BIG-IP Release Information

Version: 13.1.0
Build: 1868.0

Known Issues in BIG-IP v13.1.x

Vulnerability Fixes

ID Number	CVE	Solution Article(s)	Description
693211-1	CVE-2017-6168	K21905460	CVE-2017-6168
684879	CVE-2017-6164	K02714910	Malformed TLS1.2 records may result in TMM segmentation fault.
673595	CVE-2017-3167	K34125394	Apache CVE-2017-3167
670376	CVE-2017-1000364	K51931024	CVE-2017-1000364
668501	CVE-2017-6151	K07369970	HTTP2 does not handle some URIs correctly
662022	CVE-2017-6138	K34514540	The URI normalization functionality within the TMM may mishandle some malformed URIs.
658764-1	CVE-2017-6135	K43322910	Linux kernel lasthop driver memory issue
653993	CVE-2017-6132	K12044607	A specific sequence of packets to the HA listener may cause tmm to produce a core file
653879	CVE-2017-6214	K81211720	CVE-2017-6214
651221	CVE-2017-6133	K25033460	Parsing certain URIs may cause the TMM to produce a core file.
650286-1	CVE-2017-6167	K24465120	REST asynchronous tasks permissions issues
650059	CVE-2017-6129	K20087443	TMM may crash when processing VPN traffic
649907	CVE-2017-3137	K30164784	BIND vulnerability CVE-2017-3137
649904	CVE-2017-3136	K23598445	BIND vulnerability CVE-2017-3136
648867	CVE-2017-6074	K82508682	Kernel vulnerability: CVE-2017-6074
644904	CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, CVE-2016-8574, CVE-2016-8575, CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, CVE-2016-7985 CVE-2017-5202, CVE-2017-5203, CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, CVE-2017-5486	K55129614	tcpdump 4.9
643187	CVE-2017-3135	K80533167	BIND vulnerability CVE-2017-3135
641445	CVE-2017-6145	K22317030	iControl improvements
641360	CVE-2017-0303	K30201296	SOCKS proxy protocol error
641311	CVE-2016-9180	K08383757	perl-XML-Twig vulnerability CVE-2016-9180
638556	CVE-2016-10045	K73926196	PHP Vulnerability: CVE-2016-10045
636702	CVE-2016-9444	K40181790	BIND vulnerability CVE-2016-9444
636700	CVE-2016-9147	K02138183	BIND vulnerability CVE-2016-9147
636699	CVE-2016-9131	K86272821	BIND vulnerability CVE-2016-9131
634779	CVE-2017-6147	K43945001	In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file
612128-7	CVE-2016-6515	K31510510	OpenSSH vulnerability CVE-2016-6515
659791	CVE-2017-6136	K81137982	TFO and TLP could produce a core file under specific circumstances
655374	CVE-2016-8621	K26899353	CVE-2016-8621 curl: curl_getdate out-of-bounds read
655371	CVE-2016-8619	K46123931	Fix for CVE-2016-8619 in curl
655059	CVE-2017-6134	K37404773	TMM Crash
654927	CVE-2016-8615	K01006862	CVE-2016-8615 curl: Cookie injection for other servers
654926	CVE-2016-8616	K52828640	CVE-2016-8616 curl: Case insensitive password comparison
645101	CVE-2017-3731, CVE-2017-3732	K44512851	OpenSSL vulnerability CVE-2017-3732
643554	CVE-2017-3731 CVE-2017-3732 CVE-2016-7055	K37526132 K44512851 K43570545	OpenSSL vulnerabilities - OpenSSL 1.0.2k library update
642659	CVE-2015-8870, CVE-2016-5652, CVE-2016-9533, CVE-2016-9534, CVE-2016-9535, CVE-2016-9536, CVE-2016-9537, CVE-2016-9540	K34527393	Multiple LibTIFF Vulnerabilities
641612	CVE-2017-0302	K87141725	APM crash
640493	CVE-2016-7543	K73705133	Bash vulnerability CVE-2016-7543
639729	CVE-2017-0304	K39428424	Request validation failure in AFM UI Policy Editor
637666	CVE-2016-10033	K74977440	PHP Vulnerability: CVE-2016-10033
635314	CVE-2016-1248	K22183127	vim Vulnerability: CVE-2016-1248
631688	CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433	K55405388 K87922456 K63326092 K51444934 K80996302	Multiple NTP vulnerabilities
617273	CVE-2016-5300	K70938105	Expat XML library vulnerability CVE-2016-5300
615267-3	CVE-2016-2183	K13167034	OpenSSL vulnerability CVE-2016-2183
606710	CVE-2016-2834, CVE-2016-5285, CVE-2016-8635	K15479471	Mozilla NSS vulnerability CVE-2016-2834
593139-10	CVE-2014-9761	K31211252	glibc vulnerability CVE-2014-9761
673607	CVE-2017-3169	K83043359	Apache CVE-2017-3169
656912	CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464, CVE-2017-6451, CVE-2017-6458	K32262483	Various NTP vulnerabilities
655421	CVE-2016-8624	K85235351	CVE-2016-8624 curl: Invalid URL parsing with '#'
655382	CVE-2016-8623	K84940705	CVE-2016-8623 curl: Use-after-free via shared cookies
655157	CVE-2016-8618	K10196624	CVE-2016-8618 curl: Double-free in curl_maprintf
654934	CVE-2016-8617	K44503763	CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication
644693	CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231,CVE-2016-5547,CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2017-3241	K15518610	Fix for multiple CVE for openjdk-1.7.0
615226-6	CVE-2016-4809, CVE-2016-7166, CVE-2015-8916, CVE-2015-8917, CVE-2015-8919, CVE-2015-8920, CVE-2015-8922, CVE-2015-8924, CVE-2015-8925, CVE-2015-8926, CVE-2015-8928, CVE-2016-4300, CVE-2016-4302, CVE-2015-8921, CVE-2015-8923	K13074505	Libarchive vulnerabilities: CVE-2016-8687 and others
609691-9	CVE-2014-4617	K21284031	GnuPG vulnerability CVE-2014-4617
600205	CVE-2016-2178	K53084033	OpenSSL Vulnerability: CVE-2016-2178
600189	CVE-2016-2178	K53084033	K53084033: OpenSSL vulnerability CVE-2016-2178
599285	CVE-2016-5094 CVE-2016-5095 CVE-2016-5096	K51390683	PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095
598002-8	CVE-2016-2178	K53084033	OpenSSL vulnerability CVE-2016-2178
590840	CVE-2015-8325	K20911042	OpenSSH vulnerability CVE-2015-8325
578983-2	CVE-2015-8778	K51079478	glibc: Integer overflow in hcreate and hcreate_r
655021	CVE-2017-3138	K23598445	BIND vulnerability CVE-2017-3138
627203	CVE-2016-5542, CVE-2016-5554, CVE-2016-5573, CVE-2016-5582, CVE-2016-5597	K63427774	Multiple Oracle Java SE vulnerabilities
598950-2	CVE-2016-2099 CVE-2015-0252	K04253390	Apache Xerces vulnerability CVE-2016-2099

Functional Change Fixes

ID Number	Severity	Solution Article(s)	Description
682482	1-Blocking		LTM Policy with 'requires {ssl-persistence}' load issue resolved in 13.1.0★
643210	1-Blocking		Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM
670893	2-Critical		Sensitive monitor parameters recorded in monitor logs
653453-4	2-Critical	K35241150	ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.
652094	2-Critical		Improve traffic disaggregation for uncommon IP protocols
649369	2-Critical		DES, 3DES and HIGH cipher string includes/excludes wrong ciphers
643054	2-Critical		ARP and NDP packets should be CoS marked by the swtich on ingress
435458	2-Critical	K47553552	The HTTP Explicit Proxy and the SOCKS Proxy do not support AAAA address lookups
672038	3-Major		SSH Proxy log settings change for 'partial authentication' activity
671999	3-Major		Re-extract the the thales software everytime the installation script is run
671234	3-Major		HTTP Authentication agent will hang waiting on unresponsive authentication server.
669241	3-Major		Cannot create stateless virtual servers with ip-protocol set to 'gre'.
667600	3-Major	K34203924	Default 'enabled' value for 'request-based-authentication' of Kerberos Auth agent leads to various issues.
663521	3-Major		Intermittent dropping of multicast packets on certain BIG-IP platforms
660196	3-Major		Sys connection behavior change
659399	3-Major		HTTPS monitors might share one SSL profile
653772	3-Major		fastL4 fails to evict flows from the ePVA
652671	3-Major	K31326690	Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.
652146	3-Major		Email agent does not send email if the remote server does not provide a 200 OK response to VRFY request.
651772	3-Major		IPv6 host traffic may use incorrect IPv6 and MAC address after route updates
651067	3-Major		SSL/TLS-based monitors now use ServerSSL profiles
650074	3-Major		Changed Format of RAM Cache REST Status output.
645206	3-Major	K23105004	Missing cipher suites in outgoing LDAP TLS ClientHello★
644870-1	3-Major		Improvements of protocol for sending data to AppIQ offbox via TCP
643646	3-Major		Add a new configuration option in tmsh to disallow exporting of private keys in iControl and GUI
643459	3-Major	K81809012	Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy
643143	3-Major		ARP and NDP packets should be QoS/DSCP marked on egress
643034	3-Major		Turn off TCP Proxy ICMP forwarding by default
639505	3-Major		BGP may not send all configured aggregate routes
638967	3-Major		SSL Forward Proxy not to cache forged certificate if soft_vfyresult indicating an 'untrusted CA' or 'expired cert'
635275	3-Major		Prefer P-256 to P-384 for ECDHE in client SSL, except when the server static key security is matching P-384
633723	3-Major		New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot
633391	3-Major		GUI Error trying to modify IP Data-Group
632875	3-Major		Non-Administrator TMSH users no longer allowed to run dig
627841	3-Major	K16626343	Connection queue limit is not properly enforced on bladed systems
626594	3-Major		No way to perform a soft server certificate verification
620445	3-Major		New SIP::persist keyword to set the timeout without changing key
618982	3-Major		IPSEC + chassis behavior for case secondary blades on-off switch.
613823	3-Major		DNS Resource Records for Wide-IPs are potentially missing when creating a large number of Wide-IPs
610710	3-Major		Pass IP TOS bits from incoming connection to outgoing connection
595918	3-Major		Aggregation issues in 'last day' and 'last month' data in AVR-related charts
585043	3-Major		Question mark prevents TMSH from loading configuration file
584545	3-Major		Failure to stabilize internal HiGig link will not trigger failover event
462524	3-Major	K16131	HTTP compression browser workarounds incorrectly match modern browsers.
439594	3-Major		Order of members in AAA server pools now show in reverse order of Priority Group
409059	3-Major	K17061922	CGNAT hairpinning is not supported for NAT64
273014	3-Major		LTM Monitor Test Feature
224988	3-Major		LTM does not log anything when node/pool member connection limit is reached
222409	3-Major		The HTTP::path iRule command may return more information than expected
649315	4-Minor		Display OCSP configuration change as warning message on the screen during upgrade
640399	4-Minor		New ICAP logging subset and messages
627221	4-Minor		iControl SOAP doesn't support displaying all possible media options for interfaces
623509	4-Minor		Gx CCA with non-existent or non-pem policy does not trigger CCR-u reply
618332	4-Minor		No event triggered when the system receives a certificate message from the server.
609084-3	4-Minor	K03808942	Max number of chunks not configurable above 1000 chunks
586287	4-Minor		No way to control how aborted iRules log messages are generated and sent to /var/log/ltm.
569441	4-Minor		Added --num_threads option to nethsm-thales-install.sh and nethsm-safenet-install.sh
567177	4-Minor		Log all attempts of key export in ltm log
530300	4-Minor		Added SSL certificate expiration date as an OID into F5 MIBs
480209	4-Minor		Stats and Logging for ADAPT dynamic contexts, and IVS Transaction Logging
479537	4-Minor		Force to Standby does not work with HA Groups configured.
611790	5-Cosmetic		HA Message Sweeper Interval renamed to Mirrored Message Sweeper Interval

TMOS Fixes

ID Number	Severity	Solution Article(s)	Description
655500-1	1-Blocking		Rekey SSH sessions after one hour
652223	1-Blocking	K50325308	BWC: Non-TCP data going through Category can make policy active
642703	1-Blocking		Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★
641390	1-Blocking		Backslash removal in LTM monitors after upgrade★
636016-1	1-Blocking		VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic
681377	2-Critical		The BIG-IP system sends out SYN/ACK with MSS 0 in VLAN syncookie protection mode on some platforms
681081-1	2-Critical	K48366429	Running tmsh show commands may cause mcpd memory leak
673692	2-Critical		qkview may take up to 90 seconds longer to execute on FIPS enabled systems
673484	2-Critical	K85405312	IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO
672947	2-Critical		CVE-2017-2583 CVE-2017-6214 CVE-2017-7477 CVE-2017-7645 CVE-2017-7895
671314-2	2-Critical	K37093335	BIG-IP system cores when sending SIP SCTP traffic
667405	2-Critical		Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.
667404	2-Critical	K77576404	Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts
667114	2-Critical	K32622880	TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.
666790	2-Critical		Use HSB HiGig MAC reset to recover both FCS errors and link instability
666165	2-Critical		iApp - f5.forward_proxy + checksum - config error upgrading from v12 to v13★
665656	2-Critical		BWC with iSession may memory leak
664549	2-Critical		TMM restart while processing rewrite filter
663650	2-Critical		iRules LX does not enforce best practices
663366	2-Critical		SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
663197	2-Critical		Security hardening of files to prevent sensitive configuration from being stored in qkview.
660833	2-Critical		merged repeatedly cores due to unused istats-trigger object
660577	2-Critical		openldap; prevent crash on rc==LDAP_SUCCESS && res==NULL
658574	2-Critical		An accelerated flow transmits packets to a stale (incorrect) destination MAC address.
655357	2-Critical	K06245820	Corrupted L2 FDB entries on B4450 blades might result in dropped traffic
653376	2-Critical		bgpd may crash on receiving a BGP update with >= 32 extended communities
651173-1	2-Critical		Security hardening of qkview
651136	2-Critical	K36893451	ReqLog profile on FTP virtual server with default profile can result in service disruption.
651084	2-Critical		'tmsh show sys memory raw' command shows a slow build up of memory usage.
649866	2-Critical		fsck should not run during first boot on public clouds
648056	2-Critical		bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.
645805-3	2-Critical		LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address
641013	2-Critical		GRE tunnel traffic pinned to one TMM
638997	2-Critical		Reboot required after disk size modification in a running BIG-IP VE instance.
637141	2-Critical		TMM core after deleting POLICY and executing command: show net ipsec ike-sa.
634117	2-Critical	K33241169	Disabling IKE peers has no effect
634085	2-Critical		IPsec tmm assert "ike_ctx tag"
629085	2-Critical	K55278069	Any CSS content truncated at a quoted value leads to a segfault
626861	2-Critical		Ensure unique IKEv2 sequence numbers
624992	2-Critical		LTM Configuration Found after Provisioning VCMP
621233	2-Critical		fastL4 + http profile with ip-protocol not set to tcp can crash tmm
615372-1	2-Critical		Occasional TCP resets during connection initiation (RST cause is "No local listener")
613542-5	2-Critical	K81463390	tmm core while running the iRule STATS:: command
598748-1	2-Critical		IPsec AES-GCM IVs are now based on a monotonically increasing counter
598724	2-Critical		Abandoned indefinite lifetime SessionDB entries on STANDBY devices.
580472-1	2-Critical		/var/log partition is full, sadf may crash
579210	2-Critical	K11418051	VIPRION B4400N blades might fail to go Active under rare conditions.
528984-1	2-Critical		Support limited to 1000 BIG-IP system users.
508113	2-Critical		tmsh load sys config base merge file <filename> fails
448409	2-Critical		'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle
419741	2-Critical		Rare crash with vip-targeting-vip and stale connections on VIPRION platforms
679480	3-Major		User able to create node when an ephemeral with the same IP already exists
678456	3-Major		ZebOS BGP peer-group configuration not fixed up on upgrade★
677928	3-Major		A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.
676705	3-Major		do not run agetty on VE without serial port
675718	3-Major		IPsec keeps failing to reconnect
675514	3-Major		Addition of integrity check cronjob
675236	3-Major	K03293523	'Require consistent IP address' does not apply to some management GUI menu items
674486	3-Major		Expat Vulnerability: CVE-2017-9233
674328	3-Major		Multicast UDP from BIG-IP may have incorrect checksums
674320	3-Major	K11357182	Syncing a large number of folders can prevent the configuration getting saved on the peer systems
673974	3-Major		agetty auto detects parity on console port incorrectly
673962	3-Major	K55463371	Potential memory issue in iprepd
673027	3-Major		One extra mcpd AUDIT message logged after disabling mcpd audit logging
672988	3-Major		MCP memory leak when performing incremental ConfigSync
672209	3-Major	K22031410	Upgrade, load config or reboot may fail if IPsec traffic-selector references default-ipsec-policy★
672063	3-Major	K38335326	Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.
671920	3-Major		Accessing SNMP over IPv6 on non-default route domains
671447-5	3-Major		ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
671236	3-Major	K27343382	BGP local-as command may not work when applied to peer-group
671082	3-Major		snmpd constantly restarting
670443	3-Major	K57299401	Missing descriptions for SNMP OID ltmNodeAddrMonitorState and ltmNodeAddrMonitorStatus values
669888	3-Major		No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96
669255-4	3-Major	K20100613	An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
668352-1	3-Major		High Speed Logging unbalance in log distribution for multiple pool destination.
668048	3-Major		TMM memory leak when manually enabling/disabling pool member used as HSL destination
667627	3-Major		sudo security update
667302	3-Major		Cannot create CE policies when only APM is provisioned.
667278-5	3-Major		DSC connections between BIG-IP units may fail to establish
667082-4	3-Major	K21090061	Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
666884	3-Major	K27056204	cpcfg cannot copy a configuration on a chassis platform★
666406	3-Major	K62832776	rpcbind was removed from the BIG-IP
666117	3-Major		Network failover without a management address causes active-active after unit1 reboot
665725	3-Major	K10773217	Second block device image install fails to install
664894	3-Major	K11070206	PEM sessions lost when new blade is inserted in chassis
664829	3-Major		BIG-IP sometimes performs unnecessary reboot on first boot
664737	3-Major		Do not reboot on ctrl-alt-del
664057	3-Major		Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached
664017	3-Major		OCSP may reject valid responses
663655	3-Major		IP::intelligence and IP::reputation commands fail to return data★
663580	3-Major		logrotate does not automatically run when /var/log reaches 90% usage
663492	3-Major		Reconfigured istat may stop being recomputed
663063	3-Major		Disabling pool member used in busy HSL TCP destination can result service disruption.
662913	3-Major	K17213048	GUI LTM Virtual Server page cannot open. Virtual Server cannot be created or updated.
659141	3-Major	K11435321	Support tcpdump file has qkview extension
658636-4	3-Major	K51355172	When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
658227	3-Major		Using variable substitution for Console attribute for remote-role always denies ssh access
658036	3-Major	K04651090	Honoring negotiated MSS for TCP segmentation
657727	3-Major	K39694060	Running tcpdump from TMSH cannot capture the local "tmm" interface
655671	3-Major		Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
655649	3-Major		BGP last update timer incorrectly resets to 0
655506-1	3-Major		Guest configurations with mergeable buffers disabled are not supported.
655005	3-Major	K23355841	"Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync
654026	3-Major		No way to ensure the monitor works prior to applying the monitor to a pool
654011	3-Major	K33210520	Pool member's health monitors set to Member Specific does not display the active monitors
653888	3-Major		BGP advertisement-interval attribute ignored in peer group configuration
652968	3-Major	K88825548	IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys
652689	3-Major	K14243280	Displaying 100G interfaces
652638	3-Major		php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
652484-1	3-Major		tmsh show net f5optics shows information for only 1 chassis slot in a cluster
651155	3-Major		HSB continually logs 'loopback ring 0 tx not active'
650349-1	3-Major	K50168519	Creation or reconfiguration of iApps will fail if logging is configured
650002	3-Major		tzdata bug fix and enhancement update
649949	3-Major		Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★
649759	3-Major	K15188934	ssmtp RewriteDomain setting is set to the empty string.
649617	3-Major		qkview improvement for OVSDB management
648873	3-Major	K93513131	Traffic-group failover-objects cannot be retrieved via iControl REST
648544	3-Major		HSB transmitter failure may occur when global COS queues enabled
648317	3-Major		Upgrade to 13.0.0 on B2100/B2150 with IOMMU enabled prevents vCMP guests from starting★
648316-1	3-Major		Flows using DEFLATE decompresion can generate error message during flow tear-down.
647988	3-Major	K15331432	HSL Balanced distribution to Two-member pool may not be balanced correctly.
647944	3-Major		MCP may crash when making specific changes to a FIX profile attached to more than one virtual server
647834	3-Major		Failover DB variables do not correctly implement 'reset-to-default'
647151	3-Major		CPU overtemp condition threshold is 75C
646890	3-Major	K12068427	IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512
646804	3-Major		call to tmctl in diskmonitor for the tmstat vmcp_stat table results in error: tmctl: vcmp_stat: No such table.
646760-1	3-Major		Common Criteria Mode Disrupts Administrative SSH Access
646500	3-Major		System Log is not visible for ASM-related user roles
645723	3-Major	K74371937	Dynamic routing update can delete admin ip route from the kernel
645225	3-Major	K91019134	GUI Pool Member statistics to be reset individually
645179	3-Major		Traffic group becomes active on more than one BIG-IP after a long uptime
644979	3-Major	K02641631	Errors not logged from hourly 1k key generation cron job
644950	3-Major		GUI LTM Monitors to show related Pools for Pool Members
644490	3-Major		Finisar 100G LR4 values need to be revised in f5optics
644416	3-Major	K29545416	iControl REST receives error code '500' and 'Internal error occurred' in the return for the list (GET) for /mgmt/tm/sys/crypto/cert
644404	3-Major		Extracting SSD from system leads to Emergency LCD alert★
644184	3-Major	K36427438	ZebOS daemons hang while AgentX SNMP daemon is waiting.
643839	3-Major		lind log levels Alert, Emergency, Verbose not configurable
643768-2	3-Major		Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.★
643673	3-Major	K34307244	Creating a route domain with error on GUI gives incorrect error message
643150	3-Major		VE: Native drivers are allowed when single NIC is provisioned
642982	3-Major		tmrouted may continually restart after upgrade, adding or renaming an interface★
642422	3-Major		BFD may not remove dependant static routes when peer sends BFD Admin-Down
642314	3-Major	K24276198	CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★
641001-1	3-Major		BWC: dynamic policy category sees lower bandwidth than expected in Congested policies
639774	3-Major	K30598276	mysqld.err rollover log files are not collected by qkview
639674	3-Major		Blackhole management routes don't work
639575	3-Major		Using libtar with files larger than 2 GB will create an unusable tarball
639049	3-Major		Virtual Server creation ignores translate-address setting with wild card destination
638825	3-Major		SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD
638086	3-Major		Data publisher not found or not implemented when processing request
637561	3-Major		Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice
636744	3-Major	K16918340	IKEv1 phase 2 SAs not deleted
636666	3-Major		New Threat Categories Identification in IP Intelligence Subscription Service
636573	3-Major	K75870356	After changing ike-peer change from IKEv2 to IKEv1 racoon does not get updated.
636167	3-Major		checkcert utility does not process certificates that reside outside of /Common partition
635703	3-Major		Interface description may cause some interface level commands to be removed
635116	3-Major		Memory leak when using replicated remote high-speed logging.
633879	3-Major		Fix IKEv1 md5 phase1 hash algorithm so config takes effect
633413	3-Major		IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI
632366	3-Major		Prevent a spurious Broadcom switch driver failure.
631172	3-Major		GUI user logged off when idle for 30 minutes, even when longer timeout is set
630610	3-Major		BFD session interface configuration may not be stored on unit state transition
629830	3-Major	K36048158	Remote-logging where destination matches virtual will be sourced from loopback network
629095	3-Major	K08240314	iControl keymanagment impory may fail when stale content exists in /config/ssl
628164	3-Major		OSPF with multiple processes may incorrectly redistribute routes
627648	3-Major		Power on option in bladectl incorrectly resets already powered on blade
626589	3-Major	K73230273	iControl-SOAP prints beyond log buffer
625703	3-Major		SELinux: snmpd is denied access to tmstat files
625514	3-Major		[RFE] - iApp modification request to add apm policy - f5.peoplesoft_9
624802	3-Major	K43044995	AWS - Sometimes iid-document is not loaded on instance startup
624692	3-Major		Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying
624671	3-Major		A route for /32 mask can't be added
624626	3-Major		Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility
622619	3-Major		BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD
621314-5	3-Major	K55358710	SCTP virtual server with mirroring may cause excessive memory use on standby device
621259	3-Major		Config save takes long time if there is a large number of data groups
621197	3-Major		Question mark prevents TMSH from loading configuration file
620933	3-Major		qkview generation is slow due to 'ss -p' command
620659	3-Major		The BIG-IP system may unecessarily run provisioning on successive reboots
620567	3-Major		HTTP to HTTPS TMUI redirection erroneously allows HTTP access to iControl SOAP and iControl REST
619873	3-Major		Secure Vault: Key cleanup for 5000- and 7000-series platforms★
614887	3-Major		large qkview files may not be uploadable to iHealth
614400	3-Major		IPv6 configuration limitations
612954	3-Major		IKEv1 log line warns proxy-support must be enabled for v1 peers to work
612752-3	3-Major		UCS load or upgrade may fail under certain conditions.★
612721-1	3-Major		FIPS: .exp keys cannot be imported when the local source directory contains .key file
611787	3-Major		Collect thread stats in qkview's proc module
610639	3-Major		Collect non-truncated SAR data when the -c switch is specified
609967	3-Major	K55424912	qkview missing some HugePage memory data
605918	3-Major		tmsh list sys db non-default-properties, was listing db vars with default values.
605792-9	3-Major		Installing a new version changes the ownership of administrative users' files★
605491	3-Major		No confirmation prompt for tmsh 'load sys config base' in command line mode
605270-4	3-Major		On some platforms the SYN-Cookie status report is not accurate
604547	3-Major		Unix daemon configuration may lost or not be updated upon reboot
600570	3-Major		VE License may enforce improper TMM count
598650	3-Major		apache-ssl-cert objects do not support certificate bundles
597972	3-Major	K49512487	Inconsistent treatment for sFlow configuration in CLI and GUI.
596429	3-Major		pgadmind process restarts continuously
593845	3-Major	K24093205	VE interface limit
588929	3-Major		SCTP emits 'address conflict detected' log messages during failover
588794	3-Major		Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements
588771	3-Major		SCTP needs traffic-group validation for server-side client alternate addresses
586938	3-Major	K57360106	Standby device will respond to the ARP of the SCTP multihoming alternate address
586031	3-Major		Configuration with LTM policy may fail to load
579760-2	3-Major	K55703840	HSL::send may fail to resume after log server pool member goes down/up
579035	3-Major	K46145454	Config sync error when a key with passphrase is converted into FIPS.
575368	3-Major		Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card
570783	3-Major		Improved debug log for IKEv2 proposal transforms and payloads.
563905-4	3-Major	K62975642	vCMP guest fails to go Active after the host system is rebooted
557155-7	3-Major	K33044393	BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.
548321	3-Major		External link status not displayed for VLAN/interfaces
544906	3-Major	K07388310	Issues when using remote authentication when users have different partition access on different devices
543208-3	3-Major	K40670213	Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.★
542347	3-Major		Denied message in audit log on first time boot
534996	3-Major		Allow swapping of vlan names in config for switch based platforms
530530	3-Major	K07298903	tmsh sys log filter is displays in UTC time
523797	3-Major		Upgrade: file path failure for process name attribute in snmp.★
522304	3-Major		Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group
516167	3-Major	K21382264	TMSH listing with wildcards prevents the child object from being displayed
514871-1	3-Major		Unnecessary ssh key pair exist for root user in AWS and Azure.
507140	3-Major	K63390807	Sod daemon stalls while writing to syslog, and is halted repeatedly on startup.
438574	3-Major		Web UI: iSession Profile properties page displays incorrect parent profile name.
429013-3	3-Major		Log file permissions lock down
421851	3-Major		Config load does not skip leading whitespaces if iRule starts with #
421797	3-Major		ePVA continues to accelerate IP Forwarding VS traffic even in Standby
418349	3-Major		Update/overwrite of FIPS keys error
382109	3-Major		No message when removing PSU from chassis.
668964	4-Minor	K81873940	'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group
668434	4-Minor		Trap destination network option of 'default' is not valid
664505	4-Minor		Improve error messages related to clientssl profile cert-key-chain by showing clientssl profile name
662372	4-Minor	K41250179	Uploading a new device certificate file via the GUI might not update the device certificate
658298	4-Minor		SMB monitor marks node down when file not specified
656900	4-Minor		Blade family migration may fail
655691	4-Minor		GUI image list contains misleading 'MD5 Sum Verified' field
655448	4-Minor	K80470655	Virtual Edition Single-process requirement not enforced
654566	4-Minor		Incomplete files still linked in /shared/vmisolinks
653770	4-Minor		Cannot copy fields in Policy Rule section of LTM Policy rule overview page
653225	4-Minor		coreutils security and bug fix update
653224	4-Minor		Multiple GnuTLS Vulnerabilities
653217	4-Minor		Multiple Samba Vulnerabilities
652935	4-Minor		Exotic tmipsecd crash when internally the wrong path was used for racoon.
652585	4-Minor		BWC statistics include active and inactive policy counts.
652539-5	4-Minor		Multiple Bash Vulnerabilities
652056	4-Minor		[api-status-warning] are generated at stderr and /var/log/ltm when listing config in tmsh from top level namespace or at module level
652048	4-Minor		TMSH save sys config contains [api-status-warning] that do not correspond to any configuration instances
651599	4-Minor	K78500502	/shared/em/ssl.crt are not collected as part of qkview
650019	4-Minor		The commented-out sample functions in audit_forwarder.tcl are incorrect
649987	4-Minor		GUI LTM UDP profile missing Max Buffer Bytes and Max Buffer Packets setting
647972	4-Minor		inconsistent attribute naming in sys connection
647812	4-Minor		/tmp/wccp.log file grows unbounded
645717-2	4-Minor		UCS load does not set directory owner
644975	4-Minor	K09554025	/var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost
644805-1	4-Minor		Kernel.el7.2: BIG-IP VIPRION B4450 - ACPI complaints about unpopulated cpu cores
644799	4-Minor	K42882011	TMM may crash when the BIG-IP system processes CGNAT traffic.
644723-3	4-Minor		cm56xxd logs link 'DOWN' message when an interface is admin DISABLED
644517	4-Minor		LTM 12.1.1 - f5.http iapp enables mirroring based on inverse of cm_sync_status
643404	4-Minor	K30014507	"tmsh system software status" does not display properly in a specific cc-mode situation★
643121	4-Minor		Failed installation volumes cannot be deleted in the GUI.
642990	4-Minor	K05304332	Processes started from interactive shells do not generate core files when they crash
641886	4-Minor		'SELinux targeted policy relabel is required' message
641099	4-Minor		Displaying warning when Packet Filtering is disabled since Rules won't apply
640863	4-Minor	K29231946	Disabling partition selector in DNS Resolver's Forward Zones
640489-1	4-Minor	K53571714	iSeries LCD alerts screen returns to splash screen intermittently
640031	4-Minor		RedHat: bash bug fix update - RHBA-2017-0038
640029	4-Minor		db4 bug fix update - RHBA-2017-0035
640027	4-Minor		ORBit2 bug fix update - RHBA-2017-0033
639932	4-Minor		VADC: link status of a XL710 SR-IOV interface does not reflect the state of the physical link
639516	4-Minor		Improve traffic distribution on backplane links
639349	4-Minor		LTM 11.6.1 - Weblogic iApp inserts WL-Proxy-Client-IP header with route domain
638960	4-Minor		A subset of the BIG-IP default profiles can be incorrectly deleted
636520	4-Minor	K88813435	Detail missing from power supply 'Bad' status log messages
636031	4-Minor	K23313837	GUI LTM Monitor Configuration String adding CR for type Oracle
635435	4-Minor		DPD transmit timer has big variations
635267	4-Minor		Fallback persistence not configurable in f5.http iApp
633313	4-Minor		Config load failure can be caused by changing the mgmt shared settings api-status availability settings
633181	4-Minor		A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section
633091-1	4-Minor		Avr debug messages are printed to screen when saving/loading sys config
632668	4-Minor		When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds
632069	4-Minor		Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076
631334-1	4-Minor		TMSH does not preserve \? for config save/load operations
630795	4-Minor		No guestagentd entry in merged.conf
629426	4-Minor		No option to display time in 24-hour format at top of web-GUI
627554	4-Minor		Partition of LTM policies is displayed in breadcrumb rather than properties table row
625428	4-Minor		SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
624909	4-Minor		Static route create validation is less stringent than static route delete validation
624896	4-Minor		GUI LTM Virtual Server Connection Limit and Connection Rate Limit
624484	4-Minor	K09023677	Timestamps not available in bash history on non-login interactive shells
623536	4-Minor		SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent
623362	4-Minor		Oversized pool member input
622845	4-Minor		Adding unlimited snaplen option to support page
622395	4-Minor		Allowing Application Editor users to remove pool members
617901	4-Minor		GUI to handle file path manipulation to prevent GUI instability.
614804	4-Minor		libcurl vulnerabilities: CVE-2016-5420, CVE-2016-5421, CVE-2016-7141
613275	4-Minor	K62581339	SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up
607438	4-Minor		False alert in daemon log (/var/log/daemon.log) when listing all certificates using iControl SOAP or GUI
605891-2	4-Minor		Enable ASM option disappears from L7 policy actions
602074	4-Minor	K46583034	Management.KeyCertificate.get_certificate_validator() doesn't throw not-found exception when a given certificate doesn't exist.
598437	4-Minor		SNMP process monitoring is incorrect for tmm and bigd
598289-5	4-Minor		TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>
598024	4-Minor		FastL4 profile with immediate idle timeout is not honored for ePVA offloaded flows
587266	4-Minor		Chassis Name and Type are blank in "tmsh show sys hardware"
581857	4-Minor	K13950312	Rewrite option missing in TCP Window Scale Mode for FastL4 profiles
571017	4-Minor		Extra log messages seen on optics removal.
554393	4-Minor		Multiple log messages stating 'AdminIp fixed up with dhcp_enabled = false' are printed in /var/log/ltm after upgrade.
548003	4-Minor	K03416530	GUI Network Map page runs out of memory and the GUI hangs indefinitely.
541550	4-Minor		Defining more than 10 remote-role groups can result in authentication failure
538014	4-Minor	K40533060	EVAL shown in CLI Mode even after purchasing subscription license for SWG.
530927	4-Minor	K01481294	Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed
527720	4-Minor		Rare 'No LopCmd reply match found' error in getLopReg
520877	4-Minor		Alerts sent by the lcdwarn utility are not shown in tmsh
507206	4-Minor		Multicast Out stats always zero for management interface.
479471	4-Minor	K00342205	CPU statistics reported by the tmstat command may spike or go negative
472581	4-Minor		Cannot use 'default' as the FIPS security officer password.
394734	4-Minor		Added the transparent option for DNS monitor
382577	4-Minor	K40515053	imish 'terminal monitor' command does not have any effect in TMOS
651826	5-Cosmetic		SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly
649220	5-Cosmetic		Filterable rule's pools
637069	5-Cosmetic	K85255027	BIG-IP unstable when SCTP tx_chunks and rx_chunks configuration values are set incorrectly
626363	5-Cosmetic		HA Groups sufficient threshold warns sufficient count=0 when sufficient count is set to all
619593	5-Cosmetic		Provisioning page table cells overlap
619162	5-Cosmetic		Two Delete buttons for records and main delete. Edit and Delete buttons are enabled when no record selected.
609995	5-Cosmetic		Device Connectivity tabs not properly highlighted
571634	5-Cosmetic		tmstat CPU values can be incorrect
447417	5-Cosmetic		GUI Node Address List does not display by hostname.

