interface.

Impact:
OSPF adjacencies never fully form and routes are not exchanged.

Workaround:
Restarting TMM clears the cached maximum transmission unit (MTU), and allowing all interface MTUs to function with default values should prevent a mismatch.


396273-2 : Error message in dmesg and kern.log: vpd r/w failed

Component: TMOS

Symptoms:
When running dmesg, you might see errors similar to the following: 0000:17:00.0: vpd r/w failed. This is typically considered a firmware issue on the device, and you can contact the card vendor for a firmware update.
This error can be seen in /var/log/kern.log as well.

Conditions:
This can occur whenever 'lspci -vv' (or 'lspci -vvv', e.g., during qkview generation) is executed.

Impact:
This is a benign firmware message, and you can safely ignore it.

Workaround:
There is no workaround, but this is not a functional issue.


375434-6 : HSB lockup might occur when TMM tries unsuccessfully to reset HSB.

Component: TMOS

Symptoms:
An HSB lockup might occur when the TMM driver tries to reset HSB and the effort is not successful. After several failed attempts, a bad DMA packet causes tmm to crash. This failure can also result in a "DMA lockup on transmitter failure" reported in the TMM log files.

Conditions:
This occurs on HSB platforms that have AMD processors, which include the BIG-IP 6900, 89x0, and 110x0 platforms, and the VIPRION B4100, B4200, and B4200N blades.

Impact:
The HSB is non-functional and requires reinitialization. This occurs after the BIG-IP is rebooted, which is automatically triggered when this condition occurs.

Workaround:
None.


374067-7 : Using CLIENT_ACCEPTED iRule to set SNAT pool on OneConnect virtual server interferes with keepalive connections

Solution Article: K14098

Component: Local Traffic Manager

Symptoms:
Using the 'snatpool' command in the CLIENT_ACCEPTED iRule event causes keepalive requests to originate from the self-IP of the BIG-IP system.

Conditions:
An iRule using the 'snatpool' command in CLIENT_ACCEPTED.

Impact:
Keepalive connections occasionally source from the BIG-IP system's self-IP address.

Workaround:
Use the HTTP_REQUEST event to set the SNAT pool.


369640-1 : Folder path objects in iRules can have only a single context per script

Solution Article: K17195

Component: Local Traffic Manager

Symptoms:
If an iRule is assigned to two different virtual servers in different contexts, the first time the rule runs any internal object conversions/lookups will be performed in the first context. When the second virtual runs the same rule, it will assume that the objects that have been looked up are correct, and point to the wrong members.

Conditions:
Two virtual servers in different folder paths use short names for objects like pools, procs, nodes and virtual servers.

Impact:
iRule can point to objects outside the current folder path.

Workaround:
Give each virtual servers its own copy of the iRule (it is not necessary to provide complete folder paths).


369407-3 : Access policy objects are created inconsistently depending on whether created using wizard or manually.

Component: Access Policy Manager

Symptoms:
Network Access (NA) wizard policy incorrectly labels 'Advanced Resource Assign' as 'Resource Assign' in VPE.

Conditions:
This is evident when viewing the label following completion of the NA wizard.

Impact:
The label in the VPE is 'Resource Assign', where it should be 'Advanced Resource Assign'.

Workaround:
None.


362511 : HTML entities in inline CSS style attributes may cause incorrect rewriting of URLs

Solution Article: K52162658

Component: Access Policy Manager

Symptoms:
Portal Access can incorrectly rewrite CSS in HTML style attributes if it contains HTML entities.

Conditions:
Inline CSS style attributes contains HTML entities.

For example,
  <div style="background:url(&#39;image.jpg&#39;)">
becomes
  <div style="background:url(&#39?F5CH=I;image.jpg&#39;)">
which cannot be interpreted correctly by a browser. As a result, the image won't be displayed.

Impact:
Some images on the page accessed through Portal Access may fail to load.

Workaround:
Before rewriting, use an iRule to substitute HTML entities in positions significant for parser (i.e., keywords, attribute names, quotes, brackets, colons, etc.) with the corresponding characters.


291256-5 : Changing 'Minimum Length' and 'Required Characters' might result in an error

Component: TMOS

Symptoms:
When setting a value for the password policy attribute 'Minimum Length', and setting 'Required Characters' 'Numeric', 'Uppercase', 'Lowercase', and 'Other' to values whose sum is greater than 'Minimum Length' the system does not save changes, and instead reports an error:

err mcpd[1647]: 01070903:3: Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'

Conditions:
-- Change the value of 'Minimum Length'.
-- Change the values in 'Required Characters' ('Numeric', 'Uppercase', 'Lowercase', and 'Other').
-- The sum of the values from 'Required Characters' is a greater than 'Minimum Length' value before you changed it.

