Supplemental Document : BIG-IP 13.1.0.1 Fixes and Known Issues

Applies To (version 13.1.0):

  • BIG-IP AAM
  • BIG-IP APM
  • BIG-IP Link Controller
  • BIG-IP Analytics
  • BIG-IP LTM
  • BIG-IP AFM
  • BIG-IP PEM
  • BIG-IP DNS
  • BIG-IP FPS
  • BIG-IP ASM

Original Publication Date: 02/12/2018 Updated Date: 06/21/2020

BIG-IP Release Information

Version: 13.1.0.1
Build: 8.0

Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
686190-1 2-Critical   LRO performance impact with BWC and FastL4 virtual server
667173-1 2-Critical   13.1.0 cannot join a device group with 13.1.0.1


Performance Fixes

ID Number Severity Solution Article(s) Description
685628-1 1-Blocking   Performance regression on B4450 blade
673832-1 1-Blocking   Performance impact for certain platforms after upgrading to 13.1.0.
696525-1 2-Critical   B2250 blades experience degraded performance.

 

Cumulative fix details for BIG-IP v13.1.0.1 that are included in this release

696525-1 : B2250 blades experience degraded performance.

Component: Performance

Symptoms:
B2250 blades have degraded performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.

Conditions:
This occurs when the FastL4 profile is configured to offload to hardware and the service provider DAG is configured and in use on B2250 blades.

Impact:
Performance will be degraded due to more connections being handled in software.

Workaround:
None.

Fix:
The performance issue for the B2250 blades has been fixed.


686190-1 : LRO performance impact with BWC and FastL4 virtual server

Component: TMOS

Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.

Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).

Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.

Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
 tmsh modify sys db tm.largereceiveoffload value disable

Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.


685628-1 : Performance regression on B4450 blade

Component: Performance

Symptoms:
Performance degradation may occur for certain types of traffic when the system is under heavy traffic load. L4 and L7 performance may be degraded by up to 5% compared to previous BIG-IP releases.

Conditions:
- L4 and L7 traffic when system is under heavy traffic load.
- VIPRION B4450 blades.

Impact:
You may encounter a performance degradation for certain types of traffic upon upgrading.

Workaround:
None.

Fix:
Performance regression on B4450 blade has been eliminated.


673832-1 : Performance impact for certain platforms after upgrading to 13.1.0.

Component: Performance

Symptoms:
Performance impact for certain platforms after upgrading to 13.1.0.

Conditions:
The following platforms, with Fast HTTP, OneConnect, or Full Proxy configured:

-- i2800
-- i4800
-- i5800
-- i7800
-- i10800
-- i11800
-- B2250
-- B4450

Impact:
The performance impacts occur on the following platforms under the associated conditions:

-- i2800 2%-3% Full Proxy traffic.
-- i4800 2%-3% Full Proxy traffic.
-- i5800 3%-8% Fast HTTP/Full Proxy traffic.
-- i7800 3%-7% Fast HTTP/Full Proxy traffic.
-- i10800 3%-7% Fast HTTP/Full Proxy traffic.
-- i11800 2%-3% Fast HTTP traffic.
-- B2250 3%-6% OneConnect/Full Proxy traffic.
-- B4450 4%-10% Fast HTTP/OneConnect/Full Proxy traffic.

Workaround:
None.

Fix:
Performance impact for certain platforms has been eliminated.


667173-1 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.



Known Issues in BIG-IP v13.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
667148-3 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
696732-3 2-Critical   tmm may crash in a compression provider
696113-3 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
693996-5 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
693206 2-Critical   iSeries LCD screen is frozen on a red spinning 'please wait' indicator
692158-1 2-Critical   iCall and CLI script memory leak when saving configuration
689577-3 2-Critical K45800333 ospf6d may crash when processing specific LSAs
689437-1 2-Critical   icrd_child cores due to infinite recursion caused by incorrect group name handling
689002-3 2-Critical   Stack overflow when JSON is deeply nested
677937-3 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
665362-2 2-Critical   MCPD might crash if the AOM restarts
665354-1 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
581851-6 2-Critical K16234725 mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade
563661-1 2-Critical   Datastor may crash
698013-1 3-Major   TACACS+ system auth and file descriptors leak
694740-3 3-Major   BIG-IP reboot during a TMM core results in an incomplete core dump
693884-1 3-Major   ospfd core on secondary blade during network instability
693563-1 3-Major   No warning when LDAP is configured with SSL but with a client certificate with no matching key
692371 3-Major   Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log
692189-1 3-Major   errdefsd fails to generate a core file on request.
692179-1 3-Major   Potential high memory usage from errdefsd.
691749-1 3-Major   reset-stats operations cannot be part of TMSH transactions
691497-2 3-Major   tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
690928 3-Major   System posts error message: 01010054:3: tmrouted connection closed
690890-1 3-Major   Running sod manually can cause issues/failover
690259 3-Major   Benign message 'keymgmtd started' is reported at log-level alert.
689567-1 3-Major   Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
689375-1 3-Major   Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
688406-1 3-Major K14513346 HA-Group Score showing 0
688231 3-Major   Unable to set VET, AZOT, and AZOST timezones
687658 3-Major   Monitor operations in transaction will cause it to stay unchecked
687617-1 3-Major   DHCP request-options when set to "none" are reset to defaults when loading the config.
687534-1 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
687353-1 3-Major K35595105 Qkview truncates tmstat snapshot files
686926-2 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686816-1 3-Major   Link from iApps Components page to Policy Rules invalid
686124-1 3-Major   IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
686029-2 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
684391-3 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
684218-1 3-Major   vADC 'live-install' Downgrade from v13.1.0 is not possible
683767-1 3-Major   Users are not able to complete the sync using GUI
683131-1 3-Major   Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
682213-1 3-Major K31623549 TLS v1.2 support in IP reputation daemon
681782-6 3-Major K30665653 Unicast IP address can be configured in a failover multicast configuration
680838-2 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-2 3-Major   ECP does not work for PFS in IKEv2 child SAs
678925-1 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678488-1 3-Major   BGP default-originate not announced to peers if several are peering over different VLANs
678380-2 3-Major   Deleting an IKEv1 peer in current use could SEGV on race conditions.
676897-3 3-Major   IPsec keeps failing to reconnect
676092-3 3-Major   IPsec keeps failing to reconnect
675718-3 3-Major   IPsec keeps failing to reconnect
673952-3 3-Major   1NIC VE in HA device-group shows 'Changes Pending' after reboot
670197-1 3-Major   IPsec: ASSERT 'BIG-IP_conn tag' failed
669462-2 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669255-5 3-Major K20100613 An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
668273-1 3-Major   Logout button not available in Configuration Utility when using Client Cert LDAP
668041-2 3-Major K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
631316-2 3-Major   Unable to load config with client-SSL profile error
627760-5 3-Major   gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
620954-5 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
471237-4 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.
464650-6 3-Major   Failure of mcpd with invalid authentication context.
402691-1 3-Major   The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP
697766-1 4-Minor   Cisco IOS XR ISIS routers may report 'Authentication TLV not found'
692172-1 4-Minor   rewrite profile causes "No available pool member" failures when connection limit reached
692165-1 4-Minor   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
691571 4-Minor   tmsh show sys software doesn't show the correct HF version
691491-5 4-Minor   2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
689147 4-Minor   Confusing log messages on certain user/role/partition misconfigurations when using remote role groups
687368-1 4-Minor K64414880 The Configuration utility may calculate and display an incorrect HA Group Score
686111-1 4-Minor   Searching and Resetting Audit Logs not working as expected
685582-7 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
685475-1 4-Minor   Unexpected error when applying hotfix
685233-1 4-Minor K13125441 tmctl -d blade command does not work in an SNMP custom MIB
683029-1 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
680856-2 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
678388-1 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times
674145-1 4-Minor   chmand error log message missing data
679431-1 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
694656-1 2-Critical   Routing changes may cause TMM to restart
692970-2 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691706-5 2-Critical   HTTP2/SPDY profile can cause orphaned connections
690756-1 2-Critical   APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
687635-1 2-Critical   Tmm becomes unresponsive and experiences restart
687205-2 2-Critical   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
686228-1 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
681175-3 2-Critical K32153360 TMM may crash during routing updates
452283-5 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
698379-2 3-Major   HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
698211-1 3-Major   DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
698000-3 3-Major   Connections may stop passing traffic after a route update
695925-1 3-Major   tmm crash when showing connections for a CMP disabled virtual server
695109-1 3-Major   Changes to fallback persistence profiles attached to a Virtual server are not effective
694697-1 3-Major   clusterd logs heartbeat check messages at log level info
693910-4 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
691806-1 3-Major   RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
691785-1 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
690778-1 3-Major   Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
690042-1 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689449-1 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
689361-1 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
689089-1 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744-1 3-Major   LTM Policy does not correctly handle multiple datagroups
688629-1 3-Major   Deleting data-group in use by iRule does not trigger validation error
688571-2 3-Major   Untrusted cert might be accepted by the server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
687807-1 3-Major   The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception
687044-3 3-Major   tcp-half-open monitors might mark a node up in error
686563-1 3-Major   WMI monitor on invalid node never transitions to DOWN
686547-1 3-Major   WMI monitor sends logging data for credentials when no credentials specified
686307-3 3-Major   Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686305-1 3-Major   Memory leak when SSL forward proxy forged certificate.
686101-1 3-Major   Creating a pool with a new node always assigns the partition of the pool to that node.
686065-2 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
685615-4 3-Major K24447043 Incorrect source mac for TCP Reset with vlangroup for host traffic
685519-1 3-Major   Mirrored connections ignore the handshake timeout
685344-1 3-Major   Monitor 'min 1 of' not working as expected with FQDN nodes/members
685110-1 3-Major K05430133 With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683706-3 3-Major   Pool member status remains 'checking' when manually forced down at creation
683697-1 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
683061-1 3-Major   Rapid creation/update/deletion of the same external datagroup may cause core
681757-3 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673-4 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-1 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
678872-3 3-Major   Inconsistent behavior for virtual-address and selfip on the same ip-address
678524-1 3-Major   Join FF02::2 multicast group when router-advertisement is configured
677666-2 3-Major K60909141 /var/tmstat/blades/scripts segment grows in size.
677525-2 3-Major K06831814 Translucent VLAN group may use unexpected source MAC address
663821-1 3-Major K41344010 SNAT Stats may not include port FTP traffic
659519-6 3-Major K42400554 Non-default header-table-size setting on HTTP2 profiles may cause issues
594751-1 3-Major   LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
495443-9 3-Major   ECDH negotiation failures logged as critical errors.
251162-1 3-Major   The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
692095-1 4-Minor   bigd logs monitor status unknown for FQDN Node/Pool Member
688557-1 4-Minor   Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
685467-1 4-Minor   Certain header manipulations in HTTP profile may result in losing connection.
680680-1 4-Minor   The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
592503-1 4-Minor   TMM 'timer' device does not report 'busy' for non-priority timers.


Performance Issues

ID Number Severity Solution Article(s) Description
681256-1 1-Blocking   Virtual Edition GTM DNS Query Performance Degradation
682209 2-Critical   Per Request Access Policy subroutine performance down by about 7%
681352 2-Critical   Performance of a client certificate validation with OCSP agent is degraded


Global Traffic Manager Issues

ID Number Severity Solution Article(s) Description
682335-1 2-Critical   TMM can establish multiple connections to the same gtmd
562921-5 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
690166-1 3-Major   ZoneRunner creates a new stub zone when creating a SRV WIP with more subdomains
689583-1 3-Major   Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
688335-5 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
580537-3 3-Major   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
693007-1 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
688266-5 4-Minor   big3d and big3d_install use different logic to determine which version of big3d is newer


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
691670-5 2-Critical K02515009 Rare BD crash in a specific scenario
686108-1 2-Critical   User gets blocking page instead of captcha during brute force attack
684312-1 2-Critical   During Apply Policy action, bd agent crashes, causing the machine to go Offline
697303-1 3-Major   BD crash
696265-5 3-Major   BD crash
694934-1 3-Major   bd crashes on a very specific and rare scenario
694922-5 3-Major   ASM Auto-Sync Device Group Does Not Sync
690883-1 3-Major   BIG-IQ: Changing learning mode for elements does not always take effect
689982-3 3-Major   FTP Protocol Security breaks FTP connection
686517-2 3-Major   Changes to a parent policy, which has no active children, are not synced to the secondary chassis slots
686470-1 3-Major   Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.
686452-1 3-Major   File Content Detection Formats are not exported in Policy XML
685964-1 3-Major   cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771-1 3-Major   Policies cannot be created with SAP, OWA, or SharePoint templates
685164-1 3-Major   In partitions with default route domain != 0 request log is not showing requests
683508-1 3-Major   WebSockets: umu memory leak of binary frames when remote logger is configured
680353-1 3-Major   Brute force source-based mitigation is not working as expected
679384-3 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
676223-4 3-Major   Internal parameter for not signing allowed cookies
674494-4 3-Major   BD memory leak on specific configuration and specific traffic
668184-2 3-Major   Huge values are shown in the AVR statistics for ASM violations
667414-1 3-Major   JSON learning of parameters in WebSocket context is not working
605649-2 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
694073-3 4-Minor   All signature update details are shown in 'View update history from previous BIG-IP versions' popup
688833-3 4-Minor   Inconsistent XFF field in ASM log depending on violation category
685743-5 4-Minor   When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
685193-1 4-Minor   If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies
675232-6 4-Minor   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
665470-3 4-Minor   Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
697421 3-Major   Monpd core when trying to restart
688813-2 3-Major K23345645 Some ASM tables can massively grow in size.
683474 3-Major   The case-sensitive problem during comparison of 2 Virtual Servers
679088-1 3-Major   Avr reporting and analytics does not display statistics of many source regions


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
692557-1 2-Critical   When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
695953-1 3-Major   Custom URL Filter object is missing after load sys config TMSH command
694624-1 3-Major   SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
693844-1 3-Major   APMD may restart continuously and cannot come up
688046-2 3-Major   Change condition and expression for Protocol Lookup agent expression builder
687937-1 3-Major   RDP URIs generated by APM Webtop are not properly encoded
687213-3 3-Major   When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
686389-1 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
684399-4 3-Major   Connectivity profiles UI shows (Not Licensed) when LTM base is presented
684325-1 3-Major   APMD Memory leak when applying a specific access profile
683389-3 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297-2 3-Major   Portal Access may use incorrect back-end for resources referenced by CSS
682751-7 3-Major   Kerberos keytab file content may be visible.
682500-2 3-Major   VDI Profile and Storefront Portal Access resource do not work together
680855 3-Major   Safari 11 sometimes starts more than one session
671138 3-Major   Firefox and Chrome users are asked to re-install the Windows "Endpoint Inspector Application" after upgrade from 13.0.0
668247-2 3-Major   Machine Certificate Checker service may not be used when UAC is disabled on a Windows machine
658278-1 3-Major   Network Access configuration with Layered-VS does not work with Edge Client
621158-3 3-Major   f5vpn does not close upon closing session
612118-2 3-Major   Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
447565-9 3-Major   Renewing machine-account password does not update the serviceId for associated ntlm-auth.
686718-3 4-Minor   VPN tunnel adapter stays up in some cases
610436-1 4-Minor   DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.


Service Provider Issues

ID Number Severity Solution Article(s) Description
698338-1 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
689343-2 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-4 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
684068-1 2-Critical   FIX with PVA offload and late binding without flow release may not execute iRules on subsequent messages
696049-1 3-Major   High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
692310-2 3-Major   ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
691048-1 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
688942-5 3-Major K82601533 ICAP: Chunk parser performs poorly with very large chunk
679114-4 3-Major K92585400 Persistence record expires early if an error is returned for a BYE command
674747-4 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
685820-3 2-Critical   Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
644822 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
684369-2 3-Major K35423171 AFM ACL Rule Policy applied on Standby device
651169-1 3-Major   The Dashboard does not show an alert when a power supply is unplugged


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
696383-1 2-Critical   PEM Diameter incomplete flow crashes when swept
694717-1 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-1 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
696789-1 3-Major   PEM Diameter incomplete flow crashes when Tcl is resumed
684333-1 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
667700-1 3-Major   Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed
642068-4 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231-4 3-Major   No flow control when using content-insertion with compression
680729-1 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
684852-1 2-Critical   Obfuscator not producing deterministic output
692123 3-Major   GET parameter is grayed out if MobileSafe is not licensed


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
692941-1 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691287-1 2-Critical   tmm crashes on iRule with pool command after string command
678861-1 2-Critical K00426059 DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other
672504-2 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
667542-6 2-Critical   DNS Express does not correctly process multi-message DNS IXFR updates.
645615-6 2-Critical   zxfrd may fail and restart after multiple failovers between blades in a chassis.
696808-1 3-Major   Disabling a single pool member removes all GTM persistence records
691498-3 3-Major   Connection failure during iRule DNS lookup can crash TMM
680069-1 3-Major   zxfrd core during transfer while network failure and DNS server removed from DNS zone config
679149-1 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
667469-3 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
655233-2 3-Major K93338593 DNS Express using wrong TTL for SOA RRSIG record in NoData response
648766-2 3-Major K57853542 DNS Express responses missing SOA record in NoData responses if CNAMEs present


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
697964 1-Blocking   admd might core under stress conditions
691462-1 3-Major   Bad actors detection might not work when signature mitigation blocks bad traffic
687986 3-Major   High CPU consumption during signature generation; the number of signatures per virtual server is not limited
687984 3-Major   Attacks with randomized HTTP header parameters generate too many signatures

 

Known Issue details for BIG-IP v13.1.x

698379-2 : HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(

Component: Local Traffic Manager

Symptoms:
Uploads for the HTTP2 virtual server fail intermittently with HTTP2 error error_code=FLOW_CONTROL_ERROR.

Conditions:
HTTP2 virtual server configured.

Impact:
Uploads for the HTTP2 virtual server might fail intermittently.

Workaround:
None.


698338-1 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.


698211-1 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Component: Local Traffic Manager

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
A wildcard resource record is deleted from the related DNS Express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.
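After applying the workaround above, it is worth confirming that the DNS Express listener now answers NXDOMAIN for a name that no longer matches any record, rather than NOERROR with an empty answer section (NODATA). The following check is an added example, not F5 code: it builds a minimal DNS query, parses the response header, and classifies the result as NXDOMAIN, NODATA or ANSWER. The sample responses used for self-testing are constructed in-line; the live query function assumes the DNS Express virtual server is reachable on UDP port 53.

```python
import socket
import struct

# DNS header RCODE values (RFC 1035 section 4.1.1)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name into DNS label format ("example.com" -> 7example3com0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, qid=0x1234):
    """Build a standard recursion-desired query for one name/type."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd, an, ns, ar
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data):
    """Decode the 12-byte DNS header into a dict of the fields the check needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
        "nscount": ns,
    }


def classify(data):
    """NXDOMAIN = name does not exist; NODATA = NOERROR with no answers; ANSWER = records returned."""
    r = parse_response(data)
    if r["rcode"] == "NXDOMAIN":
        return "NXDOMAIN"
    if r["rcode"] == "NOERROR":
        return "ANSWER" if r["ancount"] > 0 else "NODATA"
    return r["rcode"]


def make_response(query, rcode, answers=()):
    """Constructed test helper: turn a query into an authoritative response with the given RCODE.
    Each entry in answers is a 4-byte A record RDATA; the owner name is a pointer to the question."""
    qid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080 | (rcode & 0xF)  # QR, AA, RD, RA, RCODE
    header = struct.pack("!HHHHHH", qid, rflags, 1, len(answers), 0, 0)
    body = query[12:]
    for rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    return header + body


def query_server(server, name, qtype=QTYPE_A, timeout=2.0):
    """Send one UDP query to a DNS listener (assumed on port 53) and classify the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if parse_response(data)["id"] != parse_response(q)["id"]:
        raise ValueError("response id does not match query id")
    return classify(data)


if __name__ == "__main__":
    import sys
    # Usage: python dns_rcode_check.py <listener-ip> <name-that-should-not-exist>
    server, name = sys.argv[1], sys.argv[2]
    print(name, "->", query_server(server, name))
```

A healthy zone answers NXDOMAIN for a name that matches nothing; NODATA is only expected when the name exists but has no record of the queried type, so seeing NODATA for a name that was covered only by the deleted wildcard means the stale database is still being served.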


698013-1 : TACACS+ system auth and file descriptors leak

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.
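Because the symptom surfaces in /var/log/secure before administrative access is lost entirely, the leak can be caught early by watching that log for the PAM messages listed above. The following script is an added example, not F5 code: it parses syslog-style lines, keeps only httpd entries that mention 'Too many open files', and raises an alert once a configurable number of such events has been seen, so that httpd can be restarted before remote-authenticated access fails. The sample log lines are constructed for illustration; the syslog line layout and the threshold value are assumptions.

```python
import re
import sys
from collections import Counter

# Assumed syslog layout for /var/log/secure: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The string every variant of the symptom has in common.
FD_EXHAUSTION_MARKER = "Too many open files"


def parse_line(line):
    """Return the syslog fields of one line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_fd_exhaustion(lines):
    """Keep only httpd events whose message reports file-descriptor exhaustion."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["prog"] == "httpd" and FD_EXHAUSTION_MARKER in rec["msg"]:
            events.append(rec)
    return events


def summarize(events, threshold=3):
    """Count events per httpd pid and decide whether the threshold for alerting is reached."""
    per_pid = Counter(e["pid"] for e in events)
    total = sum(per_pid.values())
    return {"per_pid": dict(per_pid), "total": total, "alert": total >= threshold}


# Constructed sample lines modelled on the messages this issue describes.
SAMPLE_SECURE_LOG = [
    "Feb 12 10:01:02 bigip1 httpd[12345]: PAM [error: /lib/security/pam_bigip_authz.so: "
    "cannot open shared object file: Too many open files]",
    "Feb 12 10:01:02 bigip1 httpd[12345]: PAM audit_open() failed: Too many open files",
    "Feb 12 10:01:05 bigip1 sshd[2222]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2",
    "Feb 12 10:02:10 bigip1 httpd[12346]: PAM audit_open() failed: Too many open files",
    "Feb 12 10:02:11 bigip1 httpd[12346]: PAM unable to open module configuration: Too many open files",
]


if __name__ == "__main__":
    # Usage: python fd_leak_watch.py /var/log/secure   (falls back to the sample lines)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    report = summarize(find_fd_exhaustion(source))
    print("fd-exhaustion events per httpd pid:", report["per_pid"])
    if report["alert"]:
        print("ALERT: httpd is leaking file descriptors; restart httpd or switch to SSH access")
```

Run it from cron or a log shipper against /var/log/secure on a device that uses TACACS+ for system authentication; because the root account and local authentication are unaffected, the alert still leaves a path to restart httpd before HTTP-based access becomes unavailable.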


698000-3 : Connections may stop passing traffic after a route update

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.


697964 : admd might core under stress conditions

Component: Anomaly Detection Services

Symptoms:
admd might core when the system is under stress.

Conditions:
1. Behavioral DoS and signatures are configured.
2. Heavy stress condition.
3. DHD licensed / AWAF licensed.

Impact:
admd daemon restarts.

Workaround:
Do not configure signatures detection.


697766-1 : Cisco IOS XR ISIS routers may report 'Authentication TLV not found'

Component: TMOS

Symptoms:
When peering with ISIS to Cisco IOS XR routers, messages similar to the following may be seen:

isis[1003]: %ROUTING-ISIS-5-AUTH_FAILURE_DROP : Dropped L2 LSP from TenGigE0/0/0/1 SNPA 0001.47fd.a801 due to authentication TLV not found.

Conditions:
The BIG-IP system is configured for dynamic routing using the ISIS protocol, and is peered with an IOS XR router, or with another BIG-IP system running software older than version 11.6.1.

In addition, authentication needs to be configured, and a value needs to be set for lsp-refresh-interval, or for max-lsp-lifetime. For example:


   router isis isisrouter
   is-type level-2-only
   authentication mode md5
   authentication key-chain keychain-isis
   lsp-refresh-interval 5
   max-lsp-lifetime 65535
   net 49.8002.00c1.0000.0000.f523.00

Impact:
This is a cosmetic issue. Routing is not impacted. LSPs containing actual routing information do contain the Auth TLV, as expected.

Workaround:
None.


697421 : Monpd core when trying to restart

Component: Application Visibility and Reporting

Symptoms:
Monpd tries to restart and accesses an uninitialized variable.

Conditions:
Monpd tries to restart due to a change of primary blade.

Impact:
Monpd cores.

Workaround:
N/A


697303-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.


696808-1 : Disabling a single pool member removes all GTM persistence records

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidentally cleared.

Workaround:
Set drain-persistent-requests yes.


696789-1 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created (for example, it is suspended by an iRule) and the iRule is resumed because of a timeout, tmm crashes.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.


696732-3 : tmm may crash in a compression provider

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes, which will result in a temporary traffic disruption and failover.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly


696383-1 : PEM Diameter incomplete flow crashes when swept

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.


696265-5 : BD crash

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.


696113-3 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The refcount field in the connflow structure was reduced in size, so the length of some IPsec crypto queues can reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.


696049-1 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.


695953-1 : Custom URL Filter object is missing after load sys config TMSH command

Component: Access Policy Manager

Symptoms:
The user cannot see the custom URL Filter object that was created through either TMSH or the GUI.
If the filter object is referenced in an Access Policy, the policy fails to load during the "load sys config" command:
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
The custom URL Filter object is missing after the user runs the "load sys config" command in TMSH. Note that SWG is not provisioned in this case.

Impact:
The access policy fails to load if it references the URL Filter object. The user cannot use the URL Filter object in the policy.

Workaround:
(1) Provision SWG, and recreate the URL Filter
or
(2) Change bigip.conf to include the URL Filter object


695925-1 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using 'tmsh show sys connection'.


695109-1 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.


694934-1 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.


694922-5 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic


694740-3 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.


694717-1 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
A PEM iRule command that results in an inter-TMM lookup is invoked several times on a long-lived flow, for example a long-lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.


694697-1 : clusterd logs heartbeat check messages at log level info

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice (or debug).


694656-1 : Routing changes may cause TMM to restart

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.


694624-1 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor

Component: Access Policy Manager

Symptoms:
APM Webtop's SSO-enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates the following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac

Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.

Impact:
RDP client can't launch requested resource (desktop/application).

Workaround:
Disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable


694073-3 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.


693996-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


693910-4 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses is dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on an STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.


693884-1 : ospfd core on secondary blade during network instability

Component: TMOS

Symptoms:
ospfd cores on a secondary blade while the network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
The dynamic routing process ospfd cores on a secondary blade.

Workaround:
None.


693844-1 : APMD may restart continuously and cannot come up

Component: Access Policy Manager

Symptoms:
apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, rdp, etc.). The most likely configuration to encounter this issue is with ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, it might be that apmd cannot initialize the Allow agent in 30 secs, so it restarts, at which point the process tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.

Conditions:
Too many resources are assigned in an Access Policy profile, for example thousands of ACLs configured.

apmd cannot initialize the Allow Ending agent in 30 seconds and decides that it has stopped responding. It then restarts on its own, but the problem is not solved, so it restarts in a loop.

Impact:
APM end users cannot authenticate.

Workaround:
Reduce amount of resources so every agent can initialize within the 30-second timeframe.


693563-1 : No warning when LDAP is configured with SSL but with a client certificate with no matching key

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.


693206 : iSeries LCD screen is frozen on a red spinning 'please wait' indicator

Component: TMOS

Symptoms:
There are conditions where the LCD looks frozen on a red spinning 'please wait' indicator. Known conditions include: power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Conditions:
This occurs during power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Impact:
iSeries LCD screen is frozen on a red spinning 'please wait' indicator. At this point the LCD screen is not usable until it is reset.

Workaround:
Using a command line prompt, from either the front panel management port or serial port, issue the following IPMI commands to reset the LCD module:

ipmiutil cmd 00 20 e8 29 5 1
ipmiutil cmd 00 20 e8 29 5 0


693007-1 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal: at most a single timeout for pending TLD queries when they happen to round-robin onto the old IP address, probably not more often than the hint's TTL (which is more than a month), and even then only once the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.


692970-2 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.


692941-1 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing a wide IP causes gtmd and tmm to core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.


692557-1 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.

Component: Access Policy Manager

Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.

Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.


692371 : Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log

Component: TMOS

Symptoms:
Unexpected warnings in the LTM log indicating Octeon, Nitrox, and/or Super IO recovery happening in BIOS.

Messages appear similar to the following:
-- warning chmand[5972]: 012a0004:4: Nitrox recoveries: 1
-- warning chmand[5972]: 012a0004:4: Octeon recoveries: 1
-- warning chmand[6018]: 012a0004:4: Host CPU subsystem power-off event caused by Super IO

Conditions:
-- Currently released BIOS with error recovery enabled.
-- VIPRION B2150 and B2250 blades.

Impact:
There is no functional impact to the system. The BIOS shipping with the VIPRION B2150 and B2250 blades configures the PCIe interfaces in such an order that BIOS recovery may have to take over. These messages are generated as BIOS error recovery is implemented to correct the PCIe interfaces configuration issues after which the system will boot normally. These messages are then benign.

Workaround:
These are benign messages in the LTM log and show that BIOS error recovery is working. The messages may be ignored.


692310-2 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body

Component: Service Provider

Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.

Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).

Impact:
The HTTP server or client to which the modified request or response is destined, receives invalid HTTP and might behave in an unexpected manner.

Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.

For example with modified request:

when ADAPT_REQUEST_HEADERS {
    # Tcl does not treat single quotes as quoting characters, so the header name
    # must be double-quoted (or bare) for the exists check to match "Content-Length".
    if {([HTTP::method] eq "GET") and (not [HTTP::header exists "Content-Length"])} {
        HTTP::header insert Content-Length 0
    }
}

Use the same logic in ADAPT_RESPONSE_HEADERS {} for a modified response.
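The same normalization, written out in Python as an added example rather than code from the release note, helps when reviewing captures of ICAP-modified traffic: one function reproduces the iRule's fix (insert 'Content-Length: 0' when a bodiless message carries neither Content-Length nor Transfer-Encoding) for both requests and responses, and a second flags a message that already shows the symptom, a chunked framing carrying only the terminating zero-length chunk. The sample messages are constructed.

```python
from typing import List, Tuple

CRLF = b"\r\n"
Header = Tuple[bytes, bytes]


def split_message(raw: bytes) -> Tuple[bytes, List[Header], bytes]:
    """Split a raw HTTP/1.1 message into (start line, [(name, value)...], body).

    Works for requests and responses alike; the start line is kept opaque."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def has_body_framing(headers: List[Header]) -> bool:
    """True if the message already declares its body length (or lack of one)."""
    return any(n.lower() in (b"content-length", b"transfer-encoding") for n, _ in headers)


def add_content_length_if_missing(raw: bytes) -> bytes:
    """Equivalent of the iRule workaround, generalized to requests and responses:
    a message with no body and no framing header gets 'Content-Length: 0' appended,
    which stops the adapt profile from chunking an empty body."""
    start, headers, body = split_message(raw)
    if body or has_body_framing(headers):
        return raw  # nothing to do: either there is a body or the framing is explicit
    headers.append((b"Content-Length", b"0"))
    return CRLF.join([start] + [n + b": " + v for n, v in headers]) + CRLF + CRLF


def is_empty_chunked(raw: bytes) -> bool:
    """Detect the symptom described above: Transfer-Encoding: chunked whose
    body is nothing but the terminating zero-length chunk ("0\\r\\n\\r\\n")."""
    _, headers, body = split_message(raw)
    chunked = any(n.lower() == b"transfer-encoding" and b"chunked" in v.lower()
                  for n, v in headers)
    return chunked and body.strip() == b"0"


# Constructed samples: a bodiless GET as an ICAP server might return it, and the
# malformed response the release note describes.
BODILESS_REQUEST = b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
SYMPTOM_RESPONSE = b"HTTP/1.1 204 No Content\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(add_content_length_if_missing(BODILESS_REQUEST))
    print("symptom present:", is_empty_chunked(SYMPTOM_RESPONSE))
```

The detector is useful on the client or server side of the BIG-IP system to confirm whether peers are actually receiving the invalid framing; the normalizer shows why the workaround is safe, since it only touches messages that carry no body at all.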


692189-1 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
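Review bot: the hunk location `16a17,19` is tied to the line numbering of the installed /etc/bigstart/scripts/errdefsd, so before applying it confirm that the insertion lands where the other bigstart scripts call `setproperties ${service}` (just ahead of the daemon launch) rather than trusting the offsets blindly; the call is what applies the resource limits the comment refers to, and without it the core-file limit stays unset and the restart in step 2 changes nothing.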
2. Run the following command: bigstart restart errdefsd


692179-1 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.


692172-1 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
An ltm rewrite profile (with mode uri-translation) can cause connections on an ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule that selects the default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}


692165-1 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.


692158-1 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device will leak memory.

Conditions:
Use of iCall or CLI scripts for saving config.

Impact:
Repeated invocation may cause the system to run out of memory, causing tmm to restart and disrupting traffic.

Workaround:
Do not save the configuration from iCall or CLI scripts.


692123 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.


692095-1 : bigd logs monitor status unknown for FQDN Node/Pool Member

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.


691806-1 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.


691785-1 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.


691749-1 : reset-stats operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
Operations that reset statistics currently cannot be part of transactions. A known exception to this is the "delete sys connection ..." command. Once the TMSH transaction is submitted, TMSH actually freezes if a "delete sys connection ..." command was included.

Conditions:
Including reset-stats operations in TMSH transactions.

Impact:
reset-stats operations cannot be part of TMSH transactions

Workaround:
Use tmsh reset-stats operations outside of TMSH transactions.


691706-5 : HTTP2/SPDY profile can cause orphaned connections

Component: Local Traffic Manager

Symptoms:
When tearing down an HTTP2 connection, which is composed of a clientside HTTP2 connection and 'n' serverside HTTP1.1 connections, the system might leave a subset of the 'n' serverside HTTP1.1 connections behind. Those left-behind connections still reference the clientside PCB, which might result in a crash should they ever be expired, e.g., due to an AFM firewall policy change triggering the sweeper.

Conditions:
-- HTTP2 leaves serverside connections behind.
-- AFM firewall policy change occurs that triggers the sweeper.

Impact:
Orphaned connections might result in various behaviors, from a small memory leak to a tmm restart, which has the possibility of disrupting traffic.

Workaround:
None.


691670-5 : Rare BD crash in a specific scenario

Solution Article: K02515009

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.


691571 : tmsh show sys software doesn't show the correct HF version

Component: TMOS

Symptoms:
tmsh show sys software does not show the correct hotfix version. Instead, it shows the base 12.1.2 release, not the 12.1.2 HF1 hotfix version. However, selecting it boots the correct version. At the login prompt, in /VERSION and in tmsh show sys version the correct hotfix version is shown.

Conditions:
Using tmsh command: tmsh show sys software

Impact:
Hotfix version is not correct.

Workaround:
At the login prompt, using /VERSION or using tmsh show sys version, the correct hotfix version will be shown.


691498-3 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, leading to a temporary loss of service.

Workaround:
No known workaround.


691497-2 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions

Component: TMOS

Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.

Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' runs at the same time, deleting a patch file that the ucs-save feature expects to exist.

Impact:
The ucs-save feature complains about the missing patch file and exits.

Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.


691491-5 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.


691462-1 : Bad actors detection might not work when signature mitigation blocks bad traffic

Component: Anomaly Detection Services

Symptoms:
When an attack signature has been detected and is mitigating, bad actor detection does not occur.

Conditions:
1. Signatures are detected and mitigating.
2. Attack traffic is not significantly higher than the good traffic.

Impact:
No bad actors are detected.
Only signatures provide DoS protection.
BIG-IP CPU utilization is higher than necessary.

Workaround:
No workaround at this time.


691287-1 : tmm crashes on iRule with pool command after string command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes when a pool command immediately follows a string command in an iRule, for example:
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

Conditions:
A GTM iRule in which a pool command immediately follows a string command, such as:
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use a pool command immediately after a string command in an iRule.


691048-1 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message that carries an Experimental-Result AVP but no Result-Code AVP, the server-side flow is aborted.

Conditions:
The Diameter answer message has an Experimental-Result AVP but no Result-Code AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.


690928 : System posts error message: 01010054:3: tmrouted connection closed

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.


690890-1 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.


690883-1 : BIG-IQ: Changing learning mode for elements does not always take effect

Component: Application Security Manager

Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.

Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.

Impact:
Suggestions are not created correctly.

Workaround:
Modify the '*' entity as well (change description).


690778-1 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.


690756-1 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated

Component: Local Traffic Manager

Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.

Conditions:
-- ACCESS::restrict_irule_events disable.
-- HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.

Impact:
iRule execution is aborted.

Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.

Note: This might not be acceptable in many cases either because of functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.


690259 : Benign message 'keymgmtd started' is reported at log-level alert.

Component: TMOS

Symptoms:
Whenever keymgmtd starts, a benign message reporting that keymgmtd has started is reported in ltm logs at log-level alert: alert keymgmtd[7853]: 01a40000:1: keymgmtd started.

Note: The keymgmtd daemon provides CA-bundle management functionality.

Conditions:
Whenever keymgmtd starts.

Impact:
No functional impact. This is a benign message that you can safely ignore.

Workaround:
None.


690166-1 : ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains

Component: Global Traffic Manager

Symptoms:
Creating an SRV wide IP results in stub zone creation even when matching zones already exist.

Conditions:
Creating an SRV wide IP whose name is three more subdomain levels deep than the existing zone.

Impact:
Unnecessary stub zones are created.


690042-1 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.


689982-3 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.


689583-1 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.

Component: Global Traffic Manager

Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
 notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
 notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
 err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.

Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
 big3d --version
 big3d
 big3d -xyz
 big3d -d

Impact:
GTM server goes red momentarily.

Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.


689577-3 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.


689567-1 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.


689449-1 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode, in which this memory is released. In the process it is possible that some legitimate connections will be killed.

Workaround:
No workaround at this time.


689437-1 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.


689375-1 : Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled

Component: TMOS

Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.

Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.

Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.

Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:

tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled

tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled


689361-1 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
-- Two pool members are monitored, each with a gateway_icmp monitor.
-- One member references a node that does not respond to ICMP requests from one device of the pair.
-- An overwrite-configsync is initiated from the paired device to which the node does respond to ICMP requests.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.


689343-2 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have a timeout value of less than 10 seconds, although the configured persistence timeout is 120 seconds.

Conditions:
When the Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, so subsequent requests are dispatched to another pool member.

Workaround:
Do not use the bi-directional persistence iRule. Use the AVP persistence type with session-id as the persist key.


689147 : Confusing log messages on certain user/role/partition misconfigurations when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors appear in /var/log/ltm, one of:

User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.

or

Input error: invalid remote user credentials, partition does not exist, broken-partition

Conditions:
Using remote role groups to set user/role/partition information for remote users. A remote user is configured so that they will receive a role of administrator, resource administrator, auditor, or web application security administrator and access to a particular partition, rather than all. (These roles require access to all partitions.) Or a remote user is configured so that their partition access will be set to a partition that does not exist on the bigip.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for the more specific error message.


689089-1 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.


689002-3 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the JSON payload returned from iControl REST is very large and deeply nested, freeing the JSON object tree can trigger a stack overflow because it recurses once per nesting level. This crashes icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.
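As an added example (not F5 code, and not how icrd_child is implemented): a Python depth scanner that measures JSON nesting with a counter instead of recursion, next to the stdlib's recursive parser, which gives up with a RecursionError on the constructed deep input. A check like this, applied before a recursive consumer touches a document, turns an unbounded-recursion crash into a rejected input.

```python
# Added example (not F5 code): measure the nesting depth of a JSON document
# without recursion, so that a payload deep enough to exhaust a recursive
# consumer's stack can be detected and rejected first.  The deep document is
# constructed inline; Python's recursive json module is used only to show
# the failure mode.

import json


def json_nesting_depth(text: str) -> int:
    """Return the maximum bracket/brace nesting depth of a JSON text.

    Scans the text once with an explicit counter instead of recursing, and
    skips over string literals (including escaped quotes) so that brackets
    inside strings are not counted.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced JSON")
    if depth != 0 or in_string:
        raise ValueError("unbalanced JSON")
    return max_depth


def within_depth_limit(text: str, limit: int = 512) -> bool:
    """Gate a document before handing it to a recursive parser or destructor."""
    return json_nesting_depth(text) <= limit


def recursive_parse_survives(text: str) -> bool:
    """True if the stdlib (recursive) parser handles the text without a RecursionError."""
    try:
        json.loads(text)
        return True
    except RecursionError:
        return False


def make_deep_array(depth: int) -> str:
    """Constructed input: `depth` nested empty arrays, e.g. '[[[]]]' for 3."""
    return "[" * depth + "]" * depth
```

The scanner runs in linear time and constant stack regardless of depth, which is the property the recursive destructor described above lacks.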


688942-5 : ICAP: Chunk parser performs poorly with very large chunk

Solution Article: K82601533

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).
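As an added example (not F5 code; the chunk sizes and feed sizes are assumptions): a Python chunked-transfer encoder that bounds chunk size, which is what the workaround asks of the ICAP server, alongside an incremental parser that hands each chunk off as soon as it is complete. ICAP (RFC 3507) carries encapsulated bodies in HTTP chunked coding, so the framing is the same. The roundtrip helper shows that peak buffering tracks the chunk size, not the body size, which is the difference between a well-chunked response and the single multi-megabyte chunk described above.

```python
# Added example (not F5 code): HTTP/1.1 chunked transfer coding as used for
# ICAP encapsulated bodies.  `encode_chunked` splits a body into chunks of
# bounded size; `ChunkParser` consumes the wire stream incrementally and
# delivers each chunk when complete, so buffering is bounded by chunk size.

from typing import Callable, List, Optional


def encode_chunked(body: bytes, max_chunk: int = 16 * 1024) -> bytes:
    """Chunked-encode `body` using chunks no larger than `max_chunk` bytes."""
    if max_chunk <= 0:
        raise ValueError("max_chunk must be positive")
    out = bytearray()
    for off in range(0, len(body), max_chunk):
        piece = body[off:off + max_chunk]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"                      # last-chunk, no trailers
    return bytes(out)


class ChunkParser:
    """Incremental chunked-body parser; calls `on_chunk` per completed chunk."""

    def __init__(self, on_chunk: Callable[[bytes], None]):
        self.on_chunk = on_chunk
        self.buf = bytearray()
        self.need: Optional[int] = None      # payload bytes of the current chunk
        self.done = False
        self.peak_buffered = 0               # largest amount held at any time

    def feed(self, data: bytes) -> None:
        self.buf += data
        self.peak_buffered = max(self.peak_buffered, len(self.buf))
        while not self.done:
            if self.need is None:                       # expecting a size line
                eol = self.buf.find(b"\r\n")
                if eol < 0:
                    return
                size_field = self.buf[:eol].split(b";", 1)[0].strip()
                self.need = int(size_field, 16)         # chunk-ext ignored
                del self.buf[:eol + 2]
                if self.need == 0:
                    self.done = True                    # trailers not handled
                    return
            if len(self.buf) < self.need + 2:           # payload + CRLF
                return
            self.on_chunk(bytes(self.buf[:self.need]))
            del self.buf[:self.need + 2]
            self.need = None


def roundtrip(body: bytes, max_chunk: int, feed_size: int) -> dict:
    """Encode, then parse in `feed_size`-byte pieces; report what was buffered."""
    chunks: List[bytes] = []
    parser = ChunkParser(chunks.append)
    wire = encode_chunked(body, max_chunk)
    for off in range(0, len(wire), feed_size):
        parser.feed(wire[off:off + feed_size])
    return {
        "ok": parser.done and b"".join(chunks) == body,
        "chunks": len(chunks),
        "peak_buffered": parser.peak_buffered,
    }
```

With a 100 KB body and 16 KB chunks the parser never holds more than one chunk plus one network read; with the same body in a single chunk it must hold all 100 KB before it can deliver anything, which is the buffering behavior the issue describes scaled down to a testable size.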


688833-3 : Inconsistent XFF field in ASM log depending on violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the X-Forwarded-For client IP field is reported as 'xff_ip' in some log entries and as 'xff ip' in others.

Conditions:
Viewing the XFF field in the ASM log, or filtering on it at a remote logger.

Impact:
Syslog filters on remote loggers that match only one spelling miss the entries that use the other.

Workaround:
Configure the remote logger's filter rules to match both 'xff ip' and 'xff_ip'.
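As an added example (not F5 code): a Python parser for key="value" ASM log entries that normalizes 'xff ip' and 'xff_ip' to one field name, run over constructed sample lines. The lines, and every field name other than the two XFF variants, are made up for illustration and do not reproduce the ASM remote logging template.

```python
# Added example (not F5 code): a tolerant parser for key="value" ASM log
# entries that accepts both spellings of the X-Forwarded-For field.  The log
# lines below are constructed for illustration; field names other than
# 'xff_ip' / 'xff ip' are illustrative, not taken from the ASM log template.

import re
from typing import Dict, List

# Keys may contain spaces ('xff ip'); values are double-quoted and may carry
# backslash-escaped characters.
_PAIR = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_ ]*?)="(?P<val>(?:[^"\\]|\\.)*)"')

CONSTRUCTED_LINES: List[str] = [
    'violation="Illegal URL",ip_client="203.0.113.7",xff_ip="198.51.100.9",request="GET /a"',
    'violation="Attack signature detected",ip_client="203.0.113.7",xff ip="198.51.100.9",request="GET /b"',
    'violation="Illegal file type",ip_client="203.0.113.8",request="GET /c.exe"',
]


def normalize_key(key: str) -> str:
    """Map 'xff ip', 'xff_ip' (and any other space/underscore variant) to one name."""
    return key.strip().lower().replace(" ", "_")


def parse_entry(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict with normalized keys."""
    return {normalize_key(m.group("key")): m.group("val") for m in _PAIR.finditer(line)}


def xff_for_lines(lines: List[str]) -> List[str]:
    """Return the XFF client IP per line, or "" when the entry carries none."""
    return [parse_entry(line).get("xff_ip", "") for line in lines]
```

Normalizing at parse time means downstream filters and correlation rules key on a single name, which is the same effect the workaround achieves by listing both spellings in the logger's rules.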


688813-2 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are collapsed correctly, the Device ID dimension is not, which causes the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.


688744-1 : LTM Policy does not correctly handle multiple datagroups

Component: Local Traffic Manager

Symptoms:
Policy in use where the conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.

Conditions:
LTM Policy where the conditions reference two or more datagroups.

Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.

Workaround:
The only mitigation is to refactor the policy so that it does not use more than one datagroup-based condition.


688629-1 : Deleting data-group in use by iRule does not trigger validation error

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
An in-use data-group can be deleted without error. The iRule then aborts, leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.


688571-2 : Untrusted cert might be accepted by server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile

Component: Local Traffic Manager

Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop' and the BIG-IP system receives a certificate from the backend server that it does not trust, the expected behavior is that the system ends the connection.

The current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.

Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.

-- 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

-- That server-ssl profile is assigned to the virtual server.

Impact:
The virtual server might communicate with a backend server that presents an untrusted certificate. Because the handshake completes anyway, the 'drop' setting cannot be relied on to enforce server certificate validation on this release; the server-ssl profile does not provide the protection the setting implies.

Workaround:
None.


688557-1 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).


688406-1 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.


688335-5 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run stably there.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>


688266-5 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.


688231 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.


688046-2 : Change condition and expression for Protocol Lookup agent expression builder

Component: Access Policy Manager

Symptoms:
Protocol lookup agent shows the incorrect condition and expression in the expression builder when included in the per-request policy.

Conditions:
This occurs when the protocol lookup agent is used in the expression builder for branching.

Impact:
Cannot follow successful branch in per-request policy.

Workaround:
To work around this issue:
1. Include Protocol lookup agent in the expression builder.
2. Click the 'change' link right next to the existing expression.
3. Go to the Advanced tab and change the expression to one of the following (depending on whether you are using HTTPS or HTTP):
-- "expr { [mcget {perflow.protocol_lookup.result}] == "https" }"
-- "expr { [mcget {perflow.protocol_lookup.result}] == "http" }"
4. Click Finished.


687986 : High CPU consumption during signature generation, not limited number of signatures per virtual server

Component: Anomaly Detection Services

Symptoms:
The number of the signatures per virtual server is not limited. This can result in a very large number of generated signatures during sophisticated attacks that use changing patterns. After a time, when a system experiences a number of attacks, the list of generated signatures can be too long.

Conditions:
-- Sophisticated attacks that use changing patterns.
-- System experiences a large number of attacks.

Impact:
High CPU utilization when mitigating. Overloaded GUI signatures screen.

Workaround:
Manually remove old / not-often-used signatures.


687984 : Attacks with randomization of HTTP headers parameters generates too many signatures

Component: Anomaly Detection Services

Symptoms:
When attackers randomize HTTP headers parameters, Behavioral DoS (BADoS) might generate too many signatures.

Conditions:
Attacks with randomization of HTTP headers parameters.

Impact:
The list of generated signatures is too long. It produces unnecessary CPU utilization for attack mitigation.

Workaround:
None.


687937-1 : RDP URIs generated by APM Webtop are not properly encoded

Component: Access Policy Manager

Symptoms:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are not properly encoded. As a result, the RDP client might misinterpret the URI when an RDP parameter contains the ampersand ( & ) symbol.

Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.

One of RDP parameters contains symbol that should be URI encoded, e.g., '&'.

Impact:
RDP client misinterprets URI, which may result in failure to open RDP resource.

Workaround:
None.


687807-1 : The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception

Component: Local Traffic Manager

Symptoms:
When there is a file named *.crt.csr in the folder /config/ssl/ssl.csr/, the web GUI throws an exception on the page System ›› Device Certificates : Device Certificate ›› Device Certificate.

A message, "An error has occurred while trying to process your request." appears.

Conditions:
The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/

Impact:
The web GUI throws an exception on the page System ›› Device Certificates : Device Certificate ›› Device Certificate.

A message, "An error has occurred while trying to process your request." appears.

Workaround:
Rename the CSR file suffix from ".crt.csr" to ".csr".


687658 : Monitor operations in a transaction cause the monitor state to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and re-created, or modified, in the same transaction, and any of its monitor configuration is changed (either the monitor itself or the user-down state), the monitor state becomes unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.


687635-1 : TMM becomes unresponsive and restarts

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.

Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.

Impact:
TMM becomes unresponsive and restarts. Traffic is disrupted while tmm restarts.

Workaround:
None.


687617-1 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when it is set to "none" in the configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
The request-option setting specifies the minimal set of configuration that the DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It is better to set it to a minimal value such as "routers, subnet-mask" in order to retain management connectivity.


687534-1 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with a name containing two dots (that is, the string '..').
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- A No Access error prevents you from adding a member to the pool.

Conditions:
This issue occurs when a pool name contains the string '..'.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }


687368-1 : The Configuration utility may calculate and display an incorrect HA Group Score

Solution Article: K64414880

Component: TMOS

Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.

Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).

Impact:
This issue is cosmetic, as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be misled by this issue and take a wrong or unnecessary corrective action because of it.

Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.


687353-1 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is the qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following command:
qkview -s0


687213-3 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry establishing the VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.


687205-2 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.


687044-3 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh set sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.


686926-2 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in an SA_INIT response, because the second response appears to have an out-of-order message ID when the BIG-IP system believes the first message_id of zero was already handled earlier.

Workaround:
None.


686816-1 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule is not valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.


686718-3 : VPN tunnel adapter stays up in some cases

Component: Access Policy Manager

Symptoms:
In some cases, the VPN tunnel adapter created by the VPN client stays up even when the tunnel is disconnected.

Conditions:
Application launch on VPN establishment is configured on APM, and the launched application is not closed.

Impact:
Cosmetic. No functionality impact. A subsequent launch of the VPN creates a new tunnel adapter.

Workaround:
Close the launched application.


686563-1 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes time out or monitor responses indicate an error. However, a WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.


686547-1 : WMI monitor sends logging data for credentials when no credentials are specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.


686517-2 : Changes to a parent policy, which has no active children, are not synced to the secondary chassis slots

Component: Application Security Manager

Symptoms:
Changes to a parent policy, which has no active children, are not synced to the secondary chassis slots

Conditions:
-- v13 or later.
-- ASM provisioned.
-- A Parent policy which has no active children.

Impact:
On a chassis failover, the new Primary slot has an outdated version of the Parent policy.

Workaround:
None.


686470-1 : Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.

Component: Application Security Manager

Symptoms:
AJAX requests are not sent, JavaScript errors occur, and AJAX-based web applications malfunction.

Conditions:
1a. Single Page Application support enabled either via a DoS application profile or in an ASM policy, or
1b. AJAX Response Page enabled via an ASM policy.

2. The web application's client-side code uses jQuery or any other AJAX client-side framework.

Impact:
AJAX requests might not be sent, and the website's client-side functionality related to the AJAX requests might not work as expected.

Workaround:
Disable Single Page Application support.


686452-1 : File Content Detection Formats are not exported in Policy XML

Component: Application Security Manager

Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.

When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.

Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

The formerly selected file content formats will not be correctly identified.

Workaround:
Use Binary Policy import/export.


686389-1 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
The current logic for determining whether to offer the HTML5 client option works for Horizon 6.x (and earlier) but does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag indicating whether the HTML5 client is enabled (absence of the <html-access-disabled/> tag). APM does not honor this flag; it should show the HTML5 client option to the APM end user only if HTML5 access has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers the HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.


686307-3 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.


686305-1 : Memory leak when SSL forward proxy forges a certificate.

Component: Local Traffic Manager

Symptoms:
Four separate memory leaks occur when the SSL forward proxy forges a certificate.

Conditions:
When SSL forward proxy is enabled.

Impact:
Memory leaks eventually cause a TMM restart. Traffic is disrupted while TMM restarts.

Workaround:
None.


686228-1 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic-generating mechanisms.

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered, and multiple responses to the generated traffic are received in fast succession.

Impact:
A TMM core file may be produced. Traffic is disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.


686124-1 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.


686111-1 : Searching and Resetting Audit Logs not working as expected

Component: TMOS

Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.

Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.

Impact:
Cannot search Audit Logs.

Workaround:
Use tmsh or bash.


686108-1 : User gets blocking page instead of captcha during brute force attack

Component: Application Security Manager

Symptoms:
Unexpected blocking page while captcha is configured.

Conditions:
-- Brute force configured with alarm and captcha mitigation.
-- The only source configured is username.
-- These are the first failed login requests after a system start up or after a login page configuration change.

Impact:
Unexpected blocking page mitigation where captcha mitigation was expected.

Workaround:
Access the login page at least 10 times within 5 minutes.


686101-1 : Creating a pool with a new node always assigns the partition of the pool to that node.

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to that of the pool, regardless of the partition given in the member name. For example, after running the command below, the new node is assigned to differentpartition rather than Common:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.


686065-2 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousands of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.


686029-2 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Deleting a VLAN while other VLANs share tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.


685964-1 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.

Component: Application Security Manager

Symptoms:
cs_qualified_urls is configured but is not functional.

Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.

Impact:
URLs configured in cs_qualified_urls are not treated as qualified.

Workaround:
None.


685820-3 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections have always been silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.


685771-1 : Policies cannot be created with SAP, OWA, or SharePoint templates

Component: Application Security Manager

Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.

Conditions:
Attempt to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates

Impact:
Policy creation fails.

Workaround:
None.


685743-5 : When internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.


685708-4 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
The connection receiving the request was created using a transport-config, and an MR::message route command is issued without specifying a transport to use (virtual or config).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.


685615-4 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP RST packets for traffic exiting the BIG-IP system, which may include monitor traffic, carry an incorrect source MAC address.

Workaround:
Use transparent mode on the VLAN group.


685582-7 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key hash.

Workaround:
Adding the verbose option (v) to the f5mku command prints additional information. The following command prints the hex version of the unit key header hash, which is stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...


685519-1 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.


685475-1 : Unexpected error when applying hotfix

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIGIP-11.6.1.0.0.317.iso'.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.


685467-1 : Certain header manipulations in HTTP profile may result in a lost connection.

Component: Local Traffic Manager

Symptoms:
The HTTP profile has an option, 'Insert X-Forwarded-For', which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by this HTTP profile processing. The 'Request Header Erase' option of the HTTP profile has the same issue.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use an iRule to insert X-Forwarded-For with an appropriate IP address and/or to remove the headers configured in the 'Request Header Erase' option of the HTTP profile.


685344-1 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of {...}', specify static pool members; do not use FQDN to configure pool members.


685233-1 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade


685193-1 : If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies

Component: Application Security Manager

Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies.

Conditions:
1) Create a Parent policy and set some section's Inheritance to None.
2) Create a child policy and assign it to the parent created above.
3) Go to the Parent Policy Inheritance Settings tab; the number of comments for sections set to None equals the number of child policies.

Impact:
An incorrect number of Comments is shown in Inheritance Settings.

Workaround:
None.


685164-1 : In partitions with a default route domain other than 0, the request log does not show requests

Component: Application Security Manager

Symptoms:
No requests appear in the request log when a partition is selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.


685110-1 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN nodes/pools fail to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.

Workaround:
None.


684852-1 : Obfuscator not producing deterministic output

Component: Fraud Protection Services

Symptoms:
Proactive defense challenge is not passed.

Conditions:
The obfuscator does not produce the same output for the same pair of key and seed. Therefore, the challenge fails on multi-blade devices, or on active-active deployments, when the request to the page (url=/) and the request to the JavaScript (/TSPD/*?type=10) each go to a different blade or a different device.

More frequently, it happens when the page and JavaScript are loaded from the same blade, but the JavaScript is stored in the cache.

On the next refresh, the request goes to the second blade. Because the JavaScript in the cache was received from the first blade, it does not match the page.

Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.

Workaround:
None.


684399-4 : Connectivity profiles UI shows (Not Licensed) when an LTM base license is present

Component: Access Policy Manager

Symptoms:
In APM, the connectivity profile UI shows (Not Licensed) when an LTM base license is present.

Conditions:
LTM and APM are provisioned.

Impact:
The UI shows the FEC profile as not licensed, but the user can still choose the FEC profile.

Workaround:
Ignore the not licensed warning.


684391-3 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
The issue has not been reliably reproduced; the one observed instance occurred under the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.


684369-2 : AFM ACL Rule Policy applied on Standby device

Solution Article: K35423171

Component: Advanced Firewall Manager

Symptoms:
In an Active/Standby setup with a virtual server configured to mirror connection state, the Standby device is aware of the state of connections. Apart from maintaining connection state, the Standby device need not apply ACL policy to the mirrored connections.

However, in the specific case where an ACL policy has a rule with a schedule attached, the Standby applies the policy to mirrored connections, which also generates ACL rule hit logs.

Conditions:
1) Active/Standby device setup.
2) Virtual Server with Connection Mirroring enabled.
3) ACL policy with a rule that has a schedule attached, during a period of transition when the schedule causes the rule to be enforced or to expire.

Impact:
Does not impact handling of traffic.

Generation of ACL rule hit logs from the Standby is unexpected and not desirable.

Workaround:
Objective:
- Stop the sweeper from applying ACL policy on the Standby device.
- The sys db tunable must be disabled only on the Standby device. Because sys db settings are auto-synced to the Active device as well, you must use the following procedure.
 
Steps to apply the sys db setting only on the Standby device:
1. Turn off auto-sync for the device group.
2. Apply the setting on the Standby device just before the rule schedule expires.
3. Wait until the rule schedule change takes effect.
4. Revert the setting to normal, and enable auto-sync again.


TMSH Command Sequence:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable" <<<< Set this to 'disable'
 }

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync disabled

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify sys db tm.sweeper.flow.acl value disable

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "disable"
 }

On the Active device, it is still 'enable':

root@(BIG-IP-secondary)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable"
 }

Enable auto-sync again:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync enabled

You might have to issue the following run command if the device is reported as 'requiring sync':

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # run cm config-sync to-group <device-group-for-failover>


684333-1 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with a terminate cause of FATAL GRACE TIMEOUT if multiple high availability (HA) failovers are performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failovers are performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using an alternate command, such as the following:
 bigstart restart tmm


684325-1 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Each time an access profile containing the CheckMachineCert agent is updated using 'Apply access policy', 12096 bytes of memory are leaked.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
The APMD process stops after the access policy is applied repeatedly.

Workaround:
None.


684312-1 : During Apply Policy action, bd_agent crashes, causing the machine to go Offline

Component: Application Security Manager

Symptoms:
During an Apply Policy action, bd_agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

This causes the bd and bd_agent processes to restart, which causes the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
The bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.

Workaround:
None.


684218-1 : vADC 'live-install' Downgrade from v13.1.0 is not possible

Component: TMOS

Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.

Conditions:
Running v13.1.0, attempt a software downgrade to 11.5.4, for example:

image2disk --format=volumes --nosaveconfig 11.5.4

Impact:
The request is not allowed. No changes are made.

Workaround:
Deploy a new 11.5.4 software image via the hypervisor environment.


684068-1 : FIX with PVA offload and late binding without flow release may not execute iRules on subsequent messages

Component: Service Provider

Symptoms:
With a virtual server configured with a fastL4 profile and a FIX profile where the fast L4 profile is configured with late binding and explicit flow migration, the first connection after a setup or restart may not correctly execute FIX iRules if the flow is not handed off to ePVA after the first FIX message.

Conditions:
Configure a virtual server with a FastL4 profile and a FIX profile. Configure the FastL4 profile to have late binding and explicit flow migration. Place iRules on the virtual server that trigger on FIX_MESSAGE or FIX_HEADER. Restart the BIG-IP, connect to the virtual server and begin sending FIX messages.

Impact:
The iRules may not trigger on the second and further messages sent to the FIX virtual server on the first connection after the restart.


683767-1 : Users are not able to complete the sync using GUI

Component: TMOS

Symptoms:
A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)

The above is expected as unit B is unable to validate the config for unit A. Incremental sync adds and removes configuration on unit A, hence the error.

Conditions:
1. Units A and B in HA with manual incremental sync; unit B is active.
2. On unit B, add a pool with a member whose IP address matches the self IP of unit A. Then delete it.
3. create ltm pool p1 members add { 1.1.2.1:80 }
4. delete ltm pool p1
5. Try config-sync (using the GUI). You will end up with a Sync Failed message:
  A validation error occurred while syncing to a remote device
  Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)

Impact:
Users are not able to complete the sync using the GUI.

Workaround:
Use tmsh to force a full sync.


683706-3 : Pool member status remains 'checking' when manually forced down at creation

Component: Local Traffic Manager

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.


683697-1 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.


683508-1 : WebSockets: umu memory leak of binary frames when remote logger is configured

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.


683474 : Case-sensitivity problem when comparing two Virtual Servers

Component: Application Visibility and Reporting

Symptoms:
The "incident types volume graph" fails to load if the incident is filtered by Virtual Server.

Impact:
Chart of incident data will not be displayed.

Workaround:
Avoid creating virtual servers whose names contain the same letters and differ only in letter case.


683389-3 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create a local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.


683297-2 : Portal Access may use incorrect back-end for resources referenced by CSS

Component: Access Policy Manager

Symptoms:
If an HTML page references an external CSS file with a URL beginning with '//', host-less references in that CSS file are handled incorrectly by Portal Access.

Conditions:
- HTML page at http://example.host/page.html:

    <link rel=stylesheet href=//another.host/some/path/my.css>

- and this CSS contains reference with absolute path like this:

    html { background-image: url(/misc/image/some.png); }

Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.

Impact:
Web application may not work correctly.

Workaround:
Use an iRule to correct the back-end host.


683131-1 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present

Component: TMOS

Symptoms:
BIG-IP software installations will fail and report a status of:

    waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)

Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)

Impact:
Software installation fails, and will not complete/continue.

Workaround:
Delete the base software image from either the hypervisor or the guest's file system.


683061-1 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using an external datagroup, rapidly creating, updating and then deleting it.

Impact:
TMM fails.

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.


683029-1 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.


682751-7 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
The keytab file is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.


682500-2 : VDI Profile and Storefront Portal Access resource do not work together

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.


682335-1 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


682213-1 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.


682209 : Per Request Access Policy subroutine performance down by about 7%

Component: Performance

Symptoms:
The performance of the per-request access policy with subroutines, even an empty one (in->out), is down by about 7%.

Conditions:
All of the following must be true for this issue to be exposed.
1) APM is provisioned.
2) An APM profile is attached to the virtual server.
3) A Per-Request access policy containing a subroutine is attached to the virtual server.

Impact:
Maximum RADIUS TPS is degraded (~7%).

Workaround:
No workaround at this time.


681782-6 : Unicast IP address can be configured in a failover multicast configuration

Solution Article: K30665653

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.


681757-3 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.


681673-4 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC address.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.


681352 : Performance of a client certificate validation with OCSP agent is degraded

Component: Performance

Symptoms:
Performance of the OCSP agent is degraded. This can degrade overall Access Policy performance if no heavier agents are configured.

Conditions:
OCSP agent is configured in an Access Policy.

Impact:
Fewer logons processed per second by the access policy that contains OCSP agent configured.

Workaround:
There is no workaround at this time.


681256-1 : Virtual Edition GTM DNS Query Performance Degradation

Component: Performance

Symptoms:
The transaction rate for a DNS A record request synthetic test was up to fourteen percent lower for the BIG-IP Virtual Edition Release 13.1.0 compared to Release 13.0.0.

Conditions:
BIG-IP Virtual Edition 13.1.0 is deployed on a vSphere 6.0 or 6.5 system. Traffic consists solely of DNS A record requests at the rate of 700,000 requests per second. Ingress traffic is handled by an ESXi Intel ixgbe driver.

Impact:
The DNS transaction rate is up to fourteen percent lower on BIG-IP Virtual Edition 13.1.0 compared to 13.0.0.

Workaround:
DNS performance can be restored by altering the TMM scheduler minimum sleep duration to 250 usec:
    tmsh modify sys db scheduler.maxsleepduration.ltm value 250000

The 250 usec value will improve DNS performance on a 10 GbE NIC, but reduce TCP performance on a 40 GbE NIC.


681175-3 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.


680856-2 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.


680855 : Safari 11 sometimes starts more than one session

Component: Access Policy Manager

Symptoms:
In Safari 11, after a session is finished and restarted by "Click here to establish a new session", more than one session appears. This looks like a Safari 11 beta and release bug.

Conditions:
-- Safari 11 beta and official release.
-- Policy with webtop.
-- Several passes from start to finish.

Impact:
At a certain point the browser reaches the maximum sessions per IP and hangs on the webtop.

Workaround:
Do not use Safari 11 for now.


680838-2 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


680729-1 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical


680680-1 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
In BIG-IP version 10.x, the POP3 monitor sent the STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).


680353-1 : Brute force sourced based mitigation is not working as expected

Component: Application Security Manager

Symptoms:
Brute force mitigations are not applied in the configured order under some conditions; for example, a CAPTCHA is presented instead of a drop.

Conditions:
-- Brute force is configured.
-- There is more than one source (for example, User and IP address).

Impact:
The incorrect mitigation is received.

Workaround:
None.


680069-1 : zxfrd cores during a zone transfer when the network fails and the DNS server is removed from the DNS zone config

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.


679613-1 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.


679431-1 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module, the 'sh ipv6 interface <interface> brief' command does not show the header.

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679384-3 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).


679347-2 : ECP does not work for PFS in IKEv2 child SAs

Component: TMOS

Symptoms:
The original racoon2 code has no support for Diffie-Hellman generate or compute operations using elliptic curve algorithms for perfect forward secrecy (PFS).

Additionally, the original interfaces are synchronous, but the only ECP support present uses an API with asynchronous organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.


679149-1 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.


679114-4 : Persistence record expires early if an error is returned for a BYE command

Solution Article: K92585400

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.


679088-1 : Avr reporting and analytics does not display statistics of many source regions

Component: Application Visibility and Reporting

Symptoms:
1. The network reporting does not show the statistics related to some Source Regions.
2. In the Security=>Reporting=>Network=>Enforced Rules dashboard, it is impossible to select or find some Source Regions using filtering.
For example, the following Source Regions are missing:
France, Ile-de-France; Ukraine, Kyyiv; Russian Federation, Tambovskaya oblast; South Africa, Western Cape; and Spain, Madrid.

Conditions:
This occurs when attempting to filter on the affected source regions.

Impact:
The network reporting does not show the statistics related to some Source Regions.


678925-1 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.


678872-3 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
-- Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP are disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.


678861-1 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other

Solution Article: K00426059

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
The system previously had a Link Controller license, with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.


678524-1 : Join FF02::2 multicast group when router-advertisement is configured

Component: Local Traffic Manager

Symptoms:
MLD snooping switches may not deliver router solicitation packets to BIG-IP, which breaks BIG-IP's router advertisement functionality. MLD snooping switches may not deliver the packets because BIG-IP has not joined the FF02::2 multicast group.

Conditions:
router-advertisement configured, MLD snooping switches.

Impact:
IPv6 hosts never receive router advertisements from BIG-IP in response to their router solicitations.

Workaround:
Disable MLD snooping on switches.


678488-1 : BGP default-originate not announced to peers if several are peering over different VLANs

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the BGP configuration:
 network 0.0.0.0/0


678388-1 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd


678380-2 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.


677937-3 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup in which an APM tunnel is configured over an IPsec tunnel and iSession is in use.

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)


677666-2 : /var/tmstat/blades/scripts segment grows in size.

Solution Article: K60909141

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
The virtual size of the merged process grows linearly with the /var/tmstat/blades/scripts segment. This could lead to an out-of-memory condition.

Workaround:
No known workarounds.


677525-2 : Translucent VLAN group may use unexpected source MAC address

Solution Article: K06831814

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.


676897-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.


676223-4 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
Policy building is turned on (manual or automatic), and there are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A


676092-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.


675718-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.


675232-6 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered:

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via the GUI and, starting from v13.0, via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------


674747-4 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Custom bidirectional SIP persistence entries have been created by rules and SIP messages.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.

Workaround:
None.


674494-4 : BD memory leak on specific configuration and specific traffic

Component: Application Security Manager

Symptoms:
The RSS memory of the bd process grows.

Conditions:
-- Remote logger is configured.
-- An IP address is configured with ignore logging.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.


674145-1 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.


673952-3 : 1NIC VE in HA device-group shows 'Changes Pending' after reboot

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of an HA device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.


672504-2 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or a large number of Resource Records, zxfrd can run at 100% CPU for long periods of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.

Workaround:
None.


671138 : Firefox and Chrome users are asked to re-install Windows "Endpoint Inspector Application" after upgrade from 13.0.0

Component: Access Policy Manager

Symptoms:
After upgrade from 13.0.0 to 13.1.0, or a later release, all APM end users running Firefox and Chrome browsers on Microsoft Windows are asked to re-install 'Endpoint Inspector Application'.

The following page appears:
'Browser is waiting for status from Endpoint Inspector Application.' 'Please confirm that this application is launched and is not waiting for your input. This application may be behind other windows on your desktop.'

The download link and installation instructions are provided behind the 'More Option' link.

Conditions:
Endpoint inspection configured in BIG-IP APM access policy.

Impact:
APM end users are prompted to install the endpoint inspector application.

Workaround:
No workaround. APM end users must follow instructions to install application.

Note: When 'Endpoint Inspector Application' is not installed, the instruction screen is clearly visible, as it is part of normal APM usage. However, when 'Endpoint Inspector Application' is installed, the instructions window is hidden behind the 'More Option' link, and the APM end users must click the link to view the instructions.


670197-1 : IPsec: ASSERT 'BIG-IP_conn tag' failed

Component: TMOS

Symptoms:
When using IPsec, tmm fails the assertion 'BIG-IP_conn tag'.

Conditions:
The conditions under which this assert occurs when using IPsec are unknown.

Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.

Workaround:
None.


669462-2 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/.

Conditions:
Adding /Common/WideIPs as members in a non-Common GTM Pool.

Impact:
Unable to use pool members from /Common/ when outside of /Common/.

Workaround:
No workaround at this time.


669255-5 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.


668273-1 : Logout button not available in Configuration Utility when using Client Cert LDAP

Component: TMOS

Symptoms:
When the BIG-IP system is configured to use the Client Cert LDAP for Remote Authorization, the Logout button is not available.

Conditions:
A BIG-IP system is configured to use Client Cert LDAP for Remote Authorization.

Impact:
BIG-IP system users cannot end the session on the BIG-IP system.

Workaround:
Close all windows to end the session.


668247-2 : Machine Certificate Checker service may not be used when UAC is disabled on Windows machine

Component: Access Policy Manager

Symptoms:
The Machine Certificate Checker service may not be used when UAC is disabled on the Windows machine, causing Machine Cert Auth to either fail or go to the 'Found' branch.

Conditions:
Machine Certificate Checker is installed.
Access Policy has Machine Cert Auth configured.
Windows machine has UAC disabled.

Impact:
The Machine Cert Auth agent either fails or goes to the 'Found' branch.

Workaround:
Enable UAC, or use the elevation helper app (requires the user to be a local administrator).


668184-2 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of-memory condition in ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.


668041-2 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
An iRule contains a commented line that ends with a backslash, and the config also contains a policy. For example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
  }
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the comment line.
-- Merge the multiple lines into one.
-- Make separate single-line comments.


667700-1 : Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed

Component: Policy Enforcement Manager

Symptoms:
The PEM rule page only displays webroot categories for the classification filter. Websense categories are not displayed, so users cannot create a PEM rule with Websense classification filters from the Web UI.

Conditions:
Creating a PEM rule with a classification filter from the Web UI.

Impact:
None. User can update the configuration from TMSH.

Workaround:
Use TMSH to add a Websense classification filter to a PEM rule.


667542-6 : DNS Express does not correctly process multi-message DNS IXFR updates.

Component: Global Traffic Manager (DNS)

Symptoms:
If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message.

DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'.

There is no indication that the IXFR was incomplete.

DNS Express might then have, and might serve, incorrect data for that Zone.

Conditions:
An IXFR response from a DNS server spans multiple DNS messages.

Note: This is not a common condition, but it is possible.

Impact:
This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.

Workaround:
Note: Although this does have a workaround, there is no way for you to determine that the Zone is complete other than to query the entire zone and compare it to the zone from the master DNS server.

To work around this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.

This triggers a full transfer (AXFR) of the zone, as well as all the other zones.


667469-3 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Using any of the 3 DNS Cache types, particularly on a chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.


667414-1 : JSON learning of parameters in WebSocket context is not working

Component: Application Security Manager

Symptoms:
When a JSON parameter arrives in WebSocket, it is not sent to policy builder, and thus is not learned.

Conditions:
1. WebSocket traffic contains JSON data.
2. In the JSON profile, parse parameter is enabled.

Impact:
JSON parameter arriving in WebSocket is not learned.

Workaround:
None.


667148-3 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active.

Workaround:
No workaround.


665470-3 : Failed to load sample requests on the Traffic Learning page when a VIOL_MALICIOUS_IP violation is raised

Component: Application Security Manager

Symptoms:
In a specific case, the Traffic Learning page fails to load sample requests for malicious IP addresses.

Conditions:
-- IP intelligence is turned on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.


665362-2 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.


665354-1 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
Populate all 10 GB ports with optics and connect them to a valid link. Even a single 10 GB link left unconnected or empty of optics can cause this issue.


663821-1 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections traverse the SNAT.

Impact:
Stats are not incremented in tmsh or the GUI.

Workaround:
None.


659519-6 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Solution Article: K42400554

Component: Local Traffic Manager

Symptoms:
The HTTP2 connection sends RST_STREAM due to a protocol error in response to a HEADERS frame.

Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.

Impact:
Periodic HTTP2 connection failures to the virtual server.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.


658278-1 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.


655233-2 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.


651169-1 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.


648766-2 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.


645615-6 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.


644822 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM is provisioned, a FastL4 virtual server with the loose-init option enabled drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
-- AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option is enabled.

Workaround:
No workaround.


642068-4 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).


631316-2 : Unable to load config with client-SSL profile error

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration cannot be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf
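As an added audit example (not F5's code, and not part of these release notes), the following Python scans a constructed bigip.conf excerpt for two of the load-breaking patterns described on this page: the iRule comment line ending in a backslash alongside an LTM policy (ID 668041-2), and the client SSL cert-key-chain that pairs /Common/default.key with a non-empty chain or a non-default cert (ID 631316-2). The brace-depth parser is a simplification written for this example, and the sample config is constructed.

```python
"""Audit a bigip.conf excerpt for two load-breaking patterns from these release notes
(668041-2: iRule comment ending in a backslash alongside an 'ltm policy';
631316-2: client SSL cert-key-chain pairing /Common/default.key with a non-empty
chain or a non-default cert). Added example, not F5 code; the parser is simplified."""
import re

DEFAULT_CERT = "/Common/default.crt"
DEFAULT_KEY = "/Common/default.key"

# Constructed sample config (not captured from a device): one iRule with the
# offending comment, an LTM policy, one bad and one good client SSL profile.
SAMPLE_CONF = """\
ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
  }
}
ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    strategy /Common/first-match
}
ltm profile client-ssl /Common/bad_profile {
    cert-key-chain {
        default {
            cert /Common/default.crt
            chain /Common/chainCA.crt
            key /Common/default.key
        }
    }
}
ltm profile client-ssl /Common/good_profile {
    cert-key-chain {
        default {
            cert /Common/kc.crt
            chain /Common/chainCA.crt
            key /Common/kc.key
        }
    }
}
"""


def split_objects(text):
    """Return [(header, body_lines)] for each top-level '<type> <name> {' object."""
    objects, header, body, depth = [], None, [], 0
    for line in text.splitlines():
        stripped = line.strip()
        if depth == 0:
            if stripped.endswith("{"):       # start of a top-level object
                header, body, depth = stripped[:-1].strip(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                       # closing brace of the object
            objects.append((header, body))
        else:
            body.append(line)
    return objects


def find_backslash_comments(body):
    """1-based body offsets of full-line Tcl comments that end with a backslash."""
    return [i for i, line in enumerate(body, 1)
            if line.strip().startswith("#") and line.rstrip().endswith("\\")]


def cert_key_chain_fields(body):
    """First cert/chain/key values that follow 'cert-key-chain {' in a profile body."""
    fields, in_chain = {}, False
    for line in body:
        stripped = line.strip()
        if stripped.startswith("cert-key-chain"):
            in_chain = True
            continue
        if in_chain:
            m = re.match(r"(cert|chain|key)\s+(\S+)$", stripped)
            if m and m.group(1) not in fields:
                fields[m.group(1)] = m.group(2)
    return fields


def audit_bigip_conf(text):
    """Return [(issue_id, object_header, detail)] for every matching object."""
    objects = split_objects(text)
    has_policy = any(h.startswith("ltm policy ") for h, _ in objects)
    findings = []
    for header, body in objects:
        if header.startswith("ltm rule "):
            hits = find_backslash_comments(body)
            if hits and has_policy:          # only breaks config load with a policy
                findings.append(("668041-2", header,
                                 "comment ends with backslash at rule line(s) %s" % hits))
        elif header.startswith("ltm profile client-ssl "):
            f = cert_key_chain_fields(body)
            chain = f.get("chain", "none")   # absent chain means empty
            cert = f.get("cert", DEFAULT_CERT)
            if f.get("key") == DEFAULT_KEY and (chain != "none" or cert != DEFAULT_CERT):
                findings.append(("631316-2", header,
                                 "default key with chain=%s cert=%s" % (chain, cert)))
    return findings
```

Run audit_bigip_conf over the text of /config/bigip.conf (or a partition's bigip.conf) before a load to spot both patterns ahead of time; the rule finding is reported only when a policy is also present, matching the condition in 668041-2.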


627760-5 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.


624231-4 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruption in some cases.

Conditions:
This issue can happen when there are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.


621158-3 : f5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
f5vpn does not close upon closing session.

Conditions:
-- Network Access is started and connected to the BIG-IP system using a browser.
-- The user clicks the 'Logout' button on the webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.


620954-5 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, opening a connection using basic authentication, performing a query (for example, get node list, get virtual address list, or set pool min active members), and then closing the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to log in.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.


616008-1 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.


612118-2 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Component: Access Policy Manager

Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Conditions:
SWG per-request policy with proxy select agent.

Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.

Workaround:
None.


610436-1 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
* Windows 10.
* The client system is connected to two networks.
* Both networks have the same DNS server address.
* Before VPN establishment, the interface with the lower index is disconnected.
* After VPN establishment, the interface with the lower index is reconnected.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
To work around this issue, add the following registry value:

Under the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient key, add a DWORD 'EnableMultiHomedRouteConflicts' set to 0.

This will revert Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy will create listeners on loopback for incoming requests, and the driver will redirect DNS requests to the listener on the loopback.

Important note: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.


605649-2 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.


594751-1 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Component: Local Traffic Manager

Symptoms:
VLAN Name and VLAN Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following sequence of commands was used to create an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor of this BIG-IP unit would not see the VLAN Name and VLAN Tag information for this trunk, because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by restarting the LLDP service. This should not impact data-plane services outside of LLDP. To do so, run the following command:
bigstart restart lldpd


592503-1 : TMM 'timer' device does not report 'busy' for non-priority timers.

Component: Local Traffic Manager

Symptoms:
A discrepancy in CPU utilization reporting can be observed when comparing different utilities or reporting systems (e.g., top, tmctl, SNMP, the performance graphs in the GUI).

Specifically, certain utilities may report that TMM hyperthreads are 100% busy, while other utilities may indicate that TMM instances are only moderately busy.

In this case, the utilities or systems reporting the higher CPU utilization are correct.

Conditions:
This issue has been seen extremely rarely, as it requires some other edge condition to also be occurring (TMM firing non-priority timers in a looping manner).

Impact:
A BIG-IP Administrator monitoring CPU utilization on the system may be confused about how busy TMM actually is.

Although the main impacted system here is the tmm/stat tmctl table, these values are also exposed via the sysTmmStatTmUsageRatio5s MIB (which is more likely to be monitored by a BIG-IP Administrator).

Workaround:
Refer to utilities such as 'top' to monitor the CPU utilization of TMM hyperthreads.


581851-6 : mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade

Solution Article: K16234725

Component: TMOS

Symptoms:
MCPD on secondary blades restarts with a configuration error.

Conditions:
This issue affects clustered systems only (VIPRION or vCMP guest).

The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.

Impact:
Secondary blades restart services, resulting in performance degradation or failover.

Workaround:
None.


580537-3 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager

Symptoms:
The geoip_update_data script will not install City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat


563661-1 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM is provisioned and enabled.

Impact:
Datastor and TMM crash. Traffic is disrupted while TMM restarts.


562921-5 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered insecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an insecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.


495443-9 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.


471237-4 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS, as encryption/decryption introduces data corruption on the disk that causes some TMOS daemons to fail at run time.

Conditions:
Deploy a BIG-IP VE guest in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.


464650-6 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
mcpd restarts.

Workaround:
None.


452283-5 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.


447565-9 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days, since the existing connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca


402691-1 : The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP

Component: TMOS

Symptoms:
The status information about IPsec traffic selectors can be displayed with the TMSH command 'show net ipsec', but there is no way to gather this data from the BIG-IP system using SNMP.

Conditions:
Using SNMP to query the BIG-IP system for IPsec traffic selector status.

Impact:
IPsec traffic selector status must be gathered using TMSH or customized SNMP solutions.

Workaround:
None.


251162-1 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.