Local Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670011	1-Blocking		SSL forward proxy does not create the server certchain when ignoring server certificates
682682	2-Critical		tmm asserts on a virtual server-to-virtual server connection
677975-1	2-Critical	K59237122	SSL may cause the TMM to core when forging a certificate due to race condition
676982	2-Critical		Active connection count increases over time, long after connections expire
676721	2-Critical		Missing check for NULL condition causes tmm crash.
676028	2-Critical	K09689143	SSL forward proxy bypass may fail to release memory used for ssl_hs instances
674004	2-Critical	K34448924	tmm may crash when after deleting pool member in traffic
673951	2-Critical		Memory leak when using HTTP2 profile
671714	2-Critical		Empty persistence cookie name inserted from policy can cause TMM to crash
671638	2-Critical		Memory leak when load-balancing mptcp traffic
670238-1	2-Critical	K26297385	TMM may crash due to wrong flow assigned to fragmented IPv4 packet
669306	2-Critical		The HTTP_DISABLE iRule event may cause a TMM crash
667648	2-Critical		TMM can crash when it exits while still processing traffic
667259	2-Critical	K15364500	Memory Leak in RAM Cache
666889	2-Critical		Deleting virtual server may cause tmm to segfault
666401	2-Critical		Memory might become corrupted when a Standby device transitions to Active during failover
666032-2	2-Critical		Secure renegotiation is set while data is not available.
665924	2-Critical		The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
665906	2-Critical		tmm crash in free_bufctls
665732	2-Critical	K45001711	FastHTTP may crash when receiving a fragmented IP packet
665185	2-Critical		SSL handshake reference is not dropped if forward proxy certificate lookup failed
664461	2-Critical	K16804728	Replacing HTTP payload can cause tmm restart
659899	2-Critical	K10589537	Rare, intermittent system instability observed in dynamic load-balancing modes
659709	2-Critical		Memory leak under rare conditions
658989	2-Critical		Memory leak when connection terminates in iRule process
657858	2-Critical	K85425460	TMM can restart when VLAN keyed connections are disabled.
657713	2-Critical		Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.
655628	2-Critical		TCP analytics does not release resources under specific sequence of packets
655211	2-Critical		bigd crash (SIGSEGV) when running FQDN node monitors
653495	2-Critical		Incorrect SNI hostname attached to serverside connections
650317	2-Critical		The TMM on the next-active panics with message: "Missing oneconnect HA context"
649171	2-Critical		tmm core in iRule with unreachable remote address
648902	2-Critical		TMM crashes after changing VLAN tag to 'any'
648715	2-Critical	K45001725	BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0
648245	2-Critical	K29101604	When using a route TMM may use a smaller MTU
648037	2-Critical		LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash
647962	2-Critical		B2250: Interface is dropping traffic in passive mode
647757	2-Critical	K96395052	RATE-SHAPER:Fred not properly initialized may halt traffic
647137-1	2-Critical		bigd/tmm con vCMP guests
646643	2-Critical		HA standby virtual server with non-default lasthop settings may crash.
646604	2-Critical		Client connection may hang when NTLM and OneConnect profiles used together
644112-1	2-Critical	K56150996	Permanent connections may be expired when endpoint becomes unreachable
643396	2-Critical	K34553627	Using FLOW_INIT iRule may lead to TMM memory leak or crash
643375	2-Critical		tmm might crash with SIGSEGV when the system receives an unexpectedly large amount of input.
642400	2-Critical		Path MTU discovery occasionally fails
641869	2-Critical		Assertion "vmem_hashlist_remove not found" failed.
641835	2-Critical		3DES Ciphers have been removed from the SSL DEFAULT cipher list
641491	2-Critical		TMM core while running iRule LB::status pool poolname member ip port
640352	2-Critical		Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet
639764	2-Critical		Crash when searching external data-groups with records that do not have values
639744	2-Critical	K84228882	Memory leak in STREAM::expression iRule
639383-1	2-Critical		ILX HTTP headerNames are not being properly treated as case insensitive
639039	2-Critical	K33754014	Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons
637181	2-Critical		VIP-on-VIP traffic may stall after routing updates
633566	2-Critical		tmm crash with Nitrox
629178	2-Critical	K42206046	Incorrect initial size of connection flow-control window
626311	2-Critical		Potential failure of DHCP relay functionality credits to incorrect route lookup.
621870	2-Critical		Outage may occur with VIP-VIP configurations
619071	2-Critical		OneConnect with verified accept issues
618463	2-Critical		artificial low route mtu can cause SIGSEV core from monitor traffic
615303	2-Critical		bigd crash with Tcl monitors
614702	2-Critical		Race condition when using SSL Orchestrator can cause TMM to core
608304	2-Critical	K55292305	TMM crash on memory corruption
581746	2-Critical		MPTCP or SSL traffic handling may cause a BIG-IP outage
680145	3-Major	K82484604	HA mirroring for flows without autolasthop cause a crash on the standby
678337	3-Major		Route Advertisement setting for virtual-address disabled after upgrade from pre-13.0.0 versions★
677400	3-Major	K82502883	pimd daemon may exit on failover
676914	3-Major		The SSL Session Cache can grow indefinitely if the traffic group is changed.
673147	3-Major	K01350083	Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.
673078	3-Major		TMM may crash when processing FastL4 traffic
673052	3-Major		On i-Series platforms, HTTP/2 is limited to 10 streams
672008	3-Major	K22122208	NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds
671935	3-Major	K64461712	Possible ephemeral port reuse.
671725	3-Major	K19920320	Connection leak on standby unit
671112	3-Major		Internal IP Datagroups not matching against some IPv6 network addresses
670822	3-Major		Handle correctly long host name from SOCKS server
670816	3-Major	K44519487	HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters
670258	3-Major		Multicast pings not forwarded by TMM
670245	3-Major		IP forwarding virtual server drops packets with TTL of 1 in TTL preserve mode
669974	3-Major	K90395411	Encoding binary data using ASN1::encode may truncate result
669025	3-Major	K11425420	Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate
668522	3-Major		bigd might try to read from a file descriptor that is not ready for read
668521	3-Major		Bigd might stall while waiting for an external monitor process to exit
668419	3-Major	K53322151	ClientHello sent in multiple packets results in TCP connection close
668196	3-Major		Connection limit continues to be enforced with least-connections and pool member flap, member remains down
668006	3-Major		Suspended 'after' command leads to assertion if there are multiple pending events
666947	3-Major		L2 Wire global syn cookie in HW floods SYN ACK packets to both the VLANs joined in a L2 VLAN group.
666616	3-Major	K82565029	Some HTTP iRule commands should always return results as Tcl lists, but do not.
666595	3-Major		Monitor node log fd leak by bigd instances not actively monitoring node
666160	3-Major	K63132146	L7 Policy reconfiguration causes a slow memory leak
665652	3-Major	K41193475	Multicast traffic not forwarded to members of VLAN group
665022	3-Major	K32120323	Rateshaper stalls when TSO packet length exceeds max ceiling.
664769	3-Major	K33637041	TMM may restart when using SOCKS profile and an iRule
663551	3-Major		SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event
663326	3-Major		Thales HSM: "fipskey.nethsm --export" fails to make stub keys
663181	3-Major		VDI plugin-initiated connections may select inappropriate SNAT address
662911	3-Major	K93119070	SASP monitor uses same UID for all vCMP guests in a chassis or appliance
662881	3-Major	K10443875	L7 mirrored packets from standby to active might cause tmm core when it goes active.
662816	3-Major	K61902543	Monitor node log fd leak for certain monitor types
662663	3-Major		Decryption failure Nitrox platforms in vCMP mode
662085	3-Major		iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages
661881	3-Major	K00030614	Memory and performance issues when using certain ASN.1 decoding formats in iRules
660532	3-Major	K21050223	Cannot specify the event parameter for redirects on the policy rule screen.
660119	3-Major		Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.
659956	3-Major		tmsh stats are not one-to-one mapping to tmctl
658214	3-Major		TCP connection fail intermittently for mirrored fastl4 virtual server
657883	3-Major	K34442339	tmm cache resolver should not cache response with TTL=0
657795	3-Major	K51498984	Possible performance impact on some SSL connections
657626	3-Major		User with role 'Manager' cannot delete/publish LTM policy.
656872	3-Major		Rolling forward with HTTPS monitors in the configuration with mismatched keys and certs
655793	3-Major		SSL persistence parsing issues due to SSL / TCP boundary mismatch
655767	3-Major		MCPD does not prevent deleting an iRule that contains in-use procedures
655724	3-Major	K15695	MSRDP persistence does not work across route domains.
655432	3-Major	K85522235	SSL renegotiation failed intermittently with AES-GCM cipher
654981	3-Major		Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action
654368	3-Major		ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require
654109	3-Major	K01102467	Configuration loading may fail when iRules calling procs in other iRules are deleted
654086-1	3-Major	K18323013	Incorrect handling of HTTP2 data frames larger than minimal frame size
653930	3-Major	K69713140	Monitor with description containing backslash may fail to load.
653511	3-Major	K45770397	Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve
653228	3-Major	K34312110	SNAT does not work properly on FTP VIP2VIP
652535-3	3-Major	K54443700	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
652480	3-Major		C3D feature needs control plane support, SNMP, tmsh and iControl
652445	3-Major	K87541959	SAN with uppercase names result in case-sensitive match or will not match
651901	3-Major		Removed unnecessary ASSERTs in MPTCP code
651889	3-Major		persist record may be inconsistent after a virtual hit rate limit
651681-1	3-Major	K49562354	Orphaned bigd instances may exist (within multi-process bigd)
651651	3-Major	K54604320	bigd can crash when a DNS response does not match the expected value
651541	3-Major	K83955631	Changes to the HTTP profile do not trigger validation for virtual servers using that profile
651135	3-Major		LTM Policy error when rule names contain slash (/) character★
650152	3-Major		Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms
649571	3-Major		Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello
648990-2	3-Major		Serverside SSL renegotiation does not occur after block cipher data limit is exceeded
648954	3-Major		Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls
648700	3-Major		Verification of peer certificate chain may return incorrect result.
647625	3-Major		L7 Policy state may be corrupted in rare occasions
647071	3-Major		Stats for SNATs do not work when configured in a non-zero route domain
645197	3-Major		Monitors receiving unique HTTP "success" response codes may stop monitoring after status change
645058	3-Major	K93819312	Modifying SSL profiles in GUI may fail when key is protected by passphrase
645036-1	3-Major	K85772089	Removing pool from virtual server does not update its status
644873	3-Major	K97237310	ssldump can fail to decrypt captures with certain TCP segmenting
644851	3-Major		Websockets closes connection on receiving a close frame from one of the peers
644418	3-Major		Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate
643860	3-Major		Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly
643777	3-Major	K27629542	LTM policies with more than one IP address in TCP address match may fail
643733	3-Major		ssldump crashes when processing out-of-order packet
643582	3-Major		Config load with large ssl profile configuration may cause tmm restart
643041	3-Major	K64451315	Less than optimal interaction between OneConnect and proxy MSS
642786	3-Major	K01833444	TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.
641512	3-Major		DNSSEC key generations fail with lots of invalid SSL traffic
640809	3-Major	K79892782	Merged constantly restarts★
640565	3-Major	K11564859	Incorrect packet size sent to clone pool member
640369	3-Major		TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan
638715	3-Major		Multiple Diameter monitors to same server ip/port may race on PID file
637994	3-Major		Safenet keys now use SHA-256 digest instead of SHA-1 digest.
637094-1	3-Major		The iRules LX streaming external data-group API may incorrectly not find a match.
636289	3-Major		Fixed a memory issue while handling TCP::congestion iRule
636149-2	3-Major		Multiple monitor response codes to single monitor probe failure
634054	3-Major		Use GUI/iControl to manage key/cert for Thales users
634023	3-Major		Use tmsh to create key and certificate based on Thales netHSM
633564	3-Major		Route unavailable when static route depends on another static route
633464-1	3-Major		Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.
633402	3-Major		In rare circumstances, the use of persistence can cause a TMM memory leak.
633333	3-Major		During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent
632824	3-Major	K00722715	SSL TPS limit can be reached if the system clock is adjusted
632575	3-Major	K19415206	SNAT creates duplicate snat-translation object - configuration load fails
631862	3-Major		Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk
629390	3-Major		GUI: virtual-address route-advertisement setting changed from 'selective' to 'disabled' after update
626386	3-Major		SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled
623940-4	3-Major		SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello
620625	3-Major		Changes to the Connection.VlanKeyed DB key may not immediately apply
619844-1	3-Major		Packet leak if reject command is used in FLOW_INIT rule
618985	3-Major		Changing type on external data-group may cause issues with iRule
618430	3-Major		iRules LX data not included in qkview
615553	3-Major	K51205306	Reverse/transparent setting reverting to disabled on child monitor
614410	3-Major		Unexpected handling of TCP timestamps in HA configuration
612369	3-Major		Thales install script has no support for Thales HA
612086-4	3-Major		Virtual server CPU stats can be above 100%
612040	3-Major		Statistics added for all crypto queues
611691	3-Major		Packet payload ignored when DSS option contains DATA_FIN
610682	3-Major		LTM Policy action to reset connection only works for requests
610323	3-Major		LTM SSL supports Client Certificate Constrained Delegation
610138-3	3-Major		STARTTLS in SMTPS filter does not properly restrict I/O buffering
609244-3	3-Major		tmsh show ltm persistence persist-records leaks memory
607246	3-Major		Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires
607166	3-Major		Hidden directories and files are not synchronized to secondary blades
604011	3-Major		Sync fails when iRule or policy is in use★
603609	3-Major		Policy unable to match initial path segment when request-URI starts with "//"
600812	3-Major		IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.
599177	3-Major		Regression in Route Domain and Partition GUI load times due to high CPU utilization in merged.
599048	3-Major		BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option
598707	3-Major		Path MTU does not work in self-IP flows
591486	3-Major		Pipeline reject in HTTP filter is not enforced in certain cases.
586621-6	3-Major	K36008344	SQL monitors 'count' config value does not work as expected.
577846	3-Major		NPN configuration options are obsolete
574811	3-Major		SSL Orchestrator: Add the ability to dynamically update the CA bundles on the BIG-IP
574088	3-Major		Add AES-GCM support for ssldump
572234	3-Major		When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.
563689	3-Major		ZebOS configuration cannot be loaded via imish when service password-encryption is set
563444	3-Major		vCMP guest cluster may have two primaries due to partial partitioning of the management backplane network on one cluster member
560291	3-Major		vCMP guest cluster may have two primaries due to partial partitioning of the management backplane network on one cluster member
549927	3-Major		iRule validation does not check RULE_INIT/virtual are disallowed in proc calling
532904	3-Major	K24219334	Some HTTP commands fail validation when it is in a proc and the proc is called from another proc
523126	3-Major	K40362020	Change in route domain in NAT configuration does not take effect until restart
517756	3-Major		Existing connections can choose incorrect route when crossing non-strict route-domains
516307	3-Major		Multiple Relay in DHCP relay is not working.
510395-4	3-Major	K17485	Disabling some events while in the event, then running some commands can cause tmm to core.
452482-9	3-Major	K16014	HTTP virtual servers with cookie persistence might reset incoming connections
368690	3-Major	K33313540	Disabling iRule events that are executing or pending execution will work correctly
367226	3-Major		Outgoing RIP advertisements may have incorrect source port
352957	3-Major		Route lookup after change in route table on established flow ignores pool members
248914	3-Major	K00612197	ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address
677439	4-Minor		FQDN ephemeral Node Address object naming change
668802	4-Minor		GTM link graphs fail to display in the GUI
667318	4-Minor		BIG-IP DNS/GTM link graphs fail to display in the GUI.
660170	4-Minor	K28505910	tmm may crash at ~75% of VLAN failsafe timeout expiration
653746	4-Minor	K83324551	Unable to display detailed CPU graphs if the number of CPU is too large
652080	4-Minor		LTM Policy blocks a URL containing pound/hash (#) character
651953	4-Minor		Thales nethsm install script can configure BIG-IP for softcard/OCS keys
651005	4-Minor		FTP data connection may use incorrect auto-lasthop settings.
649986	4-Minor		buffer-max-packets default value is 0, not 10 as stated in tmsh documentation
646495	4-Minor		BIG-IP may send oversized TCP segments on traffic it originates
645729	4-Minor		SSL connection is not mirrored if ssl session cache is cleared and resume attempted
644282	4-Minor	K88633423	Incorrectly formatted log entry for Route
641273	4-Minor		port-fwd-mode mode configuration object value
640626	4-Minor	K20300705	Added more error checking and reporting to RAM Cache TMSH commands
632901	4-Minor		JET documentation incorrect for RESOLV::lookup
628016	4-Minor		MP_JOIN always fails if MPTCP never receives payload data
627695	4-Minor		[netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational
625892	4-Minor		Nagle Algorithm Not Fully Enforced with TSO
621379	4-Minor		TCP Lossfilter not enforced after iRule changes TCP settings
615479	4-Minor		netHSM key creation with tmsh fails if CSR is also requested
614533	4-Minor		SSL session cache invalidations stat unused in TMM
611161	4-Minor	K28540353	VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.
610201	4-Minor		Undefined behavior when calling HTTP::payload within HTTP_REQUEST_SEND iRule event
598387	4-Minor		Limiting Node's Default Monitor updates to the Common partition
594260	4-Minor	K85831051	Pool members do not exit slow ramp when CARP persistence is enabled.
593396	4-Minor		Stateless virtual servers may not work correctly with route pools or ECMP routes
592647	4-Minor	K58112012	Thales client install requires an SSH username, and always attempts to SSH into the RFS
570855	4-Minor		DB variable log.csyncd.level cannot be set to certain values
569814-1	4-Minor		iRule "nexthop IP_ADDR" rejected by validator
552988	4-Minor		Cannot enable MPTCP on some profiles in GUI.
544171	4-Minor		bigd loses connection to mcpd on debug data dump
523814	4-Minor		When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections
517347	4-Minor		DNS::return iRule can lead to infinite packet processing loop
511664	4-Minor		The fipskey.nethsm utility does not support or enforce RFC 3280 with regards to field length Upper/Lower Bounds.
500684	4-Minor	K62862317	Use of cookie hash persist, local cache entry may not removed upon connection close.
497559	4-Minor		Chrome developer console shows error with iRules LX Workspace Editor
474901	4-Minor		Profiles with a large number of regexps can cause excessive memory usage.
462043	4-Minor		DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms
390197	4-Minor		Allow the HTTP::payload command to be used in the HTTP_REJECT iRule event
374441-1	4-Minor		IPv6.port format in iRule pool command is not errored out
572111	5-Cosmetic		Rate shaper drop policy sometimes show value is zero which is equivalent of default value
567330	5-Cosmetic		tmsh show sys memory on secondaries will generate innocuous error

Performance Fixes

ID Number	Severity	Solution Article(s)	Description
588752	1-Blocking		APM Login Performance may be degraded
620903	2-Critical		Decreased performance of ICMP attack mitigation.
634022	3-Major		Active Directory authentication with Step-Up-Auth has degraded performance.
632838	3-Major		Deterministic NAT performance may be degraded

Global Traffic Manager Fixes

ID Number	Severity	Solution Article(s)	Description
663310	3-Major	K50871313	named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★
643813	3-Major	K32906881	ZoneRunner does not properly process $ORIGIN directives
642330-1	3-Major		GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Application Security Manager Fixes

ID Number	Severity	Solution Article(s)	Description
681109	2-Critical	K46212485	BD crash in a specific scenario
679603	2-Critical	K15460886	bd core upon request, when profile has sensitive element configured.
678228	2-Critical	K27568142	Repeated Errors in ASM Sync
677193	2-Critical		ASM BD Daemon Crash
672301	2-Critical		ASM crashes when using a logout object configuration in ASM policy
662281	2-Critical		Inconsistencies in Automatic sync ASM Device Group
657925	2-Critical		Error when enabling ASM via iRule
657521	2-Critical	K49102057	Transient error may appear in bd.log shortly after Signature Set is added to policy
653292	2-Critical		MySQL does not initialize correctly on first system start
653014	2-Critical		Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name
652200	2-Critical	K81349220	Failure to update ASM enforcer about account change.
650070	2-Critical		iRule that uses ASM violation details may cause the system to reset the request
642119	2-Critical		Websocket URLs can't be explicitly excluded per attack signature
640829	2-Critical		bd crash scenario
639500	2-Critical		BD crash fix
638629	2-Critical		Bot can be classified as human
636669	2-Critical		bd log are full of 'Can't run patterns' messages
674527	3-Major		TCL error in ltm log when server closes connection while ASM irules are running
674494	3-Major		BD memory leak on specific configuration and specific traffic
673311	3-Major		When 'Web Scraping Configuration' has 'Bot Detection' set to 'Alarm', the type=7 JavaScript challenge is sent.
672828	3-Major		Different ASM logging profiles can have cross-impact on response logging decision
672695	3-Major		Internal perl process listening on all interfaces when ASM enabled
670501	3-Major	K85074430	ASM policies are either not (fully) created or not (fully) deleted on the HA peer device
667076	3-Major	K92494571	WebSocket URLs over SSL don't match when differentiate HTTP/HTTPS is disabled
667013	3-Major	K13220614	Wildcard URLs with identical wildcard order will have only one of them being enforced
666986	3-Major	K50320144	Filter by Support ID is not working in Request Log
666523	3-Major		Added indication for requests that were logged only as sample request for the learning suggestion or were marked for delete
666118	3-Major	K58571155	High CPU usage from asm_config_server
665992	3-Major		Live Update via Proxy No Longer Works
665430	3-Major		Endless loop of requests when Fingerprint enabled on ASM Policy and client timezone is UTC+5 and east
664930	3-Major		Policy automatic learning mode changes to manual after failover
663687	3-Major		Upgrade halts when external XML schema cannot be accessed
662272	3-Major		ASM MySQL persistent query causing GUI to hang.
660327	3-Major		Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.
660326	3-Major	K91072177	Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.★
659281	3-Major		"Severe critical" message after failed upgrade persists even after subsequent successful config load★
657531	3-Major	K02310615	High memory usage when using the ICAP server
655617	3-Major	K36442669	Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge
654996	3-Major	K50345236	Closed connections remains in memory
654925	3-Major	K25952033	Memory Leak in ASM Sync Listener Process
654873	3-Major		ASM Auto-Sync Device Group
654872	3-Major		After an upgrade, an URL from another policy's WSDL may be erroneously added after XML profile change★
653017	3-Major		Bot signatures cannot be created after upgrade with DoS profile in non-Common partition
649513	3-Major		IP Intelligence: Policy diff doesn't work for categories
648639	3-Major		TS cookie name contains NULL or other raw byte
648008	3-Major	K70289415	bd keeps coring after upgrade to 12.1.2 or later★
647828	3-Major		Historical session data in db and inconsistent GUI info
646800	3-Major		A part of the request is not sent to ICAP server in a specific case
646581	3-Major		Unnecessary disk monitor warnings for /var/asmdata1 on large platforms
646572	3-Major		Multiple log messages 'Async process socket is full' written to asm_config_server.log
644725	3-Major	K01914292	Configuration changes while removing ASM from the virtual server may cause graceful ASM restart
642185	3-Major		Add support for IBM AppScan scanner schema changes
641559	3-Major		Session-based brute force resets failed logins counter upon successful login
641547	3-Major		Possible dead-lock on accept of multiple suggestions at once
641307	3-Major		Response Page contents are corrupted by XML policy import for non-UTF-8 policies
641083	3-Major		Policy Builder Persistence is not saved while config events are received
640824	3-Major		Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★
640290	3-Major		Custom headers configuration issue
639767	3-Major		Policy with Session Awareness Statuses may fail to export
639630	3-Major		Searching for signatures with overrides in the policy returns incorrect results
637516	3-Major		Copying a Child Security Policy as a Parent Security Policy Leaves Elements Uneditable
635754	3-Major	K65531575	Wildcard URL pattern match works inncorectly in Traffic Learning
635111	3-Major		New Application Ready Templates Available
633985	3-Major		CS challenged URL is rejected on complex CPM/irule configurations
632344	3-Major		POP DIRECTIONAL FORMATTING causes false positive
632326	3-Major		relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation
631715	3-Major		ASM::disable does not disable client side challenges
630390	3-Major		Client Side challenges and device ID doesn't work on a virtual server that has also APM
630355	3-Major	K57041868	Local Logs Missing Or Recorded Found For Incorrect Policy
630278	3-Major		Top Traffic Learning Violations
629626	3-Major	K92486415	ASM failures after upgrade due to empty file for most recent policy history★
629625	3-Major	K95558398	Corrupt policy history file causes UCS load to fail★
608245-2	3-Major		Reporting missing parameter details when attack signature is matched against parameter value
599313	3-Major		Support IPv6 address in XFF header to encapsulated within square brackets
585351	3-Major	K22971309	ASM add_del_internal script does not sync across blades on the VIPRION platform.
575818	3-Major		Apply Security Policies Only During Specified Times
564105	3-Major		ArcSight gives error on specific transactions
424689	3-Major		Rename 'IP Address Intelligence' to 'IP Intelligence'
346852	3-Major		Only three signatures are reported in the remote logger
660721	4-Minor	K51431600	Enforcement Readiness filter not preserved after changing page in Parameters page
657526	4-Minor		Rename Remote Logging format 'Key-Value Pairs' to 'Key-Value Pairs (Splunk)'
655159	4-Minor	K84550544	Wrong XML profile name Request Log details for XML violation
653633	4-Minor		Allowed Receiving Domain in SMTP Protocol Security is case sensitive
651585	4-Minor		ASM policy history GUI Validation Errors
644537	4-Minor		Some temporary files created by ASM have write permissions for all users.
642874	4-Minor	K15329152	Ready to be Enforced filter for Policy Signatures returns too many signatures
640751	4-Minor		No PCRE Validation Performed For Regular Expression Parameters
638576	4-Minor		Modified ASM Cookie violation is off by default
625602	4-Minor		ASM Auto-Sync Device Group Does Not Sync
562087	4-Minor		Supported platforms for Event Correlation
649180	5-Cosmetic		Attack Signatures do not mention 'Cookie' in Signature Scope field
609731	5-Cosmetic		Error message on WSDL schema validation

Application Visibility and Reporting Fixes

ID Number	Severity	Solution Article(s)	Description
643411	2-Critical	K59119323	High memory usage for avrd statistics
683177	3-Major		Can't drilldown or filter by 'Client Countries'
665425	3-Major	K24182390	AVR Max metrics shows wrong values
659527	3-Major		Custom Predefined Reports are not displayed in ASM Analytics Schedules
658343	3-Major	K33043439	AVR tcp-analytics: per-host RTT average may show incorrect values
654915	3-Major		Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address
652840	3-Major		vCMP host avrd high CPU usage
651627-1	3-Major		IP addresses may appear "Aggregated" in "COMMON" section of dashboard but not Aggregated when applying module-specific filter
649177	3-Major	K54018808	Testing for connection to SMTP Server always returns "OK"
646563	3-Major		AVR external log should have the option to start publishing at random time
643327-1	3-Major		DoS Visibility Attacks Graph tooltip does not provide sufficient information
643325-1	3-Major		Tooltips and help hints are inconsistent across the page
642449-1	3-Major		Standard deviation for Request Duration is calculated incorrectly
642221	3-Major		Incorrect entity is used when exporting TCP analytics from GUI
641963-1	3-Major		Average CPU usage is calculated differently in DOS Visability page
638115	3-Major		DoS Visibility page on a system under stress can cause GUI timeouts and disconnections
636104-1	3-Major		If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.
635680	3-Major		Link to DoS Visibility from a signature page starts with incorrect time-range
629573-2	3-Major	K66001885	No drill-down filter for virtual-servers is mentioned on exported reports when using partition
629013-1	3-Major		Right pane displaying doesn't respect pin selected function when filter just applied
627832	3-Major	K08001397	AVR HTTP/TCP: Only profiles from Common partition are displayed under All
610485	3-Major		Attacks chart has no time axis
580149	3-Major		AVR widgets are not synchronized in a HA configuration
574160-6	3-Major		Publishing DNS statistics if only Global Traffic and AVR are provisioned
564524	3-Major		Cron logs hourly email failure messages.
473755	3-Major		It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side
649336	4-Minor		AVR doesn't display units for "Avg Read Latency" measurement
639395	4-Minor		AVR does not display 'Max read latency' units.
636377	5-Cosmetic		Some metric terms are confusing.

Access Policy Manager Fixes

ID Number	Severity	Solution Article(s)	Description
647108	1-Blocking		Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction
682043-1	2-Critical	K41041660	Chrome v60 and newer might incorrectly report that F5 VPN and F5 EPI status
679235-2	2-Critical		Inspection Host NPAPI Plugin for Safari can not be installed
676904	2-Critical		tmm may crash while printing VDI logging information
675326	2-Critical	K15530703	TMM core with Modify Header with 'remove header' option
671579	2-Critical		Macro and macrocall creation issues when policy is in folder
667594	2-Critical		Rewrite plugin could crash on rewriting of some URLs in POST data
666454	2-Critical		Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update
664758	2-Critical		URLDB SIGFPE - 'urldb tcl result not overwritten'
663506	2-Critical	K30533350	apmd crash during ldap cache initialization
660711	2-Critical	K05265457	MCPd might crash when user trying to import a access policy
658462	2-Critical	K10251490	Portal Access: tmm may crash if web application uses long cookie names and/or values
655507	2-Critical	K50080455	Rewrite may crash on empty values in Headers list of Portal Access Resource Item configuration
653771	2-Critical		tmm crash after per-request policy error
652799	2-Critical		When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.
652004	2-Critical	K45320415	Show /apm access-info all-properties causes memory leaks in tmm
651229	2-Critical	K14429395	tmm may restart when SAML SLO is initiated by SP using redirect binding
650450-1	2-Critical		After upgrade to v13.0.0, users may be met with a javascript error on the logon page or other APM pages
649234	2-Critical		TMM crash from a possible memory corruption.
645203	2-Critical	K72361514	Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group★
639929	2-Critical		Session variable replace with value containing these characters ' " & < > = may case tmm crash
637308	2-Critical		apmd may crash when HTTP Auth agent is used in an Access Policy
636044	2-Critical		Large number of glob patterns affects custom category lookup performance
634576-1	2-Critical	K48181045	TMM core in per-request policy
633349-1	2-Critical		localdbmgr hangs and eventually crashes
630062	2-Critical		gnome-software throws error "This file is not supported" for F5EPI and F5VPN RPMs on Fedora 25
626056	2-Critical		Apmd crashes when using iRule in clientless mode
592611	2-Critical		Some Access Policy sessions may not be sent over High Speed Logging destinations.
570841	2-Critical		Cannot create or edit a new document from SharePoint 2013 ribbon buttons via Portal Access
452321	2-Critical		APM does not support more than one traffic group with different HA order
435419-1	2-Critical	K10402225	Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.
426844	2-Critical	K10354385	In Admin UI, import of CSV file with users very slow to process complete CSV.
679460	3-Major		User's timezone is not reflected when accessing Vmware Horizon desktop using Horizon HTML5 Client
678976	3-Major	K24756214	Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.
678001	3-Major		Websso crash due to uninitialized member in websso context object while processing a log message
677058	3-Major		Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text
676690-1	3-Major		Windows Edge Client sometimes crashes when user signs out from Windows
676300	3-Major		EPSEC binaries may fail to upgrade in some cases★
675597	3-Major		APM may prematurely close client-side RD Gateway connections on server-side disconnect
675399	3-Major	K14304639	Network Access does not work when empty variables are assigned for WINS and DNS
675340	3-Major		Portal Access: non-breaking space and soft hyphen characters in JavaScript code are handled correctly
675319	3-Major		Multiple client-policy objects can be added to a connectivity profile using TMSH
675085	3-Major		When BIG-IP as SAML IdP is configured to create large assertions, occasionally BIG-IP will not send entire assertion as part of the HTTP response to the client
674593	3-Major		APM configuration snapshot takes a long time to create
674410	3-Major		AD auth failures due to invalid Kerberos tickets
672818	3-Major		When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established
672040	3-Major		Access Policy Causing Duplicate iRule Event Execution
671892	3-Major		AD Auth/Query may fail when cross-domain option is requested
671883	3-Major		[APM] Ping Access Agent does not correctly handle HTTP request with invalid version
671880	3-Major		[APM] Ping Access Agent's internal request processing state needs improvement
671151	3-Major	K40135424	Public route to excluded DNS resolved IP addresses is not added if user connects to VPN quickly after a disconnect and DNS relay proxy is running
671149	3-Major		Captive portal login page is not rendered until it is refreshed
670918	3-Major		Flash AS3 wrappers should have an additional check for the activation object
670910	3-Major		Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined
670709	3-Major	K14321598	ping_access_agent process may silently restart when BIG-IP VE is installed on appliance with over 24 CPU cores
670583	3-Major		EdgeClient does not failover when primary APM server goes down
670456	3-Major		Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number
670367	3-Major	K39391280	On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.
669459	3-Major		Efect of bad connection handle between APMD and memcachd
669154	3-Major		Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.
669153	3-Major		On demand cert authentication does not work with Linux CLI client
669021	3-Major		Application Tunnel fails to start with the following message: Failed, Couldn't open proxy server.
668623	3-Major	K85991425	macOS Edge client fails to detect correct system language for regions other than USA
668532	3-Major		Cached stale Kerberos tickets can cause auth failures.
667763	3-Major		APM Network Tunnel not connecting when Virtual Server has Application DoS profile
667577	3-Major		Access profile 'Restrict to Single Client IP' setting not enforced with DTLS tunnel
667382	3-Major		Unable to highlight and copy session ID from Active Sessions
666783	3-Major	K11974816	svpn goes into a reconnect loop when another adapter is connected after VPN is connected.
666689	3-Major		Occasional "profile not found" errors following activate access policy
666285	3-Major		TIN cookie value is sent as a negative integer when Max session timeout and Inactivity timeout are set to more than 24 days in access policy.
666058	3-Major		XenApp 6.5 published icons are not displayed on APM Webtop
665611	3-Major	K36337390	Cannot create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination
665416	3-Major		Old versions of APM configuration snapshots need to be reaped more aggressively if not used
664507	3-Major		When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration
664344	3-Major		DNS resolution fails for certain hostnames On Win10 when DNS relay proxy is present and IP filtering engine is enabled for split tunnel config with no DNS include scope.
663127	3-Major		Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.
662639	3-Major		Policy Sync fails when policy object include FIPS key
660868	3-Major		Resets after adding URL Branching item
659371	3-Major		apmd crashes executing iRule policy evaluate
658852	3-Major		Empty User-Agent in iSessions requests from APM client on Windows
658664	3-Major	K21390304	VPN connection drops when 'prohibit routing table change' is enabled
655146	3-Major		APM Profile access stats are not updated correctly
654513	3-Major	K11003951	APM daemon crashes when the LDAP query agent returns empty in its search results.
654508	3-Major		SharePoint MS-OFBA browser window displays Javascript errors
654485	3-Major	K85549136	Portal Access: Same-origin AJAX rquest may fail if response contains non-wildcard Access-Control-Allow-Origin header
654046	3-Major		BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.
654003	3-Major	K03540372	Portal Access incorrectly prefers charset from meta tag over the value from header
653842	3-Major		OPSWAT inspect checks now supports privilege elevation
653324	3-Major	K87979026	On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly
652910	3-Major		Native RDP published on webtop does not connect if allowed vlans specified explicitly
652442	3-Major		Portal Access might incorrectly rewrite certain JavaScript constructor calls
651947	3-Major		Token validate response session variables created with no prefix might collide with other session variables.
651910	3-Major		When we upgrade from 12.* to 13.0+ you cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI
649929	3-Major		saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it
649613	3-Major		Multiple UDP/TCP packets packed into one DTLS Record
649342	3-Major		No port configuration on the OAuth Client agent redirection uri
648083	3-Major	K83700745	Argument of indirectly referenced eval() was not rewritten
648060	3-Major	K85067418	EdgeClient locked mode exclusion list admin UI doesn't allow underscore character
648053	3-Major		Rewrite plugin may crash on some JavaScript files
647706	3-Major		iOS RDP client fails to connect to RD Connection Broker via APM's Native RDP resource
647645	3-Major		Accessing SAML Resource may cause reset connection when SSO on access profile contains v1 (NTLM, form based) configuration
647091	3-Major		EPSEC installation failure reason is not logged in certain conditions.
646928	3-Major		Landing URI incorrect when changing URI
645684	3-Major		Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.
643547	3-Major	K43036745	APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP
643457	3-Major		Config load failure with connectivity resource name the same as a SAML Resource★
643053	3-Major		Mac OS X Edge client fails to reconnect in some rare cases
642926	3-Major		Increased MySQL Memory usage when APM is provisioned on lower-end systems.
641126	3-Major		Edge Client now can launch administrator-defined script on session termination
640924	3-Major		On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly
640298	3-Major	K54188582	iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with iRule event agent without assigned webtop resource.
639288	3-Major		OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately.
639283	3-Major		Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate
638799	3-Major		Per-request policy branch expression evaluation fails
637745	3-Major		Edge client may terminate session sooner than what is specified in inactivity timeout
636866	3-Major		OAuth Client/RS secret issue with export/import
636160	3-Major	K21310670	Clicking on the Validation timeout and Idle Timeout column headers would result in an error
635999	3-Major		Portal Access: URL with backslashes in query/fragment parts may not work correctly
635972	3-Major		Missing icons from custom fonts
633384	3-Major		AD/LDAP Resource Mapping should match against group name with trailing comma
632958	3-Major		APM MIB gauges not reset on standby device
632504	3-Major	K31277424	APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list
632499	3-Major	K70551821	APM Policy Sync: Resources under webtop section are not sync'ed automatically
630961	3-Major		Sorting Policy Sync's 'Static' or 'Dynamic' list of objects based on their 'LSO' or 'Dynamic' attribute, leads to unexpected behavior
630699	3-Major		Preserve original umask of /etc/hosts file
629921	3-Major		[[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.
629411	3-Major		OAuth Client/RS and Authorization Server don't work together on the same BIG-IP
629069	3-Major		Portal Access may delete scripts from HTML page in some cases
627063	3-Major		Browser will be stuck on 'checking endpoint status' in some cases
626894	3-Major		Portal Access may determine end of HTML SCRIPT tag incorrectly
626890	3-Major		Portal Access: URLs in CSS image-set() function may not work correctly
626641	3-Major		CLI VPN client crashes when HOME environment variable is not defined
625165	3-Major		Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.
622304	3-Major	K52854041	Windows command line client cannot connect if Edge client is running and disconnected
621976	3-Major		OneDrive for Business thick client shows javascript errors when rendering APM logon page
621974	3-Major		Skype For Business thick client shows javascript errors when rendering APM logon page
621682	3-Major		Portal Access: problem with specific JavaScript code
620280	3-Major		Some parts of Portal Access client may cause performance issues on rewritten pages
616104	3-Major		VMware View connections to pool hit matching BIG-IP virtuals
610582	3-Major		Device Guard prevents Edge Client connections
601978	3-Major		APM does not support Dell/Wyse ThinOS client for VMware View access
601936	3-Major		VPN client session hangup cause reported as unknown_error
600178	3-Major		Support for ProtocolBinding and ProviderName attributes in SAML 2.0 Authentication Requests
594775	3-Major		Include <AttributeConsumingService> in SP metadata
583272	3-Major		"Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth
575733	3-Major		Support launching native RDP client from APM Webtop on iOS
572567	3-Major		Portal Access: JavaScript errors accessing MS SharePoint 2010 / 2013 / 2016 in Internet Explorer 11
572519	3-Major		More than one header name/value pair not accepted by ACCESS::respond
566553	3-Major		Support two factor authentication for Citrix Receiver for Windows
550547	3-Major		URL including a "token" query fails results in a connection reset
549622	3-Major		Cannot launch Horizon RDS applications with the HTML5 client
539075	3-Major		Client side checks on CentOS 7 don't work.
534008	3-Major		[Portal Access] Server-side URL parser does not recognize URLs with HTML entities in scheme part
449427	3-Major		BIG-IP as IdP does not support Attribute Name Format Identifiers
445501	3-Major		Only one delegation account supported for Kerberos SSO for a same domain
438572-1	3-Major		Support Email-Based Account Discovery through BIG-IP APM
427028	3-Major		Support Citrix or VMware view resources launch client selection prompt
422525	3-Major		Portal Acccess resources with proxy require hostnames to be resolvable to BIG-IP
417819	3-Major	K69046914	APM - when Edge Clients, some JS contents are different causing warning
386996	3-Major		Client detection does not work for new browsers and always Download client prompt is shown
667304	4-Minor		Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled
664778	4-Minor		Text in 'About BIG-IP Edge Client' cannot be copied using mouse or keyboard selection
662682	4-Minor		F5 EPI and F5 VPN cannot be downloaded on some older Firefox version like 31.7
651828	4-Minor		[Chrome] Web application's pop up window is blank
645750	4-Minor	K85023830	EdgeClient doesn't notify the user when it's time to interact with the logon page.
640521	4-Minor		EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices
636254	4-Minor		Cannot reinitiate a sync on a target device when sync is completed
624181	4-Minor		Preserve original ownership of /etc/hosts file
589367	4-Minor		Some Edge Client's German translations are incorrect
579932	4-Minor		[Portal Access] Web-applications can't set cookies with expiration date after 07 Feb 2106
556780	4-Minor		Portal Access should ignore incorrect IE-specific cookies with empty name and value
535340	4-Minor		Confusing message in edge client logs
498524	4-Minor		[Portal Access] Server-side URL parser interprets &# in URL as HTML entity in any case

Wan Optimization Manager Fixes

ID Number	Severity	Solution Article(s)	Description
644970	2-Critical		Editing a virtual server config loses SSL encryption on iSession connections
644489	3-Major	K14899014	Unencrypted iSession connection established even though data-encrypt configured in profile
636693	3-Major		The WCCP client source-ip mask may now be configured.

Service Provider Fixes

ID Number	Severity	Solution Article(s)	Description
669739	2-Critical		Potential core when using MRF SIP with SCTP
664535	2-Critical		Diameter failure: load balancing fails when all pool members use same IP Address
659173	2-Critical	K76352741	Diameter Message Length Limit Changed from 1024 to 4096 Bytes
640407	2-Critical	K41344483	Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF
639236	2-Critical	K66947004	Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute
673814-1	3-Major	K37822302	Custom bidirectional persistence entries are not updated to the session timeout
669978	3-Major		SIP monitor - Via header's branch parameter collision.
662364	3-Major		MRF DIAMETER: IP ToS not passing through with DIAMETER
651886	3-Major		Certain FIX messages are dropped
649933	3-Major		Fragmented RADIUS messages may be dropped
647803	3-Major		Multiple requests from server may cause RTSP connection to stall
647158	3-Major	K76581555	Internal virtual server inherits CMP hash mode from parent virtual server
645148	3-Major		MRF Diameter: persistence entry not created if message routed via iRule command
644565	3-Major		MRF Message metadata lost when routing message to a connection on a different TMM
642298	3-Major		Unable to create a bidirectional custom persistence record in MRF SIP
642211	3-Major		Warning logged when GENERICMESSAGE::message drop iRule command used
640384	3-Major		New iRule options for MR::message route command
634078	3-Major		MRF: Routing using a virtual with SNAT set to none may select a source port of zero
629663	3-Major	K23210890	CGNAT SIP ALG will drop SIP INVITE
625542	3-Major		SIP ALG with Translation fails for REGISTER refresh.
624155	3-Major		MRF Per-Client mode connections unable to return responses if used by another client connection
620929	3-Major		New iRule command, MR::ignore_peer_port
620759	3-Major		Persist timeout value gets truncated when added to the branch parameter.
608927-1	3-Major		SIP Parser logging improvements
608635	3-Major		SIP ALG not compatible with LSN PBA mode
601957	3-Major		Message Routing SIP ALG with Address Translation doesn't support LSN iRule Commands
590091	3-Major	K79075081	Single-line Via headers separated by single comma result in first character second header being stripped.
401815	3-Major		IP ToS not passing through with SIP LB
353229	3-Major	K54130510	Buffer overflows in DIAMETER code
651640	4-Minor		queue full dropped messages incorrectly counted as responses
645490	4-Minor		profile_clientssl should not be used with a transport-config
641587	4-Minor	K81048052	request-adapt or response-adapt should be disabled by HTTP::disable
632658	4-Minor		Enable SIP::persist command to operate during SIP_RESPONSE event
617690	4-Minor		enable SIP::respond iRule command to operate during MR_FAILED event
566565	4-Minor		ADAPT could time out during sending to IVS with no preview

Advanced Firewall Manager Fixes

ID Number	Severity	Solution Article(s)	Description
456376	1-Blocking		BigIP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32
679440	2-Critical	K14120433	MCPD Cores with SIGABRT
671052	2-Critical		AFM NAT security RST the traffic with (FW NAT) dst_trans failed
670400-2	2-Critical		SSH Proxy public key authentication can be circumvented in some cases
666221	2-Critical		tmm may crash from DoSL7
664625	2-Critical	K08041607	Connection resets on Virtual Server with APM Access Profile and ASM Security Policy
655470-1	2-Critical	K79924625	IP Intelligence logging publisher removal can cause tmm crash
652278	2-Critical		dwbld memory leak when AFM/ASM is provisioned
651001	2-Critical		massive prints in tmm log: "could not find conf for profile crc"
638495	2-Critical		Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile
622204	2-Critical	K14141640	If a virtual server's name has a "." in it then a DoS profile cannot be attached to it
558865	2-Critical	K45262411	Overlapping of address are not allowed on firewall NAT policy match side
680244	3-Major		Unable to force Bot Defense action to captcha_challenge in iRule for Suspicious Browsers
666112	3-Major		TMM 'DoS Layer 7' memory leak during config load
663770-1	3-Major	K04025134	AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server
663748	3-Major		tmm might crash if AFM DoS address-list whitelist is present in sPVA HW platforms
657708	3-Major	K50308190	Packet Tester is still available in the GUI when AFM is not provisioned
653425	3-Major		Warning message "Windows Media Player Extension" appears on some IE browsers
651961	3-Major		AVR is not called for DNS packets when AFM is not provisioned.
651395	3-Major	K30953380	DoS Network, SIP and DNS logs in the GUI do not show destination address and port
650010	3-Major		Improve the detection of browsers used for web scraping
646782	3-Major		AFM TCP push flood DoS vector is not working with DoS auto detection
644855	3-Major		irules with commands which may suspend processing cannot be used with proactive bot defense
643752	3-Major		Specific configuration change sequence crashes TMM
638219-1	3-Major		L4 BDoS incorrectly learns traffic after learning period in learn-only mode
633454	3-Major		Older versions of Chrome get blocked when Proactive Bot Defense is enabled.
632388	3-Major		Sync all autodos history files from active to standby units every 5 mins
630045	3-Major		Microsoft Edge 14 on Windows 10 mobile device may collect incorrect Device ID
629674	3-Major		FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
627747-4	3-Major		Improve cURL Usage
624777	3-Major		Reducing the response time of the Device ID collection
618773	3-Major		Improve the detection of malicious browsers
611440	3-Major		AFM NAT does not support Proxy ARP for Source Translation Addresses
596924	3-Major		Bot signatures are not reported in the PBD log when the PBD is turned off
519612	3-Major		JavaScript challenge fails when coming within iframe with different domain than main page

Policy Enforcement Manager Fixes

ID Number	Severity	Solution Article(s)	Description
670096	2-Critical		TMM may crash when a DHCP virtual server is used with an iRule involving SERVER_DATA event and TCL 'after' command.
668252	2-Critical	K22784428	TMM crash in PEM_DIAMETER component
658261	2-Critical		TMM core after HA during GY reporting
658148	2-Critical		TMM core after intra-chassis failover for some instances of subscriber creation
657632	2-Critical		Rarely if a subscriber delete is performed following HA switchover, tmm may crash
654164	2-Critical		Active flows are aborted/torn down after PEM is disabled.
653285	2-Critical		PEM rule deletion with HSL reporting may cause tmm coredump
652973	2-Critical		Coredump observed at system bootup time when many DHCP packets arrived at BigIP
650422	2-Critical		TMM core after a switchover involving GY quota reporting
643783	2-Critical		TMM crash when sweeper in aggressive mode touches a Tcl execution Diameter connflow.
628311	2-Critical	K87863112	Potential TMM crash due to duplicate installed PEM policies by the PCRF
626851	2-Critical	K37665112	Potential crash in a multi-blade chassis during CMP state changes.
678822	3-Major		Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed
678714	3-Major		After HA failover, subscriber data has stale session ID information
675928	3-Major		Periodic content insertion could add too many inserts to multiple flows if http request is outstanding
674686	3-Major		Periodic content insertion of new flows fails, if an outstanding flow is a long flow
673823	3-Major		Web UI: Unlicensed Configuration Warning for DHCP Relay configuration★
673683	3-Major		Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener
673678	3-Major		Periodic content insertion fails, if http request/response get interleaved by second subscriber http request
673472	3-Major		After classification rule is updated, first periodic Insert content action fails for existing subscriber
659567	3-Major		iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions
652052	3-Major		PEM:sessions iRule made the order of parameters strict
641482	3-Major		Subscriber remains in delete pending state until CCR-t ack has success as result code is received
640457	3-Major		Session Creation failure after HA
639486	3-Major		TMM crash due to PEM usage reporting after a CMP state change.
638594	3-Major		TMM crash when handling unknown Gx messages.
636633	3-Major		DHCP: DHCP PEM sessions are not cleared (until idle timeout) after ip release from client in some cases
635257	3-Major	K41151808	Inconsistencies in Gx usage record creation.
635233	3-Major		Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages
634015	3-Major		Potential TMM crash due to a PEM policy content triggered buffer overflow
630611	3-Major	K84324392	PEM module crash when subscriber not fund
403866	3-Major		PEM Data plane listeners when created with cmp-hash not equal to src-ip may break PEM functionality
398416	3-Major		Volume threshold and time threshold support in Gx reporting
653502	4-Minor	K48133828	Web UI: User not able to configure RADIUS profile for a Virtual Server when only LTM is provisioned
651861	4-Minor		GUI: When configuring Gx protocol profile message, not able to keep Subscriber Attribute value empty.
638573	4-Minor		SPM and Subscriber Management profile modifications are incorrectly allowed at the PEM Data plane listener level.
633582	4-Minor		UI: TMSH - Classification, URL categorization and Flow criteria options must not be allowed to be configured for PEM rule when tethering detection is enabled
628869	4-Minor		Unconditional logs seen due to the presence of a PEM iRule.
617578-3	5-Cosmetic		Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware

Carrier-Grade NAT Fixes

ID Number	Severity	Solution Article(s)	Description
663531	2-Critical		TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel
663333	2-Critical		TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high
628781	2-Critical		CGNAT: Inbound NAT session logs may not log delete event after a blade failover
462507	2-Critical		CGNAT PBA mode when setting block lifetime timeouts, may not be able to terminate SIP-ALG media flows
667662	3-Major	K06579313	Autolasthop does not work for PPTP-GRE traffic.
663974	3-Major		TMM crash when using LSN inbound connections
633400	3-Major		Deterministic NAT configuration log may be truncated
629871	3-Major		FTP ALG deployment should not rewrite PASV response 464 XLAT cases
513968	3-Major		CGNAT hairpin connections using multiple route-domains are not supported
667295	4-Minor	K51601122	'RTSP::header exists' iRule command always returns True

Wan Optimization Fixes

ID Number	Severity	Solution Article(s)	Description
673463	2-Critical		SDD v3 symmetric deduplication may start performing poorly after a failover event

Fraud Protection Services Fixes

ID Number	Severity	Solution Article(s)	Description
669364	2-Critical		TMM core when server responds fast with server responses such as 404.
664650	2-Critical		Real time encryption on non-password fields
682671	3-Major		The username is updated in the alert dashboard even if login validation fails.
678757	3-Major		Encrypted field sometimes send the field value
678467	3-Major		Incorrect alert details when XMLHttpRequest's timeout is smaller than timeout configured
674909-2	3-Major		Application CSS injection might break when connection is congested
669851	3-Major		JSON encryption cannot be configured for URI's with custom ports
667872	3-Major		Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports
667034-2	3-Major		Keylogger protection is incompatible with the jQuery plugin "capslockstate".
659522	3-Major		Support combination of real-time and on-submit encryption
658315	3-Major		WebSafe Login Validation may break response
657965	3-Major		Reassess encryption health after encrypted ajax is sent
657502	3-Major		JS error when leaving page opened for several minutes
652260	3-Major		Enhanced data integrity alerts should not contain username value
633445	3-Major		False-Positive Data Integrity alert is sent when user credentials are "auto-filled"
628337-3	3-Major		Forcing a single injected tag configuration is restrictive
627656	3-Major		BIG-IP alerts contains proxy IP instead of client IP
643602	4-Minor		'Select All' checkbox selects items on hidden pages
640006	4-Minor		Unable to add bait using the GUI if baits already added via tmsh
639750	4-Minor		username aliases are not supported
639411	4-Minor		Explicit URLs are shown if Wildcard URLs Order is on.
637664	4-Minor		Vector (multi-options) lists values are not inherited if parent profile is changed.
634257	4-Minor		Missing Strong Integrity Parameter alert score is always 0
632546	4-Minor		Window.error handler is called when alert size is too large
610897	4-Minor		FPS generated request failure throw "unspecified error" error in old IE.