Here is an example:
1. From the default of '6', change 'Minimum Length' to 10.
2. At the same time, change each of the 'Required Characters' options ('Numeric', 'Uppercase', 'Lowercase', and 'Other') to '2', for a total of 8.
3. Click Update.

(These values should be work because the value in 'Minimum Length' (10) is greater than the sum of the values in 'Required Characters' (8).)

Impact:
The changes are not saved, and an error is posted:
Constraint 'min length must be greater than or equal to the sum of all "required" types of characters' failed for 'password_policy'.

Workaround:
You can use either of the following workarounds:

-- To workaround this using the GUI, set 'Minimum Length' and 'Required Characters' separately (i.e., specify 'Minimum Length' and click Update, and then specify 'Required Characters' and click Update).

-- Use tmsh instead of the GUI.


264701-1 : GTM: zrd exits on error from bind about .jnl file error (Formerly CR 68608)

Component: Global Traffic Manager (DNS)

Symptoms:
The zrd process exits and cannot be restarted.

Conditions:
This occurs when the journal is out-of-sync with the zone.

Impact:
The zrd process cannot be restarted.

Workaround:
Before beginning, ensure that no one else is making config changes (i.e., consider making changes during a maintenance window).

I) On a working system, perform the following:
1. # rndc freeze $z

(Do this for all nonworking zones. Do not perform the thaw until you finish copying all needed files to the nonworking system.)

2. # tar zcvf /tmp/named.zone.files namedb/db.[nonworking zones].
3. # rndc thaw $z

II) On each nonworking system, perform the following:
1. # bigstart stop zrd; bigstart stop named
2. Copy the nonworking /tmp/named.zone.files from a working GTM system.
3. # bigstart start named; bigstart start zrd.

(Before continuing, review /var/log/daemon.log for named errors, and review /var/log/gtm for zrd errors0.)

Repeat part II until all previously nonworking systems are working.

III) On a working GTM system, run the following command:
# touch /var/named/config/named.conf.


247527-2 : Mgmt interface cannot be disabled via tmsh

Solution Article: K14890

Component: TMOS

Symptoms:
Issuing a tmsh command to disable the management interface of a blade or appliance appears to succeed, but the management interface is not actually disabled.

Conditions:
This problem occurs on the following hardware platforms:
BIG-IP 1500, 3400, 3410, 6400, 6800, 8400, and 8800 appliances.

This problem does not occur on the following hardware platforms:
BIG-IP 1600, 3600, 3900, 6900, 8900-series and 11000-series appliances.

Impact:
After using the tmsh utility to set the mgmt interface to a disabled state, the tmsh utility will show the mgmt interface as disabled. However, the mgmt interface still responds to network traffic, including ping and ssh.

Workaround:
There are three possible ways to work around this issue:

1) Unplug the management interface if it is not intended to be used.

2) Bring down the switch interface to which the management port connects.

3) Disable the management interface using the following information below.

Important: This workaround might cause unintended consequences. Only use this option as a last resort, as disabling the management interface may remove the ability for the Linux host to communicate with several of the BIG-IP subsystems. As a result of this loss of communication, certain BIG-IP features may not function as expected or at all.

For platforms that expose a 'mgmt' interface via ifconfig, run the command: ifconfig mgmt down. To bring the 'mgmt' interface back up, run the command ifconfig mgmt up.

For platforms that do not expose a 'mgmt' interface via ifconfig, run the command: ifconfig eth0 down. To bring 'eth0' interface back up, run the command ifconfig eth0 up.


224665-2 : Proxy Exclusion List setting is not aware of administrative partitions

Solution Article: K12711

Component: TMOS

Symptoms:
The Proxy Exclusion List setting is not aware of administrative partitions. As of BIG-IP 10.1.0, VLAN group objects reside in administrative partitions. This means that you can create a VLAN group in an administrative partition, and then give users the authority to view and manage the object in only that partition. Proxy exclusion is a VLAN group setting, so the partition restrictions should be in effect. However, the system does not prevent you from adding proxy exclusion for a VLAN group in another partition. Doing so may result in issues for the VLAN group.

Conditions:
Using VLAN groups and proxy exclusion.

Impact:
Results in issues for the VLAN group.

Workaround:
None. For more information, see SOL12711: The Proxy Exclusion List setting is not aware of administrative partitions , available here: http://support.f5.com/kb/en-us/solutions/public/12000/700/sol12711.html.


222409-6 : The HTTP::path iRule command may return more information than expected

Solution Article: K9952

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is /dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext

In this example, the method token is GET, the resource URI is http://www.example.org/dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

www.example.org:80/dir1/duir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP:path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}


222220-1 : Distributed application statistics

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.

Conditions:
Using Distributed application statistics and multiple wide-IP-members.

Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************