Global Traffic Manager (DNS) Fixes

ID Number	Severity	Solution Article(s)	Description
667028	2-Critical		DNS Express does not run on i11000 platforms with htsplit disabled.
649564	2-Critical		Crash related to GTM monitors with long RECV strings
645615	2-Critical		zxfrd may fail and restart after multiple failovers between blades in a chassis.
642039	2-Critical		TMM core when persist is enabled for wideip with certain iRule commands triggered.
677526	3-Major		Memory leak may occur during connflow failures.
675539	3-Major		Inter-system communications targeted at a Management IP address might not work in some cases.
671326	3-Major	K81052338	DNS Cache debug logging might cause tmm to crash.
669262	3-Major	K91122850	[GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record
666258	3-Major		GTM/DNS manual resume pool member not saved to config when disabled
665347	3-Major	K17060443	GTM listener object cannot be created via tmsh while in non-Common partition
663073	3-Major		GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.
659912	3-Major	K81210772	GSLB Pool Member Manage page display issues and error message
656807	3-Major		iRule DNS::ttl does not allow 0 (zero)
655807	3-Major	K40341291	With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score
655445	3-Major		Provide the ability to globally specifiy a DSCP value.
655233	3-Major	K93338593	DNS Express using wrong TTL for SOA RRSIG record in NoData response
654599	3-Major	K74132601	The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed
653775	3-Major	K05397641	Ampersand (&) in GTM synchronization group name causes synchronization failure.
652848	3-Major		TCP DNS profile may impact performance
651875	3-Major		GSLB Server properties page should show the iQuery section when type is BIG-IP System
650292	3-Major		DNS transparent cache can return non-recursive results for recursive queries
648766	3-Major	K57853542	DNS Express responses missing SOA record in NoData responses if CNAMEs present
648286	3-Major		GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.
644447	3-Major		sync_zones script increasingly consumes memory when there is network connectivity failure
640903	3-Major		Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen
637227	3-Major	K60414305	DNS Validating Resolver produces inconsistent results with DNS64 configurations.
636853	3-Major		Under some conditions, a change in the order of GTM topology records does not take effect.
636790	3-Major		Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.
625565	3-Major		SSL error message is missing important information
615222	3-Major	K79580892	GTM configuration fails to load when it has gslb pool with members containing more than one ":"★
366695	3-Major		Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed
659969	4-Minor		tmsh command for gtm-application disabled contexts does not work with none and replace-all-with
648806	4-Minor		Invalid "with the first highest ratio counter" logging for pool member ratio load balance
646615	4-Minor		Improved default storage size for DNS Express database
644220	4-Minor		Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page
638170	4-Minor	K36455356	Pagination broken or missing while viewing pool statistics for GTM wideip
644817	5-Cosmetic		Unexpected behaviour during a DNS(GTM) server creation with wrong option in product field: nullGeneral database error.

Anomaly Detection Services Fixes

ID Number	Severity	Solution Article(s)	Description
617324	3-Major		Service health calculation creates unjustified CPU utilization
653573-3	4-Minor		ADMd not cleaning up child rsync processes

Traffic Classification Engine Fixes

ID Number	Severity	Solution Article(s)	Description
648786	2-Critical		TMM crashes when categorizing long URLs
649441	3-Major		Classification memory allocation
628646	3-Major		Debug Messages for libcec.so library Hitless Upgrade

Device Management Fixes

ID Number	Severity	Solution Article(s)	Description
667661-1	3-Major	K69015104	Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'
654764	3-Major		iControl REST cannot stay in sync if /config/f5-rest-device-id is identical on each device
651951	3-Major	K32065842	Failure to use REST services on BIG-IP without 'admin' user
642983	3-Major	K94534313	Update to max message size limit doesn't work sometimes
629491	4-Minor		REST token storage improvement
619397-1	4-Minor	K04055706	LCD shows error screen on boot or after license expires

iApp Technology Fixes

ID Number	Severity	Solution Article(s)	Description
665778	2-Critical	K34503519	Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.
632060	3-Major		restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

 

Cumulative fix details for BIG-IP v13.1.0 that are included in this release

693211-1 : CVE-2017-6168

Solution Article: K21905460

---

684879 : Malformed TLS1.2 records may result in TMM segmentation fault.

Solution Article: K02714910

---

683177 : Can't drilldown or filter by 'Client Countries'

Component: Application Visibility and Reporting

Symptoms:
When drilling down or filtering by 'Client Countries' (Security :: Reporting : Application : Charts) there is an error in the GUI.

Conditions:
-- ASM is provisioned.
-- Attempt to drill down or filter by 'Client Countries'.

Impact:
Internal Error is displayed in the GUI.

Workaround:
1. Edit file: /etc/avr/monpd/monp_asm_entities.cfg.
2. Delete line 171: (dim_authz_filter=vip_crc).
3. Issue the command: bigstart restart monpd.

Fix:
Drilling down or filtering results by 'Client Countries' works as expected.

---

682682 : tmm asserts on a virtual server-to-virtual server connection

Component: Local Traffic Manager

Symptoms:
tmm might crash when using a virtual server-to-virtual server connection, and that connection has a TCP profile with keepalive configured.

Conditions:
-- L7 virtual server-to-virtual server connection (Virtual command, cpm rule, etc.).
-- TCP profile with keepalive configured.
-- (Deflate profile.)
-- At the beginning of the connection, there is a stall for longer than the specified keepalive timer interval.
-- The received response decompresses to a size that is greater than the advertised window size on the first virtual server's TCP stack.

Impact:
Shortly after the keepalive packet is received, which then is decompressed, the assert is triggered, and tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Remove keepalive from the TCP profiles of the two virtual servers involved.

Fix:
The system now honors the current receive window size when sending keepalives, so the tmm crash no longer occurs.

---

682671 : The username is updated in the alert dashboard even if login validation fails.

Component: Fraud Protection Services

Symptoms:
The username is updated in the alert dashboard even if login validation fails.

Conditions:
This occurs when the following conditions are met:
 -- 'trigger iRule' is enabled on the FPS profile.
 -- ANTIFRAUD::username <user> command is used in the ANTIFRAUD_LOGIN Tcl event.
 -- 'login validation' is enabled on the FPS profile.

Impact:
The new username will be updated in previous alerts in the alert dashboard.

Workaround:
Use the ANTIFRAUD::username <user> command only if ANTIFRAUD::result is SUCCESS.

Note: Reports to the risk engine will not contain the new username.

Fix:
FPS uses the new username but does not set the username cookie. This is correct behavior.

---

682482 : LTM Policy with 'requires {ssl-persistence}' load issue resolved in 13.1.0★

Component: Local Traffic Manager

Symptoms:
There was an LTM Policy with 'requires {ssl-persistence}' that was found and fixed during v13.1.0 project development.

Note: Because this issue was fixed in v13.1.0 before release, you will not encounter this issue; this release note is included to track the Behavior Change.

Conditions:
LTM policy that has 'requires {ssl-persistence}'.

Impact:
Configuration load fails.

Note: This occurs only in internal releases and was never included in an external release.

Workaround:
Change the configuration and load it manually.
- If policy is active for the ssl-client-hello event, change ssl-persistence to client-ssl.

- If policy is active for the ssl-server-handshake event, change ssl-persistence to server-ssl.

- If policy is active for both ssl-client-hello and ssl-server-handshake events, change ssl-persistence to client-ssl - server-ssl.

Fix:
13.1.0 configurations with policies that 'require {ssl-persistence}' are migrated successfully.

Behavior Change:
Beginning in v13.1.0, LTM Policy supports many more framework events than before, and certain 'requires' aspects had to be replaced. In previous releases, ssl-persistence was used for client-side and server-side events. Now policies that contain client SSL or server SSL will have specific 'requires' aspect for that side.

Here are some examples of how the values changed:
- If policy is active for the ssl-client-hello event, ssl-persistence should be client-ssl.

- If policy is active for the ssl-server-handshake event, ssl-persistence should be server-ssl.

- If policy is active for both ssl-client-hello and ssl-server-handshake events, ssl-persistence should be client-ssl - server-ssl.

When updating LTM policies that already contain these values, the system changes them as follows:

-- The system changes the 'requires' stanza to client-ssl, if policy condition or action references these events:
    - ssl-client-hello
    - ssl-client-serverhello-send

-- The system changes the 'requires' stanza to server-ssl, if policy condition or action references these events:
    - ssl-server-hello
    - ssl-server-handshake
    
-- The system changes the 'requires' stanza to reflect both client-ssl and server-ssl, if the policy condition or action references both a client and a server event:
    - client-ssl server-ssl

---

682043-1 : Chrome v60 and newer might incorrectly report that F5 VPN and F5 EPI status

Solution Article: K41041660

Component: Access Policy Manager

Symptoms:
Chrome v60 and newer might incorrectly report that F5 VPN and F5 EPI applications have not provided any status update to the browser. However, both applications are being launched and function properly.

Conditions:
Chrome v60 and newer on Microsoft Windows, Apple Macintosh, or Linux-based systems.

Impact:
F5 VPN: the webtop displays the following message:
 Waiting for Network Access Application status.

VPN or Application Tunnels work properly, and the APM end user may safely close the message box.

F5 EPI: the webtop displays the following message:
 Waiting for Endpoint Inspection status.

The latter message never goes away; however, F5 EPI applications are launched and function properly, and Security checks are performed in the background. Unless the APM end user refreshes the browser screen, the Access Policy never moves forward, causing browser never to refresh the page.

Workaround:
Use another browser: Internet Explorer 11, Microsoft Edge, Mozilla Firefox, or Safari, as available.

If using F5 EPI, refreshing the page after a one-minute since the check start should advance the position in the Access Policy, allowing the APM end user to properly log in.

Fix:
Now Chrome v60 and newer properly gets F5 VPN and F5 EPI application updates from the BIG-IP system, so this issue no longer occurs.

---

681377 : The BIG-IP system sends out SYN/ACK with MSS 0 in VLAN syncookie protection mode on some platforms

Component: TMOS

Symptoms:
A firmware issue exists on certain platforms that will result in SYN/ACK packets with an MSS filed with a value of 0, even though TMOS sets it to a different value.

Conditions:
Hardware syncookie is enabled on a VLAN that is under SYN flood attack and the syncookie protection is triggered. This occurs on the following platforms: BIG-IP series 5000, 7000, and 10000 platforms, and VIPRION B2100, B2150, B2250, and B43x0 blades.

Impact:
Most TCP clients can handle these SYN/ACK packets gracefully, but some clients (such as Ixia traffic-test appliances) may not be able to handle them properly, thus impacting traffic.

Workaround:
Turn off hardware VLAN syncookie protection if regular TCP traffic is impacted.

Fix:
In 13.1.0, the per-VLAN-based syncookie protection will be disabled in the data plane BIG-IP series 5000, 7000, and 10000 platforms, and VIPRION B2100, B2150, B2250, and B43x0 blades.

---

681109 : BD crash in a specific scenario

Solution Article: K46212485

Component: Application Security Manager

Symptoms:
BD crash occurs.

Conditions:
A specific, non-default configuration with specific traffic.

The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.

For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
  Content-Type :: *xml* :: form-data

This configuration is likely to result in a very long list of false-positive attack signatures. Because of the big message generated, The regex violation which is also likely to happen on the payload cannot be added to the filled message, which causes the crash.

Impact:
Failover, traffic disturbance.

Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.

A correctly configured header-based-content-profile property on URLs appears as follows:

In URL Properties, the Header-Based Content Profiles section of the wildcard URL is by default applying the value and content signature. Here, you can associate Content-Type with <type-value> with <parser-type>. By default, the correct definitions are as follows:
 Content-Type :: *form* :: Form Data
 Content-Type :: *json* :: JSON
 Content-Type :: *xml* :: XML

Fix:
Added a check to prevent a crash in a specific scenario.

---

681081-1 : Running tmsh show commands may cause mcpd memory leak

Solution Article: K48366429

Component: TMOS

Symptoms:
mcpd memory utilization increases.

Conditions:
Periodically running tmsh show commands.

Impact:
Might cause mcpd memory leak, which might causes mcpd to restart, ultimately.

Workaround:
None.

Fix:
There is no longer a memory leak when running tmsh show commands.

---

680244 : Unable to force Bot Defense action to captcha_challenge in iRule for Suspicious Browsers

Component: Advanced Firewall Manager

Symptoms:
When a request is being blocked (tcp_rst) due to being a suspicious browser, the action cannot be forced to captcha_challenge in the iRule.

Conditions:
This occurs when a tcp_rst bot defense action is triggered on a suspicious browser, and you want to change the action to captcha_challenge.

Impact:
The bot defense action cannot be forced to 'captcha_challenge'. The TCP RST will still be sent.

Workaround:
Change the dosl7.browser_legit_min_score_drop db variable so that all suspicious browsers will be responded with the CAPTCHA challenge instead of getting blocked. To do so, run the following command:

tmsh modify sys db dosl7.browser_legit_min_score_drop value 999

Then, you can selectively block requests using the 'BOTDEFENSE::action tcp_rst' command in selected conditions.

Fix:
It is now possible to use BOTDEFENSE iRules to change the action of a Suspicious Browser from tcp_rst to captcha_challenge.

---

680145 : HA mirroring for flows without autolasthop cause a crash on the standby

Solution Article: K82484604

Component: Local Traffic Manager

Symptoms:
There is a tmm crash on a standby unit in a high availability (HA) configuration when fastL4 mirroring is configured and autolasthop is disabled.

Conditions:
FastL4 mirroring for flows without a lasthop, i.e. disabled autolasthop on the virtual server.

Impact:
tmm restarts on a standby device. No traffic is disrupted while tmm restarts on a standby device.

Workaround:
Enable autolasthop.

Fix:
tmm no longer restarts on a standby when fastL4 mirroring is configured and autolasthop is disabled.

---

679603 : bd core upon request, when profile has sensitive element configured.

Solution Article: K15460886

Component: Application Security Manager

Symptoms:
bd crash, system goes offline.

Conditions:
ASM provisioned.
-- ASM policy attached on a virtual server.
-- json profile configured with sensitive element.

Impact:
System goes offline/fails over.

Workaround:
Remove sensitive elements from the json profile in the ASM policy.

Fix:
ASM now handles this condition so the crash no longer occurs.

---

679480 : User able to create node when an ephemeral with the same IP already exists

Component: TMOS

Symptoms:
If an FQDN ephemeral node exists for a given IP address, the user is still able to create a real node for the same IP address.

Conditions:
This can only be done by the GUI, not by tmsh or iControl REST.

Impact:
This should be prevented, but is allowed.

Workaround:
Avoid creating such a node.

Fix:
Validation now prevents this from happening.

---

679460 : User's timezone is not reflected when accessing Vmware Horizon desktop using Horizon HTML5 Client

Component: Access Policy Manager

Symptoms:
Target Horizon virtual desktop does not reflect the timezone of the client machine from which the user is connecting

Conditions:
User accesses a Horizon virtual desktop using Horizon HTML5 client

Impact:
Target View virtual desktop does not reflect the timezone of the client machine that is connecting to it. This causes confusion if the user's tizmeone differs from the timezone of the Horizon desktop.

Workaround:
None

Fix:
With VMWare Integration, the target Horizon virtual desktop now correctly reflects the timezone of the client machine from which the user is connecting.

---

679440 : MCPD Cores with SIGABRT

Solution Article: K14120433

Component: Advanced Firewall Manager

Symptoms:
MCPD cores with SIGABRT.

Conditions:
This occurs while the dynamic white/black daemon (dwbld) processes auto-blacklisted IP addresses.

Impact:
MCPD core.

Workaround:
Run the following command:
tmsh modify sys db debug.afm.shun.notify_peers value disable

Fix:
MCPD no longer cores with SIGABRT if the auto-blacklisting feature is enabled.

---

679235-2 : Inspection Host NPAPI Plugin for Safari can not be installed

Component: Access Policy Manager

Symptoms:
Inspection Host NPAPI Plugin for Safari on macOS High Sierra can not be installed.

Conditions:
macOS High Sierra, Inspection Host Plugin package installation triggered.

Impact:
Inspection Host plugin cannot be installed, therefore, endpoint checks will not work.

Workaround:
There is no workaround at this time.

Fix:
Inspection Host NPAPI Plugin for Safari can now be installed successfully.

---

678976 : Do not print all HTTP headers to avoid printing user credentials to /var/log/apm.

Solution Article: K24756214

Component: Access Policy Manager

Symptoms:
VDI debug logs print user credentials to /var/log/apm.

Conditions:
VDI debug logs are enabled and VDI functionality is used on the virtual server.

Impact:
User credentials are written to /var/log/apm.

Workaround:
Set VDI debug level to Notice.

Fix:
The system no longer prints user credentials to VDI debug logs.

---

678822 : Gx/Gy stats display provision pending sessions if there is no route to PCRF or the app is unlicensed

Component: Policy Enforcement Manager

Symptoms:
If the PEM subscribers are brought up with diameter apps (Gx/Gy) configured and the PCRF is not reachable since there is no route or simply because there is no license configured for those apps. The Provision pending for sessions will get incremented and never rollback to zero even after the subscribers are cleaned up.

Conditions:
If the route to PCRF/OCS is missing or not reachable.

Impact:
Non-Zero stats for provision pending sessions

Workaround:
Disable the Gx/Gy profile if not required or configure the route.

Fix:
The system no longer increments the stats for diameter apps if the PCRF/OCS is not reachable, so this issue no longer occurs.

---

678757 : Encrypted field sometimes send the field value

Component: Fraud Protection Services

Symptoms:
Sometimes, in Microsoft Internet Explorer version 11 (IE11) mode 8, the encrypted parameter value sends only with the value, but without the name.

Conditions:
Using IE11 mode 8 with encrypted parameters.

Impact:
The application server will receive irrelevant data.

Workaround:
None.

Fix:
Remove the name attribute of the encrypted field

---

678714 : After HA failover, subscriber data has stale session ID information

Component: Policy Enforcement Manager

Symptoms:
After a failover in a high availability (HA) configuration, subscriber local data is populated with stale session id information

Conditions:
-- HA failover.
-- PEM subscriber.

Impact:
Subscriber data with stale session ID information might cause invalid reference to incorrect subscriber data.

Workaround:
None.

Fix:
Subscriber local data is now populated with new, generated session ID information.

---

678467 : Incorrect alert details when XMLHttpRequest's timeout is smaller than timeout configured

Component: Fraud Protection Services

Symptoms:
If XMLHttpRequest's timeout is less than the configured timeout, the system reports incorrect data in alerts.

Conditions:
Short timeout property in XMLHttpRequest's response.

Impact:
Wrong alert details.

Workaround:
None.

Fix:
Alert details are no longer incorrect when XMLHttpRequest's timeout is smaller than the timeout configured.

---

678456 : ZebOS BGP peer-group configuration not fixed up on upgrade★

Component: TMOS

Symptoms:
ZebOS BGP configuration failed to load from upgrade to 13.0.0.

Conditions:
When configuration specifies neighbor peer-group inside the address-family clause

Impact:
loading of ZebOS configuration after upgrade

Workaround:
Modify the ZebOS configuration to put the neighbor peer-group clause outside of the address-family clause

Fix:
The ZebOS configuration correctly orders the neighbor peer-group clause outside of the address-family clause, and loading of the BGP configuration after upgrade is successful.

---

678337 : Route Advertisement setting for virtual-address disabled after upgrade from pre-13.0.0 versions★

Component: Local Traffic Manager

Symptoms:
When Route Advertisement setting for virtual-address is enabled in a pre-13.0.0 configuration, it becomes disabled after upgrading.

Conditions:
-- Upgrading configuration containing an enabled Route Advertisement virtual-address setting.
-- Upgrading from 13.0.0 to a later version.

Impact:
The virtual-address route-advertisement setting will be incorrect after upgrading.

Workaround:
In TMSH, after an upgrade to 13.0.0, run the following command:

modify /ltm virtual-address /<partition>/<ip address> route-advertisement selective

Fix:
Route advertisement setting is now correctly upgraded.

---

678228 : Repeated Errors in ASM Sync

Solution Article: K27568142

Component: Application Security Manager

Symptoms:
If an error is encountered when building a full sync file for an ASM enabled Device Group, any future attempts at building a sync file will continue to fail.

Conditions:
An error such as a full disk or out of memory occurs when attempting to build a sync file for an ASM enabled Device Group

Impact:
Any future attempts at building a sync file will continue to fail.

Workaround:
Restart the ASM Config processes, or clear out /ts/var/sync.

Fix:
Remnants of failed sync files are now correctly cleaned up before building a new one.

---

678001 : Websso crash due to uninitialized member in websso context object while processing a log message

Component: Access Policy Manager

Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.

Conditions:
TMEVT_CLOSE event is received without receiving a request.

Impact:
Websso process crash.

Workaround:
None.

Fix:
Websso process no longer produces a crash in rare cases when trying to write a log message when no APM log setting applied.

---

677975-1 : SSL may cause the TMM to core when forging a certificate due to race condition

Solution Article: K59237122

Component: Local Traffic Manager

Symptoms:
In SSL-O environment, due to race condition, SSL may cause the TMM to core.

Conditions:
-- After server side completes the SSL handshake.
-- Client side SSL starts to forge a server certificate.

Impact:
Some contexts may be changed due to race condition. TMM might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes under these conditions.

---

677928 : A wrong source MAC address may be used in the outgoing IPsec encapsulated packets.

Component: TMOS

Symptoms:
A wrong source MAC address may be used in the outgoing IPsec encapsulated packets when the BIG-IP VE system is operated in Azure.

Conditions:
The BIG-IP VE system is first deployed in Azure with a single NIC. After the first reboot and then power off, a second NIC is added to the BIG-IP system. Then, an IPsec tunnel is configured to associate with a selfip on the second NIC.

Impact:
The Azure environment or a remote device may drop the outgoing IPsec encapsulated packets from the BIG-IP system because the source MAC address of the packets is wrong.

Fix:
The source MAC address of the outgoing IPsec encapsulated packets from the BIG-IP system is set correctly.

---

677526 : Memory leak may occur during connflow failures.

Component: Global Traffic Manager (DNS)

Symptoms:
Memory leak may occur during connflow failures.

Conditions:
Connflow failures occur.

Impact:
TMM memory usage grows.

Workaround:
None.

Fix:
Fixed TMM memory leak

---

677439 : FQDN ephemeral Node Address object naming change

Component: Local Traffic Manager

Symptoms:
In previous implementations of the FQDN feature (v11.6 through v13.0), ephemeral Node Address objects were tagged with a name including the FQDN that created them, for example, "www.f5.com-10.20.30.40".

The problem lies in the fact that a Node Address object may be referenced by more than one FQDN, if they happen to resolve to the same IP address.

Conditions:
This can be observed when viewing pool members for pools that contain FQDN nodes.

Impact:
Not only can it be confusing if an ephemeral Node Address object refers to an FQDN other than the one expected (because more than one FQDN may resolve to the same IP), but it may cause operational issues when the ephemeral node needs to be deleted.

Fix:
Starting in v13.1.0, ephemeral Node Address objects will be given generic names, e.g. "_auto_10.20.30.40". The linkage to the FQDN template node that created them will be logical, but not encoded in the node name.

This is largely a cosmetic change.

---

677400 : pimd daemon may exit on failover

Solution Article: K82502883

Component: Local Traffic Manager

Symptoms:
When multicast traffic is passing on a high availability (HA) pair, the pimd daemon on the unit that transitions to standby may exit and drop a core file.

Conditions:
-- Multicast routing configured.
-- PIM-Sparse Mode configured.
-- HA failover configuration.

Impact:
None. The system that goes active will reconverge, and multicast traffic will resume.

Workaround:
No workaround required.

Fix:
The pimd daemon no longer exits when an HA failover occurs.

---

677193 : ASM BD Daemon Crash

Component: Application Security Manager

Symptoms:
Under certain conditions the BD daemon used by ASM may crash

Conditions:
ASM enabled and processing traffic
More than 24 CPUs configured

Impact:
BD daemon restart, failover

Fix:
bd no longer crashes under these conditions.

---

677058 : Citrix Logon prompt with two factor auth or Logon Page agent with two password type variables write password in plain text

Component: Access Policy Manager

Symptoms:
Logon page agent with more than one password variable or Citrix logon prompt will log plain text password when debug logging is turned on for access policy.

Conditions:
This occurs when following conditions are met:

- Citrix Logon Prompt with two factor auth or Logon page agent with more than one password variable is added in the Access Policy.
- Access Policy logging is set to debug.

Impact:
APM logs plain text password when debug logging is turned on for access policy.

Workaround:
None.

Fix:
Password values are no longer written in APM logs when debug logging is enabled for access policy.

---

676982 : Active connection count increases over time, long after connections expire

Component: Local Traffic Manager

Symptoms:
- Number of active connections is increasing over time.
- Memory used by TMM increases over time.
- Potential TMM restart is possible.

Conditions:
This issue arises only when all the following conditions occur:
- Hardware is chassis type.
- There is more than one blade in service.
- A fastL4 profile is configured (e.g., using bigproto).
- SessionDB is used either by iRules or by native profile
  functionality.

Impact:
- Service may be impacted after a period.
- TMM instances may restart.

Workaround:
None.

Fix:
SessionDB-related accesses initiated via iRules are now properly cleaned up and no longer hang.

---

676914 : The SSL Session Cache can grow indefinitely if the traffic group is changed.

Component: Local Traffic Manager

Symptoms:
If there are entries in the SSL Session Cache, and the traffic group is changed, the cache might grow indefinitely.

Conditions:
-- SSL is configured.
-- Session cache has a limit on the number of entries. --
 After entries are made into the session cache, the traffic group is then changed.

Impact:
Eventually all memory will be consumed causing TMM to restart. Traffic disrupted while tmm restarts.

Workaround:
Disable the session cache.

As an alternative, after changing the traffic group, restart TMM.

Fix:
Changing the traffic group no longer causes the session cache to grow.

---

676904 : tmm may crash while printing VDI logging information

Component: Access Policy Manager

Symptoms:
tmm crashes and core dump is seen on /var/core/ directory.

Conditions:
VDI profile is attached to the virtual server.

Note: The crash might be more frequent if VDI debugging is enabled in Access profile log settings.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed the crash while using VDI profile attached to the virtual server.

---

676721 : Missing check for NULL condition causes tmm crash.

Component: Local Traffic Manager

Symptoms:
Missing check for NULL condition causes tmm crash.

Conditions:
One possible route involves load balancing failure, but there may be other paths leading to this crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM correctly checks for NULL condition to prevent the crash.

---

676705 : do not run agetty on VE without serial port

Component: TMOS

Symptoms:
The init process spawns the /sbin/agetty over and over, filling the log file daemon.log

Conditions:
VE without serial port

Impact:
high disk usage.

Workaround:
Change "respawn" to "off" in /etc/init/serial-ttySX.conf

Fix:
Serial ports are now correctly detected.

---

676690-1 : Windows Edge Client sometimes crashes when user signs out from Windows

Component: Access Policy Manager

Symptoms:
In rare cases Windows Edge Client may crash when user signs out from Windows

Conditions:
User signs out from Windows or restarts Windows while EdgeClient is running and VPN is established

Impact:
No functional impact, user see a message box with error block sign out process. When the user closes the message box, sign out process continues.

---

676300 : EPSEC binaries may fail to upgrade in some cases★

Component: Access Policy Manager

Symptoms:
Windows client may fail to upgrade endpoint security package in some cases. This happens due to a corrupted registration of old endpoint security components.

Conditions:
Corrupted registry entry related to endpoint security components.

Impact:
Client may not be able to upgrade to latest endpoint package hosted on APM.

Workaround:
Remove the following registry keys from the registry:

Note: Use extra care editing the registry. Only remove the following keys, and no others.


"HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_CLASSES_ROOT\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_CLASSES_ROOT\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"


"HKCU\SOFTWARE\Classes\Wow6432Node\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\CLSID\{2C8FFA64-E3F7-49AE-87C2-49018FDE3AEA}"
"HKCU\SOFTWARE\Classes\Wow6432Node\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Interface\{C0A8E51C-D6A5-4BF6-8926-CAF99DE30466}"
"HKCU\SOFTWARE\Classes\Wow6432Node\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"
"HKCU\SOFTWARE\Classes\TypeLib\{1864D368-D26C-4393-A64E-C9910B7E08AE}"

Fix:
EPSEC binaries now upgrade successfully.

---

676028 : SSL forward proxy bypass may fail to release memory used for ssl_hs instances

Solution Article: K09689143

Component: Local Traffic Manager

Symptoms:
TMM leaks memory used for ssl_hs instances when using SSL forward proxy when bypass is enabled.

Conditions:
The leak can be triggered by iRules, where a duplicate forward proxy lookup is initiated and interferes with the initial asynchronous lookup.

Impact:
TMM will core after running out of memory, which impacts availability.

Workaround:
None.

Fix:
Resolved by preventing duplicate forward proxy lookup.

---

675928 : Periodic content insertion could add too many inserts to multiple flows if http request is outstanding

Component: Policy Enforcement Manager

Symptoms:
Multiple flows of the same subscriber could get insert content enabled frequently, if the requests from those flows are outstanding

Conditions:
If the http request from the subscriber is outstanding when the new flow is triggered

Impact:
PEM insert content pem_acton will be enabled on multiple flows till the first response is received

Fix:
Throttle insert content action on new flows only to periodic interval if the transaction is outstanding.

---

675718 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
Corrected an environmental problem with the racoon daemon.

---

675597 : APM may prematurely close client-side RD Gateway connections on server-side disconnect

Component: Access Policy Manager

Symptoms:
APM may prematurely close client-side RD Gateway connections on server-side disconnect. APM log would contain 'CallOutput on empty outputSink' error message, in this case.
In rare cases, this might prevent RDP client from following RDP redirection (between RDP hosts in RDP farm), so client won't be able to connect via APM.

Conditions:
RDP server closes the connection before client.

Impact:
Rarely, this might prevent RDP client from following RDP redirection (between RDP hosts in RDP farm), so client won't be able to connect via APM.

Workaround:
None.

Fix:
Now, APM in RD Gateway role properly reports server-side disconnect to RDP client.

---

675539 : Inter-system communications targeted at a Management IP address might not work in some cases.

Component: Global Traffic Manager (DNS)

Symptoms:
Inter-system communications fail to connect to a BIG-IP system using the Management IP address.

Conditions:
This occurs if the device connection is configured between a Self IP address on one BIG-IP system and the Management IP address on another.

This occurs because the big3d daemon acts as a proxy, listening on the Management IP address and will send proper SSL connections (using SNI) to TMM (since TMM does not listen on the Management IP address).

This is not an issue if either of the following is true:

-- If the source of the connection is coming from the Management IP,
the connection is clear text. (Not SSL encrypted and thus does not use SNI)

-- The destination of the connection is a Self IP address, because TMM (via an iRule) will
handle the connection.

Impact:
Device sync operations do not work.

Workaround:
Do not use the Management IP address for between-device communications.

Fix:
The big3d proxy properly handles SSL SNI connections on the Management IP address.

---

675514 : Addition of integrity check cronjob

Component: TMOS

Symptoms:
Added daily cronjob to run F5 integrity check when BIG-IP is licensed for FIPS 140-2 compliance.

Conditions:
When BIG-IP is licensed with FIPS 140-2 compliant license, a daily cronjob has been added to check integrity of file system executables.

Impact:
A daily message will appear in /var/log/secure indicating a PASS or FAIL status of integrity check.

Workaround:
None needed.

Fix:
Added daily cronjob.

---

675399 : Network Access does not work when empty variables are assigned for WINS and DNS

Solution Article: K14304639

Component: Access Policy Manager

Symptoms:
Network Access does not work when empty variables are assigned for WINS and DNS.

Conditions:
If the admin configures empty values for WINS or DNS in the Variable Assign agent in the VPE.

Impact:
The system does not parse the XML tags correctly. Users may not be able establish VPN tunnel.

Workaround:
Do not leave the DNS or WINS values empty in the Variable assign Agent.

Fix:
APM now correctly handles the condition where an empty string is assigned for WINS and/or DNS in the Variable Assign policy agent.

---

675340 : Portal Access: non-breaking space and soft hyphen characters in JavaScript code are handled correctly

Component: Access Policy Manager

Symptoms:
Non-breaking space and soft hyphen characters may be used in JavaScript code in any place where white space is valid. These characters correspond to 0xA0 and 0xAD in Latin1 encoding scheme. If JavaScript code uses any Latin1-compatible encoding scheme and includes these characters, Portal Access may not process it correctly.

Conditions:
- JavaScript code in any Latin1-compatible encoding scheme: ISO-8859-x, Win-125x
- Non-breaking space (0xA0) and/or soft hyphen (0xAD) characters inside this code outside of comments and string constants

Impact:
JavaScript code cannot be processed by Portal Access; web application may not work correctly.

Workaround:
Use iRule to replace 0xA0 and 0xAD characters by usual space (0x20) inside JavaScript code before Portal Access processing.

Fix:
Now JavaScript code in Latin1-compatible encoding scheme with non-breaking space (0xA0) and soft hyphen (0xAD) characters is handled correctly by Portal Access.

---

675326 : TMM core with Modify Header with 'remove header' option

Solution Article: K15530703

Component: Access Policy Manager

Symptoms:
TMM core when Modify Header with 'remove header' option is used in policy before proxy select.

Conditions:
'Modify header' agent with 'remove header' option occurs before proxy select agent in per-request policy.

Impact:
TMM cores because HTTP data is not available at this point and the headers cannot be modified. Traffic flow is interrupted while TMM restarts.

Workaround:
Do not configure the per-request policy in such a way that the Modify Header agent is used before the Proxy Select agent. This is an invalid setup.

Fix:
A conditional check has been added, and the following error will be logged instead of a TMM core if the invalid configuration is used for traffic: HTTP data unavailable due to SSL Bypass mode. HTTP Header Agent unable to modify header ([header name here]) with value ([header value here]). Error: (ERR_NOT_SUPPORTED).

---

675319 : Multiple client-policy objects can be added to a connectivity profile using TMSH

Component: Access Policy Manager

Symptoms:
Using the following command makes it possible to add a client policy to a connectivity profile even if it already has one. However, each connectivity profile should only have one client policy.
tmsh modify apm profile connectivity MyConnectivityProfile client-policy add { ThisDoesntExist {} }

Conditions:
Using TMSH to modify the connectivity profile.

Impact:
The presence of the additional client-policy in a connectivity profile causes the config to have an error on loading.

Workaround:
Do not modify the connectivity profile to add client-policy.

Fix:
Now there will be an error if you attempt to modify a connectivity profile to have more than one client-policy.

---

675236 : 'Require consistent IP address' does not apply to some management GUI menu items

Solution Article: K03293523

Component: TMOS

Symptoms:
The configuration setting 'System :: Preferences :: Require A Consistent Inbound IP For the Entire Web Session' ('sys http auth-pam-validate-ip' in tmsh) does not apply to some menu items, and acts as if the setting is enabled (that a consistent IP address is required) regardless of the BIG-IP configuration.

Conditions:
BIG-IP administrator accesses the configuration utility from more than one source IP address, using the same session cookie.

Impact:
The 'sys http auth-pam-validate-ip' setting is ineffective on some menu items. These include ASM, AVR, and APM menu items.

Workaround:
Ensure the source IP address used when accessing the configuration utility does not change mid-session. This could happen if your management session is being load balanced across multiple HTTP proxies, for example.

---

675085 : When BIG-IP as SAML IdP is configured to create large assertions, occasionally BIG-IP will not send entire assertion as part of the HTTP response to the client

Component: Access Policy Manager

Symptoms:
When the BIG-IP as SAML IdP is configured to generate assertions larger than 32 KB, occasionally the BIG-IP system might not send the entire assertion as part of the HTTP response to the client, leaving the browser in a waiting state for the rest of the assertion to arrive.

Conditions:
-- The BIG-IP system is configured as SAML IdP.
-- IdP is configured to include either list of (large) attributes, with assertion size exceeding 32 KB.

Impact:
Occasionally, APM end users will not be able to receive full SAML assertion, and therefore, authentication with SAML SP will fail.

Workaround:
When applicable, reconfigure SAML attributes to reduce the size of the generated assertion, i.e., remove unnecessary attributes from the SAML configuration.

Fix:
The BIG-IP system now supports generating assertions larger than 32 KB.

---

674909-2 : Application CSS injection might break when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS (not fictive websafe CSS files) may be truncated upon response to client.

Conditions:
Inject into Application CSS enabled in Anti-Fraud Profile » Advanced » Phishing Detection

Large CSS file such as bootstrap files configured for Application CSS Locations.

Network congestion engaging TMM flow control.

Impact:
Pages may display incorrectly in client browser depending on application requirements with specific CSS. May break application functionality.

Workaround:
1) Remove affected large files from Application CSS Locations.

or

2) Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injecting to application css was interrupted by congestion.

---

674686 : Periodic content insertion of new flows fails, if an outstanding flow is a long flow

Component: Policy Enforcement Manager

Symptoms:
If an outstanding flow with periodic insertion pem_action is very long, it prevents new flow matching the same rule from adding inert content pem_action even for a new periodic interval

Conditions:
If the outstanding flow with insert content pem_action spans multiple periodic interval.

Impact:
No content insertion during the time the long flow is outstanding for new flows matching the same rule as the long flow.

Workaround:
Long flows and short flows need to have separate rule configured

Fix:
New flows will add content insertion, if the new flow request falls in the new periodic interval.

---

674593 : APM configuration snapshot takes a long time to create

Component: Access Policy Manager

Symptoms:
It takes a long time to create the configuration snapshot for a file. This may be accompanied by MEMCACHED related log message, as shown below.

notice apmd[12928]: 0149016a:5: Initiating snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 0149016f:5: Waiting for MEMCACHED to be ready
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1273 Msg: Unable to connect to tmm (sessiondb). Trying again...
notice apmd[12928]: 01490000:5: ApmD.cpp func: "wait_for_memcached_ready()" line: 1280 Msg: Successfully connected to tmm (sessiondb)...
notice apmd[12928]: 0149016b:5: Completed snapshot creation: tmm.session.10b9e255c7bb0_28oooooooooooooooo for access profile: /Common/workspace-acess
notice apmd[12928]: 01490171:5: MEMCACHED is up

Conditions:
The issue happens if an access profile contains many resources, the resulting configuration
snapshot will have even more configuration variables.

Impact:
TMM will run out of memory If the issue persists. User will not be able to log in due to profile not found error similar to the following:

err apmd[13681]: 01490114:3: /Common/workspace-acess2:Common:a6b495ce: process_request(): Profile '/Common/workspace-acess2' was not found

Workaround:
None.

Fix:
APM policy configuration snapshot generation performance for very large configurations has been improved.

---

674527 : TCL error in ltm log when server closes connection while ASM irules are running

Component: Application Security Manager

Symptoms:
TCL error in ltm log, for example:
TCL error: /Common/bug <ASM_REQUEST_DONE> - plugin_tcl_command_execute: Command error. invoked from within "ASM::severity"

Conditions:
1. ASM irules are attached.
2. There was already one request passed to the web-server
3. Server closes connection.

Impact:
Error in ltm log.

---

674494 : BD memory leak on specific configuration and specific traffic

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
Freeing up the remote loggers data when deciding not to log remotly.

---

674486 : Expat Vulnerability: CVE-2017-9233

Component: TMOS

Symptoms:
An infinite loop vulnerability due to malformed XML in external entity was found in entityValueInitProcessor function affecting versions of Expat 2.2.0 and earlier.

Conditions:
Version of expat in use on BIG-IP is v2.2.0 or earlier.

Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the administrative interface.

---

674410 : AD auth failures due to invalid Kerberos tickets

Component: Access Policy Manager

Symptoms:
User can not login.

Conditions:
- AAA AD server is configured on BIG-IP.
- AD Auth/Query agent is used in Access Policy.
- Cached Kerberos ticket is invalid or backend AD server is not reachable for some reason

Impact:
AD Auth/Query fails. APM end user won't be able to take successful branch in Access Policy.

Workaround:
None.

Fix:
Invalid Kerberos tickets for AD Query are now automatically renegotiated by APM.

---

674328 : Multicast UDP from BIG-IP may have incorrect checksums

Component: TMOS

Symptoms:
BIG-IP may transmit UDP datagrams with a bad checksum.

Conditions:
Outgoing link-local multicast UDP traffic from the Linux host, such as RIP.

Impact:
Packets may be dropped by adjacent devices.

Workaround:
Disable checksum offloading on the virtual NIC for affected VLANS, e.g. "ethtool --offload vlan1274 rx on tx off"

Fix:
Link-local multicast UDP packets are no longer sent with incorrect checksums.

---

674320 : Syncing a large number of folders can prevent the configuration getting saved on the peer systems

Solution Article: K11357182

Component: TMOS

Symptoms:
When syncing a large number of folders (more than 56), the configuration on the peer systems fails to save. An error similar to the following appears in the audit log, possibly followed by garbage characters:

 notice tmsh[15819]: 01420002:5: AUDIT - pid=15819 user=root folder=/Common module=(tmos)# status=[Syntax Error: "}" is missing] cmd_data=save / sys config partitions { tf01 tf02 tf03 tf04 tf05 tf06 tf07 tf08 tf09 tf10 tf11 tf12 tf13 tf14 tf15 tf16 tf17 tf18 tf19 tf20 tf21 tf22 tf23 tf24 tf25 tf26 tf27 tf28 tf29 tf30 tf31 tf32 tf33 tf34 tf35 tf36 tf37 tf38 tf39 tf40 tf41 tf42 tf43 tf44 tf45 tf46 tf47 tf48 tf49 tf50 tf51 tf52 tf53 tf54 tf55 tf56 tf57 tf58 tf59

Note: These 'tfnn' folder names are examples. The audit log will contain a list of the actual folder names. (Folders are also called 'partitions'.)

Conditions:
-- System is in a device group.
-- Sync operation occurs on the device group.
-- There are a large number of folders (more than 56).

Impact:
Configuration on peer systems in a device group does not get saved after a sync.

Workaround:
Manually save the configuration on peer systems after a sync.

Fix:
The configuration on peer systems is now saved when a large number of folders are involved in the sync.

---

674004 : tmm may crash when after deleting pool member in traffic

Solution Article: K34448924

Component: Local Traffic Manager

Symptoms:
tmm may crash when after deleting pool member that is processing traffic.

Conditions:
-- Two or more pools share the same node as pool member.
-- A pool member (with the shared node) is deleted while traffic is passing.
-- Connpool is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes when after deleting pool member while traffic is passing.

---

673974 : agetty auto detects parity on console port incorrectly

Component: TMOS

Symptoms:
With a BIG-IP system configured for a console baud rate that is different from the baud rate of the serial terminal that is plugged in to the console port, he system returns garbled characters on the screen. Changing the terminal setting to match the console baud rate has no effect after that: the BIG-IP system continues to send garbage.

Conditions:
BIG-IP system with a console at certain baud rate.
-- Plug in a serial terminal with a different baud rate.
-- Press enter several times.

Impact:
The parity detection code selects the wrong setting, leaving the console port unusable until reboot of the BIG-IP system, or after killing and restarting agetty.

Workaround:
To recover from this condition, log on to the BIG-IP system via ssh, force parity off, and kill the agetty process (assuming the console is not logged in, and is therefore running agetty).

      via ssh:

      # stty -F /dev/ttyS0 -parenb ; killall agetty

   However, this is not an ideal workaround, as a frequent reason to use the serial console is lack of network access to the device.

   In that situation, you can log on by setting the terminal to Mark parity (8 data bits, Mark parity, 1 stop bit).

Note: There is no way to mitigate the issue from the console connection itself, as agetty doesn't run while the console is logged in.

You can also reboot the BIG-IP system, reset the terminal speed on the laptop to match the console speed set on the BIG-IP system, and reconnect the laptop.

Fix:
This issue has been corrected.

---

673962 : Potential memory issue in iprepd

Solution Article: K55463371

Component: TMOS

Symptoms:
Potential memory issue in iprepd. No IP Intelligence reports in AVR.

Conditions:
This is caused by uninitialized variables.

Impact:
iprepd fails to download IP intelligence DB and subsequently AVR won't have IP Intelligence reports.

Workaround:
Restart iprepd.

Fix:
iprepd now downloads IP intelligence DB and subsequently AVR has the IP Intelligence reports.

---

673951 : Memory leak when using HTTP2 profile

Component: Local Traffic Manager

Symptoms:
Memory continues to grow despite reduced volume of traffic. Large number of spdy_frame and xdata allocated.

Conditions:
Virtual server configured with HTTP2 profile.

Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.

Workaround:
None.

Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.

---

673823 : Web UI: Unlicensed Configuration Warning for DHCP Relay configuration★

Component: Policy Enforcement Manager

Symptoms:
Unlicensed warning message 'The Unlicensed fields allow configuration on this page but does not take effect in the system' is displayed, even though the functionality works fine.

Conditions:
No PEM/AFM license.

Impact:
Incorrect information is provided in the message. Misleading message indicates that DHCP Relay functionality may not work, even though it does work. This is a cosmetic issue, and you can safely ignore the message.

Workaround:
None needed. This is a cosmetic error.

Note: Having a license for LTM is enough for DHCP Relay functionality to work. The GUI erroneously checks for the Subscriber Management license, which comes with PEM/AFM license, and displays warning message if not available. However, the lack of the Subscriber Management license is not required for DHCP Relay functionality to work, and the message should not be displayed.

Fix:
LTM license is enough for DHCP Relay functionality to work. But GUI checks for Subscriber Management license which comes with PEM/AFM license and displays warning message if not available.

---

673814-1 : Custom bidirectional persistence entries are not updated to the session timeout

Solution Article: K37822302

Component: Service Provider

Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.

Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.

Impact:
The persistence timeout will prematurely time out.

Workaround:
Set the transaction timeout to the session timeout value.

Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.

---

673692 : qkview may take up to 90 seconds longer to execute on FIPS enabled systems

Component: TMOS

Symptoms:
When FIPS is enabled, qkview will execute the sys-eicheck.py script, which can take up to 90 seconds to execute.

Conditions:
FIPS is installed, or -c is specified on qkview command line.

Impact:
qkview takes longer to execute.

Note: This extra time (90 seconds) is necessary when running qkview on a FIPS enabled system.

Workaround:
None.

Fix:
This extra time (90 seconds) is necessary when running qkview on a FIPS enabled system.

---

673683 : Periodic content insertion fails, if pem and classification profile are detached and reattached to the Listener

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if pem and classification profiles are detached and re-attached to the Listener, periodic insertion may fail to insert the content. This happens when more than one subscriber is using the same policy rule and the listener.

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the right session id storage associated with the subscriber

---

673678 : Periodic content insertion fails, if http request/response get interleaved by second subscriber http request

Component: Policy Enforcement Manager

Symptoms:
Periodic content insertion for a subscriber may stop working after one or more insertions.

Conditions:
When a subscriber action list have Insert content added and if the request/response for that http transaction get interleaved by another subscriber request. This happens when more than one subscriber is using the same policy rule

Impact:
Periodic insert content action will fail to insert the content

Workaround:
Delete and recreate the subscriber for which insert content action no longer working

Fix:
For subscriber content insertion record lookup, use the correct session id storage associated with the subscriber.

---

673607 : Apache CVE-2017-3169

Solution Article: K83043359

---

673595 : Apache CVE-2017-3167

Solution Article: K34125394

---

673484 : IKEv2 does not support NON_FIRST_FRAGMENTS_ALSO

Solution Article: K85405312

Component: TMOS

Symptoms:
IPsec IKEv2 tunnels cannot be established when the remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child Security Association (SA) establishment. This parameter is commonly sent by ASA devices.

Conditions:
-- IPsec IKEv2 with ASA peer.
-- Remote peer sends a NON_FIRST_FRAGMENTS_ALSO notification as part of the child SA establishment.

Impact:
IKEv2 IPsec tunnels cannot be established with ASA peer.

Workaround:
Use IKEv1.

Fix:
During IPsec IKEv2 child SA establishment, the BIG-IP will ignore the NON_FIRST_FRAGMENTS_ALSO notification and will continue to establish the SA.

---

673472 : After classification rule is updated, first periodic Insert content action fails for existing subscriber

Component: Policy Enforcement Manager

Symptoms:
Immediately after the classification rule associated with a static subscriber is updated and if the action list has Insert content, the first periodic insert content action fails for the subscribers. Subsequent Insert content action will proceed as expected

Conditions:
Update of the classification rule associated with the subscribers.

Impact:
First periodic Insert content action, immediately succeeding after the update of the classification rule will fail.

Workaround:
bigstart restart tmm, after updating the classification rule with insert content action will fix the issue

Fix:
Update the record count associated with the subscriber during eval.

---

673463 : SDD v3 symmetric deduplication may start performing poorly after a failover event

Component: Wan Optimization

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may start performing poorly for some file transfers.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) The far side BIG-IP HA configuration (from the perspective of the client performing the download) is failed over.
4) Clients attempt to download files that had previously been transferred through the BIG-IP units.

Impact:
Symmetric deduplication is severely impacted (virtually no hits) for files that had previously been transferred through the units. This causes the amount of data transmitted over the WAN to increase. Files that were not transferred previously through the units are not affected by this issue.

Workaround:
To eliminate the impacted symmetric deduplication condition, restart the receiving (i.e., the near) side.

Fix:
SDD v3 symmetric deduplication no longer performs poorly after a failover event.

---

673311 : When 'Web Scraping Configuration' has 'Bot Detection' set to 'Alarm', the type=7 JavaScript challenge is sent.

Component: Application Security Manager

Symptoms:
The JavaScript challenge type=7 is sent when it should not be.

The challenge should be sent only when 'Bot Detection' is set to 'Alarm and Block' or when 'Fingerprint Usage' or 'Persistent Client Identification' is enabled in 'Web Scraping Configuration'.

Conditions:
-- ASM Policy.
-- 'Bot Detection' set to 'Alarm' in 'Web Scraping Configuration'.

Impact:
After 10 requests to a qualified URL, the JavaScript challenge type=7 is sent back.

Workaround:
None.

Fix:
Now, when using 'Web Scraping Configuration', JavaScript challenge type=7 is sent only when 'Bot Detection' is set to 'Alarm and Block' or when 'Fingerprint Usage' or 'Persistent Client Identification' is enabled in 'Web Scraping Configuration'.

---

673147 : Virtual server configuration incorrectly allows mutually exclusive iSession and OneConnect profiles.

Solution Article: K01350083

Component: Local Traffic Manager

Symptoms:
The system does not prevent you from configuring a server-side iSession profile and a OneConnect profile on the same virtual server. This is not a valid configuration. Virtual server configuration should allow either a server-side iSession profile or a OneConnect profile, but not both. Although the virtual server configuration completes, three errors are logged to /var/log/tmm:

1) notice ISESSION: 172.27.114.10.443 ! 172.27.14.10.43321: connection error: isession_setup_ssl:1645: server-side SSL hudfilter replacement failed: ERR_NOT_FOUND

2) notice hudchain contains precluded serverside filter: CONNPOOL

3) notice MCP message handling failed in 0x898c80 (16977920): Jul 7 12:34:19 - MCP Message:
notice create {
notice virtual_server_profile {
notice virtual_server_profile_vs_name "/Common/http_optimize_client"
notice virtual_server_profile_profile_name "/Common/oneconnect"
notice virtual_server_profile_object_id 159423
notice virtual_server_profile_profile_class_id profile_connpool
notice virtual_server_profile_profile_type 13
notice virtual_server_profile_profile_context 0
notice virtual_server_profile_partition_id "Common"
notice virtual_server_profile_leaf_name "http_optimize_client"
notice virtual_server_profile_folder_name "/Common"
notice virtual_server_profile_transaction_id 62
notice }
notice }

Loading a configuration containing a virtual server with both a server-side iSession profile and a OneConnect profile succeeds, but logs a mutually exclusive profile error:
    notice hudchain contains precluded serverside filter: CONNPOOL

Conditions:
Three conditions must be satisfied.
1) The BIG-IP has AAM licensed.
2) A server-side iSession profile is added to a virtual server.
3) A OneConnect profile is added to the same virtual server.
Conditions 2 and 3 can be done in either order.

Impact:
OneConnect and iSession are mutually exclusive features, because both implement connection pooling. Configuring
a virtual server with both server-side iSession and
OneConnect profiles will break connection pooling, causing
connections associated the virtual server to hang.

Workaround:
Avoid configuring both server-side iSession and a OneConnect profiles on the same virtual server, as this is never a valid configuration.

Fix:
An error is now returned for attempts to configure both a server-side iSession profile and a OneConnect profile on the same virtual server. The error message text is:
    Configuration error: A virtual server (<vs name>)
    is not allowed to have both OneConnect and iSession
    profiles.

---

673078 : TMM may crash when processing FastL4 traffic

Component: Local Traffic Manager

Symptoms:
When processing certain types of traffic with a FastL4 profile, TMM may crash

Conditions:
FastL4 profile in use

Impact:
TMM crash, resulting in a failover event

Workaround:
none

Fix:
TMM not longer crashes when processing certain types of FastL4 traffic

---

673052 : On i-Series platforms, HTTP/2 is limited to 10 streams

Component: Local Traffic Manager

Symptoms:
On i-Series platforms, HTTP/2 is limited to 10 streams by licensing.

"HTTP2 limited to 10 concurrent streams: Web Accelerator feature not licensed." appears in /var/log/ltm

Conditions:
Using an i-Series platform where WAM is unlicensable.

Impact:
HTTP/2 performance may be less than desired

Fix:
It is possible to configure HTTP/2 with more than 10 streams on i-Series platforms.

---

673027 : One extra mcpd AUDIT message logged after disabling mcpd audit logging

Component: TMOS

Symptoms:
By design, when mcpd audit logging is disabled, messages are logged to /var/log/audit, recording the fact that mcpd audit logging was disabled. After mcpd audit logging has been disabled via tmsh and the initial messages of this change are logged, the next command that modifies a configuration object will also be logged to the audit log. Afterwards, mcpd audit logging will be correctly disabled, so that no subsequent configuration changes will be logged by mcpd in the audit log.

Conditions:
Switching audit logging from enabled to disabled.

Impact:
Unexpected logging of potentially-sensitive information (such as a password in a user account object) in the audit log (/var/log/audit) may occur even though such logging has been disabled.

Workaround:
To avoid recording potentially-sensitive information in the audit log after disabling mcpd audit logging, before issuing any command that affects configuration objects containing sensitive information, issue one additional command to change a configuration object that does not contain sensitive information.

Fix:
Once mcpd audit logging is disabled, messages are no longer logged to /var/log/audit.

---

672988 : MCP memory leak when performing incremental ConfigSync

Component: TMOS

Symptoms:
MCP will leak memory when performing incremental ConfigSync operations to peers in its device group. The memory leak can be seen tmctl utility to watch the umem_alloc_80 cache over time.

This leak occurs on the device that is sending the configuration.

Conditions:
A device group that has incremental sync enabled. In versions prior to BIG-IP v13.0.0, this is controlled by the 'Full Sync' checkbox. When unchecked, the system attempts to perform incremental sync operations.

Impact:
MCP leaks a small amount of memory during each sync operation, and after an extended period of time, might eventually crash.

Workaround:
None.

Fix:
MCPD no longer leaks when performing incremental ConfigSync operations.

---

672947 : CVE-2017-2583 CVE-2017-6214 CVE-2017-7477 CVE-2017-7645 CVE-2017-7895

Component: TMOS

Symptoms:
* A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST' feature were used together. A remote user or process could use this flaw to potentially escalate their privilege on a system. (CVE-2017-7477, Important)

* The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of-bounds memory access. A remote user or program could use this flaw to crash the kernel (denial of service). (CVE-2017-7645, Important)

* The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895, Important)

* The Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS or potentially escalate their privileges inside the guest. (CVE-2017-2583, Moderate)

* A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely. (CVE-2017-6214, Moderate)

Red Hat would like to thank Ari Kauppi for reporting CVE-2017-7895 and Xiaohann Zhang (Huawei Inc.) for reporting CVE-2017-2583.

Conditions:
* A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST' feature were used together. A remote user or process could use this flaw to potentially escalate their privilege on a system. (CVE-2017-7477, Important)

* The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of-bounds memory access. A remote user or program could use this flaw to crash the kernel (denial of service). (CVE-2017-7645, Important)

* The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895, Important)

* The Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS or potentially escalate their privileges inside the guest. (CVE-2017-2583, Moderate)

* A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely. (CVE-2017-6214, Moderate)

Red Hat would like to thank Ari Kauppi for reporting CVE-2017-7895 and Xiaohann Zhang (Huawei Inc.) for reporting CVE-2017-2583.

Impact:
* A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST' feature were used together. A remote user or process could use this flaw to potentially escalate their privilege on a system. (CVE-2017-7477, Important)

* The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of-bounds memory access. A remote user or program could use this flaw to crash the kernel (denial of service). (CVE-2017-7645, Important)

* The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895, Important)

* The Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS or potentially escalate their privileges inside the guest. (CVE-2017-2583, Moderate)

* A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely. (CVE-2017-6214, Moderate)

Red Hat would like to thank Ari Kauppi for reporting CVE-2017-7895 and Xiaohann Zhang (Huawei Inc.) for reporting CVE-2017-2583.

Fix:
* A flaw was found in the way Linux kernel allocates heap memory to build the scattergather list from a fragment list(skb_shinfo(skb)->frag_list) in the socket buffer(skb_buff). The heap overflow occurred if 'MAX_SKB_FRAGS + 1' parameter and 'NETIF_F_FRAGLIST' feature were used together. A remote user or process could use this flaw to potentially escalate their privilege on a system. (CVE-2017-7477, Important)

* The NFS2/3 RPC client could send long arguments to the NFS server. These encoded arguments are stored in an array of memory pages, and accessed using pointer variables. Arbitrarily long arguments could make these pointers point outside the array and cause an out-of-bounds memory access. A remote user or program could use this flaw to crash the kernel (denial of service). (CVE-2017-7645, Important)

* The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lacked certain checks for the end of a buffer. A remote attacker could trigger a pointer-arithmetic error or possibly cause other unspecified impacts using crafted requests related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. (CVE-2017-7895, Important)

* The Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support was vulnerable to an incorrect segment selector(SS) value error. The error could occur while loading values into the SS register in long mode. A user or process inside a guest could use this flaw to crash the guest, resulting in DoS or potentially escalate their privileges inside the guest. (CVE-2017-2583, Moderate)

* A flaw was found in the Linux kernel's handling of packets with the URG flag. Applications using the splice() and tcp_splice_read() functionality could allow a remote attacker to force the kernel to enter a condition in which it could loop indefinitely. (CVE-2017-6214, Moderate)

Red Hat would like to thank Ari Kauppi for reporting CVE-2017-7895 and Xiaohann Zhang (Huawei Inc.) for reporting CVE-2017-2583.

---

672828 : Different ASM logging profiles can have cross-impact on response logging decision

Component: Application Security Manager

Symptoms:
When attaching both local ASM logging profile and remote ASM logging profile to the same virtual server, response logging may not match configuration on logging profile for the remote logger.

Conditions:
-- Have both ASM local logging profile and ASM remote logging profile attached to the same virtual server.
-- Have response logging turned on for the remote profile, but disabled on the local.

Impact:
Response is not logged for the remote profile although it is turned on in config.

Workaround:
Enable response logging for local profile.

Fix:
The system now makes separate response logging decisions between local and remote loggers.

---

672818 : When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established

Component: Access Policy Manager

Symptoms:
When 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows, VPN cannot be established.

Conditions:
-- Install Traditional Chinese Windows.
-- Change the 'Region and Language' setting format to Simplified Chinese.
-- Edge Client or browser.

Impact:
Cannot establish VPN.

Workaround:
There is no workaround if there is a to change the 'Region and language' setting must be Simplified Chinese.

Fix:
VPN can now be established when 'Region and language' format is changed to Simplified Chinese on Traditional Chinese Windows.

---

672695 : Internal perl process listening on all interfaces when ASM enabled

Component: Application Security Manager

Symptoms:
ASM configuration processes are available on unprotected network interfaces.

Conditions:
ASM provisioned

Impact:
Connections to the ASM configuration processes may interfere with normal ASM operations, leading to reduced performance

Workaround:
None

Fix:
ASM-config Event Dispatcher now listens only on protected interfaces

---

672301 : ASM crashes when using a logout object configuration in ASM policy

Component: Application Security Manager

Symptoms:
bd daemon crash and writes a core file in the /shared/core directory.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- Logout object configured in the policy.
-- System receives a POST request.

Impact:
System goes offline for a few seconds, failover occurs.

Workaround:
Remove logout object configuration from ASM policy.

Fix:
The system now handles this condition.

---

672209 : Upgrade, load config or reboot may fail if IPsec traffic-selector references default-ipsec-policy★

Solution Article: K22031410

Component: TMOS

Symptoms:
If an IPsec traffic-selector object references the default-ipsec-policy object, an upgrade to a newer version of BIG-IP software might fail during the config load stage with error logs similar to the following:

err mcpd[#]: 01070734:3: Configuration error: IPsec policy /Common/default-ipsec-policy does not exist.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all base " - failed. -- 01070734:3: Configuration error: IPsec policy /Common/default-ipsec-policy does not exist. Unexpected Error: Loading configuration process failed.

Conditions:
-- IPsec traffic-selector object references the default-ipsec-policy object.
-- configuration is loaded from config files, such as:
   + Performing an upgrade to a later version of BIG-IP software.
   + Loading configuration from a file (tmsh load sys config file).
   + Forcing a configuration load from files, as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Impact:
Unable to load configuration.

Workaround:
To work around this problem, use one of the following preventative actions:

-- Before upgrading, create a custom ipsec-policy (with default values) instead of default-ipsec-policy, and reference that IPsec policy in the traffic-selector.

-- Before upgrading, delete the traffic-selector attached to any default objects.


To recover from a failed upgrade or config load, use one of the following recovery actions, then restart BIG-IP (bigstart restart):

-- Edit the /config/BIG-IP_base.conf file, add a custom ipsec-policy with default values, and update the traffic-selector configuration to use this ipsec-policy:

net ipsec ipsec-policy /Common/my-ipsec-policy { }

net ipsec traffic-selector /Common/iFail {
...
ipsec-policy /Common/my-ipsec-policy
...

-- Edit the /config/BIG-IP_base.conf file, and delete the traffic-selector configuration that references the default-ipsec-policy.

Fix:
Now, the IPsec traffic-selector can reference default-ipsec-policy without configuration load errors after upgrade.

---

672063 : Misconfigured GRE tunnel and route objects may cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.

Solution Article: K38335326

Component: TMOS

Symptoms:
Misconfigured GRE tunnel and route objects on the BIG-IP system might cause an ill-formed routing loop inside the TMM, resulting in a TMM crash.

The following is an example to illustrate how misconfiguration can lead to an ill-formed routing loop inside the TMM.

net tunnels tunnel gre1 {
    if-index 5472
    local-address 10.10.0.1
    mtu 1400
    profile gre
    remote-address 10.20.0.1
}

net self 10.9.0.1/24 {
    address 10.9.0.1/24
    traffic-group traffic-group-local-only
    vlan gre1
}

net route 10.20.0.0/24 {
    interface /Common/gre1
    network 10.20.0.0/24
}

In the above example, if a packet is destined for the network 10.20.0.0/24, the packet is sent over the GRE tunnel for encapsulation. After encapsulation, the destination address of the encapsulated packet is 10.20.0.1 (i.e., tunnel's remote-address) which matches the configured route again. As a result, the encapsulated packet is fed to the tunnel again and this process repeats to form a routing loop inside the TMM.

Conditions:
Misconfigured GRE tunnel and route objects, leading to an ill-formed routing loop inside the TMM. Please refer to the above example for an illustration.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
This issue is caused by misconfiguration which can be avoided. The recommendation is to examine the configuration, making sure that it does not lead to an ill-formed routing loop inside the TMM.

Fix:
The TMM has been enhanced to detect an ill-formed single-level routing loop in a tunnel setting (e.g., refer to the above example). When an ill-formed single-level routing loop is detected in a tunnel setting, the packets will be dropped and the TMM no longer crashes, and the following message is also logged in /var/log/ltm:

Tunnel output has a potential loop for remote endpoint <IP address>, tunnel name = <name>.

---

672040 : Access Policy Causing Duplicate iRule Event Execution

Component: Access Policy Manager

Symptoms:
iRule event gets triggered twice in clientless mode when access policy is executed.

Conditions:
This only occurs when using iRule in clientless-mode.

Impact:
HTTP_REQUEST event is logged twice in /var/log/ltm.

See below example:

when HTTP_REQUEST {
  HTTP::header insert {clientless-mode} 1
  set myCount [expr {$myCount + 1}]
  log local0. "Count is $myCount"
}

LTM logs:
-----------

Jul 3 12:29:35 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 1
Jul 3 12:29:36 BIG-IP10002-vcmp2 info tmm1[23908]: Rule /Common/test_irule <HTTP_REQUEST>: Count is 2


When this iRule is used, you will see duplicate HTTP_REQUEST with increased count in logs. If this count is used in further calculation, it gives you incorrect result.

Fix:
HTTP_REQUEST iRule event is no longer executed multiple times when using APM clientless-mode.

---

672038 : SSH Proxy log settings change for 'partial authentication' activity

Component: Advanced Firewall Manager

Symptoms:
In previous releases, SSH Proxy logs 'partial authentication' activity based on the state of the 'Log Client Auth Success Event' and 'Log Server Auth Success Event' flags in the logging profile.

Now, 'partial authentication' activity events have their own flags in the logging profile. That means that previously recorded events related to partial authentication will not be logged until the newly provided flags are enabled.

Conditions:
Logging events relating to partial authentication.

Impact:
Items that were previously logged will not be, until these new flags are enabled.

Workaround:
None.

Fix:
In previous releases, SSH Proxy logs 'partial authentication' activity based on the state of the 'Log Client Auth Success Event' and 'Log Server Auth Success Event' flags in the logging profile.

Now, 'partial authentication' activity events have their own flags in the logging profile.

This feature introduces the following TMSH commands:
 modify security log profile logprof ssh-proxy modify { sshlog { partial-client-side-auth enabled } }
 modify security log profile logprof ssh-proxy modify { sshlog { partial-server-side-auth enabled } }

These commands control PARTIAL auths when, for example, this is present in sshd_config on the backend server:

Match User user1
        AuthenticationMethods "password,publickey"

Behavior Change:
In previous releases, SSH Proxy logs 'partial authentication' activity based on the state of the 'Log Client Auth Success Event' and 'Log Server Auth Success Event' flags in the logging profile.

Now, 'partial authentication' activity events have their own flags in the logging profile.

This feature introduces the following TMSH commands:
 modify security log profile logprof ssh-proxy modify { sshlog { partial-client-side-auth enabled } }
 modify security log profile logprof ssh-proxy modify { sshlog { partial-server-side-auth enabled } }

These commands control PARTIAL auths when, for example, this is present in sshd_config on the backend server:

Match User user1
        AuthenticationMethods "password,publickey"

---

672008 : NUL character inserted into syslog message when system time rolls over to exactly 1000000 microseconds

Solution Article: K22122208

Component: Local Traffic Manager

Symptoms:
Remote syslog logging destinations configured for RFC5424 format might receive malformed timestamp values if the log message is sent when clock rolls over to 1,000,000 microseconds exactly. The resulting log message will have a NUL character appended to the microseconds value in the log's timestamp field.

Example:
Correct timestamp: 2003-08-24T05:14:15.000000-07:00
Malformed timestamp: 2003-08-24T05:14:14.100000\00-07:00

Conditions:
-- syslog destination configured for RFC5424 format.
-- Sending log message when clock rolls over to 1,000,000 microseconds.

Impact:
Some syslog collectors may fail to parse the message, resulting in incorrect log entry or warning.

Workaround:
Change syslog destination format to use RFC3164, which does not include microsecond resolution in timestamp fields.

Fix:
The timestamp field is now formatted correctly for microseconds and seconds values. Seconds now correctly increment when microseconds equal 1,000,000.

---

671999 : Re-extract the the thales software everytime the installation script is run

Component: Local Traffic Manager

Symptoms:
If Thales has already been installed on the BIG-IP system, installing a new version does not overwrite the existing installed version.

Conditions:
/shared/nfast exists on the BIG-IP system before installing the Thales client software.

Impact:
The old version of the software will be used in the installation operation, instead of the expected new version of the software.

Workaround:
You can use either or both of the following workarounds before running the installation script:

-- Run the uninstallation script.
-- Delete the /shared/nfast folder.

Fix:
The Thales installation script now always extracts the Thales software in /shared/thales_install and overwrites the /shared/nfast directory.

Behavior Change:
Thales HSM installation script always overwrites the /shared/nfast directory.

---

671935 : Possible ephemeral port reuse.

Solution Article: K64461712

Component: Local Traffic Manager

Symptoms:
When selecting server-side source ports, the BIG-IP system favors ephemeral ports in the upper range.

Conditions:
Source ports, different from the client side, may be reselected. This is always the case when the virtual server's 'source-port change' option is enabled.

Impact:
If server connections are in the TIME_WAIT state and connection recycling is not configured, the server might reset the connection, reusing ports.

Workaround:
Disable the virtual server's 'source-port change' option to use the same source port as the connecting client.

Fix:
Now, even when the virtual server's 'source-port change' option is enabled, the system uses the same source port as the connecting client.

---

671920 : Accessing SNMP over IPv6 on non-default route domains

Component: TMOS

Symptoms:
The SNMP daemon cannot send traps to a non-default route domain destination. However, it can respond to SNMP requests over from a client that is accessed through a non-default route domain path for IPv4. For IPv6 this does not work.

Conditions:
SNMP access over IPv6 on a client accessed through a non-default route domain does not work.

Impact:
Access to SNMP must be through default route domain for IPv6.

Fix:
With this bug fix you can access SNMP from an IPv6 client on a non-default route domain. There is no plan to allow traps to be delivered to destinations on a non-default route domain.

---

671892 : AD Auth/Query may fail when cross-domain option is requested

Component: Access Policy Manager

Symptoms:
AD Auth/Query may fail when cross-domain option is enabled, and AD Trusted Domains object is configured for the agent.

Conditions:
when all of the following is true:
- AD Auth/Query is configured to use AD Trusted Domains
- cross-domain option is enabled
- user belongs to some trusted domains and AAA AD Server for that domain is a member of AD Trusted Domains
- the AAA AD Server is configured with EMPTY KDC

Impact:
the agent will fail and take fallback branch

Workaround:
for the affected AAA AD Server, please, configure KDC. it can be any acceptable value (IP, FQDN, LTM pool), but not empty

Fix:
Cross-realm AD Auth/Query now succeeds, even if the AAA AD Server has no KDC configured.

---

671883 : [APM] Ping Access Agent does not correctly handle HTTP request with invalid version

Component: Access Policy Manager

Symptoms:
Ping Access Agent processes HTTP requests based on the assumption that the version in the request will be formatted as follows: HTTP/1.0, HTTP/1.1, etc. If the version is invalid and is specificied without a slash, Ping Access Agent generates a core.

Conditions:
This occurs when both of the following conditions are met:
-- The HTTP request contains an invalid value for the HTTP version field.
-- That provided invalid value does not contain a slash (/) character.

Impact:
Ping Access Agent generates core, which might cause service outage.

Workaround:
* Write an iRule that uses HTTP request events to detect such invalid requests and to generate an error when encountered (e.g.: "ping_access_agent does not process requests with invalid HTTP version values").
* Attach the iRule to the virtual server.

With such an iRule attached to the virtual server, Ping Access Agent will continue to provide the requested service for valid requests.

Fix:
Ping Access Agent now properly handles requests with
invalid HTTP version values.

---

671880 : [APM] Ping Access Agent's internal request processing state needs improvement

Component: Access Policy Manager

Symptoms:
Ping Access Agent maintains the HTTP requests headers in a dictionary. While looking up an HTTP header, it accesses one extra element in the array.

Conditions:
The memory layout of the extra element in the dictionary has the same value as the HTTP header's name.

Impact:
ping_access_agent generates a core, which might cause a service outage.

Workaround:
None.

Fix:
APM Ping Access Agent's internal request processing state has been improved to be more robust.

---

671725 : Connection leak on standby unit

Solution Article: K19920320

Component: Local Traffic Manager

Symptoms:
High connection count on standby unit.

Conditions:
-- High availability (HA) configuration.
-- Virtual server that has the attribute 'spanning enabled'.

Impact:
Flow leak on Next Active action.

Workaround:
None.

Fix:
Connection leak on standby unit no longer occurs under these conditions.

---

671714 : Empty persistence cookie name inserted from policy can cause TMM to crash

Component: Local Traffic Manager

Symptoms:
Empty persistence cookie name inserted from policy can cause TMM to restart.

Conditions:
Empty persistence cookie name is used in a policy definition.
A connection is made that uses the policy.

Impact:
Traffic disrupted while tmm restarts

Workaround:
Use non-empty peristence cookie name in policy definition.

Fix:
Empty persistence cookie name inserted from policy no longer causes TMM to restart.

---

671638 : Memory leak when load-balancing mptcp traffic

Component: Local Traffic Manager

Symptoms:
Memory leak.

Conditions:
TCP profile with mptcp enabled handling mptcp traffic.

Impact:
Memory leak leading to eventual crash.

Fix:
Fixed memory leak.

---

671579 : Macro and macrocall creation issues when policy is in folder

Component: Access Policy Manager

Symptoms:
Attempting creation of macro or macrocall fails when the policy is located in a folder.

Conditions:
-- Access Profile or Per Rq Policy.
-- Location address is similar to the following:
 /partition/foldername/policy

Impact:
Cannot freely use VPE to edit policies.

Workaround:
To work around this:
1. Export Access Profile or Per Rq Policy.
2. Import it to root (/partition/newpolicy) of the partition.
3. Keep it under the root.

Fix:
Issue is resolved. Creation of macro or macrocalls in folders has been recovered.

---

671447-5 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form

Component: TMOS

Symptoms:
When using a BIG-IP system configured in an IS-IS network; adjacencies may fail to form with other vendor devices.

Conditions:
- BIG-IP configured to participate as a peer in a IS-IS network.
- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)

Impact:
IS-IS adjacencies may not form.

Workaround:
None.

Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.

---

671326 : DNS Cache debug logging might cause tmm to crash.

Solution Article: K81052338

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Cache debug logging might cause tmm to crash.

Conditions:
This occurs when the following conditions are met:

-- The dnscacheresolver.loglevel debug value is set to 1 - 5.
-- tmm.verbose is enabled.

Impact:
tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
Do not enable the DNS Cache debug log when tmm.verbose is enabled.

Fix:
DNS Cache debug logging no longer causes tmm to crash.

---

671314-2 : BIG-IP system cores when sending SIP SCTP traffic

Solution Article: K37093335

Component: TMOS

Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.

Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.

Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.

Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.

Fix:
This crash has been fixed.

---

671236 : BGP local-as command may not work when applied to peer-group

Solution Article: K27343382

Component: TMOS

Symptoms:
Using the BGP level command neighbor <peer-group> local-as <AS> might fail to apply on peers in the peer group.

Conditions:
Applying the BGP local-as command to a peer group.
For instance:
  neighbor <peer-group> local-as <AS>.

Impact:
The command fails to apply, and the actual local AS sent to the peer is that of the BGP process and not the one specified in the command.

Workaround:
Apply the BGP local-as directly to the peer, not the peer-group.

Fix:
BGP now correctly applies the local-as settings to the peers in a peer-group.

---

671234 : HTTP Authentication agent will hang waiting on unresponsive authentication server.

Component: Access Policy Manager

Symptoms:
Some authentication requests never completes.
APMD responsiveness degrade over time and eventually restart.

Conditions:
The HTTP Authentication server must be alive enough to accept HTTP connections but busy enough to drop requests without closing connections.

Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.

Workaround:
Restarting the HTTP Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the HTTP backend can detect the issue and allow recovery before the need for APMD to restart.

Fix:
HTTP agent now times out and returns an error when the HTTP server becomes unresponsive. This allows recovery without restarts.

Behavior Change:
The HTTP Authentication agent will time out and return an error instead of waiting forever. If enough threads were waiting, APMD performance degraded and eventually restarted.

---

671151 : Public route to excluded DNS resolved IP addresses is not added if user connects to VPN quickly after a disconnect and DNS relay proxy is running

Solution Article: K40135424

Component: Access Policy Manager

Symptoms:
Public routes to excluded domain scope resolved IP addresses (by DNS relay proxy) do not get added on the second subsequent connection, if user connects to VPN and accesses excluded domain scope host-names (so that exclude routes get added the first time), disconnects and then connects very quickly again and then accesses those same host-names.

Conditions:
- Split tunnel configuration.
- Excluded Domain scope.
- DNS relay proxy is running on the client.
- User connects to VPN the first time, accesses excluded domain scope host-names (so that exclude routes to the resolved IP addresses get added the first time), user disconnects and then connects to VPN again very quickly and accesses those same host-names.

Impact:
Depending on the configuration, the traffic to the excluded DNS may end up inside the tunnel, and if it is not reachable via tunnel, then there is no connectivity to these destinations.

For example, this might occur in a split tunnel configuration that has include scope as 0.0.0.0/0 and some exclude address space like 8.8.8.8/32 and has excluded DNS as site-not-reachable-via-tunnel.com, *.site-not-reachable-via-tunnel.com. If exclude routes are not added for IP addresses resolved for site-not-reachable-via-tunnel.com, traffic to site-not-reachable-via-tunnel.com will go inside the tunnel due to the routing table.

Workaround:
- Wait 30 seconds to 1 minute before establishing subsequent VPN connections after disconnecting. (Sometimes it takes a full minute or more for the dialer to unload.)
- After Disconnect, exit Edge Client from the system tray and start it again to establish the connection.

Fix:
The DNS Relay Proxy component now correctly handles quick connect/disconnect operations when using the Windows Edge Client.

---

671149 : Captive portal login page is not rendered until it is refreshed

Component: Access Policy Manager

Symptoms:
Sometimes Edge Client shows an error page for captive portal-redirected URLs.

Conditions:
Some captive portal pages use cloud-based authentication and network management. Such captive portals rely on several HTTP redirects and/or HTML (auto-refresh). Sometimes Edge Client fails to download the page/content from the redirected URL. In such scenarios, a full browser re-attempts and successfully downloads and displays the page, but Edge Client does not re-attempt and shows an error page.

Impact:
For the locked client, an APM end user has no access to the internet until captive portal authentication is performed and the Network Access (VPN) tunnel is created.

Workaround:
None.

Fix:
Edge Client now has a retry mechanism to access and display captive portal login pages in case the first attempt fails.

---

671112 : Internal IP Datagroups not matching against some IPv6 network addresses

Component: Local Traffic Manager

Symptoms:
The iRule class match command always returns 'not found' when trying to match an IP address against an internal datagroup for certain prefix lengths.

Conditions:
Using internal IP datagroup with IPv6 network addresses.

Impact:
iRule functions improperly.

Workaround:
None.

Fix:
Internal IP Datagroups now match IPv6 network addresses as expected.

---

671082 : snmpd constantly restarting

Component: TMOS

Symptoms:
sod is restarting snmpd, which also produces a core.
SNMP clients are unable to walk the ifTable.

Conditions:
snmpd takes too long processing a request for the ifTable because there are a large amount of vlans or vlangroups configured on the BIGIP.

Impact:
SNMP requests will not receive replies while snmpd is restarting.
SNMP clients are not able to walk the ifTable.

Fix:
Significantly reduced the time it takes snmpd to process requests for the ifTable when the number of vlan/vlangroups is high.

---

671052 : AFM NAT security RST the traffic with (FW NAT) dst_trans failed

Component: Advanced Firewall Manager

Symptoms:
In certain cases, destination translation fails with the following message: reset cause '(FW NAT) dst_trans failed'.

Conditions:
This issue may be seen with Source/Destination translation.

Impact:
Destination translation failure. In most of the cases, TMM restart resolves the issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fix addresses a case where one of the fields was not initialized.

---

670918 : Flash AS3 wrappers should have an additional check for the activation object

Component: Access Policy Manager

Symptoms:
Flash AS3 wrappers should have an additional check for the activation object.

Conditions:
Presence of a getlex (or [get/set]property after getpropstrict/getproperty) instruction that gets/sets the value of an variable with the some interesting name like "url" and defined on an activation object.

Example:

...
(function() {
 var url;
 (function(){return url;})();
})();
...

Impact:
Flash application malfunction.

Fix:
APM Portal Access Rewrite has been improved to handle Flash ActionScript 3 in a more robust fashion.

---

670910 : Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined

Component: Access Policy Manager

Symptoms:
Flash AS3 flash.external.ExternalInterface.call() wrapper can fail when loaderInfo object is undefined.

Conditions:
This might occur when using the following definition:

<?xml version="1.0" encoding="utf-8"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009"
<-->xmlns:s="library://ns.adobe.com/flex/spark"
<-->width="100%" height="100%"
<-->minWidth="256" minHeight="64"
<-->creationComplete="initApp()">
<--><s:VGroup width="100%" height="100%" verticalAlign="middle" horizontalAlign="center">
<--><--><s:TextInput id="f_output" text="..." width="100%" />
<--><--><fx:Script><![CDATA[
<--><--><-->import flash.external.ExternalInterface;
<--><--><-->private function initApp():void {
<--><--><--><-->f_output.text = ExternalInterface.call("function(v){window.alert(/a\\dc/.toString());return '\\\\Done: '+v+' URL: '+location.href;}", "\\\\Ok?");
<--><--><-->}
<--><-->]]></fx:Script>
<--></s:VGroup>
</s:Application>

Impact:
Flash application malfunction.

Workaround:
None.

Fix:
APM Portal Access Rewrite now correctly handles flash.external.ExternalInterface.call() when the loaderInfo object is not defined.

---

670893 : Sensitive monitor parameters recorded in monitor logs

Component: Local Traffic Manager

Symptoms:
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string

Conditions:
This may occur under the following conditions:

1. LTM monitor type is one of the following:
ldap
mssql
mysql
nntp
oracle
postgresql
radius
radius-accounting
smb
snmp-dca
snmp-dca-base
wap

On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
ftp
imap
pop3
smtp


2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:

a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.

b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.

Impact:
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.

Workaround:
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.

2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix:
The values of monitor parameters password, secret and community will now be redacted by external monitors when monitor debugging is enabled.

Behavior Change:
The values of monitor parameters password, secret and community will now be redacted by external monitors when monitor debugging is enabled.

External monitors will no longer log all of the parameters of a monitor when the monitor is run and monitor-instance logging or monitor debug logging is enabled. If parameters information is needed for debugging purposes, this should be handled from knowledge of the monitor configuration.

---

670822 : Handle correctly long host name from SOCKS server

Component: Local Traffic Manager

Symptoms:
When SOCKS server sends long domain host name TMM may core dump.

Conditions:
When SOCKS server sends long domain host name.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed issue with SOCKS server and long domain host names.

---

670816 : HTTP/HTTPS/TCP Monitor response code for 'last fail reason' can include extra characters

Solution Article: K44519487

Component: Local Traffic Manager

Symptoms:
An HTTP/HTTPS/TCP monitor response code may contain extraneous trailing characters, such as: 'Response Code: 200 (OKxxx)' where the server response code 'OK' is appended with unrelated characters 'xxx', when the server does not include a carriage-return/line-feed after the response status line.

Conditions:
An HTTP/HTTPS/TCP monitor is configured with a receive string, and the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

Impact:
The monitor status code displays the correct server response code, but with extraneous trailing characters appended. The monitor continues to function and respond to status changes as expected.

Workaround:
Configure HTTP/HTTPS/TCP servers to return a response that includes a carriage-return/line-feed after the response status line and before the receive string.

Fix:
HTTP/HTTPS/TCP monitor response code for 'last fail reason' no longer contains extraneous trailing characters when the server does not include a carriage-return/line-feed in the TCP segments that match the receive string.

---

670709 : ping_access_agent process may silently restart when BIG-IP VE is installed on appliance with over 24 CPU cores

Solution Article: K14321598

Component: Access Policy Manager

Symptoms:
ping_access_agent service constantly restarts on BIG-IP VE when physical appliance has over 24 CPU cores.

Conditions:
- BIG-IP is installed as VE
- Hardware on which VE is installed has 24 or more CPU cores.

Impact:
ping_access_agent may restart continuously.

Workaround:
Modify /etc/bigstart/scripts/ping_access_agent file as follows:

Existing last line:
 exec /usr/sbin/${service} -n ${cpu_count}

Replacement last line, where A is a number of running TMMs:
 exec /usr/sbin/${service} -n A

For example, when the BIG-IP VE is running 8 TMM processes, use the following example:
 exec /usr/sbin/${service} -n 8

Fix:
The BIG-IP system now limits the number of ping_access_agent worker threads to the number of running TMMs. Therefore, the process no longer unexpectedly restarts when running on an appliance with a large number of CPU cores.

---

670583 : EdgeClient does not failover when primary APM server goes down

Component: Access Policy Manager

Symptoms:
EdgeClient does not re-establish VPN when primary APM server does down.

Conditions:
Primary APM server goes down while VPN is connected.

Impact:
No VPN connectivity.

Workaround:
Disconnect and reconnect.

Fix:
F5 Edge Client now initiates a completely new user session rather than a reconnect if the primary IP address of the APM server has changed due to a failover event.

---

670501 : ASM policies are either not (fully) created or not (fully) deleted on the HA peer device

Solution Article: K85074430

Component: Application Security Manager

Symptoms:
Policies are either not (fully) created or not (fully) deleted on the peer device

Conditions:
-- Device Service Clustering configured.
-- High availability (HA) configuration with Sync-Only (no failover) device group (Auto, incremental) with ASM sync enabled.
-- Create/delete active/inactive ASM policies via TMSH/GUI.

Impact:
Policies are either not created/deleted, or not fully created/deleted.

Note: Fully created and fully deleted meaning that the following commands agree with each other:
   # tmsh list asm policy one-line all-properties
   # tmsh list asm policy one-line

Workaround:
Issue a forced full sync from the originating device to the device group.

Fix:
We have fixed the process of create/delete active/inactive ASM policies so that the actions would be correctly synced over to the peer device in a HA pair with Sync-Only (no fail-over) device group (Auto, incremental) with ASM sync enabled

---

670456 : Flash AS3 mx.core::CrossDomainRSLItem() wrapper issue with arguments number

Component: Access Policy Manager

Symptoms:
Flash AS3 mx.core::CrossDomainRSLItem() wrapper fails when being called with a number of arguments different than 7.

Conditions:
Any flash that have a call of mx.core::CrossDomainRSLItem() with a number of arguments different than 7.

Impact:
Flash application malfunction.

Fix:
APM Portal Access ActionScript 3 Flash Patching has been improved to handle mx.core::CrossDomainRSLItem() in a more flexible way.

---

670443 : Missing descriptions for SNMP OID ltmNodeAddrMonitorState and ltmNodeAddrMonitorStatus values

Solution Article: K57299401

Component: TMOS

Symptoms:
The SNMP OIDS ltmNodeAddrMonitorState and ltmNodeAddrMonitorStatus may return integer values in the range of 25-29, for which descriptions are not provided in the MIB (/usr/share/snmp/mibs/F5-BIG-IP-LOCAL-MIB.txt).

Conditions:
This is encountered when doing an snmpwalk of these OIDs.

Impact:
Meanings of integer values in the range of 25-29 are unclear for SNMP OIDS ltmNodeAddrMonitorState and ltmNodeAddrMonitorStatus.

Workaround:
For FQDN Ephemeral nodes, snmpwalk should return integer status with descriptions, such as the following:

F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnChecking(26)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnDown(27)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnUp(28)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnUpNoAddress(29)

F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnChecking(26)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnDown(27)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnUp(28)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnUpNoAddress(29)

Fix:
For FQDN Ephemeral nodes, snmpwalk now returns integer status with descriptions, such as:

F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnChecking(26)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnDown(27)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnUp(28)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorStatus."/Common/www.foo.com" = INTEGER: fqdnUpNoAddress(29)

F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnChecking(26)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnDown(27)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnUp(28)
F5-BIG-IP-LOCAL-MIB::ltmNodeAddrMonitorState."/Common/www.foo.com" = INTEGER: fqdnUpNoAddress(29)

---

670400-2 : SSH Proxy public key authentication can be circumvented in some cases

Component: Advanced Firewall Manager

Symptoms:
SSH Proxy public key authentication might be circumvented in some cases, allowing a user without the appropriate private key in to the back-end end SSH server.

Conditions:
Public key authentication is being used to authenticate users.

Note: This issue affects only public key authentication, so if additional forms of authentication are being used, the additional security that they provide will not be impacted.

Impact:
Unauthorized access.

Workaround:
A suggested workaround is to configure the back-end SSH server to require 2-factor authentication, or 3-factor authentication. This can be done by adding both publickey+password and publickey+keyboard-interactive as Required Authentications in the configuration file for the back-end SSH server.

See the list below of supported client method orders. Also, keep in mind that the back-end server must support all 3 authentication methods (public-key, password, and keyboard-interactive), as an existing constraint of the current SSH proxy functionality.
 
One cosmetic item to note is that, when multi-factor authentication is used, regardless of the result of the validity check of the public-key, the SSH proxy will report a 'failed' authentication to the client. However, the returned 'failed' code is merely cosmetic: the actual result of the validity check is what is used to determine whether or not the authentication succeeded.

-------
Supported client method orders:
 
publickey,keyboard-interactive
publickey,password
publickey,keyboard-interactive,password
publickey,password,keyboard-interactive
 
Any other combination of authentication methods will fail.

Fix:
Implemented stricter error handling in authentication checking.

---

670376 : CVE-2017-1000364

Solution Article: K51931024

---

670367 : On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

Solution Article: K39391280

Component: Access Policy Manager

Symptoms:
On large APM configurations (1000 Policies and a large number of Customization groups) mcpd gets killed before it can complete validation.

The limit of customization group object we can load(on bigip VE) is around 13K.

Conditions:
Large number of policies (thousands) and customization objects (tens of thousands).

Impact:
Unable to load configuration.

Workaround:
Turn off watchdog for mcpd via tmsh using the following command:
tmsh modify sys daemon-ha mcpd heartbeat disabled

Important! Remember to re-enable tmsh watchdog after the config loads successfully. To do so, run the following command:

tmsh modify sys daemon-ha mcpd heartbeat enabled

Fix:
Large APM configurations no longer cause mcpd restart, so configurations load as expected.

---

670258 : Multicast pings not forwarded by TMM

Component: Local Traffic Manager

Symptoms:
When multicast routing is configured, ICMP or ICMP6 pings are not forwarded by TMM even though UDP and other protocol traffic to the same group addresses works.

Conditions:
Multicast routing configured, VIP configured to forward ICMP traffic.

Impact:
Multicast group addresses cannot be reached with ICMP or ICMP6 echo requests.

Workaround:
n/a

Fix:
TMM no longer drops ping requests to multicast group addresses that should be forwarded.

---

670245 : IP forwarding virtual server drops packets with TTL of 1 in TTL preserve mode

Component: Local Traffic Manager

Symptoms:
FastL4/IP forwarding virtual server configured to preserve TTL on forwarding, drops ingress packets with a TTL of 1.

Conditions:
- FastL4 IP forwarding virtual server with a ip-ttl-mode configured to 'preserve'.
- Packets with TTL of 1.

Impact:
Packets are dropped.

Workaround:
Change TTL mode on the FastL4 profile.

Fix:
The BIG-IP system no longer drops packers with TTL of 1 when configured with TTL mode of 'preserve'.

---

670238-1 : TMM may crash due to wrong flow assigned to fragmented IPv4 packet

Solution Article: K26297385

Component: Local Traffic Manager

Symptoms:
TMM may crash due to wrong flow assigned to fragmented IPv4 packet.

Conditions:
This occurs when either of the following conditions occur:
-- The connection is re-accepted.
-- The FLOW_INIT iRule event is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes, and the correct flow is assigned.

---

670096 : TMM may crash when a DHCP virtual server is used with an iRule involving SERVER_DATA event and TCL 'after' command.

Component: Policy Enforcement Manager

Symptoms:
When the BIG-IP system is configured with a DHCP virtual server with an iRule, the TMM may crash when a DHCP server sends back multiple identical offers for a single request to the BIG-IP system within a certain period of time.

Conditions:
When the following conditions are met:

- The BIG-IP system is configured with a virtual server with a DHCP profile and an iRule involving SERVER_DATA event and Tcl 'after' command.

- A DHCP server sends back multiple identical offers for a single request to the BIG-IP system within a certain period of time.

Impact:
The TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The TMM no longer crashes.

---

670011 : SSL forward proxy does not create the server certchain when ignoring server certificates

Component: Local Traffic Manager

Symptoms:
Forward proxy not working correctly when the server certificates are ignored. SSL forward proxy does not create the server certchain when ignoring server certificates, this prevents the client side from trusting the server cert and the SSL handshake hangs and fails after timeout.

Conditions:
-- SSL forward proxy or SSL intercept is configured.
-- Ignore server certificate configured in the server SSL profile.

Impact:
Client cannot establish SSL connection with server due to SSL handshake always timing out.

Workaround:
None.

Fix:
The system now generates the server certchain (even when the server SSL profile ignores server certificates) and passes it to the client SSL, so that the client SSL can forge the cert and finish the SSL handshake.

---

669978 : SIP monitor - Via header's branch parameter collision.

Component: Service Provider

Symptoms:
When there is a failover in a high availability (HA) setup with SIP monitors, the SIP backend servers start flapping on both units. The reason this occurs is that after the failover, the two BIG-IP systems send SIP monitoring messages to the pool members with the same branch parameter on their Via headers. The backend server internal logic gets confused by the request coming from LB2 because it uses the same branch parameters of the request coming from LB1.

Conditions:
SIP branch hash string length is small enough that when sufficient SIP monitor messages were inundated, possible branch collision.

Impact:
This causes the backend server erroneously to send a response message to LB1 instead of LB2.

Workaround:
None.

Fix:
Branch collisions no longer occur in this configuration.

---

669974 : Encoding binary data using ASN1::encode may truncate result

Solution Article: K90395411

Component: Local Traffic Manager

Symptoms:
When using ASN1::encode to encode one or more values, and where the encoding of any of these values results in a representation containing a NUL ('\x0') byte, the overall result that is presented to the iRule does not include the entire set of encoded values and is truncated at the first NUL byte.

Conditions:
-- Using ASN1::encode with binary values (e.g., INTEGER).
-- Encoded results contain a NUL ('\x0') byte.

Impact:
Encoding results in the wrong/truncated value.

Workaround:
It is possible to encode the problematic values using an alternative method.

Fix:
ASN1::encode now correctly encodes binary values.

---

669888 : No distinction between IPv4 addresses and IPv6 subnet ::ffff:0:0/96

Component: TMOS

Symptoms:
The BIG-IP does not differentiate between IPv4 addresses (such as 1.2.3.4) and IPv6 addresses in the prefix ::ffff:0:0/96 (such as ::ffff:102:304, also written ::ffff:1.2.3.4). If you enter such an IPv6 address, the equivalent IPv4 address will be rendered and used.

Conditions:
Any attempt to use an IPv6 address in that subnet.

Impact:
The BIG-IP system will operate as if you entered the IPv4 address.

Workaround:
No workaround at this time.

Fix:
The differing addresses now are handled correctly. For most modules, this does not change the functionality at all. AFM is one exception; IPv6 traffic in the ::ffff:0:0/96 subnet will be treated differently than IPv4 traffic.

---

669851 : JSON encryption cannot be configured for URI's with custom ports

Component: Fraud Protection Services

Symptoms:
JSON encryption does not encrypt Asynchronous JavaScript and XML (AJAX) request data that is being sent to a URI with a port number in it.

Conditions:
An API end-point that includes a port number.

Impact:
Request data not encrypted.

Workaround:
None.

Fix:
WebSafe URL normalization now properly accounts for port numbers.

---

669739 : Potential core when using MRF SIP with SCTP

Component: Service Provider

Symptoms:
The system may core when using SCTP with MRF SIP if the outgoing connection receives more messages than it can process.

Conditions:
-- SCTP with MRF SIP configured.
-- Outgoing connection receives more messages than it can process.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
With SCTP with MRF SIP, the system better handles conditions when the outgoing connection receives more messages than it can process, so the system does not core and restart.

---

669459 : Efect of bad connection handle between APMD and memcachd

Component: Access Policy Manager

Symptoms:
When a connection handle (fd) between apmd and memcachd gets bad (someone else is using or already closed by memcachd), all worker threads gets locked out. A cleaner thread then restart APMD with an assert.

Conditions:
This is difficult to reproduce. It happens if one or more connection handle between apmd worker thread and memcachd gets misused.

Impact:
APMD gets locked down , eventually restart with a core.

Workaround:
None.

Fix:
Communication between APMD and TMM has been improved to be more tolerant of error conditions.

---

669364 : TMM core when server responds fast with server responses such as 404.

Component: Fraud Protection Services

Symptoms:
TMM core when server responds fast with server responses such as 404.

Conditions:
-- FPS gets a request with a WebSafe URL (usually global URL - declared by signatures update).
-- Server response is fast (based on URL/headers).
-- FPS need to take some action on response.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
FPS now handles these conditions without a tmm crash.

---

669306 : The HTTP_DISABLE iRule event may cause a TMM crash

Component: Local Traffic Manager

Symptoms:
The HTTP_DISABLE iRule event is invoked when the HTTP filter is enabled or disabled. If this occurs before the first HTTP request is released, then the TMM may crash.

Conditions:
-- The HTTP_DISABLE iRule event is used.
-- HTTP is disabled before the first request reaches the HTTP filter. (This might occur if TCP::collect is used, or if HTTP::disable is invoked in CLIENT_ACCEPTED.)

Impact:
A TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP_DISABLE event now works in the described case without causing a TMM crash.

---

669262 : [GUI][ZoneRunner] reverse zones should be treated case insensitive when creating resource record

Solution Article: K91122850

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA, resulting that zone is not treated as reverse zone.

PTR is not available from the 'Type' dropbox menu when creating new resource record for that zone:
DNS :: Zones : ZoneRunner : Resource Record List :: New Resource Record.

Conditions:
Creating a reverse zone in ZoneRunner ending not exactly as .arpa but with other case variations like .ARPA.

Impact:
Cannot create PTR resource record for the created reverse zones.

Workaround:
Create reverse zones exactly ending with .arpa.

---

669255-4 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.

Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.

---

669241 : Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Component: TMOS

Symptoms:
Stateless virtual servers can be used only for UDP traffic.

Conditions:
Attempt to create a stateless virtual server with ip-protocol set to 'gre'.

Impact:
Operation does not succeed. Cannot create stateless virtual servers with ip-protocol set to 'gre'.

Workaround:
None.

Fix:
Can now create stateless virtual servers with ip-protocol set to 'gre'.

Behavior Change:
Previously, stateless virtual servers could only be used for UDP traffic.

With this enhancement, you can configure stateless virtual servers with IP protocol set to 'gre'.

---

669154 : Creating new invalid SAML IdP configuration object may cause tmm restart in rare cases.

Component: Access Policy Manager

Symptoms:
Adding new SAML IdP configuration object containing empty attribute values via tmsh may cause tmm to restart.

Conditions:
New SSO SAML configuration contains one or more attribute values containing a session variable, following by another empty value "", for example:

multi-values { "%{session.ad.last.attr.name}" "" }

Note: This is not a valid configuration: empty values must not be provided in the list of SAML attributes.

Impact:
TMM may restart when new configuration is added. Traffic disrupted while tmm restarts.

Workaround:
Remove empty attribute values from configuration.

Fix:
SAML object validation has been improved so that empty SAML SSO object attribute values will no longer be accepted.

---

669153 : On demand cert authentication does not work with Linux CLI client

Component: Access Policy Manager

Symptoms:
If access policy is configured with on demand certificate authentication, Linux CLI client continually creates new sessions on APM until sessions are exhausted.

Conditions:
All conditions should be true
1) Linux CLI client is used
2) On demand certificate authentication is configured

Impact:
Client fails to establish connection. On APM, multiple sessions are created.

Workaround:
Use F5 helper apps client to launch VPN

Fix:
Fixed an issue with on demand cert authentication not working with Linux CLI client

---

669025 : Exclude the trusted anchor certificate in hash algorithm selection when Forward Proxy forges a certificate

Solution Article: K11425420

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain except the self-signed certificate.

Some of the intermediate CA certificates in the cert chain use the SHA1 hash algorithm. This kind of intermediate CAs usually is are the BIG-IP system's ca-bundle. BIG-IP receives the cert chain including the intermediate CA and forges the cert with SHA1, which is rejected by some web clients.

Conditions:
-- The BIG-IP system is configured to use SSL Forward Proxy or SSL Intercept.
-- Some intermediate CA in the web server's cert chain is using a weak algorithm like SHA1 to sign certificates.
-- The web client rejects the weak-algorithm-signed certificate.

Impact:
Clients cannot access the web server due to SSL handshake failure.

Workaround:
None.

Fix:
This fix excludes trusted CA certificates in hash algorithm selection. This may prevent forged certificate from using SHA1 hash algorithm.

---

669021 : Application Tunnel fails to start with the following message: Failed, Couldn't open proxy server.

Component: Access Policy Manager

Symptoms:
Application Tunnel fails to start, with the following message: Failed, Couldn't open proxy server.

Also, logterminal.txt might contain multiple entries similar to the following:

2017-05-28,10:44:11:080, 2724,2500,HOST, 48, , 1801, CHostCtrl::OnTimer(), TUNNEL_SERVER_READY_CHECK - TunnelServer is ready
2017-05-28,10:44:11:095, 2724,2500,HOST, 48, , 1801, CHostCtrl::OnTimer(), TUNNEL_SERVER_READY_CHECK - TunnelServer is ready
2017-05-28,10:44:11:111, 2724,2500,HOST, 48, , 1801, CHostCtrl::OnTimer(), TUNNEL_SERVER_READY_CHECK - TunnelServer is ready

Conditions:
Conditions are undefined. If a thread running in F5 components gets blocked by something such as Anti-Virus, WM_TIMER events might cause the Microsoft Windows message queue to overfill, resulting in unexpected behavior.

Note: This is an intermittent issue. Such instances of congestion happen when a thread, typically the main thread, is blocked by some long-standing (blocking) operation and does not happen in general use.

Impact:
Application Tunnel does not start.

Workaround:
None.

Fix:
Application Tunnel client code has been improved to implement a queue overfill protection to prevent possible problems when starting the app tunnel.

---

668964 : 'bgp neighbor <peer -IP> update-source <IP>' command may apply change to all peers in peer-group

Solution Article: K81873940

Component: TMOS

Symptoms:
When running the 'bgp neighbor <peer IP> update-source <IP>' command to a single peer, the changes may be applied to all peers in peer-group, if the peer IP belongs to a peer group.

Conditions:
- Using BGP with peer-groups.
- Run 'bgp neighbor <peer IP> update-source <IP>', where <peer IP> is an IP of a peer in a peer-group.

Impact:
Changes may apply to all peers in the group.

Workaround:
Depending on the network setup, it may be possible to workaround the issue using the interface version of the command:
bgp neighbor <peer IP> update-source <vlan name>.

Fix:
The command 'bgp neighbor <peer -IP> update-source <IP>' no longer applies the change to all peers in peer-group

---

668802 : GTM link graphs fail to display in the GUI

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.
-- Trying to view the GTM link graphs in the GUI.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
The GTM graphs are available as expected.

---

668623 : macOS Edge client fails to detect correct system language for regions other than USA

Solution Article: K85991425

Component: Access Policy Manager

Symptoms:
macOS Edge client fails to detect correct system language for regions other than USA.

Conditions:
-- macOS Sierra.
-- Non-English language (e.g., Korean with different regions).

Impact:
Incorrect customization of Edge client for certain items, such as: logo, banner color, banner text color, and tray icon type.

Workaround:
Run one of the following command on the Terminal and re-launch Edge client:

For English:
$ defaults write -globalDomain AppleLanguages -array "en" "en-US"

For German:
$ defaults write -globalDomain AppleLanguages -array "de" "de-US"

For Korean:
$ defaults write -globalDomain AppleLanguages -array "ko" "ko-US"

For Japanese:
$ defaults write -globalDomain AppleLanguages -array "ja" "ja-US"

For French:
$ defaults write -globalDomain AppleLanguages -array "fr" "fr-US"

For Spanish:
$ defaults write -globalDomain AppleLanguages -array "es" "es-US"

For Chinese traditional:
$ defaults write -globalDomain AppleLanguages -array "zh-Hant" "zh-Hant-TW" "zh-Hant-US"

For Chinese simplified:
$ defaults write -globalDomain AppleLanguages -array "zh-Hans" "zh-Hans-US"

Fix:
Customization of the following items for Edge client now correctly reflect the region's language selection.

-- Edge client logo.
-- Banner color.
-- Banner text color.
-- Tray icon.

---

668532 : Cached stale Kerberos tickets can cause auth failures.

Component: Access Policy Manager

Symptoms:
After an upgrade, an attempt is made to update/renew an expired Kerberos ticket, and if that does not occur; it will result in stale/old Kerberos ticket causing APM end users to experience failures in authentication.

Conditions:
Kerberos tickets cannot be cleared and renewed.

Impact:
APM end users experience authentication failures and loss of connectivity.

Workaround:
Restart Kerberos Cache.

Fix:
A button is provided to be able to clear Kerberos cache from GUI. Similarly there is an option provided to clear cache using TMSH, using the following command:

 tmsh modify active-directory ad-auth-server cleanup-cache kerberos

---

668522 : bigd might try to read from a file descriptor that is not ready for read

Component: Local Traffic Manager

Symptoms:
The bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.).

Impact:
The bigd process might consume excessive CPU resources for for various amounts of time.

Single monitor probes might fail. Depending upon the timing of these failures, it might be possible to see monitor flapping when multiple probes for a specific monitored object happen to fail.

Workaround:
None.

Fix:
An issue was resolved where the bigd process might consume excessive CPU resources or monitor probes might be erroneously marked as failed.

---

668521 : Bigd might stall while waiting for an external monitor process to exit

Component: Local Traffic Manager

Symptoms:
The bigd process restarts due to a hearbeat failure. /var/log/ltm will contain a message similar to:
warning sod[5444]: 01140029:4: HA daemon_heartbeat bigd fails action is restart.

Conditions:
External monitors are in use. External monitors include user-defined external monitors as well as built-in external monitors (for example, SNMP, LDAP, etc.)

High system load makes this more likely to occur.

Impact:
bigd will restart due to a heartbeat failure and monitoring will be interrupted.

Workaround:
Mitigations:
-- If possible, reduce the system load on the BIG-IP system.
-- If possible, use a built-in monitor type.

Fix:
bigd no longer stalls while waiting for an external monitor process to exit.

---

668501 : HTTP2 does not handle some URIs correctly

Solution Article: K07369970

---

668434 : Trap destination network option of 'default' is not valid

Component: TMOS

Symptoms:
The GUI and TMSH include an option for trap destination network that is not valid. The option 'default' can be entered in TMSH and selected in the GUI.

In TMUI (the GUI), the system posts an error 'Required' when trying to save.

In TMSH, the system posts the following error:
01070911:3: The requested enumerated (default) is invalid (, mgmt, other) for network. This is correct functionality.

Conditions:
Select 'default' from the dropdown menu in System :: SNMP :: Traps : Destination in the GUI. Or specify 'default' in the tmsh command: modify sys snmp traps modify.

Impact:
Selecting/specifying the 'default' option results in an error. The system rejects the selection in the GUI, so 'default' cannot be selected.

Workaround:
None.

Fix:
The option 'default' was incorrectly included in TMUI, and has now been removed. Although you can still specify it in TMSH, the error message indicates that it is invalid, which is correct.

---

668419 : ClientHello sent in multiple packets results in TCP connection close

Solution Article: K53322151

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system receives ClientHello messages in multiple fragments, and the first fragment length is smaller than 8 bytes, SSL might process it as a non-SSL packet.

Conditions:
-- The system receives ClientHello messages in multiple fragments.
-- The first fragment length is smaller than 8 bytes.

Impact:
SSL might process the first fragment as a non-SSL packet, and discard it, and then tear down the TCP connection.

Workaround:
None.

Fix:
Now, if the system receives the ClientHello message in multiple fragments, and the first fragment is smaller than 8 bytes, the system waits for the whole SSL packet to arrive before processing it.

---

668352-1 : High Speed Logging unbalance in log distribution for multiple pool destination.

Component: TMOS

Symptoms:
Remote High Speed Logging may send logs in an imbalance when configured to use multiple logging pools.
The imbalance may occur if the logging destination remained idle for a while (no logs sent) after initial configuration.

Conditions:
-- Remote High Speed Logging destination configured with multiple pools.
-- The logging destination idle after initial configuration for more than 5 seconds.

Impact:
-- Log distribution imbalance.

Workaround:
There is no workaround at this time.

Fix:
Logs distributed equally on destination pools.

---

668252 : TMM crash in PEM_DIAMETER component

Solution Article: K22784428

Component: Policy Enforcement Manager

Symptoms:
TMM crashes when the route to PCRF is lost.

Conditions:
-- PEM establishes connection with the diameter endpoint (Gx / Gy).
-- The route to the diameter endpoint is lost (interface down / route deleted).

Impact:
TMM diameter module tries to communicate, does not handle the error, and crashes. Module reboot. Traffic disrupted while tmm restarts.

Workaround:
Mitigation: Ensure that the network interface configuration routing diameter packet is not manually brought down.

No workaround for externally triggered failures.

Fix:
The system now handles connections established with the diameter endpoint when the route to PCRF is lost.

---

668196 : Connection limit continues to be enforced with least-connections and pool member flap, member remains down

Component: Local Traffic Manager

Symptoms:
In rare circumstances while using least-connections load balancing with a connection limit applied, if a pool member is at the connection limit and the node is stopped and restarted, the node will remain marked down.

Conditions:
This occurs under the following circumstances:
- Least Connections (node or member).
- Connection limit is set.
- Then a pool member hits the connection limit.
- The pool member is then marked down then up (e.g., manually).

Impact:
Pool member remains marked down.

Workaround:
This condition is very rare but if it occurs you can try removing the pool member or node and re-adding it.

Fix:
Connection limit is now correctly enforced with least-connections and pool member flap, so the member no longer incorrectly remains down.

---

668048 : TMM memory leak when manually enabling/disabling pool member used as HSL destination

Component: TMOS

Symptoms:
High Speed Logging fails to free an allocated cache memory resulting in memory leak. A small linear increase in mds_btree_nodes memory utilization may occur.

Conditions:
- Remote High Speed Logging configured.
- Server-side connections dropped or closed. OR
- High Speed Logging pool members removed.

Impact:
Increase in mds_btree_nodes memory utilization.

Workaround:
There is no workaround at this time.

Fix:
High Speed Logging frees allocated memory correctly.

---

668006 : Suspended 'after' command leads to assertion if there are multiple pending events

Component: Local Traffic Manager

Symptoms:
TMM crashes when an iRule has multi-parking commands including command after.

Conditions:
-- iRule has multi-parking commands.
-- Command after is used multiple times in the iRule.

Note: The exact condition of crashing tmm is not definitive, but when the above situation is met, it could trigger this crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Depending on the iRule, (e.g., script that uses command after very heavily, very often), the usages can be combined:

after 100
after 200 { some script }

can be combined to after 300 { the script }

Fix:
Suspended 'after' command no longer leads to assertion if there are multiple pending events

---

667872 : Websafe's 'Apply cookies to base domain' feature doesn't work for non standard ports

Component: Fraud Protection Services

Symptoms:
'Apply cookies to base domain' feature doesn't work for non standard ports.

Conditions:
'Apply cookies to base domain' is enabled and
connection is over non-standard ports (not 80, 443, etc.).

Impact:
Cookies won't be applied to base domain, thus WebSafe functionality will be broken and missing cookie alerts will be sent.

Workaround:
Use only standard ports.

Fix:
FPS now correctly parses base-domain, including port (if exists).

---

667763 : APM Network Tunnel not connecting when Virtual Server has Application DoS profile

Component: Access Policy Manager

Symptoms:
APM Network Tunnel is not connecting when Virtual Server has Application DoS profile assigned to it.

Conditions:
This happens when the Virtual Server has both 'Network Access' and a DoS profile with 'Application' enabled.

Impact:
APM end users cannot connect to the Network Tunnel.

Workaround:
None.

Fix:
APM Network Tunnel can now be used on the same Virtual Server that has an Application DoS profile.

---

667662 : Autolasthop does not work for PPTP-GRE traffic.

Solution Article: K06579313

Component: Carrier-Grade NAT

Symptoms:
Autolasthop does not work for PPTP-GRE traffic.

Conditions:
Autolasthop configured for client ingress VLAN, serving PPTP-ALG traffic.

Impact:
PPTP-ALG traffic through the BIG-IP system.

Workaround:
Create static routes to return PPTP-GRE traffic back to the client network.

Fix:
Autolasthop setting works correctly for PPTP-GRE traffic.

---

667661-1 : Adding HA devices to Access Group in BIG-IQ fails with error : 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'

Solution Article: K69015104

Component: Device Management

Symptoms:
Adding a secondary HA device to Access Group fails with error 'Failed to download file (null). java.lang.IllegalArgumentException: REMOTE_SOURCE_FILE requires remoteFilePath'.

Conditions:
Fails when adding a HA device to Access Group.

Impact:
Device cannot be added to Access Group.

Workaround:
None.

Fix:
The system now gets the correct filepath from secondary HA devices so that BIG-IQ can download and manage the files.

---

667648 : TMM can crash when it exits while still processing traffic

Component: Local Traffic Manager

Symptoms:
Unexpected TMM crash during shutdown.

Conditions:
This is a randomly occurring, potentially timing-related issue that might be related to other operations also occurring during shutdown.

Impact:
Service outage due to TMM crash.

Workaround:
None.

Fix:
TMM crash no longer occurs under these conditions.

---

667627 : sudo security update

Component: TMOS

Symptoms:
A flaw was found in the way sudo parsed tty information from the process status file in the proc filesystem.
(CVE-2017-1000367)

Conditions:
A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root.

Impact:
None. The sudo configuration on BIG-IP systems does not expose this vulnerability.

Fix:
Sudo updated to resolve vulnerability

---

667600 : Default 'enabled' value for 'request-based-authentication' of Kerberos Auth agent leads to various issues.

Solution Article: K34203924

Component: Access Policy Manager

Symptoms:
The default value for 'request-based-authentication' property of Kerberos Auth agent is 'enabled'. This can lead to various issues, so most configurations require 'request-based-authentication' to be disabled.

Conditions:
Create a new Kerberos Auth agent in an Access Policy

Impact:
The 'request-based-authentication' property is 'enabled' by default, which can lead to various issues.

Workaround:
You can use either of these mitigations:
-- Disable 'request-based-authentication' manually during creation of a Kerberos Auth agent.
-- Modify the agent after it is created.

Fix:
The default value for 'request-based-authentication' property of Kerberos Auth agent is now 'disabled'. Previously, the default was 'enabled'.

Behavior Change:
The default value for 'request-based-authentication' property of Kerberos Auth agent is now 'disabled'. Previously, the default was 'enabled'. During upgrade, if you have any Kerberos Auth agents with RBA enabled, the value remains the same. However, when you create a new Kerberos Auth agent, 'request-based-authentication' is set to 'disabled' by default, and you must manually set it to 'enabled', if needed.

---

667594 : Rewrite plugin could crash on rewriting of some URLs in POST data

Component: Access Policy Manager

Symptoms:
Rewrite might crash on rewriting POST data with specific characters in the URL.

Conditions:
Rewrite of POST data with specific characters in the URL.

Impact:
Temporary outage of Portal Access services.

Workaround:
None.

Fix:
Fixed an issue which could cause crash of rewrite plugin when patching links in POST request body.

---

667577 : Access profile 'Restrict to Single Client IP' setting not enforced with DTLS tunnel

Component: Access Policy Manager

Symptoms:
After APM end users establish a session from one client IP address, if they roam and get a different client IP address, the DTLS tunnel will still be able to establish, because the system does not enforce 'Restrict to Single Client IP'.

Conditions:
The client IP used to establish the session is different from the client IP used to establish DTLS tunnel and the 'Restrict to Single Client IP' setting is enabled.

Impact:
The DTLS tunnel will be established, which allows the client to access internal network resources from forbidden subnet.

Workaround:
Disable usage of DTLS tunnel.

Fix:
The 'Restrict to Single Client IP' setting is enforced correctly for DTLS tunnel.

---

667405 : Fragemented IPsec encrypted packets with fragmented original payloads may cause memory leak in the TMM.

Component: TMOS

Symptoms:
When the BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets, memory leaks may occur in the TMM.

Conditions:
The BIG-IP system receives fragmented IPsec encrypted packets that contain fragmented IP packets.

Impact:
Memory leak in the TMM.

Workaround:
None.

Fix:
No memory leak in the TMM.

---

667404 : Fragmented IP over IPsec tunnels might capture mcp flows and provoke restarts

Solution Article: K77576404

Component: TMOS

Symptoms:
If fragmented IP packets match an IPsec policy, then get forwarded to another tmm for actual processing, the flow lookup might accidentally grab a stale flow_key for another connflow, including internal MCP flows. When that happens, if IPsec does tunnel those flows, internal MCP heartbeats later miss and cause tmm restarts.

Conditions:
-- Packet fragmentation.
-- Packets are serviced by IPsec due to a matching policy for those packets.

Impact:
Tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
You can prevent this using either of the following methods:
-- If you can, arrange that fragmented packets are re-assembled before reaching IPsec policy handling.
-- Modify MTU configuration so fragmentation does not happen.

Note: There is no mitigation when fragmented packets reach IPsec and need forwarding from one tmm to another.

Fix:
Now fragmented packets are handled correctly, and other flows cannot experience interference.

---

667382 : Unable to highlight and copy session ID from Active Sessions

Component: Access Policy Manager

Symptoms:
The session ID field in Active Session page cannot be selected or copied

Conditions:
This occurs on the Access Policy :: Manage Sessions :: Active Session page.

Impact:
Cannot select or copy session ID.

Workaround:
None.

Fix:
The BIG-IP GUI now allows select/copy clipboard operations on the APM session ID screen.

---

667318 : BIG-IP DNS/GTM link graphs fail to display in the GUI.

Component: Local Traffic Manager

Symptoms:
When a BIG-IP administrator tries to view the GTM link graphs in the GUI, the system reports 'General database error retrieving information'.

statsd reports an error in /var/log/ltm

err statsd[6318]: 011b030d:3: Graph '/Common/Link_AS394043' not found

Conditions:
-- BIG-IP DNS/GTM is licensed and provisioned.
-- BIG-IP DNS/GTM links are configured.

Impact:
Unable to view BIG-IP DNS/GTM link graphs.

Workaround:
None.

Fix:
BIG-IP DNS/GTM link graphs are now available in the GUI.

---

667304 : Logon page shows 'Save Password' checkbox even if 'Allow Password Caching' is not enabled

Component: Access Policy Manager

Symptoms:
'Save Password' checkbox is shown even if the feature is not enabled.

Conditions:
-- APM end user tries to authenticate to APM/BIG-IP Server.
-- 'Save Password' is not enabled.

Impact:
APM end user receives the login page with 'Save Password' checkbox. Checking the box has no effect unless 'Save Password' is enabled.

Workaround:
None.

Fix:
'Save Password' checkbox is not shown unless the feature is enabled.

---

667302 : Cannot create CE policies when only APM is provisioned.

Component: TMOS

Symptoms:
Cannot create CE policies when only APM is provisioned because the Type select is not displayed.

Conditions:
-- Provision and license APM only (no PEM or AFM).
-- Go to Local Traffic :: Policies : Policy List.
-- Create a policy and try to change type to CE Profile.

Impact:
Cannot create CE policies.

Workaround:
Use tmsh to create CE policies when only APM is provisioned.

Fix:
Users can now create CE policies when only APM is provisioned.

---

667295 : 'RTSP::header exists' iRule command always returns True

Solution Article: K51601122

Component: Carrier-Grade NAT

Symptoms:
Using the 'RTSP::header exists' command in an iRule returns true even if the header is not present.

Conditions:
Using the 'RTSP::header exists' command in an iRule, e.g., [RTSP::header exists "Transmitting"].

Impact:
Returns 1 (TRUE) even if the header is not present. Should return 2 (ERR_NOT_FOUND) on failure.

Workaround:
None.

Fix:
The 'RTSP::header exists' command works correctly in an iRule now.

---

667278-5 : DSC connections between BIG-IP units may fail to establish

Component: TMOS

Symptoms:
The device service clustering (DSC) connection between two BIG-IP units may fail to establish. One unit will log messages similar to the following example:

-- err mcpd[7912]: 01071af4:3: Inbound CMI connection from IP (192.168.100.1) denied because it came from VLAN (v1542), not from expected VLAN (tmm).

While the unit at the other end of the connection will log messages similar to the following example:

-- notice mcpd[5730]: 01071432:5: CMI peer connection established to 192.168.200.1 port 6699 after 0 retries
May 31 20:58:04 BIG-IP-c-sea notice mcpd[5730]: 0107143c:5: Connection to CMI peer 192.168.200.1 has been removed

Conditions:
This issue occurs when the Self-IP addresses used for Config-Sync by the two BIG-IP units are not in the same IP subnet, and special routing is configured between the BIG-IP units. Examples of special routing include a gateway pool or dynamic routing configurations with multiple routes to the same destination (i.e., ECMP routing).

Impact:
Config-Sync and device discovery operations will fail between affected units.

Workaround:
You can work around this issue by using Self-IP addresses for Config-Sync that are on the same IP subnet or rely on simpler routing to achieve connectivity (i.e., a single route).

Fix:
Config-Sync and device discovery operations no longer fail.

---

667259 : Memory Leak in RAM Cache

Solution Article: K15364500

Component: Local Traffic Manager

Symptoms:
A slow increase in the magnitude of the value in the tm_header bucket of the memory_usage_stat table.

Conditions:
This occurs during a refresh of a cached document.

Impact:
A memory leak whose speed is relative to the life time of the documents in the cache, and the number of documents that can be refreshed.

Workaround:
If the document cannot be refreshed, the memory leak won't occur.

A server configuration change or a response iRule that removes the Last-Modified, Expires, and Cache-Control headers will allow the BIG-IP system to cache documents and serve them from cache, but will not attempt to refresh them and thus avoid this leak.

This workaround results in retrieving the whole document from the server when it has expired.

Fix:
Memory Leak in RAM Cache has been fixed.

---

667114 : TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Solution Article: K32622880

Component: TMOS

Symptoms:
TCP flows going through the IP forwarding and L2 forwarding virtual server might get very low bandwidth.

Conditions:
-- BWC policy applied.
-- TCP traffic passes through the IP forwarding or L2 forwarding virtual server.

Impact:
Lower throughput than expected.

Workaround:
When using BWC, use a proxy virtual server instead of IP forwarding or L2 forwarding virtual servers.

Fix:
TCP flows going through the IP forwarding and L2 forwarding virtual server no longer affect bandwidth.

---

667082-4 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.

Solution Article: K21090061

Component: TMOS

Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.

Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.

Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.

Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.

Fix:
The BIG-IP system now correctly loads the ZebOS 'ip ospf <IP> message-digest-key' interface-level command.

---

667076 : WebSocket URLs over SSL don't match when differentiate HTTP/HTTPS is disabled

Solution Article: K92494571

Component: Application Security Manager

Symptoms:
A WebSocket URL is not detected as such in the switch-protocol request.

Conditions:
-- ASM policy with 'Differentiate between HTTP/WS and HTTPS/WSS URLs' disabled.
-- Explicit WebSocket URLs, '/wss' configured.
-- The ASM policy is attached to both a non-SSL virtual server and an SSL virtual server.
-- Requests arrives, one from the SSL connection and one from the non-SSL connection.

Impact:
Over the SSL connection the request URL is not detected as '/wss' but as the wildcard URL.

Over the non-SSL connection the request will be detected as '/wss' the WebSocket URL.

Workaround:
Enable 'Differentiate between HTTP/WS and HTTPS/WSS URLs'.

Fix:
A WebSocket URL is now detected as such in the switch-protocol request.

---

667034-2 : Keylogger protection is incompatible with the jQuery plugin "capslockstate".

Component: Fraud Protection Services

Symptoms:
Keylogger protection generates random keypress events on the web page. If the jQuery plugin is in "Caps Lock" state and keylogger generates "a" (for example) then the jQuery plugin change its state back to "Caps Lock" off.

Conditions:
n/a

Impact:
Keylogger protection changes the state of the jQuery plugin ("Caps Lock" off ,"Caps Lock" on, unknown).

Workaround:
n/a

Fix:
The FPS code was aligned to the jQuery plugin so that the
jQuery plugin and keylogger protection are now in sync.

---

667028 : DNS Express does not run on i11000 platforms with htsplit disabled.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm processes enter a restart loop when trying to run DNS Express (DNSX) on i11000 platforms with htsplit disabled.

Conditions:
-- i11000 platform.
-- htsplit disabled (sys db scheduler.splitplanes.ltm set to false).
-- Trying to run DNSX.

Impact:
tmm processes enter a restart loop. In this condition, DNSX does not run, though other DNS functions are unaffected.

Workaround:
Enable htsplit using the following command:

modify sys db scheduler.splitplanes.ltm value true

Fix:
tmm no longer cores under these conditions. However, you cannot use DNSX with htsplit disabled; htsplit must be enabled.

Note: DNSX works as expected with htsplit enabled, both before and after the fix.

---

667013 : Wildcard URLs with identical wildcard order will have only one of them being enforced

Solution Article: K13220614

Component: Application Security Manager

Symptoms:
Enforcement is done on only one of the wildcards with an duplicate wildcard order.

Conditions:
There are several wildcard URLs simultaneously using REST, without specifying wildcardOrder.

Impact:
Not all wildcards will be enforced.

Workaround:
Update each wildcard with a specific wildcard order.

Fix:
Enforcement is now done on all wildcards, according to new enforcement wildcard order set when applying the policy.

---

666986 : Filter by Support ID is not working in Request Log

Solution Article: K50320144

Component: Application Security Manager

Symptoms:
In some cases the Support ID of a request might be shorter than 19 digits. In this case filter by Support ID does not work in Request Logs.

Conditions:
-- Support ID is shorter than 19 digits.
-- Trying to filter by Support ID.

Impact:
Filter by Support ID is not displayed in filter bar and does not affect the list.

Workaround:
You can try to filter by last 4 digits of Support ID. Although that does not replace filter by Support ID functionality, it might help.

Fix:
Filter by Support ID works for any length but 4 digits (in this case search uses the last 4 digits; also a 4-digit Support ID is not a realistic occurrence).

---

666947 : L2 Wire global syn cookie in HW floods SYN ACK packets to both the VLANs joined in a L2 VLAN group.

Component: Local Traffic Manager

Symptoms:
Ports that are in L2 mode have learning disabled. So although HSB should tell the switch about the ingress port from which the packet came, it cannot do so in this release. That means that the SYN ACK packet will be flooded to both the VLANs. But only the client that sends that actual SYN will accept the SYN ACK, as the other interface contains the incorrect MAC addresses and will be dropped by the host connected to the second side of port.

Conditions:
Whenever AFM global syn cookie is triggered in hardware.

Impact:
Global syn-cookie does not work without a virtual server even if another global DoS vectors work without a virtual server. The system will send a spurious SYN ACK.

There may or may not be any impact, as the spurious SYN ACK packet's MAC address will not be matched and should be dropped by the host. However, there is a possibility that it might lead to flooding of SYN ACK packets when a SYN attack is ongoing.

Workaround:
None.

---

666889 : Deleting virtual server may cause tmm to segfault

Component: Local Traffic Manager

Symptoms:
Deleting virtual server may cause tmm to segfault.

Conditions:
-- Virtual server is rate-limited.
-- In-progress connections exist.
-- Virtual server is deleted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Deleting virtual server no longer causes tmm to segfault.

---

666884 : cpcfg cannot copy a configuration on a chassis platform★

Solution Article: K27056204

Component: TMOS

Symptoms:
cpcfg fails with errors similar to:

info: Getting configuration from HD1.3
info: Copying configuration to HD1.1
info: Applying configuration to HD1.1
error: status 256 returned by command: F5_INSTALL_MODE=install F5_INSTALL_SESSION_TYPE=hotfix chroot /mnt/tm_install/23102.e3MAZU /usr/local/bin/im -force /var/local/ucs/config.ucs
info: >++++ result:
info: Extracting manifest: /var/local/ucs/config.ucs
info: /shared: Not enough free space
info: 6144 bytes required
info: 0 bytes available
info: /var/local/ucs/config.ucs: Not enough free disk space to install!
info: Operation aborted.

Conditions:
Only on a chassis platform running 13.0.x.

Impact:
You cannot use cpcfg on a chassis platform.

Workaround:
Save a UCS from the source volume, reboot to the destination volume, then load that UCS file.

Fix:
cpcfg could incorrectly calculate the amount of free space available, refusing to do the copy unless the /shared filesystem had sufficient space to do the copy. This has been resolved and this free space calculation is done correctly.

---

666790 : Use HSB HiGig MAC reset to recover both FCS errors and link instability

Component: TMOS

Symptoms:
In addition to HiGig Link instability, FCS errors can be seen on internal switch and HSB Higig link. This is likely some PHY-related issues and can cause instability in communication links.

One symptom associated with this might be that a blade cannot become active and join the cluster.

Conditions:
FCS errors reported in tmm/hsbe2_internal_lbb_hgm. Traffic failure observed on some VIPs or self IPs.

Impact:
Link unstable, frame loss.
TMOS MPI and CDP packet loss and internal blade communication issues.

HSB lockup and accumulated FCS errors observed from stats and log.

Workaround:
A switch port reset might be used to recover this failure. Note, however: that procedure might cause potential HSB lockups.

Fix:
FCS errors and link instability no longer occur.

---

666783 : svpn goes into a reconnect loop when another adapter is connected after VPN is connected.

Solution Article: K11974816

Component: Access Policy Manager

Symptoms:
If you connect to VPN, and a previously disconnected network adapter (WiFi/ethernet) gets connected, then svpn goes into a reconnect loop due to routing table conflicts.

Conditions:
- Split tunnel configuration.
- 'Prohibit routing table changes during Network Access' is enabled.
- VPN is connected and a previously disconnected network adapter (WiFi/ethernet) gets connected.

Impact:
Reconnecting loop until you manually click Disconnect.

Workaround:
Disable the 'Prohibit routing table changes' option in Network Access.

Fix:
On the Mac VPN client, the svpn process no longer goes into a reconnect loop when another adapter is connected after VPN is connected.

---

666689 : Occasional "profile not found" errors following activate access policy

Component: Access Policy Manager

Symptoms:
Immediately following the applying of a modified access policy it is possible for some profiles to disappear.
It is transient and within a minute or two the profiles are available again.

Conditions:
Clicking "apply access policy" in the GUI or using tmsh to increment snapshot ids will clear the list of profiles and policies and then rebuild those lists. Authentication requests using profiles or policies not yet rebuilt returned the "profile not found" error.

Impact:
Some authentication attempts fail while the lists get rebuilt.
Retrying the authentication a minute or two later succeeds.

Workaround:
Retry the authentication.

Fix:
Applying Access Policies in APM is improved to avoid a short dead time between when the old policies are removed and the new policies are activated.

---

666616 : Some HTTP iRule commands should always return results as Tcl lists, but do not.

Solution Article: K82565029

Component: Local Traffic Manager

Symptoms:
The HTTP iRule commands behave differently if they return only a single result. They will return a Tcl string rather than a Tcl list containing a string.

Conditions:
One or more of the following HTTP iRule commands are used, and the conditions exist such that a single result is returned:
HTTP::cookie names
HTTP::cookie attribute names
HTTP::header names
HTTP::header values

Impact:
A string is returned rather than a list. This may affect Tcl code that expects the result to be a list, leading to incorrect behavior.

Workaround:
If the result is not a list, this can be detected in a Tcl script, and the result handled as a special case.

Fix:
HTTP iRule commands that return a Tcl list will do so in all cases.

---

666595 : Monitor node log fd leak by bigd instances not actively monitoring node

Component: Local Traffic Manager

Symptoms:
Each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis opens a file descriptor for each node or pool member that has monitor logging enabled. However, only one instance of bigd is actively monitoring each individual node, and actively logging health monitor events to the node log. When LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool, or pool member configuration.

Note: This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool or pool member configuration.

Conditions:
This may occur when the following conditions are met:
1. An LTM health monitor is assigned to an LTM node, pool or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Impact:
When this problem occurs, the instance of bigd that is actively monitoring a particular node will close its file descriptor to that node's log file (under /var/log/monitors), but other instances of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis will leak their file descriptor to the node log.

File descriptors that are opened by the bigd daemon and not closed will count against bigd's internal file descriptor limit. This may result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon no longer leaks file descriptors for monitor node logs when multiple instances of bigd are running, LTM health monitors are configured with node logging enabled, and the monitor is then removed from the LTM node, pool, or pool member configuration.

---

666523 : Added indication for requests that were logged only as sample request for the learning suggestion or were marked for delete

Component: Application Security Manager

Symptoms:
Some requests are not part of Requests log, though they are saved in the same place. BIG-IP administrator user can get access to them using Support ID.

Conditions:
-- The BIG-IP administrator opens a request using its Support ID.
-- The request being opened is marked for delete or it was logged as sample for learning suggestion, but it didn't answer to logging profile criteria.

Impact:
1. A request is visible that the BIG-IP administrator expected to be deleted (till next request log cleanup)
2. A request is visible that doesn't answer to the logging profile criteria (e.g., request is Legal, while only Illegal are logged).
3. The request accessed using the Support ID is not visible when applying other filters, e.g., when filtering by time of that request.

Workaround:
None. This is an artifact of database functionality.

Fix:
Message added to the request details explaining that this request was marked for delete or logged for learning suggestion only.

---

666454 : Edge client on Macbook Pro with touch bar cannot connect to VPN after OS X v10.12.5 update

Component: Access Policy Manager

Symptoms:
Edge client running on Macbook Pro 2016 with a touch bar interface cannot connect to VPN in a full tunneling configuration with 'Prohibit routing table modification' option selected.

Edge client's svpn.log shows an error entry similar to
2017-05-18,13:55:17:000, 16637,16638,svpn, 1, , 870, CMacOSXRouteTable::UpdateIpForwardEntry2(), EXCEPTION - write failed, 22, Invalid argument.

Conditions:
This occurs when all of the following conditions are met:
1) Edge client is running on Macbook Pro that has the iBridge interface (e.g., one with the touch bar).
2) VPN is configured in full tunneling configuration
3) Mac OS X version is v10.12.5.

Note: You can find the interface on the Macbook Pro in the Network Utility under the Info tab.

Impact:
VPN connection will fail.

Workaround:
Use one of the following workarounds:
- Disable 'Prohibit Routing table change' in the network access configuration.
- Enable 'Allow access to local subnets'.
- Enable a split tunneling configuration.

---

666406 : rpcbind was removed from the BIG-IP

Solution Article: K62832776

Component: TMOS

Symptoms:
rpcbind was being installed on the BIG-IP and it is not being used.

Conditions:
normal install

Impact:
no impact. The daemon was removed so it wouldn't require maintenance and upgrades.

Fix:
since rpcbind is not being used on the BIG-IP it was removed.

---

666401 : Memory might become corrupted when a Standby device transitions to Active during failover

Component: Local Traffic Manager

Symptoms:
When a failover event occurs with connection mirroring enabled, it is possible for memory to be corrupted when the Standby device transitions to Active.

Conditions:
-- Active-Standby high availability configuration.
-- Virtual server configured with the type set to 'Standard'.
-- Connection mirroring enabled.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Memory is no longer corrupted.

---

666285 : TIN cookie value is sent as a negative integer when Max session timeout and Inactivity timeout are set to more than 24 days in access policy.

Component: Access Policy Manager

Symptoms:
TIN cookie value is sent as a negative integer when Max Session Timeout and Inactivity Timeout are set to more than 24 days in access policy, or when Inactivity Timeout and Max Session Timeout are set to 0.

Conditions:
-- Access policy.
-- Max session timeout and Inactivity timeout values are set to more than 24 days, or to 0 (zero).

Impact:
TIN cookie value is sent as a negative integer.

Workaround:
None.

Fix:
Now the TIN cookie is properly set to a positive integer when Max Session Timeout and Inactivity Timeout are set to more than 24 days in access policy, or to 0 (zero).

---

666258 : GTM/DNS manual resume pool member not saved to config when disabled

Component: Global Traffic Manager (DNS)

Symptoms:
manual-resume disabled pool member becomes available after reboot.

Conditions:
GTM pool is configured with manual-resume enabled and its pool member was once unavailable.

Impact:
Unexpected available pool member which should be disabled.

Workaround:
After the pool member becomes disabled, manually run:
# tmsh save sys config gtm-only

---

666221 : tmm may crash from DoSL7

Component: Advanced Firewall Manager

Symptoms:
tmm crash.

Conditions:
A virtual server configured with the following:
compression profile configuration, HTTP/DoSL7 with DoSL7 iRule, RamCache.

Impact:
SIGSEGV. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a possible tmm crash.

---

666165 : iApp - f5.forward_proxy + checksum - config error upgrading from v12 to v13★

Component: TMOS

Symptoms:
v13.0.0 cli script f5.app_utils was released without a signature, causing signed iapps that refer to it to fail. 01070734:3: Configuration error: When updating status on AppTemplate ... signature verification of in
Unexpected Error: Validating configuration process failed.

Conditions:
1. Must be upgrading to 13.0.0. 2. Must have imported or created an iapp template that has a dependence, ie. tmsh::include. 3. Must have applied a checksum or signature to the imported template. Note: Deploying the iapp is not required. Config load will fail even if the iapp template is not used.

Impact:
Upgrade to v13.0.0 fails to load config.

Workaround:
Remove signatures and checksums from iApps that have script dependencies prior to upgrade.

Fix:
iApp templates and scripts are now signed.

---

666160 : L7 Policy reconfiguration causes a slow memory leak

Solution Article: K63132146

Component: Local Traffic Manager

Symptoms:
When a virtual server with a L7 policy is reconfigured, a small amount of memory is leaked.

Conditions:
A virtual server with L7 policies has a configuration change.

Impact:
The memory leak will reduce the amount of resources for the TMM.

Workaround:
None.

Fix:
L7 Policies no longer leak memory when a virtual server using them is reconfigured.

---

666118 : High CPU usage from asm_config_server

Solution Article: K58571155

Component: Application Security Manager

Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).

Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.

Impact:
ASM availability impacted.

Workaround:
- Switch to Manual policy builder.
- Set entity types learning to compact / selective / never.

Fix:
prevented policy builder unnecessary load on asm config

---

666117 : Network failover without a management address causes active-active after unit1 reboot

Component: TMOS

Symptoms:
An appliance in a Device Service Cluster may erroneously claim Active status when it is rebooted. This results in an Active/Active situation, which may resolve itself by causing a failover.

Conditions:
Device Service Cluster with only self-ips configured for the failover network.

Impact:
Unexpected failover may cause traffic interruption.

Workaround:
Configuring multiple redundant network failover paths, including the management network will reduce the possibility of this problem.

Fix:
The failover daemon has been fixed to recognize that the self-IP communication paths are non-functional while the TMM is starting up, and will not go Active until sufficient time has elapsed to conclude that the peer is not present. Since the device cannot successfully process traffic until the TMM is functional, this does not result in a delay in restoring service.

---

666112 : TMM 'DoS Layer 7' memory leak during config load

Component: Advanced Firewall Manager

Symptoms:
Degraded performance; potential eventual out-of-memory.

Note: The 'DoS Layer 7' allocations increase by 'TMM count * #domains' after each config load.

Tip: You can watch the watch the 'DoS Layer 7' allocations increase on a shell on the BIG-IP system using the following command:
# watch -n1 -- 'tmctl -s name,allocated,max_allocated,cur_allocs memory_usage_stat | grep -E "^name|---|^DoS Layer 7 "'

Conditions:
-- Provision ASM.
-- Make sure the built-in 'security dos bot-signature' are added to the config.
-- Load the config from another shell using the following command:
 tmsh load sys config

Impact:
Degraded performance; potential eventual out-of-memory.

Workaround:
None.

Fix:
Fix memory leak after each config load.

---

666058 : XenApp 6.5 published icons are not displayed on APM Webtop

Component: Access Policy Manager

Symptoms:
While publishing XenApp 6.5 resources through APM Webtop, some applications are not displaying the icons correctly.

VDI Error logs are seen as follows:
failed to handle '/f5vdi/citrix/icon/': Incorrect bitmap size"

Conditions:
-- XenApp 6.5 is used with their rollup hotfix 6 or 7.
-- Some of the third-party applications more icon bitmap information than expected.

Impact:
Icons are not displayed on the APM Webtop

Workaround:
None.

Fix:
Now APM Webtop correctly displays Citrix XenApp icons correctly regardless of the size of the bitmap data.

---

666032-2 : Secure renegotiation is set while data is not available.

Component: Local Traffic Manager

Symptoms:
Secure renegotiation is set while data is not available, which causes a crash in certain connections.

Conditions:
This occurs when handling SSL secure renegotiation in certain connections.

Impact:
Crashes happen to certain SSL connections.

Workaround:
None.

Fix:
Secure renegotiation is set while data is not available no longer causes a crash in certain connections.

---

665992 : Live Update via Proxy No Longer Works

Component: Application Security Manager

Symptoms:
BIG-IP devices that need to use a proxy server to communicate with callhome.f5.com, no longer receive, or check for, automatic updates.

Conditions:
The BIG-IP device is behind a network firewall and outbound communication must be through a proxy.

Impact:
The BIG-IP will not be able to contact the callhome server to check for, or receive, updates.

Workaround:
Updates can be downloaded manually from the F5 Downloads server and installed directly on the BIG-IP.

Fix:
Proxy settings are correctly used when contacting the F5 callhome server.

---

665924 : The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios

Component: Local Traffic Manager

Symptoms:
A TMM crash caused by a double-free of memory within the HTTP2 and SPDY filters. This crash could occur in other TMM sub-systems unrelated to HTTP2 or SPDY.

Conditions:
The HTTP2 or SPDY filter is used, together with many other TMM modules. This situation is difficult to trigger.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP2 and SPDY filters will no longer double-free memory in rare situations.

---

665906 : tmm crash in free_bufctls

Component: Local Traffic Manager

Symptoms:
tmm crashes in free_bufctls.

Conditions:
Any double-free or use-after-free issue may cause this crash.

Note: The component causing the issue may vary.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release provides improved memory handling.

---

665778 : Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

Solution Article: K34503519

Component: iApp Technology

Symptoms:
Non-admin BIG-IP users cannot view deployed iApps, so they cannot redeploy the iApp. The system presents an error and does not allow access to the component view or the reconfiguration view. The error shown is 'An error has occurred while trying to process your request.'

Conditions:
-- Login to the BIG-IP system as a non-admin.
-- Try to view components or reconfigure iApps.

Impact:
Cannot view/re-deploy iApps.

Workaround:
Use TMSH to view/re-deploy iApps.

There are two TMUI workarounds to view/re-deploy iApps. Once you employ one of the workarounds, a Manager user can reconfigure the iApp successfully.

Note: After successful submission, the system posts the error described, and the Manager still cannot access the Component list or iApps editing screens.

-- Click on 'app_name' link anywhere in the system where iApp-related objects are listed. For example, if the iApp created a virtual server, click the Application column link on the 'Local Traffic :: Virtual Servers : Virtual Server List' page.

-- Have an Admin user provide the direct link to app. To do so, perform the following procedure:
1. Login as Admin to the BIG-IP system.
2. Navigate to iApps :: Application Services : Applications :: <app_name>.
3. Get the direct link to the app reconfigure page by hovering over the Settings icon and then clicking 'Direct link to this page'. Note: This link will work as long as 'app_name' and template name have not been modified. The URL appears similar to the following:
   https://10.10.10.10/tmui/Control/jspmap/tmui/application/reenter.jsp?mode=app&name=/ptn1/abcd.app/abcd&template_name=/Common/f5.microsoft_exchange_2010_2013_cas.v1.6.1
4. Logout as Admin and login as Manager.
5. Paste the app direct link in the browser's address bar and press Enter.

Fix:
Non-admin BIG-IP users can now view/re-deploy iApps through TMUI.

---

665732 : FastHTTP may crash when receiving a fragmented IP packet

Solution Article: K45001711

Component: Local Traffic Manager

Symptoms:
A virtual server configured to use FastHTTP may cause a TMM core if fragmented IP packets are received by the virtual. This can be observed by the following TMM log statement: panic: Assertion 'l4hdr set' failed.

Conditions:
A virtual server configured with a FastHTTP profile receiving fragmented IP packets.

Impact:
Intermittent TMM core, resulting in a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Use a different profile than FastHTTP, such as a full proxy with TCP/HTTP filters.

Fix:
Force packet reassembly before packet is forwarded to a FastHTTP virtual.

---

665725 : Second block device image install fails to install

Solution Article: K10773217

Component: TMOS

Symptoms:
'tmsh install sys software block-device-image' fails in a vCMP guest after a previous, successful installation.

Conditions:
vCMP guest install using the command 'tmsh install sys software block-device-image' executed a second time in succession.

Impact:
After one block device install succeeds, subsequent installations will fail before rebooting.

Workaround:
Restart lind on all blades of the vCMP guest using the following command:
 clsh bigstart restart lind

Fix:
Block device image installs are now cleaned-up in vCMP guests, so the installation failure no longer occurs.

---

665656 : BWC with iSession may memory leak

Component: TMOS

Symptoms:
A memory leak may occur when BWC is configured with iSession.

Conditions:
-- BWC is configured with iSession.
-- The BWC policy is removed or reset.

Impact:
A memory leak.

Workaround:
None.

Fix:
The memory leak is prevented when BWC and iSession are configured together and a BWC policy is removed or reset.

---

665652 : Multicast traffic not forwarded to members of VLAN group

Solution Article: K41193475

Component: Local Traffic Manager

Symptoms:
Multicast traffic traversing through the BIG-IP system through a VLAN that is member of a VLAN group does not get forwarded to other members of the VLAN group.

Conditions:
Multicast traffic ingress from a VLAN in a VLAN group.

Impact:
Traffic is not forwarded to the other members of the VLAN group.

Workaround:
None.

Fix:
Multicast traffic is now correctly forwarded to members of VLAN group.

---

665611 : Cannot create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination

Solution Article: K36337390

Component: Access Policy Manager

Symptoms:
Administrator cannot create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination. The system posts a message similar to the following:
01070734:3: Configuration error: apm resource remote-desktop: /subpart/sec-vdi-desktop :only one destination type is supported.

Conditions:
1) Non-default partition used (i.e., not the /Common partition).
2) This non-default partition uses a non-zero route domain.
3) A pool created in this partition.

Impact:
VDI resources (Citrix/VMware View) cannot be created using Admin UI in a non-default partition with a non-zero default route domain.

Workaround:
Use TMSH to create such a resource, using a set of commands similar to the following:

In the /Common partition, run the following command:
 cd /subpart/

In subpart, run a command similar to the following:
create apm resource remote-desktop vmware-view test_res_subpart pool /subpart/pool_subpart_partition

Fix:
You can now create a Citrix or VMware View resource from Admin UI in a non-Common partition with a non-default route domain using pool as a destination

---

665430 : Endless loop of requests when Fingerprint enabled on ASM Policy and client timezone is UTC+5 and east

Component: Application Security Manager

Symptoms:
An endless loop of requests will be sent by browser when an ASM end user attempts to access a virtual server when Fingerprint is enabled on the ASM Policy.

This happen only for client systems that are located in a timezone of UTC+5 or east from that.

Conditions:
-- Fingerprint is enabled on the ASM Policy.
-- ASM end users are located in a timezone of UTC+5 or east from that.

Impact:
ASM end users are being blocked from accessing the back-end server.

Workaround:
None.

Fix:
ASM end users in timezone UTC+5 and eastward no longer experience a request loop when Fingerprint is enabled on the ASM Policy.

---

665425 : AVR Max metrics shows wrong values

Solution Article: K24182390

Component: Application Visibility and Reporting

Symptoms:
In the AVR HTTP Page, metrics Max TPS and Max Throughput display incorrect values.

Conditions:
The root-cause is 32bit overflow, so the incorrect values are displayed when there are high volumes of traffic.

Impact:
Displayed metrics do not correctly show activity.

Workaround:
There is no workaround at this time.

Fix:
Represented values are now in 64bit instead of 32bit, and correct values are displayed.

---

665416 : Old versions of APM configuration snapshots need to be reaped more aggressively if not used

Component: Access Policy Manager

Symptoms:
Currently, it takes 24 hrs for old versions of APM config snapshots that are not being used to time out and to release the memory. If access profiles are complex and are updated frequently within 24 hrs, memory resource is likely to be exhausted.

Conditions:
If access profiles are updated frequently within 24 hrs and each version of the configuration snapshot contains many variables.

Impact:
TMM may run out of memory and crash, causing service interruption.

Workaround:
None.

Fix:
Per-session access policy snapshots are now deleted after 60 minutes instead of 24 hours.

---

665347 : GTM listener object cannot be created via tmsh while in non-Common partition

Solution Article: K17060443

Component: Global Traffic Manager (DNS)

Symptoms:
Cannot use tmsh to create a GTM listener in a non-Common partition.

Conditions:
-- In a non-Common partition.
-- Create a listener using a command similar to the following:
(/Common/newpart)(tmos)# create gtm listener new address 10.2.2.2

Impact:
The listener will not be created. The system outputs an error similar to the following:
 01020036:3: The requested profile (/Common/newpart/udp_gtm_dns) was not found.

Workaround:
None.

Fix:
GTM Listener parser now correctly handles validation and selections of profiles for GTM listeners.

---

665185 : SSL handshake reference is not dropped if forward proxy certificate lookup failed

Component: Local Traffic Manager

Symptoms:
In rare cases, when forward-proxy certificate-lookup fails, the SSL handshake reference is not dropped, which can consume memory that is no longer needed.

Conditions:
Forward-proxy certificate-lookup fails; specifically, input string size is larger than maximum allowed.

Impact:
tmm memory use grows.

Workaround:
None.

Fix:
The system now drops the SSL handshake reference when when forward-proxy certificate-lookup fails. This is correct behavior.

---

665022 : Rateshaper stalls when TSO packet length exceeds max ceiling.

Solution Article: K32120323

Component: Local Traffic Manager

Symptoms:
If a TCP Segmentation Offload (TSO) packet length exceeds the rateshaper's max ceiling, it causes the flow to stall.

Conditions:
Packet length exceeds rateshaper's configured max ceiling.

Impact:
The flow stalls.

Workaround:
Increase the configured rateshaper's max ceiling value to be larger than the largest packet length.

Fix:
Rateshaper no longer stalls when TSO packet length exceeds max ceiling.

---

664930 : Policy automatic learning mode changes to manual after failover

Component: Application Security Manager

Symptoms:
Policy automatic learning mode changes to manual when a failover occurs.

Conditions:
-- ASM provisioned.
-- Device group with ASM policy sync configured for multi-blade devices.
-- ASM Policy is in automatic learning mode.
-- A failover occurs.

Impact:
The policy changes from automatic learning mode to manual.

Workaround:
None.

Fix:
Policy automatic learning mode no longer changes to manual when a failover occurs. Automatic learning mode will now be disabled only in active/active configurations.

---

664894 : PEM sessions lost when new blade is inserted in chassis

Solution Article: K11070206

Component: TMOS

Symptoms:
Inserting a blade into a chassis that is using high availability (HA) is configured for 'between clusters' can cause data loss in the SessionDB. This includes iRule table command as well as entries stored in the SessionDB from modules.

Conditions:
HA in use 'between clusters'.

Impact:
Data loss of some SessionDB entries.

Workaround:
In order to cleanly add a blade, put the setting from 'between clusters' to 'within cluster'; then add the new blade(s) to both clusters. Wait 60 seconds, then restore the HA connection to 'between clusters'

Fix:
PEM sessions are now retained when new blade is inserted in chassis when using 'between clusters'.

---

664829 : BIG-IP sometimes performs unnecessary reboot on first boot

Component: TMOS

Symptoms:
Some versions of the BIG-IP Virtual Edition (VE) software incorrectly determine that the size of its disk has changed, and re-sizes the partition table and causes a reboot to occur. This is likely to occur only on VE guests.

Conditions:
-- First boot of VE.
-- Software version that exhibits this issue.

Note: A specific software version for a specific cloud environment either always exhibit this, or never does.

Impact:
Additional, unnecessary minor filesystem size adjustment and additional time for a reboot to occur.

Workaround:
None.

Fix:
An additional, unnecessary reboot of a BIG-IP Virtual Edition during its first boot-up should no longer occur.

---

664778 : Text in 'About BIG-IP Edge Client' cannot be copied using mouse or keyboard selection

Component: Access Policy Manager

Symptoms:
You cannot use the mouse or keyboard to select or copy the text in the BIG-IP Edge Client :: About BIG-IP Edge Client, window on MacOS.

This text contains BIG-IP Edge Client version, which users sometimes need to provide for debugging.

Conditions:
Open BIG-IP Edge Client :: About BIG-IP Edge Client, and attempt to select or copy the text in this window

Impact:
Cannot copy/paste the BIG-IP Edge Client version for debugging. You must manually enter the version number.

Workaround:
Manually enter the version number.

Fix:
You can now select and copy the text in the BIG-IP Edge Client :: About BIG-IP Edge Client, window on MacOS.

---

664769 : TMM may restart when using SOCKS profile and an iRule

Solution Article: K33637041

Component: Local Traffic Manager

Symptoms:
TMM restarts when sending traffic through a SOCKS virtual server that has an attached iRule that uses certain blocking commands.

Conditions:
Virtual server has a SOCKS profile, and an iRule which triggers on the SERVER_CONNECTED event. If the iRule uses commands that block, tmm might restart.

Impact:
Unexpected tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid adding iRule on the SERVER_CONNECTED event, or avoid using certain iRule commands which do not complete immediately, such as 'after', 'table', 'session', and others.

Fix:
TMM no longer crashes when using SOCKS profile and serverside iRule parks.

---

664758 : URLDB SIGFPE - 'urldb tcl result not overwritten'

Component: Access Policy Manager

Symptoms:
TMM cores with the the following notice: Assertion 'urldb tcl result not overwritten' failed.

Conditions:
Use of CATEGORY::lookup iRule in a case where the system fails to resume normal traffic flow after setting the result.

Impact:
Traffic flow is interrupted while TMM restarts.

Workaround:
None.

Fix:
Added a check to ensure that upon failure to resume normal traffic flow, the result is cleared and reset so that the core does not occur.

---

664737 : Do not reboot on ctrl-alt-del

Component: TMOS

Symptoms:
BIG-IP reboots on ctrl-alt-del keys

Conditions:
VE with ctrl-alt-del keys in the video console.

Impact:
BIG-IP reboots.

Fix:
prevent reboot on ctrl-alt-del

---

664650 : Real time encryption on non-password fields

Component: Fraud Protection Services

Symptoms:
Real-time encryption for non-password field when full-AJAX encryption is enabled.

Conditions:
1. Configure specific parameter with encryption enabled.
2. The page uses AJAX.
3. Change the configured parameter value in the page after it has been populated by the end user, and then submit the page.

Impact:
when malware changes input value with JS code, the system sends this value instead of the RTE one.

Workaround:
None.

Fix:
The system now sends the real value from RTE in this case.

---

664625 : Connection resets on Virtual Server with APM Access Profile and ASM Security Policy

Solution Article: K08041607

Component: Advanced Firewall Manager

Symptoms:
Connections to a Virtual Server will be reset and not handled by the system.

Conditions:
This happens on Virtual Servers which have an APM Access Profile and an ASM Security Policy assigned to it.

Impact:
As a result, APM and ASM end users cannot access the site.

Workaround:
To prevent the problem from happening:
Add a DoS profile with 'Application' enabled to the Virtual Server.

Fix:
Virtual Servers with APM Access Profile and ASM Security Policy no longer cause connection resets.

---

664549 : TMM restart while processing rewrite filter

Component: TMOS

Symptoms:
TMM restart and failover occurs while processing rewrite filter.

Conditions:
-- Virtual server with rewrite-uri-translation profile.
-- Serverside attempts to get data from clientside when connection flow does not exist.

Impact:
TMM restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM restart and failover no longer occurs while processing rewrite filter.

---

664535 : Diameter failure: load balancing fails when all pool members use same IP Address

Component: Service Provider

Symptoms:
Case1: Run 2 Servers with same IP but different ports. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server. Same result when use-local-connection is disabled.

Case2: Run 2 Servers with same IP but different ports but this time use MR::message route iRule command to route messages between hosts. Send 10 request from 1 client.
Result: All 10 requests from client are delivered to 1 server.

Conditions:
Load balancing scenario with single client and two pool members. The servers use same IP, different ports.

Impact:
All the requests from the same client are delivered to 1 server only.

Workaround:
Use different IP address in the pool member. Or use different IP address as the client request.

Fix:
Load balancing scenario with single client and two pool members now completes successfully even when all pool members use same IP Address.

---

664507 : When BIG-IP is used as SP with IdP-connector automation, updates to remotely published metadata may remove certificate reference from the local configuration

Component: Access Policy Manager

Symptoms:
IdP-connector automation removes certificate reference when update to metadata file is detected, and metadata file contains multiple signing certificates

Conditions:
- BIG-IP is used as SAML SP with configured IdP-connector automation via remotely published metadata.
- Remotely published SAML metadata contains multiple signing certificates.
- Remotely published SAML metadata is periodically updated.

Impact:
Certificate reference to remotely published metadata is removed from local configuration (saml-idp-connector object). As a result, assertions generated by external IdP will not be accepted until proper certificate is configured on saml-idp-connector object again.

Workaround:
When remote metadata is changed, manually update certificate reference on saml-idp-connector object.

Fix:
When changes to remotely published SAML metadata are detected by IdP-connector automation, certificate is no longer removed from saml-idp-connector object.

---

664505 : Improve error messages related to clientssl profile cert-key-chain by showing clientssl profile name

Component: TMOS

Symptoms:
When an error message related to cert-key-chain is thrown, it does not specify the name of the problematic clientSSL profile. For example, 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
When there is an error occurring in configuring a clientSSL profile or its cert-key-chain.

Impact:
Cannot determine which clientSSL profile is causing the issue when a cert-key-chain error is thrown.

Workaround:
None.

Fix:
With the fix the error message contains the name of the clientSSL profile. For example, 'Client SSL profile (/Common/cssl): cannot contain more than one set of same certificate/key type.'

---

664461 : Replacing HTTP payload can cause tmm restart

Solution Article: K16804728

Component: Local Traffic Manager

Symptoms:
Under certain conditions, using the [ HTTP::payload replace ... ] iRule can result in the tmm restarting.

Conditions:
Occurs when server response is non-chunked, does not contain a Content-Length header, an iRule adds a Content-Length header and performs an HTTP::payload replace command where the length is shorter than the original body length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The HTTP::payload replace command no longer causes tmm restarts under certain conditions.

---

664344 : DNS resolution fails for certain hostnames On Win10 when DNS relay proxy is present and IP filtering engine is enabled for split tunnel config with no DNS include scope.

Component: Access Policy Manager

Symptoms:
DNS resolution fails for hostnames that can be resolved only by internal Network Access DNS.

DNS Relay Proxy does not properly forward DNS requests to internal DNS servers when the virtual server is accessed using a hostname.

Note: This problem does not occur when the same APM virtual server is accessed by IP address.

Conditions:
-- DNS relay proxy is present.
-- IP filtering engine is enabled.
-- Split tunnel config with no DNS-include space.
-- Access virtual server by hostname.
-- Running Microsoft Windows v10.

Impact:
-- DNS resolution does not work for hostnames that can be resolved only by internal Network Access DNS server.

-- DNS resolution (using ping or via browser) works for other hostnames that can be resolved by local DNS.

-- nslookup does not work for any hostname.

Workaround:
You can use either of the following workarounds:

Note: nslookup can be enabled only with workaround #2.

1. While specifying split tunnel configuration, make sure DNS scope is also split by specifying the include DNS scope in the configuration.

With this workaround, ping and browser work while accessing hostnames that can be resolved only by internal Network Access DNS. DNS requests received on the physical adapter will be forwarded to the internal Network Access DNS server when the scope pattern matches.


2. This workaround involves modifying the Windows Registry. Note this warning from Microsoft about modifying the registry: "Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk."
 

Add the following key:
-- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient
-- Set DWORD "EnableMultiHomedRouteConflicts" to 0 (zero).

This workaround restores Windows DNS client behavior to pre-Windows 10, so DNS relay proxy will create listeners on loopback for incoming requests, and the driver will redirect DNS requests to the listener on the loopback. The IP filtering engine allows all traffic on loopback, so DNS resolution via ping, browser, and nslookup all work as expected.

Fix:
Now the Windows Edge Client DNS Relay Proxy service correctly forwards requests to client-local DNS servers if the name resolution is not avilable on the APM-local DNS servers.

---

664057 : Upgrading GTM from pre-12.0.0 to post 12.0.0 no longer removes WideIPs without pools attached if they have an iRule attached

Component: TMOS

Symptoms:
Upgrades from pre-12.0.0 to 12.0.0 or beyond would delete WideIPs without pools attached even if they had an iRule attached.

Conditions:
Pre-12.0.0 configuration with an WideIP without any pools, but with an iRule.

Impact:
Some or all of a post-upgrade "GSLB-typed" wideip would be lost during the upgrade process.

Workaround:
Manually add missing WideIPs after upgrade.

Fix:
Fixed issue that could delete certain types of GTM WideIPs after an upgrade from a pre-12.0.0 version to a post 12.0.0 version.

---

664017 : OCSP may reject valid responses

Component: TMOS

Symptoms:
If OCSP is configured with certain responders, a valid response may be rejected with the following error:

OCSP response: got EOF

Conditions:
This is entirely dependent on the behavior of the server. If a responder sends null or blank data (but does not close the connection) OCSP simply ends the response.

Impact:
Valid OCSP responses may be rejected.

Workaround:
None.

Fix:
These responses are now accepted.

---

663974 : TMM crash when using LSN inbound connections

Component: Carrier-Grade NAT

Symptoms:
TMM might crash when using an LSN pool with inbound connections.

Conditions:
LSN inbound connections configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when using an LSN pool with inbound connections.

---

663770-1 : AFM rules are bypassed / ignored when traffic is internally forwarded to a redirected virtual server

Solution Article: K04025134

Component: Advanced Firewall Manager

Symptoms:
AFM rules are bypassed / not evaluated on the 'redirected' virtual server when the traffic is internally forwarded to that virtual server.

This is a regression from 12.1.x behavior.

Conditions:
Incoming traffic matches a virtual server and then gets internally redirected to another virtual server either via an iRule or a LTM local traffic policy.

Impact:
This has the effect of potentially negating firewall protections for the traffic that is being redirected to a different virtual server (application) if that virtual server has an AFM policy enabled on it.

Workaround:
There is no workaround at this time.

Fix:
Cause of the regression is fixed and now AFM policy is applied to traffic that is internally redirected to another virtual server (either via iRule or LTM traffic policy).

---

663748 : tmm might crash if AFM DoS address-list whitelist is present in sPVA HW platforms

Component: Advanced Firewall Manager

Symptoms:
At bootup, there is a possibility of tmm crashing while coming up when the configuration contains an AFM address-list whitelist on an sPVA hardware platform.

Conditions:
Configuration contains AFM address-list whitelist on an sPVA HW platform, and the race condition happens in which tmm and mcpd start interacting before the hardware HSB is ready.

Impact:
tmm will crash and restart. Traffic disrupted while tmm restarts.

Workaround:
Remove the AFM address-list whitelist, and then configure it once the system is up.

Fix:
TMM no longer crashes at bootup if an AFM DoS address-list whitelist is present in sPVA hardware platforms.

---

663687 : Upgrade halts when external XML schema cannot be accessed

Component: Application Security Manager

Symptoms:
If an XML profile imports external XML schema files and the external XML files cannot be accessed during upgrade, the upgrade will halt.

Conditions:
-- An XML profile imports external XML schema files.
-- The external XML files cannot be accessed during upgrade.

Impact:
ASM upgrade process does not complete.

Workaround:
Prior to upgrade, modify the XML profile to include all external imported/included files. This can be ensured by unchecking "Follow Schema Links" in the XML profile.

---

663655 : IP::intelligence and IP::reputation commands fail to return data★

Component: TMOS

Symptoms:
iRules fail to return IpRep data, logging does not occur, BIG-IP does not update the database, and IpRepd does not start on system startup. IpRep is licensed.
bigstart status iprepd returns down, not provisioned.

Conditions:
-- License IP reputation database.
-- Upgrade to v13.0.0 or later, with AFM and ASM not provisioned.

Impact:
IP::reputation and IP::intelligence iRules will not return correct data.

Workaround:
None.

---

663650 : iRules LX does not enforce best practices

Component: TMOS

Symptoms:
The UI does not enforce current best practices when processing iRules LX configuration changes.

Conditions:
iRules LX configuration modified by authenticated user

Impact:
Best practices not enforced

Workaround:
None

Fix:
Best practices are applied when processing iRules LX configuration changes.

---

663580 : logrotate does not automatically run when /var/log reaches 90% usage

Component: TMOS

Symptoms:
The alertd daemon does not run logrotate when the diskmonitor utility detects that /var/log has less than 10% free space.

Conditions:
/var/log has less than 10% free space.

Impact:
The /var/log filesystem might become completely full, preventing new log messages from being written.

Note: K8865: Overview of the diskmonitor utility (https://support.f5.com/csp/article/K8865) provides a desription for expected behavior.

Fix:
The alertd daemon now correctly recognizes the log message from diskmonitor to initiate logrotate.

---

663551 : SERVERSSL_DATA is not triggered when iRule issues [SSL::collect] in the SERVERSSL_HANDSHAKE event

Component: Local Traffic Manager

Symptoms:
If an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE event, the expected result is that the SERVERSSL_DATA event will be raised when the serverside receives the SSL data. Then, the decrypted SSL data can be examined and manipulated.
*****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
when SERVERSSL_DATA {
    log local0. "ServerSSL Data"
    log local0. [SSL::payload]
    SSL::release
}
*****************************

The issue is that SERVERSSL_DATA is not raised, even when the serverside receives the SSL data when the iRule calls the [SSL::collect] in the SERVERSSL_HANDSHAKE:
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Conditions:
Calling the [SSL::collect] in the SERVERSSL_HANDSHAKE event.
****************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
}
****************************

Impact:
SERVERSSL_DATA event is not raised.

Workaround:
Add the [SSL::release] command in the SERVERSSL_HANDSHAKE event.
**********************************
when SERVERSSL_HANDSHAKE {
    SSL::collect
    SSL::release
}

Fix:
SERVERSSL_DATA event is now raised when an iRule calls [SSL::collect] in the SERVERSSL_HANDSHAKE.

---

663531 : TMM crashes when PPTP finds a non-ALG flow when checking for an existing tunnel

Component: Carrier-Grade NAT

Symptoms:
TMM crashes when PPTP finds a matching non-PPTP-GRE flow when checking for an existing tunnel.

Conditions:
PPTP-ALG and CGNAT on a BIG-IP system when a GRE tunnel matches a PPTP-GRE flow

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Possible mitigation by not using a forwarding virtual for non-PPTP GRE traffic.

Fix:
The system now drops the new flow/tunnel and allow it to clean up, so TMM no longer crashes when PPTP finds a non-PPTP-GRE flow when checking for an existing tunnel.

---

663521 : Intermittent dropping of multicast packets on certain BIG-IP platforms

Component: TMOS

Symptoms:
The switch device on the VIPRION B2250 and B4300 blades and the BIG-IP 10x00, i10x00, i7x00 and i5x00 platforms might drop multicast packets under certain high traffic conditions.

Conditions:
-- Certain high-traffic conditions.
-- Running on the specified blades/platforms.

Note: These dropped packets are counted under the 'drop_out' column from 'show net interface all-properties'.

Impact:
Dropped multicast packets, possibly impacting multicast protocols.

Workaround:
None.

Behavior Change:
Under certain high traffic conditions, multicast and broadcast packets will no longer be dropped.

---

663506 : apmd crash during ldap cache initialization

Solution Article: K30533350

Component: Access Policy Manager

Symptoms:
apmd crashes.

Conditions:
- LDAP module is in use in an access policy,
- APM end-users are logging in, while administrator modifies AAA LDAP Server or LDAP Agent,
- Cache update takes a while (too many groups in domain and/or slow network).

Impact:
BIG-IP cannot process user logon request, until apmd is restarted and LDAP cache is updated

Workaround:
The best practice is to update policy/AAA LDAP Server when BIG-IP is not under load. Then make one logon manually. apmd updates caches on first APM end-user's logon. Once caches update, all the further logons should happen much faster and should not cause any problems

Fix:
APMD now handles the generation of LDAP Query / AD Query nested group cache correctly during high authentication load.

---

663492 : Reconfigured istat may stop being recomputed

Component: TMOS

Symptoms:
When an istat is configured and used, it is possible to remove and then re-add the istat such that it does not get properly updated after it is re-added.

Conditions:
When an istat is removed and re-added.

Impact:
The istat does not get properly updated; for example, a counter won't increment.

Workaround:
If a removed istat needs to be re-added, give it a new name.

Fix:
Reconfigured istat now get recomputed as expected.

---

663366 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.

---

663333 : TMM may core in PBA mode id LSN pool is under provisioned or the utilization is high

Component: Carrier-Grade NAT

Symptoms:
TMM may core while trying to allocate a new block

Conditions:
If LSN pool is under provisioned OR if the utilization is high, TMM may need to send MPI messages to other TMMs to search for other blocks. The TMM may core if these operations time out

Impact:
Traffic disrupted while tmm restarts.

---

663326 : Thales HSM: "fipskey.nethsm --export" fails to make stub keys

Component: Local Traffic Manager

Symptoms:
When using "fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey" to export a key file from BIG-IP and import into HSM, the HSM fails to generate the stub key at /config/ssl/ssl.key/ on the BIG-IP system.

Conditions:
-- Thales HSM is installed.
-- Running 'fipskey.nethsm --export' to export a key file from BIG-IP and import it to the Thales HSM.

Impact:
Even the key has been stored in HSM, the BIG-IP is still unable to use it because of its lacking stub key to be configured on the BIG-IP system.

Workaround:
This can be worked around by directly using the Thales command, for example:

[root@localhost:Active:Standalone] config # generatekey --import pkcs11 certreq=yes
type: Key type? (DES3, RSA, DES2) [RSA] >
pemreadfile: PEM file containing RSA key? []
> /shared/tmp/testkey.pem
embedsavefile: Filename to write key to? []
> /config/ssl/ssl.key/thales2
plainname: Key name? [] > thales2
x509country: Country code? [] > US
x509province: State or province? [] > WA
x509locality: City or locality? [] >
x509org: Organisation? [] > F5
x509orgunit: Organisation unit? [] > AS
x509dnscommon: Domain name? [] >
x509email: Email address? [] > test@test.com
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
digest: Digest to sign cert req with? (md5, sha1, sha256, sha384, sha512)
  [default sha1] >

Fix:
When using 'fipskey.nethsm --export -i /shared/tmp/testkey.pem -o thaleskey' to export a key file from BIG-IP and import into HSM, the HSM now generates a stub key and stores it at /config/ssl/ssl.key/ on the BIG-IP system, as expected.

---

663310 : named reports "file format mismatch" when upgrading to versions with Bind 9.9.X versions for text slave zone files★

Solution Article: K50871313

Component: Global Traffic Manager

Symptoms:
named reports "file format mismatch", zone files are renamed randomly to db-XXXX files, and zone cannot be loaded.

Conditions:
-- Upgrade from BIG-IP containing pre-9.9.X versions of Bind, to BIG-IP versions with Bind versions later than 9.9.x.
-- Slave zone files are in text format.
-- No options set for masterfile-format text.

Impact:
Zones cannot be loaded.

Workaround:
Before upgrading, add the following line to the named.conf options:
masterfile-format text;

Fix:
BIND 9.9.x changes the default behavior governing the storage format of slave zone files to "raw" from "text".

On upgrade, the config needs to be parsed looking for slave zones that do not specify the masterfile-format and set them to "text".

---

663197 : Security hardening of files to prevent sensitive configuration from being stored in qkview.

Component: TMOS

Symptoms:
Sensitive configuration information, such as auth-related passwords, is being stored in cleartext in qkview files.

Conditions:
Run qkview and extract to see files with cleartext configuration information.

Impact:
Cleartext configuration information is uploaded to iHealth

Workaround:
None.

Fix:
Security hardening of files to prevent sensitive configuration from being stored in qkview. Cleartext passwords will be replaced with **** in all of the following config files while collecting in qkview:

/config/bigip/auth/pam.d/cert-ldap/system-auth.conf
/config/bigip/auth/pam.d/ldap/system-auth.conf
/config/bigip/auth/pam.d/radius/system-auth.conf
/config/bigip/auth/pam.d/tacacs/system-auth
/config/bigip/auth/pam.d/ocsp/*
/config/bigip/auth/pam.d/cc_ldap/*

---

663181 : VDI plugin-initiated connections may select inappropriate SNAT address

Component: Local Traffic Manager

Symptoms:
When the VDI plugin makes outgoing connections, the source address is selected from a SNAT pool. Should the connection pass through another matching virtual server before reaching the external network, the selected SNAT address may be inappropriate for the egress VLAN.

Conditions:
-- APM configuration.
-- VDI functionality enabled.
-- Additional virtual server matching the VDI-initiated connections.

Impact:
Return traffic from destination may not be able to return to the BIG-IP system, thus breaking the VDI functionality.

Workaround:
No workaround short of removing the additional virtual server matching the VDI traffic.

Fix:
Outgoing VDI connections now select an appropriate SNAT address even when passing through additional matching virtual servers before reaching the external network.

---

663127 : Empty attribute values in SAML Identity Provider configuration may cause error when loading configuration.

Component: Access Policy Manager

Symptoms:
Symptom will show as an error log in /var/log/apm similar to the one below:

Internal error processing sso config /Common/idp_obj_name
sso_tmconf_string_parse_list

When this error message is logged, subsequent authentication attempt using this BIG-IP as IdP object will fail.

Conditions:
SAML Identity Provider configuration is invalid: attribute contains empty value(s), for example:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { "" user@f5.com }
            name User.Email
        }
    }

Impact:
Authentication will fail for users using affected SAML IdP object.

Workaround:
Manually edit bigip.conf configuration fail and remove empty value(s) in SAML attribute, e.g.:

apm sso saml /Common/idp_obj {
    attributes {
        {
            multi-values { user@f5.com }
            name User.Email
        }
    }

Fix:
Empty values in SAML attributes will no longer be accepted by validation logic.

---

663073 : GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Component: Global Traffic Manager (DNS)

Symptoms:
GSLB Pool member Manage page combo box has an issue that can cause the wrong pool member to be removed from the available list when adding a member to the selected list.

Conditions:
When adding a pool member via the combo box, if you click the arrow to expand the dropdown list and select a member by clicking on it, that member name is added to the text box.

If you then mouse over other members in the dropdown list, and then click the Add button, the system adds the selected member to the list, but also removes the wrong member from the combo box: more specifically, it removes the member that was last highlighted by the mouse over.

Impact:
Available pool members might be potentially lost from the combo box until a page reload.

Note: The pool members are not gone from the system; they are still present, just not displayed.

Workaround:
Either use TMSH or place the mouse cursor away from the combo box, and use the text box to narrow down the content in the dropdown list. Then use the arrow keys and the Enter key to select the desired pool member.

Fix:
Changed the behavior of the combo box when a member is selected by clicking on it in the dropdown list. Adding a selected pool member as described above will cause the combo box to correctly remove that pool member from the combo box.

---

663063 : Disabling pool member used in busy HSL TCP destination can result service disruption.

Component: TMOS

Symptoms:
Manually disabling an otherwise available pool member from a pool used as HSL TCP destination can result in tmm crash and service disruption.

This is more likely to occur when HSL destination is using 'balanced' distribution.

Conditions:
-- Busy HSL destination configured with TCP protocol, balanced distribution, and using pool.
-- Manually disabling a pool member.

Impact:
Service disruption while tmm recovers. HA fail-over event. Traffic disrupted while tmm restarts.

Workaround:
You can avoid the issue in either of these ways:
-- Do not manually disable busy pool members that can still respond to TCP handshake.
-- Disable the service on the pool member first.

Fix:
TMM crash no longer occurs when HSL TCP pool member with pending connection is manually disabled.

---

662913 : GUI LTM Virtual Server page cannot open. Virtual Server cannot be created or updated.

Solution Article: K17213048

Component: TMOS

Symptoms:
In the GUI when a user tries to create or edit a Virtual Server, the page is blank. There is an error that prevents the page from loading properly.

Conditions:
When provisioning BIG-IP with APM license.

Impact:
Users cannot access the Virtual Server page from the GUI.

Workaround:
User can create and edit the Virtual Server using TMSH command line tool.

Fix:
Resolve the error on the page that prevented it from loading.

---

662911 : SASP monitor uses same UID for all vCMP guests in a chassis or appliance

Solution Article: K93119070

Component: Local Traffic Manager

Symptoms:
The SASP GWM monitor generates the LB UID from the chassis serial number of the platform on which BIG-IP is running. All vCMP guests running on the platform attempt to use the same UID.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only one vCMP guest running on each BIG-IP appliance or VIPRION chassis is able to successfully use the SASP monitor.
- The SASP monitor running on the first vCMP guest can successfully connect to the SASP GWM.
- Subsequent SASP monitor instances running on other vCMP guests will fail to connect to the SASP GWM.

Conditions:
This occurs when multiple vCMP guests are running on a single BIG-IP appliance or VIPRION chassis, each using a SASP monitor connecting to the same SASP GWM to monitor pool member availability.

Impact:
The SASP monitor is unable to monitor pool member availability on more than one vCMP guest running on a single BIG-IP appliance or VIPRION chassis.

Workaround:
None.

Fix:
The SASP monitor can be used to monitor pool member availability on multiple vCMP guests running on a single BIG-IP appliance or VIPRION chassis.

---

662881 : L7 mirrored packets from standby to active might cause tmm core when it goes active.

Solution Article: K10443875

Component: Local Traffic Manager

Symptoms:
L7 mirrored packets from standby to active might cause tmm core when it goes active.

Conditions:
-- Spurious ACK sent to the standby unit that is mirrored over to the active unit for processing.
-- Matching connection on the active has not been fully initialized.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Spurious ACK no longer causes outage, instead the packet is dropped.

---

662816 : Monitor node log fd leak for certain monitor types

Solution Article: K61902543

Component: Local Traffic Manager

Symptoms:
When certain types of LTM health monitors are configured with node logging enabled, the bigd daemon may leak file descriptors for the node logs when the monitor is removed from the LTM node, pool or pool member configuration.

Conditions:
This may occur when:
1. One of the below-listed LTM health monitor types is assigned to an LTM node, pool, or pool member with node logging enabled ('logging' value set to 'enabled' in the LTM node or pool member configuration).
2. The LTM health monitor is removed from the LTM node, pool, or pool member configuration while logging is still enabled ('monitor' value set to 'none').

Affected LTM health monitor types include:
diameter, external, firepass, ftp, gateway_icmp, icmp, imap, ldap, module_score, mssql, mysql, nntp, oracle, pop3, postgresql, radius, radius_accounting, real_server, rpc, sasp, scripted, sip, smb, smtp, snmp_dca, snmp_dca_base, soap, virtual_location, wap, wmi.

This problem does not occur if node logging is disabled in the LTM node or pool member configuration ('logging' value set to 'disabled' in the LTM node or pool member configuration) prior to removing the monitor from the LTM node, pool, or pool member configuration.

The following LTM health monitor types are not affected:
dns, http, https, inband, mqtt, tcp, tcp_echo, tcp_half_open

Impact:
When this problem occurs, each instance of bigd running on the BIG-IP appliance or on each blade in a VIPRION chassis leaks one file descriptor for each node or pool member with monitor logging enabled.

File descriptors that are opened by the bigd daemon and not closed count against bigd's internal file descriptor limit. This can result in file descriptor exhaustion and failure of LTM health monitoring.

Workaround:
Disable node logging (set 'logging' value to 'disabled') in the LTM node or pool member configuration prior to removing the monitor from the LTM node, pool, or pool member configuration.

Fix:
The bigd daemon does not leak file descriptors for monitor node logs when certain types of LTM health monitors are configured with node logging enabled and the monitor is then removed from the LTM node, pool, or pool member configuration.

---

662682 : F5 EPI and F5 VPN cannot be downloaded on some older Firefox version like 31.7

Component: Access Policy Manager

Symptoms:
F5 EPI and F5 VPN cannot be downloaded on some older Firefox version like 31.7.

Conditions:
-- F5 EPI and F5 VPN application.
-- Network Access or endpoint checking configured on BIG-IP systems.
-- Older Firefox version like 31.7.

Impact:
Cannot download F5 EPI and F5 VPN app.

Workaround:
No workaround.

Fix:
F5 EPI and F5 VPN download is successful on older Firefox version like 31.7.

---

662663 : Decryption failure Nitrox platforms in vCMP mode

Component: Local Traffic Manager

Symptoms:
Under certain circumstances, Nitrox devices cannot not correctly decrypt records from established SSL sessions

Conditions:
Cavium Nitrox PX (Viprion Blade 2100, 4200, and 4300)
vCMP active
Small MTU

Impact:
SSL connections are terminated unexpectedly

Workaround:
Increase MSS (maximum segment size)

Fix:
SSL records are now decrypted as expected

---

662639 : Policy Sync fails when policy object include FIPS key

Component: Access Policy Manager

Symptoms:
Policy sync failed with a vague error:

err mcpd[5597]: 01071600:3: APM PSync: Atom attribute (fips_exported_key) data type (blob) in class (certificate_key_file_object) object name (/Common/fips1.key) blob value is not empty - no handler for blob Object dump: **certificate_key_file_object:/Common/fips1.key ...

Conditions:
-- Sync-only device group configuration.
-- FIPS cards in use.
-- On one device:
   + Create FIPS key and certificate:
     1. Go to System::Certificate Management::Traffic Certificate Management::SSL Certificate List::Create.
     2. For 'Security Type' field of 'Key Properties' section, select 'FIPS'.
   + Create a rewrite profile:
     1. Go to Access Policy :: Portal Access :: Rewrite :: Create New Profile.
     2. Under 'JavaPatcher Settings' select 'Signer' and 'Signer Key' to the one created above (e.g., 'fips1.crt' and 'fips1.key', respectively).
   + Create an access profile.
   + Create a virtual server and attach the access profile and rewrite profile to it.
     (Note: You must also include other dependent settings, such as a connectivity profile.)
3. Start a policy sync from the device.

Impact:
Feature failure for specific configurations.

Workaround:
None.

Fix:
Now APM policy sync succeeds even when policy includes FIPS key.

---

662372 : Uploading a new device certificate file via the GUI might not update the device certificate

Solution Article: K41250179

Component: TMOS

Symptoms:
After uploading a new device certificate via the 'Upload File' option in the GUI, the device certificate remains unchanged.

Conditions:
-- Upload a new device certificate file via the GUI.
-- There is already a file called /tmp/server.crt.

Impact:
The device certificate is not updated and no error is shown.

Workaround:
Use the 'Paste Text' option to import the certificate.

---

662364 : MRF DIAMETER: IP ToS not passing through with DIAMETER

Component: Service Provider

Symptoms:
IP layer's ToS is not passing through MRF Diameter.

Conditions:
-- The IP ToS bit is received in the clientside connection.
-- ip-tos-to-client is set as pass-through.

Impact:
The ToS from the client does not reach the server.

Workaround:
Use an iRule to preserve the ToS from the client and set it to serverside's connection.

Fix:
The ToS bit that arrives from the clientside connection is able to pass-through with Diameter MRF.

---

662281 : Inconsistencies in Automatic sync ASM Device Group

Component: Application Security Manager

Symptoms:
Some ASM calls are not propagated correctly across an automatic sync device group.

This can cause any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Conditions:
Automatic Sync is configured for a Device Group with ASM enabled.

Impact:
Any of the following depending on the change:
A) Superfluous full syncs
B) Updating the wrong element on the remote devices
C) Missing changes on the remote devices

Workaround:
Disable automatic sync on the device group, and periodically push changes manually.

Fix:
Calls are correctly propagated across Automatic sync Device Groups

---

662272 : ASM MySQL persistent query causing GUI to hang.

Component: Application Security Manager

Symptoms:
GUI access is slow.

Conditions:
This occurs when the following conditions are met:
-- Automatic Policy Builder is running with Parameter learning in Selective mode.
-- The system has already learned 10000 parameters for metachar violations.
-- There are then another 7500 pending suggestions at 100% that are not being accepted as the max has already been reached.

Impact:
Slow GUI and access to the ASM device.

Workaround:
Delete all the pending suggestions for the 'Illegal metachar in value' violation.

Fix:
MySQL query optimizations, so that ASM MySQL persistent query no longer causes GUI to hang.

---

662085 : iRules LX Workspace editor in TMUI fails to display all workspace contents after install of large Node.js packages

Component: Local Traffic Manager

Symptoms:
Using Node.js package manager (NPM) to install a large Node.js package in the TMUI results in truncated contents in the workspace.

Conditions:
Installing large Node.js packages using the TMUI.

Impact:
The workspace contents will be truncated. Some of the package contents will be missing, or boilerplate F5 elements (f5-nodejs, package.json, etc.) will not be shown.

Workaround:
None.

Note: TMSH recognizes the entire file structure of node_modules (e.g., package.json and module folders of f5-nodejs and async), but TMUI does not.

Fix:
All contents from the workspace filesystem are now shown and are editable from the TMUI.

---

662022 : The URI normalization functionality within the TMM may mishandle some malformed URIs.

Solution Article: K34514540

---

661881 : Memory and performance issues when using certain ASN.1 decoding formats in iRules

Solution Article: K00030614

Component: Local Traffic Manager

Symptoms:
Memory and performance issues when using calls to ASN1::decode with "a" or "B" characters in the format string. This occurs because these calls do not correctly free memory allocated by those functions.

Conditions:
iRules that contain calls to ASN1::decode with "a" or "B" characters in the format string.

Impact:
Memory leak, degraded performance, potential eventual out-of-memory crash.

Workaround:
None.

Note: Because of the memory leak associated with this issue, using calls to ASN1::decode with "a" or "B" characters in the format string should be avoided.

Fix:
Prevented memory leak when using calls to ASN1::decode with "a" or "B" characters in the format string.

---

660868 : Resets after adding URL Branching item

Component: Access Policy Manager

Symptoms:
Clients receiving resets, and these error logs in /var/log/apm:
Apr 25 14:23:12 ip-10-1-1-4 err tmm[12329]: 01870029:3: /Common/Allow_Access:Common:780e1b9f: [C] 10.1.10.9:57991 -> 10.1.10.102:443:ERR_NOT_FOUND: failed to find next policy item

Conditions:
A URL Branching item was added to the per-request policy. The item template for URL Branching contains single-quotes in the expression, which are considered invalid by the TCL interpreter.

Impact:
The invalid expression causes a non-recoverable failure in the control plane of TMM. Changing the expression has no effect.

Workaround:
Because of the non-recoverable failure caused by the invalid expression, there are only two workarounds:
1) Do not use the URL Branching template. Equivalent functionality is achieved by adding an empty item and using the expression builder. The templates in the expression builder are correct.
2) If a URL Branching template was already used, fix the expression by replacing all single-quotes with double-quotes. Then `bigstart restart tmm` to reset the affected part of the control plane.

Fix:
Now the URL Branching item in an APM Per-Request policy can successfully operate using templates.

---

660833 : merged repeatedly cores due to unused istats-trigger object

Component: TMOS

Symptoms:
If any of the elements of the istats-trigger configuration are not defined, this issue occurs. For example, all the elements defined in the key of the istats-trigger definition must be defined before the trigger is created.

Conditions:
The merged process continuously cores.

Impact:
merged restarts.

Workaround:
None.

---

660721 : Enforcement Readiness filter not preserved after changing page in Parameters page

Solution Article: K51431600

Component: Application Security Manager

Symptoms:
When applying the Enforcement Readiness filter from a basic filter in the Parameters page, for example, changing from page 1 to page 2, the selected filter not preserved.

Conditions:
There are at least two pages worth of parameters with selected Enforcement readiness status.

Impact:
Selected second page will be without applied filter.

Workaround:
To ensure that paging works correctly and the filter is preserved, apply Enforcement Readiness filter from advanced filter.

Fix:
Enforcement Readiness filter from basic filter is now preserved after paging.

---

660711 : MCPd might crash when user trying to import a access policy

Solution Article: K05265457

Component: Access Policy Manager

Symptoms:
MCPd restarts during importing an access policy; other daemon might also restart because of MCPd restart.

Conditions:
This occurs when an access policy uses the same agent more than once.
Importing that access policy causes MCPd to crash.

this can happen when you don’t use GUI/VPE to manage access policy but directly modify the config file in exported access policy.

Only use the GUI/VPE to manage access policies.

You should not modify the config file for an exported access policy.

Impact:
MCPd and some other daemons restart. GUI unresponsive for a while.

Workaround:
Only use the GUI/VPE to manage access policies.

You should not modify the config file for an exported access policy.

Fix:
MCP now applies appropriate validation to avoid importing invalid access policies.

---

660577 : openldap; prevent crash on rc==LDAP_SUCCESS && res==NULL

Component: TMOS

Symptoms:
openldap library routine segfaults on certain condition.

Conditions:
RST in the middle of auth process.

Impact:
apmd crashes.

Fix:
This is a preventive fix for the issue.

---

660532 : Cannot specify the event parameter for redirects on the policy rule screen.

Solution Article: K21050223

Component: Local Traffic Manager

Symptoms:
Cannot specify the event parameter for redirects on the policy rule screen.

System presents the following error: An error occurred: transaction failed:010716e2:3: Policy '/Common/Drafts/test', rule 'test-rule3'; an action precedes its conditions.

Conditions:
This occurs when setting a policy rule action's "event" parameter in the GUI when configuring redirects.

Impact:
Cannot specify the event parameter.

Workaround:
None.

Fix:
This release has an option for choosing event for redirect action.

---

660327 : Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

Component: Application Security Manager

Symptoms:
Config load fails when attempting to load a config that was saved from before 12.1.0 on a system that was already upgraded.

This happens only if before the upgrade, there was an ASM logging profile which had both remote logging and local logging enabled on it.

In the case of a single logging profile with local-plus-remote ASM enabled on it, upon an upgrade, the logging profile is split into two profiles. One has the '_local' extension added to it. Another attempt to load the config of the pre-upgrade system will fail. This only happens when using 'load sys config' or 'load sys config file', and does not happen when using 'load sys ucs'.

Upon failure, the following error is seen on the terminal:
01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127
Unexpected Error: Loading configuration process failed.

And in /var/log/ltm:
err mcpd[6618]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127.

Conditions:
-- Using a configuration that contains a Log Profile with ASM enabled and both Remote Log and Local Log enabled.
-- Upgrade to 12.1.2 or later (Use roll-forward upgrade, or instead use clean install and afterwards load the saved config file).

Impact:
Config load fails. Upgrade fails.

Workaround:
Use one of the following Workarounds:
1.
Save the new configuration before editing and re-loading, using the following commands:
tmsh save sys config partitions all
tmsh load sys config partitions all

(Note: Saving the UCS also saves the configuration.)

2.
Instead of loading the full configuration directly, first load the base and then load the full configuration:
tmsh -c 'load sys config partitions all base; load sys config partitions all'

---

660326 : Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.★

Solution Article: K91072177

Component: Application Security Manager

Symptoms:
Upgrade fails when a websecurity profile assigned to virtual server but ASM is not provisioned.

Conditions:
-- Websecurity profile assigned to a virtual server.
-- ASM not provisioned.
-- Upgrade to v12.1.0 or later.

Impact:
Upgrade fails.

Note: Although this is an invalid configuration, upgrade should not fail.

Workaround:
There are two workarounds.
-- Provision ASM.
-- Remove all websecurity profiles (and LTM policies that control ASM) from all virtual servers

Note: The first workaround must be done before the update. The second can be done before the upgrade, or by editing the config files and re-loading config (first base, then all) using the following command:

tmsh -c 'load sys config partitions all base; load sys config partitions all'

---

660196 : Sys connection behavior change

Component: Advanced Firewall Manager

Symptoms:
tmm/mcpd might restart when retrieving a large number of flows in response to running the command 'show sys connection' without any connection specifiers.

Conditions:
-- Execution of command: show sys connection.
-- Large number of flows.

Impact:
Possible disruption of traffic while tmm/mcps restarts.

Workaround:
None.

Fix:
This issue is fixed with the addition of the keyword: max-result-limit.

In previous releases, running the command 'show sys connection' without any connection specifiers returned all current active flows/connections, irrespective of the number of connections.

With the new default behavior, the system limits the results to the first 1000 currently active flows/connections. To change this number of results returned, you can set the new keyword: max-result-limit. If there is no 'max-result-limit' specified, the system uses the default value.

You can also specify 'infinite' to return all results (the previous behavior); however, you might encounter tmm/mcpd crashes depending on platform and number of active flows/connections.

The 'max-result-limit' keyword may be used along with other connection specifiers.

In addition, in previous releases, the system posted the following confirmation question: Really display all connections? Now, this is the confirmation question: Really display x connections? (where x is either the default value 1000 or user-specified value).

Examples:

 show sys connection max-result-limit 7500
 show sys connection max-result-limit 300 cs-client-addr 10.10.62.64

Behavior Change:
In previous releases, running the command 'show sys connection' without any connection specifiers returned all current active flows/connections, irrespective of the number of connections.

With the new default behavior, the system limits the results to the first 1000 currently active flows/connections. To change this number of results returned, you can set the new keyword: max-result-limit. If there is no 'max-result-limit' specified, the system uses the default value.

You can also specify 'infinite' to return all results (the previous behavior); however, you might encounter tmm/mcpd crashes depending on platform and number of active flows/connections.

The 'max-result-limit' keyword may be used along with other connection specifiers.

In addition, in previous releases, the system posted the following confirmation question: Really display all connections? Now, this is the confirmation question: Really display x connections? (where x is either the default value 1000 or user-specified value).

Examples:

 show sys connection max-result-limit 7500
 show sys connection max-result-limit 300 cs-client-addr 10.10.62.64

---

660170 : tmm may crash at ~75% of VLAN failsafe timeout expiration

Solution Article: K28505910

Component: Local Traffic Manager

Symptoms:
When VLAN failsafe is configured, and the VLAN failsafe timeout is 3/4 expired, tmm wants to generate ICMP traffic to evoke a network response. When this occurs, the system might experience a crash.

Conditions:
- VLAN failsafe is configured on a VLAN, for example with the recommended VLAN failsafe timeout of 90 sec.
- The VLAN does not observe ARP/ndp traffic for 3/4 of the timeout, 67.5 seconds.
- ICMP traffic generated to provoke a network response can under certain circumstances cause a TMM crash.

Impact:
TMM crashes, failover is triggered, as it would with a fully expired VLAN-failsafe-timeout condition (note that failover with a fully expired VLAN failsafe is correct behavior).

Traffic on other VLANs might be disrupted while TMM restarts. (Traffic on the VLAN-failsafe-triggered VLAN is already disrupted, causing the timeout to expire.)

Workaround:
1. To allow for VLAN failsafe to be updated for any frame, run the following command with VLAN failsafe enabled, run the following command:
 tmsh modify failover.vlanfailsafe.resettimeronanyframe enable

This configuration increases the confidence that in the case of a timeout expiry a real traffic disruption is detected.

2. Set the timeout of VLAN failsafe to 4/3 of the setting you want, for example, to have a timeout setting of 90, specify 120. With this setting, failover occurs at 90 seconds for a fully quiescent network.

Note: Having a fully quiescent network is a rare occurrence and likely indicates that another issue is occurring anyway.

Fix:
Generating ICMP traffic from TMM is no longer exposed to a potential crash in an invalid configuration or a completely quiet network, when generating ICMP traffic to provoke a network response on an expiring timer of VLAN failsafe, assuming the following configuration:

- VLAN failsafe is configured.
- VLAN failsafe expired 3/4 of the configured timeout (e.g., 67.5 seconds of 90 seconds ).

---

660119 : Monitor configured with timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Component: Local Traffic Manager

Symptoms:
When the monitor is configured with a timeout large enough that the timeout plus interval is greater than 86400 seconds, the service may be incorrectly marked down.

Conditions:
Monitor configured with timeout plus interval larger than 86400.

Impact:
Periodically service taken offline which may result in persistence issues or impact service availability.

Workaround:
Reduce the monitor's timeout to less than (86400 - interval).

---

659969 : tmsh command for gtm-application disabled contexts does not work with none and replace-all-with

Component: Global Traffic Manager (DNS)

Symptoms:
The command for distributed-app's disabled-contexts does not work with the options 'none' and 'replace-all-with'.

Conditions:
Issuing gtm-application disabled contexts commands including the options 'none' and 'replace-all-with'.

Impact:
Command does not complete successfully. This is an internal validation issue.

Workaround:
None.

---

659956 : tmsh stats are not one-to-one mapping to tmctl

Component: Local Traffic Manager

Symptoms:
tmsh stats doesn't have some stats while those stats exist at tmctl, such as fki_avg, fki_max, gk_avg, gk_max, dk_avg, and dk_max. At tmsh, 'find key by modulus' is shown as 'find_key', whereas it is shown as 'find_key_mod' at tmctl. This is because in tmsh it is not recommended to rename a stats item.

Conditions:
When tmsh stats command is used for pkcs11d.

Impact:
Some stats existing at tmctl are not showing up or showing differently at tmsh.

1. 'find_key' at tmsh is shown as 'find_key_mod' at tmctl. Also 'fk_*' is equivalent to 'fkm_*'
2. The following items are not as useful as the corresponding operation counts and error counts, so tmsh does not display them to keep tmsh table from being too wide.
    fki_avg fki_max gk_avg gk_max dk_avg dk_max.

Workaround:
Use tmctl if those stats not showing at tmsh are indeed needed.

Fix:
The statistics from tmctl pkcs11d_stat now matches the output of tmsh show sys nethsm pkcs11d-stat.

---

659912 : GSLB Pool Member Manage page display issues and error message

Solution Article: K81210772

Component: Global Traffic Manager (DNS)

Symptoms:
The GSLB Pool Member Manage page displays an error message 'Entry could not be matched against existing objects' when using the static-target checkbox to add a member that does not exist on the BIG-IP config.

Also when editing a pool member, the pool member's name will not be auto-selected in the combo box.

Conditions:
-- GSLB pool configured.
-- Members available for addition to the pool.

Note: This issue can happen when creating a pool in the members section as well as on the pool members manage page.

Impact:
Degraded usability.

Workaround:
Use TMSH to add a static-target and to edit pool members.

Fix:
Fixed issue with the edit button and issue that prevented adding as a static-target a GSLB pool member that was not part of the GTM config. Now, if static target is enabled, you can type the name of the target without the target being configured on the system.

---

659899 : Rare, intermittent system instability observed in dynamic load-balancing modes

Solution Article: K10589537

Component: Local Traffic Manager

Symptoms:
The dynamic pool member load-balancing modes require a precision measurement of active connection counts and/or rates. Rare, intermittent system instability has been observed in dynamic pool member selection when a new connection arrives. TMM may restart, leaving a core file.

Conditions:
LTM pool configured to use a dynamic load-balancing mode ('ltm pool NAME load-balancing-mode MODE' where MODE is one of the dynamic load-balancing modes, such as dynamic-ratio-member, least-connections-node, predictive-node, etc.). The dynamic modes use the session database to share data among all TMM instances, and under extremely rare conditions, the session database may become unreliable.

Impact:
TMM restarts and leaves a core file. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The dynamic load-balancing modes are now more tolerant of errors from the underlying session database.

---

659791 : TFO and TLP could produce a core file under specific circumstances

Solution Article: K81137982

---

659709 : Memory leak under rare conditions

Component: Local Traffic Manager

Symptoms:
Memory leak

Conditions:
-- Mirrored flow.
-- Persistence used.
-- Another error condition such as high availability (HA) channel down.

Impact:
Memory leak.

Workaround:
None.

Fix:
Memory leak is fixed.

---

659567 : iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions

Component: Policy Enforcement Manager

Symptoms:
When the RADIUS discovery virtual server and the traffic listener virtual server sit in two different route domains, the iRule command 'PEM::session info $sub subscriber-id' may not be able to fetch the subscriber-id.

Conditions:
-- Running v12.1.x or v13.0.0.
-- RADIUS server.
-- Use of iRule command PEM::session.

Impact:
'PEM::session info state/subscriber-id' commands might not return the expected session info.

Workaround:
None.

Fix:
iRule command PEM::session functions differently in 12.1.x and 13.0.0 than it did in prior versions. The commands now consider route domains.

---

659527 : Custom Predefined Reports are not displayed in ASM Analytics Schedules

Component: Application Visibility and Reporting

Symptoms:
When creating custom predefined filters, either via Requests page or via ASM Statistics, these custom reports are not displayed as part of the predefined reports list when creating/modifying an ASM Schedule.

Conditions:
Creating custom predefined filters, either via Requests page or via ASM Statistics.

Impact:
Reports created by user can not be easily used in GUI to create a scheduled report.

Workaround:
N/A

Fix:
ASM Requests/Stats pages now use the correct internal field name to store the reference to the report, thus it will be accessible by all screens.

---

659522 : Support combination of real-time and on-submit encryption

Component: Fraud Protection Services

Symptoms:
When real-time encryption is enabled and parameters that are configured with encryption are enabled, the system cannot encrypt the value populated by the script in real-time, so that parameter will be sent as plain text.

Conditions:
1. Real-time encryption enabled.
2. Parameter configured with encryption enabled.
3. The encryption-enabled parameter is populated by the script.

Impact:
FPS cannot encrypt the encryption-enabled parameter in real-time, so that parameter will be sent as plain text.

Workaround:
None.

Fix:
The system now supports the combination of real-time and on-submit encryption when using the Before Load Function: function(C){ C.XX.realTimeAndSubmitEnc = true;}.

Note: You must configure the Before Load Function because this is not the default setting.

---

659399 : HTTPS monitors might share one SSL profile

Component: Local Traffic Manager

Symptoms:
Each HTTPS monitor has its own cert, key, cipherlist, compatibility, and partition attributes for SSL-related functionality. Depending on the configuration, hardware, and number of HTTPS monitors, rolling forward a configuration with a number of HTTPS monitors might impact performance, memory usage, capacity, and compatibility.

Conditions:
These attributes of HTTPS monitors are of the same values: cert, key, cipherlist, compatibility, and partition, but occur in multiple HTTPS monitors.

Impact:
Potential impact on performance, memory usage, capacity, and compatibility as the roll-forward process creates each HTTPS monitor.

Workaround:
N/A

Fix:
To streamline the number of SSL profiles when rolling forward HTTPS monitors, if multiple HTTPS monitors contain attributes (cert, key, cipherlist, compatibility, and partition), with the same values, the monitors with same-value attributes will share one SSL profile, instead of having multiple sets of attributes, one for each HTTPS monitor.

Note: Although there are fewer SSL profiles, if you want to change any of these attributes for one specific HTTPS monitor, you might have to add an SSL profile for it.

Behavior Change:
Original behavior: Each HTTPS monitor has its own cert, key, cipherlist, compatibility, and partition attributes for SSL-related functionality.

New behavior: These SSL-related attributes are deprecated, and an SSL profile is created in lieu of those attributes.

When rolling forward, instead of creating one SSL profile for each HTTPS monitor, one SSL profile will be shared by possibly many HTTPS monitors, if the specified attributes are of the same value.

---

659371 : apmd crashes executing iRule policy evaluate

Component: Access Policy Manager

Symptoms:
Following a restart, if apmd executes an iRule policy evaluate before its reinitialization is complete, apmd can crash.

Conditions:
If apmd restarts due to a crash or explicit restart command but tmm remains active, then iRule policy evaluate commands can reach apmd before it completes initialization and it will crash.

Impact:
apmd crashes and restarts, preventing end users from logging in.

Workaround:
NOne.

Fix:
Now APMD has a more robust initialization process to ensure that it does not execute access policies from iRule commands before it is ready.

---

659281 : "Severe critical" message after failed upgrade persists even after subsequent successful config load★

Component: Application Security Manager

Symptoms:
A critical message persists in the GUI after a failed upgrade:

----------------------------------------------------------------------
ASM Critical Warning

An upgrade process was interrupted. It is very likely that ASM will start with a severe inconsistent interal state and critical errors
----------------------------------------------------------------------

Conditions:
ASM upgrade has failed.

Impact:
A critical message persists in GUI, even after a successful subsequent configuration load.

Fix:
Subsequent successful configuration load now clears failed upgrade message.

---

659173 : Diameter Message Length Limit Changed from 1024 to 4096 Bytes

Solution Article: K76352741

Component: Service Provider

Symptoms:
Diameter messages longer than 1024 might cause core dumps.

Conditions:
Using Diameter messages longer than 1024.

Impact:
Diameter MRF virtual servers.

Workaround:
Make sure messages are less than 1024 bytes.

Fix:
Messages of 4096 or fewer bytes now pass, and longer messages no longer cause core dumps.

---

659141 : Support tcpdump file has qkview extension

Solution Article: K11435321

Component: TMOS

Symptoms:
The Support tcpdump file has a qkview extension.

Conditions:
On the Support page, generate a tcpdump file.

Impact:
The tcpdump file has a qkview extension. There is no functional issue with the system; only the file extension is incorrect.

Workaround:
None.

Fix:
The Support tcpdump file now has a tcp extension.

---

658989 : Memory leak when connection terminates in iRule process

Component: Local Traffic Manager

Symptoms:
Memory leak eventually leading to alloc failure and TMM crash.

Conditions:
Connection is aborted/terminated when iRule processing is suspended for the current connection.

Impact:
Memory leak and eventual TMM restart. Traffic disrupted while tmm restarts.

Workaround:
Avoid suspend/park commands in iRule processing.

Fix:
Memory no longer leaks when connection is aborted/terminated when iRule processing is suspended.

---

658852 : Empty User-Agent in iSessions requests from APM client on Windows

Component: Access Policy Manager

Symptoms:
'User-Agent' might be empty in some '/isession' requests from APM client on Microsoft Windows. Having empty User-Agent headers is not in RFC compliance and forces some firewall to block the connection. This might result in failure to establish a VPN tunnel.

Conditions:
'/isession' requests from APM client on Windows.

Impact:
Failure to establish a VPN tunnel.

Workaround:
None.

Fix:
Now all connections from Windows APM VPN client contain 'User-Agent' headers, as expected.

---

658764-1 : Linux kernel lasthop driver memory issue

Solution Article: K43322910

---

658664 : VPN connection drops when 'prohibit routing table change' is enabled

Solution Article: K21390304

Component: Access Policy Manager

Symptoms:
When there is a brief network outage and 'prohibit routing table change' is enabled, VPN gets disconnected and no further attempts are made to re-establish the VPN connection.

Conditions:
-- A brief network outage occurs.
-- The 'prohibit routing table change' option is enabled.

Impact:
APM end users must click 'Connect' and re-authenticate in order to re-establish the VPN connection.

Workaround:
To re-establish the VPN connection, click 'Connect' and re-authenticate.

Fix:
Now the Windows Edge Client VPN connection stays active during a brief network outage, regardless of the state of the 'prohibit routing table changes' option.

---

658636-4 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct,

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

---

658574 : An accelerated flow transmits packets to a stale (incorrect) destination MAC address.

Component: TMOS

Symptoms:
An accelerated flow can send to a stale destination MAC address after the ARP packet with the updated MAC address is received.

Warning: disabling auto-lasthop is not enough when they want BIG-IP to use updated destination MAC address.

Conditions:
A flow is accelerated with a destination MAC address that changes while the flow is accelerated.

Impact:
The BIG-IP system sends packets to a stale (incorrect) destination MAC address. In this case, the new MAC address is not updated for the accelerated flow and the flow will continue to send traffic using the original MAC address.

Workaround:
Disable HW acceleration. Prevent the downstream destination MAC address from changing. For example, if the downstream unit is a BIG-IP active/standby configuration, then use MAC masquerading to prevent the MAC address from changing.

---

658462 : Portal Access: tmm may crash if web application uses long cookie names and/or values

Solution Article: K10251490

Component: Access Policy Manager

Symptoms:
If JavaScript code sets a very long cookie value or uses very long cookie name (longer than 450 bytes), tmm may crash processing this cookie change.

Conditions:
-- JavaScript code sets/changes long cookie value or uses long cookie name;
-- Chrome or MS Edge browser is used.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Use an iRule to remove 'Origin' header from any request to '/private/fm/volatile.html'.

Note: This iRule has to enable events for internal requests using 'ACCESS::restrict_irule_events enable' command.

Fix:
TMM no longer crashes when an APM Portal Access web application uses long cookie values and/or names.

---

658343 : AVR tcp-analytics: per-host RTT average may show incorrect values

Solution Article: K33043439

Component: Application Visibility and Reporting

Symptoms:
When viewing the Statistics :: Analytics :: TCP :: RTT, then selecting (in the table below the graph), View By: "Remote Host IP Address", the values presented RTT Avg (ms) may be incorrect (they could even be larger than the RTT Max column).

As values are aggregated through the data tables, the reported rtt average value becomes larger and larger.

Conditions:
AVR is provisioned, and a tcp-analytics profile is attached to a virtual server.

Impact:
The values reported in the RTT Avg column when viewing by Remote Host IP Address may be incorrect.

Workaround:
None.

Fix:
The rtt_count, rtt_max, rtt_avg, rtt_sum metrics after day aggregation and week aggregations are now correct in the day, week, month reports. The rtt_sum is now aggregated with correct value (exceed max int), as expected.

---

658315 : WebSafe Login Validation may break response

Component: Fraud Protection Services

Symptoms:
Response will be dropped, client will get an Err_Connection_Closed error

Conditions:
1. WebSafe and APM are both provisioned and enabled
2. request for a WebSafe protected URL results in successful Login Validation

Impact:
response is dropped and application breaks

Workaround:
Do Not use WebSafe's Login-Validation, when a "connection terminating" filter (like APM) enabled

Fix:
Fixed an issue with WebSafe Login Validation causing responses to be dropped.

---

658298 : SMB monitor marks node down when file not specified

Component: TMOS

Symptoms:
The smb monitor may always mark the node down when the file is not specified in the monitor config.

Conditions:
Pool member monitored with smb monitor.

Impact:
Service impact due to node being marked down.

Workaround:
Configure monitor to fetch file (authenticated).

---

658261 : TMM core after HA during GY reporting

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of GY reporting

Conditions:
-- Failover is triggered,
-- The daglib hash redistributes the subscriber DATA to different slots.
-- Existing flows continue on the slots that were allocated using the old hash of daglib.

Note: This is a rarely encountered issue that occurred in a setup with 8 slots and 750 thousand subscribers.

Impact:
Slot reboots. May trigger more hash rearrangement. Traffic disrupted while tmm restarts.

Workaround:
None.

---

658227 : Using variable substitution for Console attribute for remote-role always denies ssh access

Component: TMOS

Symptoms:
When using a remote role group to set a user's console by variable substitution from the RADIUS variable F5-LTM-User-Console, console access will be disabled no matter the value of the variable returned by the RADIUS server.

Conditions:
Remote auth using RADIUS. Remote role group configured to set console by variable substitution with F5-LTM-User-Console.

Impact:
Users who are expected to have tmsh access will not. These users will still have GUI access.

Workaround:
Use F5-LTM-User-Shell, and set the value to "tmsh" for users who need tmsh access.

Fix:
If console is set by variable substitution from F5-LTM-User-Console, and this variable is set to 1 (or Enabled), the user will have tmsh access.

---

658214 : TCP connection fail intermittently for mirrored fastl4 virtual server

Component: Local Traffic Manager

Symptoms:
In some cases, a mirrored FastL4 virtual server may fail to forward the SYN on the server-side after receiving the context-ack from the peer. Note: This is a connection-failure through the active system, not simply a failure to mirror to the peer.

Symptoms include:
-- TCP connection failures.
-- Possibly other packets lost.

Conditions:
-- FastL4 virtual server.
-- Mirroring is enabled.
-- Certain traffic interleaving might be necessary for this intermittent problem to occur.

Impact:
FastL4 mirroring does not always forward SYN to server after receiving context ACK. Connections fail.

Workaround:
Set the tm.fastl4_ack_mirror dv variable using the following command: tmsh modify sys db tm.fastl4_ack_mirror value disable.

Fix:
In this release, mirrored FastL4 virtual server now forward the SYN on the server-side after receiving the context-ack from the peer as expected.

---

658148 : TMM core after intra-chassis failover for some instances of subscriber creation

Component: Policy Enforcement Manager

Symptoms:
If intra-chassis failover is triggered in a loaded chassis, the tmm crashes in some cases of subscriber creation.

Conditions:
-- The chassis is loaded with many blades.
-- The HA configuration is intra-chassis.
-- RADIUS subscriber is added with custom attributes.
-- The subscriber attributes are corrupted or erased.

Impact:
TMM crashes. The slot reboots, potentially triggering further daglib hash changes. May result in cascading core under load. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
If intra-chassis failover is triggered in a loaded chassis, the tmm no longer crashes in some cases of subscriber creation.

---

658036 : Honoring negotiated MSS for TCP segmentation

Solution Article: K04651090

Component: TMOS

Symptoms:
Following are the symptoms:

1. When the BIG-IP system's MTUs are larger than the smallest MTU in the end-to-end path:
-- The BIG-IP system does not mark coalesced packets larger than egress MSS but smaller than egress MTU in the BIG-IP system for segmentation. Therefore, the BIG-IP system receives 'ICMP fragmentation needed' messages from an intermediate router which drops the packets when the Don't Fragment (DF) bit is set in IP header.

2. When the BIG-IP system's MTUs are less than 1500:
-- On ingress, the BIG-IP system rejects coalesced packets larger than ingress MTU and less than 1500 and having DF bit set in IP header. the BIG-IP system sends 'ICMP fragmentation needed' message to sender.

Conditions:
* Generic Receive Offload (GRO) and Large Receive Offload (LRO) for data plane interfaces are supported and enabled (both in host and guest).

* Packets are sent with DF bit set.

* For #1:
-- FastL4 profile in use.
-- The BIG-IP system's VLAN MTUs are larger than the smallest MTU in the end-to-end path.

* For #2:
-- The BIG-IP system's MTUs are set to a value that is less than 1500.
-- The packets' DF bits are set.

Impact:
No traffic or very low throughput.

Workaround:
Disable LRO and GRO for data plane interfaces using the following command:

tmsh modify sys db tm.tcplargereceiveoffload value disable.

Note: For KVM virtio devices, LRO/GRO need to be turned off in host NIC.

Fix:
The BIG-IP system fastL4 stack now uses discovered MSS to determine whether TCP segmentation is required.

---

657965 : Reassess encryption health after encrypted ajax is sent

Component: Fraud Protection Services

Symptoms:
WebSafe application layer encryption fails to decrypt data sent by ajax multiple times for a single client.

Conditions:
Failure to decrypt data that was sent by AJAX

Impact:
Decryption is likely to continue failing until the page is refreshed.

Workaround:
N/A

Fix:
Encryption health status is reassessed after ajax response.

---

657925 : Error when enabling ASM via iRule

Component: Application Security Manager

Symptoms:
The following error occurs in tmm log

err tmm3[26234]: 01220001:3: TCL error: /Common/irule_switch <HTTP_REQUEST> - while executing "ASM::disable".

Conditions:
Enabling or disabling ASM using an iRule, for example, using an iRule similar to the following:

when HTTP_REQUEST {
           ASM::disable
           if { ([IP::local_addr] equals "1.1.1.1") } {

                     ASM::enable /Common/http_asm_policy
                     log local0. "1 access"

           }
           elseif { ([IP::local_addr] equals "1.1.1.2") } {

                     ASM::enable /Common/http_asm_policy_2
                     log local0. "2 access"

           }
}

Impact:
Getting dropped request.

Workaround:
None.

Fix:
Better handling of enable/disable ASM policy via an iRule.

---

657883 : tmm cache resolver should not cache response with TTL=0

Solution Article: K34442339

Component: Local Traffic Manager

Symptoms:
tmm cache resolver caches responses with TTL=0, and it shouldn't.

Conditions:
TTL is set to 0 on the BIG-IP DNS system, so TMM will see TTL=0 from the DNS answer.

Impact:
tmm cache resolver caches responses with TTL=0.

Workaround:
None.

Fix:
The system no longer caches ttl=0 response for tmm cache resolver. This is correct behavior.

---

657858 : TMM can restart when VLAN keyed connections are disabled.

Solution Article: K85425460

Component: Local Traffic Manager

Symptoms:
TMM may restart intermittently when VLAN-keyed connections are disabled.

Conditions:
VLAN-keyed connections are disabled. Several types of traffic can cause this, including FTP traffic and multicast traffic.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None.

Fix:
Disabling VLAN-keyed connections no longer causes TMM to restart.

---

657795 : Possible performance impact on some SSL connections

Solution Article: K51498984

Component: Local Traffic Manager

Symptoms:
Some SSL connections may be delayed by almost exactly 5 seconds. The delay occurs between the SSL client hello and the server hello response from the BIG-IP system.

Conditions:
-- SSL configured on a Virtual Server. Affects VIPRION/vCMP Guests.

-- Client connects with an SSL session ID that is not in the cache, and in a very specific format that causes tmm to associate the session ID to a blade that does not exist.

Impact:
Performance may be impacted on those SSL connections.

Workaround:
Disable SSL session cache by setting cache-size to zero in the clientssl profile.

Fix:
This release fixes an issue that might cause performance impact on certain SSL connections.

---

657727 : Running tcpdump from TMSH cannot capture the local "tmm" interface

Solution Article: K39694060

Component: TMOS

Symptoms:
Cannot run tcpdump against the "tmm" interface. System posts errors similar to the following:
tcpdump: pcap_loop: Device /Common/tmm not found
tcpdump: ioctl: No such device

This occurs because the 'tmm0' interface was renamed to 'tmm' beginning in v12.1.0, but the libbigpacket conditional logic to handle "special device names" still references 'tmm0'.

Conditions:
-- When running tmsh, an environment variable ("TMOS_PATH") is set.
-- The user logs in to the CLI with a default shell of tmsh (either as configured, or with a role assigned via remote-roles), or tries to run tcpdump via tmsh.

Impact:
Cannot run tcpdump on the 'tmm' internal interface.

Workaround:
Unset the 'TMOS_PATH' environment variable before running tcpdump.

---

657713 : Gateway pool action may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart.

Component: Local Traffic Manager

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- TMM generates a core file in the /shared/core directory.
-- Your BIG-IP system logs a SIGFPE to the /var/log/tmm file at the same time TMM produces a core file and restarts.
-- In one of the /var/log/tmm log files, you may observe error messages similar to the following example:

notice panic: ../modules/hudfilter/hudfilter.c:1063: Assertion "valid node" failed.
notice ** SIGFPE **

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP system is configured to route traffic using a gateway pool.
-- The gateway pool is configured with Action On Service Down = Reject.
-- The pool monitor marks all members of the gateway pool as unavailable.
-- A connection is rejected by the gateway pool.

Impact:
The BIG-IP system temporarily fails to process traffic while the TMM process restarts. If the BIG-IP system is configured for high availability (HA), the system fails over to a peer system.

Workaround:
Set service-down-action to none or reselect.

Fix:
Gateway pool action no longer triggers TMM to produce a core file and restart.

---

657708 : Packet Tester is still available in the GUI when AFM is not provisioned

Solution Article: K50308190

Component: Advanced Firewall Manager

Symptoms:
The Packet Tester is an AFM-only tool, but is available in the GUI when AFM is not provisioned.

Conditions:
BIG-IP system with AFM not licensed.

Impact:
The packet tester is available to use when it should not be.

Workaround:
None.

Fix:
The Packet Tester is no longer available unless AFM is licensed. This is correct behavior

---

657632 : Rarely if a subscriber delete is performed following HA switchover, tmm may crash

Component: Policy Enforcement Manager

Symptoms:
If a subscriber delete is performed following a HA switchover, tmm may coredump. The probability of this scenario is rare, where a subscriber may have been freed during switchover and a subsequent forced delete command quickly follows.

Conditions:
-- A subscriber delete command followed by a HA switchover.
-- During the switchover, the subscriber was freed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now removes the subscriber index from the table if present in these cases.

---

657626 : User with role 'Manager' cannot delete/publish LTM policy.

Component: Local Traffic Manager

Symptoms:
User with role 'Manager' cannot delete/publish LTM policy.

audit.log contains a message similar to the following:
notice icrd_child[18194]: 01420002:5: AUDIT - pid=18194 user=Manager folder=/Manager module=(tmos)# status=[01070822:3: Access Denied: User (Manager) may not delete objects in partition (Common)] cmd_data=publish ltm policy /Manager/Drafts/draft-test.

Conditions:
-- User with 'Manager' role.
-- Attempting to delete or publish an LTM policy.

Impact:
Operation does not complete, and system posts error.

Workaround:
None.

---

657531 : High memory usage when using the ICAP server

Solution Article: K02310615

Component: Application Security Manager

Symptoms:
High UMU memory when using the ICAP server.

Conditions:
-- ICAP is in use.
-- There are long requests (requests longer than 128 KB) that should get to the ICAP server.

Impact:
UMU memory goes up.

Workaround:
-- Decrease the max concurrent long requests.
-- Decrease the size for the long requests buffer size.
-- Make sure the ICAP server is up and running and responding quickly (the issue will be more visible when the ICAP server is lagging).

---

657526 : Rename Remote Logging format 'Key-Value Pairs' to 'Key-Value Pairs (Splunk)'

Component: Application Security Manager

Symptoms:
'Key-Value Pairs' logging format name does not mention 'Splunk', which makes it inconsistent with 'Common Event Format (ArcSight)'.

Conditions:
This is visible in Logging Profile :: Application Security, by choosing Storage Destination: Remote Storage, and then check Logging Format

Impact:
Remote Logging format is 'Common Event Format (ArcSight)' in one case, and 'Key-Value Pairs' in the other.

Workaround:
None.

Fix:
Remote Logging format 'Key-Value Pairs' has been renamed to 'Key-Value Pairs (Splunk)'.

---

657521 : Transient error may appear in bd.log shortly after Signature Set is added to policy

Solution Article: K49102057

Component: Application Security Manager

Symptoms:
A transient error may appear in bd.log and asm.log shortly after a Signature Set is newly associated with a security policy.

In bd.log, the messages appear similar to the following:

 ECARD_POLICY|ERR |Apr 09 01:00:23.205|24966|attack_patterns.cpp:0027|signature collection with id: 13 doesn't exist
 ATTACK_SIG|ERR |Apr 09 01:00:23.205|24966|attack_patterns_funcs.cpp:0083|Signature collection id: 13 Can't be acquired

In asm.log, the messages appear similar to the following:

 info perl[20236]: 01310053:6: ASMConfig change: Policy Signature Set High Accuracy Detection Evasion Signatures [add]: Alarm was set to enabled. Policy Signature Set Name was set to High Accuracy Detection Evasion Signatures. Block was set to enabled. Learn was set to enabled. { audit: policy = /Common/policy2, username = admin, client IP = 192.168.188.44 }
 info perl[20236]: 01310053:6: ASMConfig change: Policy Signature Set High Accuracy Signatures [add]: Alarm was set to enabled. Policy Signature Set Name was set to High Accuracy Signatures. Block was set to enabled. Learn was set to enabled. { audit: policy = /Common/policy2, username = admin, client IP = 192.168.188.44 }

Conditions:
A Signature Set is newly associated with a security policy.

Impact:
A transient error may appear in bd.log and asm.log.

Workaround:
None.

Fix:
No errors appear in in bd.log after a Signature Set change.

---

657502 : JS error when leaving page opened for several minutes

Component: Fraud Protection Services

Symptoms:
Google Chrome delays JS execution when the tab is not active.
Therefore anti-debug module acts as if someone is trying to debug JS code.

Conditions:
-- JS runs in hidden tab in Google Chrome.
-- Anti-debug functionality is active.
-- Page is left open for several minutes.

Impact:
Errors in console and JS logic is incorrectly executed.

Workaround:
Identify hidden tab and pause anti-debug functionality.

Fix:
The system now correctly handles JS code running in a hidden tab and pauses anti-debug check.

---

656912 : Various NTP vulnerabilities

Solution Article: K32262483

---

656900 : Blade family migration may fail

Component: TMOS

Symptoms:
Migrating the configuration from a B2100 blade to a newer variant, as documented in the "Migrating the Configuration on B2000 Series Blades" page in the "VIPRION Systems: Blade Migration" manual, may show output indicating a failure.

Conditions:
All such blade upgrades.

Impact:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

Workaround:
The line 'load ucs failed!' should be ignored. If the line '/var/local/ucs/upgradeConfig-your-serial-number.ucs is loaded.' is present, then the UCS load was in fact successful and you can proceed with the instructions.

---

656872 : Rolling forward with HTTPS monitors in the configuration with mismatched keys and certs

Component: Local Traffic Manager

Symptoms:
If you roll forward, have HTTPS monitors in the configuration and use the monitor's attributes key and cert, make sure the key and cert are matching.

Currently there is no validation in the HTTPS monitor for such mismatch. This feature will deprecate these attributes and move to SSL profile instead.

If they are not matching, it will result in roll forward failure.

Conditions:
If you roll forward and have HTTPS monitors in the configuration and you are using attributes key and cert in the monitor

Impact:
If they are not matching, it will result in roll forward failure.

Workaround:
Make sure the key and cert of any HTTPS monitors are matching before you proceed to roll forward.

---

656807 : iRule DNS::ttl does not allow 0 (zero)

Component: Global Traffic Manager (DNS)

Symptoms:
DNS::rr cannot set ttl to 0. The system returns the following message: error: [internal error "unexpected return code"][DNS::ttl $rr 0].

Conditions:
-- Using iRule DNS::ttl.
-- Trying to set ttl to 0.

Impact:
DNS::rr cannot set ttl to 0, the resolver cache can't be disabled, and the system returns an error: error: [internal error "unexpected return code"][DNS::ttl $rr 0]

Workaround:
None.

Fix:
iRule DNS::ttl now allows a 0 (zero) setting. iRule with ttl 0 can now be saved as expected.

---

655807 : With QoS LB, packet rate score is calculated incorrectly and dominates the QoS score

Solution Article: K40341291

Component: Global Traffic Manager (DNS)

Symptoms:
When choosing QoS Load balance, packet rate is dominating the score.

Conditions:
QoS load balance.

Impact:
Load balance decision is mostly impacted by packet rate.

Workaround:
None.

Fix:
Corrected a calculation error for QoS score involving packet rate.

---

655793 : SSL persistence parsing issues due to SSL / TCP boundary mismatch

Component: Local Traffic Manager

Symptoms:
When the SSL client or server system is set up to send SSL messages whose boundaries do not align with underlying TCP boundaries, the parser fails when SSL persistence is enabled.

So, any SSL record spanning over multiple TCP segments (in this case it's ServerHello, Certificate, and ServerHelloDone) triggers the issue with the SSID error RST cause.

This can also result from a message size exceeding the maximum configured size (default is 32K).

Conditions:
[1] SSL persistence is enabled.
[2a] SSL message boundary does not align with underlying TCP segment boundary. One example of boundary mismatch is when the TCP MTU size is changed to a lower value (around 1200 bytes). Even then there may be specific values for which the boundaries match and parsing succeeds.
[2b] The message size is greater than the maximum configured size (default 32k).

Impact:
When the parsing fails, the SSL client or server hangs and times out. In other words, SSL traffic is affected.

The SSL parsing should succeed regardless of a match or mismatch between SSL message boundary and TCP segment boundary.

Workaround:
Disable SSL persistence.

Fix:
The system now switches the state of the SSL persistence to pass through all remaining messages, since no further parsing is needed.

---

655767 : MCPD does not prevent deleting an iRule that contains in-use procedures

Component: Local Traffic Manager

Symptoms:
If an iRule that is attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error.

MCPD contains validation that should prevent a user from deleting an iRule that is currently in use by a virtual server, e.g.:

    01070265:3: The rule (/Common/rule_uses_procs) cannot be deleted because it is in use by a virtual server (/Common/vs_http).

However, if an iRule attached to a virtual server makes a procedure call in a different iRule, it is possible to delete the different iRule with no error. This results in a configuration that will subsequently fail to load (during a config load, MCPD validation will catch this), or will fail if a full configuration sync is performed.

Conditions:
Must be using iRules that call into other iRules.

Impact:
System gets into a state where traffic may fail unexpectedly, and subsequent reboots, configuration loads, upgrades, or configuration sync operations will fail.

Workaround:
None. Use caution when deleting iRules, especially iRules that call into other iRules.

---

655724 : MSRDP persistence does not work across route domains.

Solution Article: K15695

Component: Local Traffic Manager

Symptoms:
MSRDP persistence doesn't work with non-default route domains.

Conditions:
Configure a virtual server with a MSRDP persistence profile and a pool using a non-default route domain.

Impact:
MSRDP persistence does not work.

Workaround:
Implement MSRDP persistence using iRules.

Fix:
MSRDP persistence with non-default route domains works correctly now.

---

655691 : GUI image list contains misleading 'MD5 Sum Verified' field

Component: TMOS

Symptoms:
In the GUI, images in the Image List and Hotfix List contain a field called 'MD5 Sum Verified', which is misleading since no such verification is actually done.

Conditions:
Using BIG-IP GUI and viewing the Image List and Hotfix List.

Impact:
It appears that MD5 sums are being verified when in reality much more limited tests are done.

Workaround:
N/A

Fix:
Replace 'MD5 Sum Verified' with 'BIG-IP Image Verified' in Image List and Hotfix List in BIG-IP GUI to more accurately reflect our verification procedures.

---

655671 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.

---

655649 : BGP last update timer incorrectly resets to 0

Component: TMOS

Symptoms:
In ZebOS, every time the scan timer resets it also incorrectly resets the BGP last update timer as shown under the imish command 'sh ip route'.

Output from 'sh ip route':

4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:32
                    [20/0] via 10.10.1.6, eno33554952, 00:00:32
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:33
                    [20/0] via 10.10.1.6, eno33554952, 00:00:33
...
4054fdc0-3e51-4079-b52f-4a3b058a3f93#sh ip ro
...
B 10.30.0.0/16 [20/0] via 10.10.1.2, eno33554952, 00:00:00 <<<< shouldn't reset
                    [20/0] via 10.10.1.6, eno33554952, 00:00:00

Conditions:
Once ZebOS has learned a route from a BGP peer the route will show up under 'sh ip route' and the BGP last update timer will incorrectly reset.

Impact:
None. This is cosmetic.

Workaround:
None.

Fix:
BIG-IP no longer resets the last update time of learned routes via BGP.

---

655628 : TCP analytics does not release resources under specific sequence of packets

Component: Local Traffic Manager

Symptoms:
TCP analytics does not release memory when a specific sequence of packets is observed, and memory usage increases as more such flows occur.

Conditions:
-- A TCP analytics profile is configured to collect clientside/serverside analytics data.
-- AVR is provisioned.
-- FastL4 and HTTP profiles are configured.
-- A specific sequence of packets (on the serverside) occurs.

Impact:
Main memory occupied by TCP analytics is not released which might lead to memory exhaustion on the BIG-IP system.

Workaround:
Turn off collecting TCP analytics data for the virtual server.

Fix:
TCP analytics now releases resources properly.

---

655617 : Safari, Firefox in incognito mode on iOS device cannot pass persistent client identification challenge

Solution Article: K36442669

Component: Application Security Manager

Symptoms:
When running Safari or Firefox in incognito mode on iOS devices, browser gets TCP RST and will not be able to pass client-side challenge. The system posts the following error in tmm log: failed parsing header 3.

Conditions:
1. Web scraping is configured.
2. Persistent client identification is enabled.
3. Using Safari or Firefox on iOS devices.

Impact:
Browser cannot access the site.

Workaround:
Turn off persistent client identification.

Fix:
Safari, Firefox in incognito mode on iOS device can now pass persistent client identification challenge.

---

655507 : Rewrite may crash on empty values in Headers list of Portal Access Resource Item configuration

Solution Article: K50080455

Component: Access Policy Manager

Symptoms:
Portal Access rewrite process may crash when resource item configuration for the current request contains invalid value in Headers advanced option.

Conditions:
This can occur if the Headers options are empty, for example:
tmsh modify apm resource portal-access <resource> items modify { <resource item> { headers { {} } } }

Impact:
Rewrite crashes.

Workaround:
Fix the configuration:
1. find resource and resource item names of configuration blocks containing 'headers none' using the following command: tmsh list apm resource portal-access.
2. For each affected resource and its item, run the following command:
tmsh modify apm resource portal-access <resource> items modify { <resource item> { headers none } }

Fix:
APM Portal Access rewrite no longer crashes on invalid Custom Headers configuration.

---

655506-1 : Guest configurations with mergeable buffers disabled are not supported.

Component: TMOS

Symptoms:
Guest configurations with mergeable buffers disabled are not supported.

Conditions:
Guest configuration explicitly disables mergeable buffers:
<host mrg_rxbuf='off'/>.

Impact:
tmm core. Traffic disrupted while tmm restarts. When mergeable buffers are disabled, the 13.0.0 virtio driver crashes and the 13.1.0 driver stops processing, i.e., it does not attach to the device.

Workaround:
Do not disable mergeable buffers.

Fix:
The system now logs an alert rather than enters a restart loop.

Note: There is no plan to support disabled mergeable buffers.

---

655500-1 : Rekey SSH sessions after one hour

Component: TMOS

Symptoms:
Common Criteria requires that SSH session be rekeyed at least every hour

Conditions:
SSH connections to or from the BIG-IP system.

Impact:
SSH sessions are rekeyed in response to the quantity of data transferred, or on user demand, but not on the basis of elapsed time

Workaround:
If time-based rekeying is required in your environment, edit the SSH configuration to include a RekeyLimit with both data and time parameters using a command similar to the following:
tmsh modify sys sshd include 'RekeyLimit 256M 3600s'

Outbound SSH client connections can be modified by adding the same RekeyLimit configuration to /config/ssh/ssh_config or by including that option on the command line when calling the ssh client.

Fix:
SSH sessions are now rekeyed every hour regardless of the quantity of data transferred.

---

655470-1 : IP Intelligence logging publisher removal can cause tmm crash

Solution Article: K79924625

Component: Advanced Firewall Manager

Symptoms:
TMM restart immediately after removing global ip-intelligence logging publisher.

Conditions:
1) Global IP Intelligence logging enabled.
2) While new incoming connections are handled by the system, delete the global logging publisher using the following command:
modify security log profile global-network ip-intelligence { log-publisher none }

Impact:
Traffic disrupted while tmm restarts. This is an intermittent, timing-related issue.

Note: Because deleting the global ip-intelligence logging configuration publisher is uncommon, and might occur once, at setup, this issue is unlikely to manifest.

Workaround:
There is no workaround, other than to not delete the ip-intelligence global logging publisher when heavy traffic is being handled.

Fix:
Error handling now checks for NULL publisher and prevents the TMM restart.

---

655448 : Virtual Edition Single-process requirement not enforced

Solution Article: K80470655

Component: TMOS

Symptoms:
Although it is not a supported operation, a BIG-IP administrator can change the number of threads TMM runs per process by modifying the 'tmm.threads' db variable. Virtual Edition TMM code is written with the assumption that all TMMs run as threads in one TMM process, so modifying this variable can cause multi-process TMMs, which do not pass traffic.

Running the following command doesn't display the dataplane interfaces for one or more TMMs:
tmctl -f /var/tmstat/blade/tmm<x> -s name,if_index interface_stat

Conditions:
When tmm.threads db variable is set a value other than 0 (the default value).

Impact:
Some of the TMMs, though launched and running, do not pass traffic, resulting in degraded performance (throughput, CPS) for the assigned number of cores.

Workaround:
Do not change the tmm.threads db variable from its default value of 0.

Fix:
With this fix, any non-default value set to tmm.threads db variable is ignored.

---

655445 : Provide the ability to globally specifiy a DSCP value.

Component: Global Traffic Manager (DNS)

Symptoms:
The DSCP value is not configurable for some types of traffic, which can lead to dropped traffic during adverse network conditions.

Conditions:
Under adverse network conditions, monitor traffic can be dropped by the network.

Impact:
BIG-IP DNS incorrectly reports resources as unavailable because monitor traffic is dropped by the network due to congestion with unrelated traffic.

Workaround:
None.

Fix:
Setting the new db variable tm.egressdscp to a value other than the default value of 0, results in the system setting the DSCP value for outgoing traffic to the configured value.

---

655432 : SSL renegotiation failed intermittently with AES-GCM cipher

Solution Article: K85522235

Component: Local Traffic Manager

Symptoms:
SSL failed to renegotiate intermittently with AES-GCM cipher because IV is not properly updated when a change cipher spec message is received.

Conditions:
This failure is more likely to occur during mutual authentication.

Impact:
Some servers authenticate client using renegotiation. This issue prevents their clients from properly connecting to the servers.

Workaround:
Disable AES-GCM cipher.

Fix:
The system now properly updates AES-GCM IV when a change cipher spec message is received.

---

655421 : CVE-2016-8624 curl: Invalid URL parsing with '#'

Solution Article: K85235351

---

655382 : CVE-2016-8623 curl: Use-after-free via shared cookies

Solution Article: K84940705

---

655374 : CVE-2016-8621 curl: curl_getdate out-of-bounds read

Solution Article: K26899353

---

655371 : Fix for CVE-2016-8619 in curl

Solution Article: K46123931

---

655357 : Corrupted L2 FDB entries on B4450 blades might result in dropped traffic

Solution Article: K06245820

Component: TMOS

Symptoms:
ARP replies reach front panel port of B4450 blades but fail to reach TMMs.

This occurs because the switch in the B4450 blade has an L2 learning issue in the switch fabric that requires the system to correct the new L2 FDB entries learned on Higig trunks. The L2 module runs in poll mode by default, which is exposed to a 3-second race window in software, during which learning events in the switch hardware for a given L2 FDB entry can be lost. That can lead to corrupted L2 FDB entries and cause traffic hitting the corrupted L2 FDB entries to fail.

Conditions:
-- An L2 FDB entry is learned on Higig trunk.
-- Multiple L2 learning events happen on the L2 FDB entry during the 3-second race window in software.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Delete the corrupted L2 FDB entries and cause the switch to re-learn them.

To do so, identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
A db variable switchboard.l2.mitigation was introduced to configure this feature.

-- A value of "enable" allows packets to be forwarded in the case of corrupted L2 FDB entries. Packets will be hashed on source and destination addresses. Enabling forwarding this way is only a temporary measure.

-- A value of "monitor" does not forward packets but will count packets which were affected by corrupted L2 FDB entries. The stat table switch/l2_mitgation, updated every 11 seconds, reports packet counts. Differences in packet counts are logged to /var/log/ltm.

-- A value of "disable" disables both forwarding and packet counting. Packet counts are reset.

---

655233 : DNS Express using wrong TTL for SOA RRSIG record in NoData response

Solution Article: K93338593

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express returns an incorrect TTL for the SOA RRSIG record in a NoData response.

Conditions:
-- DNS Express configured.
-- A query that results in a NoData response and DNSSEC signing requested.

Impact:
This brings the behavior in line with RFC2308. There is no known functional impact.

Workaround:
There is no workaround.

Fix:
The TTL of the RRSIG record now matches the TTL of the covered SOA record.

---

655211 : bigd crash (SIGSEGV) when running FQDN node monitors

Component: Local Traffic Manager

Symptoms:
bigd processing FQDN node monitors may crash due to a timing issue when processing probe responses.

Conditions:
bigd is configured for FQDN node monitors.

Impact:
bigd crashes (SIGSEGV). The system restarts bigd automatically, and monitoring resumes. No other action is needed.

Workaround:
Although no workaround is available for bigd configured for FQDN node monitors, this crash occurs due to a timing issue, and should be rare.

Fix:
bigd no longer crashes (SIGSEGV) when running FQDN node monitors due to a timing issue.

---

655159 : Wrong XML profile name Request Log details for XML violation

Solution Article: K84550544

Component: Application Security Manager

Symptoms:
After system upgrade, Request Log details for XML violation show XML profile name as 'N/A'.

Conditions:
System upgrade.
Request Log details for XML violation.

Impact:
System upgrade does not synchronize properly between policy and already existing XML profiles. System functions properly on existing XML profiles, but violation report reference to the XML profile is wrong.

Workaround:
No workaround for already existing violation records.

For new violation reports, run apply policy.

Fix:
The system now uses the correct XML profile name in the Request Log details for XML violation.

---

655157 : CVE-2016-8618 curl: Double-free in curl_maprintf

Solution Article: K10196624

---

655146 : APM Profile access stats are not updated correctly

Component: Access Policy Manager

Symptoms:
The active and established sessions counts in the output of 'tmsh show apm profile access' command are not getting updated as sessions are established and terminated. At the same time, the following errors are showing up in the APM log:

err tmm1[19902]: 01490574:3: (null):Common:00000000: Could not find tmstat. (/Common/Google_vsstats_key)

Conditions:
-- When session is established and terminated.
-- Running the command: tmsh show apm profile access to view stats.

Impact:
APM profile access stats are not accurate.

Workaround:
None.

Fix:
Now the tmsh command "tmsh show apm profile access" displays the correct profile access stats.

---

655059 : TMM Crash

Solution Article: K37404773

---

655021 : BIND vulnerability CVE-2017-3138

Solution Article: K23598445

---

655005 : "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync

Solution Article: K23355841

Component: TMOS

Symptoms:
The "Inherit traffic group from current partition / path" virtual-address setting is not synchronized during an incremental sync.

Conditions:
Changing the "Inherit traffic group from current partition / path" setting and syncing to a peer unit using incremental sync.

Impact:
Peers in a Device Group will get out of sync.

Workaround:
Use a full sync instead.

Fix:
The "Inherit traffic group from current partition / path" virtual-address setting is now synchronized during an incremental sync.

---

654996 : Closed connections remains in memory

Solution Article: K50345236

Component: Application Security Manager

Symptoms:
A connection remains open, which results in memory leaks in the tmm for the connections.
The following command shows connections on traffic that was already closed: tmsh show sys conn.

Conditions:
A ASM_RESPONSE_VIOLATION iRule on the ASM-enabled virtual server.
A request with connection: close.

Impact:
Memory increase due to connections left open.

Incoming connections to the virtual server may fail and result in the BIG-IP sending a reset with a reset cause of "TCP closed".

Workaround:
If possible, remove this event from the iRule and/or add the OneConnect profile to the virtual server.

---

654981 : Local Traffic Policies operating in First Match mode do not stop executing after the first matched rule if this has no action

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies configured for First Match mode may not stop executing after the first matched rule.

Conditions:
This happens when the first matched rule has no action (i.e. is set to ignore).

Impact:
This may cause Local Traffic Policies to execute an unintended action.

Workaround:
Rework the rules in your affected Local Traffic Policies so that every rule has at least one associated action.

Fix:
Execution of Local Traffic Policies now correctly stops after the first matched rule.

---

654934 : CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication

Solution Article: K44503763

---

654927 : CVE-2016-8615 curl: Cookie injection for other servers

Solution Article: K01006862

---

654926 : CVE-2016-8616 curl: Case insensitive password comparison

Solution Article: K52828640

---

654925 : Memory Leak in ASM Sync Listener Process

Solution Article: K25952033

Component: Application Security Manager

Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).

Conditions:
-- asm-sync is enabled on an auto-sync Device Group.

-- Errors occur during attempts to sync, either due to full disk or in response to one or more of the following uses in GUI or REST API:
 + Creating/importing/deleting policies.
 + Accepting many suggestions at once.
 + Adjusting Policy Building Settings.

Impact:
RAM is increasing consumed leading to swap usage until the device reaches a panic state.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
Hard limits for memory size are now enforced for ASM processes. The sync listener process now shuts down and restarts after an hour of failed repeated attempts to synchronize the device group state.

---

654915 : Traffic Capturing: Pool member that has a special name (internal activity) should be exported with its name, not an IP address

Component: Application Visibility and Reporting

Symptoms:
For traffic capturing, if a pool member is assigned a special name (e.g., 'for internal activity'), the external AVR log will report the internal IP address instead of the pool member name.

Conditions:
1. Assign name to internal pool member.
2. Enable HTTP traffic capturing.
3. Allow AVR to collect HTTP statistics.
4. View pool member name in external AVR log.

Impact:
External log reports internal IP address instead of pool member name.

Workaround:
There is no workaround at this time.

Fix:
The external AVR log now reports the pool member name as expected.

---

654873 : ASM Auto-Sync Device Group

Component: Application Security Manager

Symptoms:
Some messages that were meant to be sent to peers in a device group are not successfully sent.

Conditions:
A mix of the following uses in GUI or REST API:
1) Creating/importing/deleting policies.
2) Accepting many suggestions at once.
3) Adjusting Policy Building Settings.

Impact:
1) Overuse of full sync between devices.
2) Possible inconsistencies between devices.
3) Possibility of memory leak in rare cases.

Workaround:
Use manual sync groups for ASM sync.

Fix:
Communication for auto-sync groups repaired.

---

654872 : After an upgrade, an URL from another policy's WSDL may be erroneously added after XML profile change★

Component: Application Security Manager

Symptoms:
After an upgrade, an URL from another policy's WSDL is erroneously added after modifying an XML profile.

Conditions:
An XML profile is modified following ASM upgrade.

Impact:
A URL from another policy is erroneously added to the policy.

Workaround:
The erroneously added URL should be deleted.

Fix:
URLs are added correctly as needed when XML profile is changed.

---

654764 : iControl REST cannot stay in sync if /config/f5-rest-device-id is identical on each device

Component: Device Management

Symptoms:
When deploying an application such as an iAppLX application the LX-specific configuration is not synced, and you see a sync error in /var/log/restjavad.0.log.

Conditions:
This may occur if you have a device group established, but the /config/f5-rest-device-id contains an identical device ID on each of the devices. This could be triggered in a number of ways:
- Cloning BIG-IP VMs
- Extracting the same UCS file to each of the devices, then establishing a trust group

Impact:
Restjavad is unable to synchronize across the devices, as a result iAppLX applications fail to stay in sync.

Workaround:
The first test you should do is to look at the contents of /config/f5-rest-device-id on all devices. If any of the devices contain the same ID, you can perform the following procedure to reset iControl REST trust:

Impact of procedure: the following procedure resets the rest storage which removes all iAppLX applications from your configuration. You will need to re-create and re-deploy any iAppLX applications that you had deployed.

At the command prompt, run the following:
rm /config/f5-rest-device-id; clear-rest-storage

This will cause the f5-rest-device-id file to be re-generated and will clear the rest storage, at this point the application should stay in sync across devices once you re-install and re-deploy it.

---

654599 : The GSLB Pool Member Manage page can cause Tomcat to drop the request when the Finished button is pressed

Solution Article: K74132601

Component: Global Traffic Manager (DNS)

Symptoms:
Tomcat can potentially drop requests made by the client via the Web GUI on the GSLB Pool Members Manage page.

Conditions:
The config contains a large amount (in the thousands) of GSLB virtual servers or wide IP's, resulting in the action not being completed.

Impact:
The "Finished" button on that page does not save the changes made on that page.

Workaround:
Use TMSH.

Fix:
Fixed an issue with saving GSLB data via the GUI in large configurations.

---

654566 : Incomplete files still linked in /shared/vmisolinks

Component: TMOS

Symptoms:
If copying of an image file is interrupted and leaves a partial file with a .part or .filepart extension, it is still linked in /shared/vmisolinks and synced between blades.

Conditions:
Copy of an image to /shared/images is interrupted and a file with a .part or .filepart extension is left behind.

Impact:
The corrupted copy might appear valid when it is not.

Workaround:
Delete incomplete file copies with extension .part or .filepart.

Fix:
Csyncd ignores files with extensions .part or .filepart in /shared/images.

---

654513 : APM daemon crashes when the LDAP query agent returns empty in its search results.

Solution Article: K11003951

Component: Access Policy Manager

Symptoms:
APM daemon crashes when the LDAP query agent returns no search results.

Conditions:
APM provisioned with AD authentication setup.

Impact:
APM daemon crashes, need to restart RBA and WebSSO. This is a very rarely encountered issue.

Workaround:
Add LDAP Auth agent before the LDAP query to the existing policy.

Note: Adding the extra agent, LDAP Auth agent, in the policy will preserve the functionality and features, enabling the policy to fail in LDAP Auth agent, instead of crash in LDAP Query agent.

Fix:
Now APM daemon no longer crashes when the LDAP query agent returns a specific type of null result from its search.

---

654508 : SharePoint MS-OFBA browser window displays Javascript errors

Component: Access Policy Manager

Symptoms:
SharePoint MS-OFBA browser window displays Javascript errors while doing authentication.

Conditions:
-- SharePoint Access through LTM and APM.
-- MS-OFBA iRule is used.

Impact:
JavaScript errors shown on the MS-OFBA browser window

Workaround:
None.

Fix:
Now the SharePoint MS-OFBA browser window no longer displays Javascript errors while doing authentication from Microsoft applications.

---

654485 : Portal Access: Same-origin AJAX rquest may fail if response contains non-wildcard Access-Control-Allow-Origin header

Solution Article: K85549136

Component: Access Policy Manager

Symptoms:
Same-origin AJAX request fails via Portal Access if back-end response includes Access-Control-Allow-Origin header and its value differs from '*' and request origin.

Conditions:
- Same-origin AJAX request, for example:
  GET /some/file.ext HTTP/1.1
  Host: http://example.com
  Origin: http://example.com

- Back-end response with Access-Control-Allow-Origin header:
  HTTP/1.1 200 OK
  Access-Control-Allow-Origin: http://another.com

Without Portal Access, such a response is valid and accessible to client web application, if there were no redirects. But via Portal Access, the response is rejected.

Impact:
Web application may not work correctly.

Workaround:
Use iRule to remove special query parameter 'F5_origin' from same-origin AJAX requests via Portal Access to disable CORS check emulation.

Fix:
Now same-origin AJAX requests are handled correctly in spite of Access-Control-Allow-Origin response header.

---

654368 : ClientSSL/ServerSSL profile does not report an error when a certain invalid CRL is associated with it when authentication is set to require

Component: Local Traffic Manager

Symptoms:
Error is not reported if the profile is associated with an invalid Certificate Revocation List (CRL) that is not signed by trusted CAs, if the CRL issuer has the same subject name as one of the certs in trusted CA.

Conditions:
This occurs when associating CRLs with virtual servers.

Impact:
Error is not reported for invalid CRL.

Workaround:
OpenSSL command can be used to check if the CRL is signed by trusted CA.

Fix:
Error is reported in TMM logs if the CRL is not signed by trusted CA.

---

654164 : Active flows are aborted/torn down after PEM is disabled.

Component: Policy Enforcement Manager

Symptoms:
Gradual memory leak or TMM crash may be observed.

Conditions:
Active flows passing through PEM are not aborted/torn down after PEM is disabled.

Impact:
Potential memory leak and TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Gradual memory leak or TMM crash no longer occurs if active flows are aborted/torn down after PEM is disabled.

---

654109 : Configuration loading may fail when iRules calling procs in other iRules are deleted

Solution Article: K01102467

Component: Local Traffic Manager

Symptoms:
Loading of the configuration fail with a message indicating a previously deleted iRule cannot be found:

 01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Conditions:
- iRule A is calling another iRule B using proc calls
- iRule A is attached to a virtual server.
- Detaching and deleting iRule A.
- Loading the config (or performing config sync).

Impact:
iRules are still referenced after implicit deletion (via load).
Configuration does not load.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Fix:
Configuration loading no longer fails when iRules calling procs in other iRules are deleted.

---

654086-1 : Incorrect handling of HTTP2 data frames larger than minimal frame size

Solution Article: K18323013

Component: Local Traffic Manager

Symptoms:
HTTP2 can vary frame size between 16K bytes (included) and 16 Mbytes (not included). When a client sends a data frame with a size larger than 16384 bytes, the BIG-IP system might incorrectly process it, rejecting the whole connection.

Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a data frame larger than 16384 bytes, violating RFC.

Impact:
HTTP2 resets the stream; then it may reject the whole connection.

Workaround:
None.

Fix:
When a client sends HTTP2 a data frame exceeding a negotiated maximum frame size, the BIG-IP system correctly resets the stream.

---

654046 : BIG-IP as SAML IdP may fail to process signed authentication requests from some external SPs.

Component: Access Policy Manager

Symptoms:
When an external Service Provider (SP) canonicalizes authentication requests with the use of inclusive namespaces, a BIG-IP system used as SAML IdP may fail to process such requests. User's SSO will fail with following errors contained in /var/log/tmm:

err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Digest from SAML message is invalid
err tmm1[13063]: 014d0002:3: 9c7802e1: SSOv2 Error(12) Signature verification failed for SAML Authentication

Conditions:
- BIG-IP is used as SAML IdP.
- User performs SP-initiated SAML SSO.
- External SAML SP sends signed authentication request, in which canonicalization was done with use of inclusive namespaces.

Impact:
Users are unable to perform SAML SSO with certain external service providers.

Workaround:
None.

Fix:
Now BIG-IP APM as IdP SAML canonicalized authentication requests containing inclusive namespaces can be processed successfully.

---

654026 : No way to ensure the monitor works prior to applying the monitor to a pool

Component: TMOS

Symptoms:
There is no GUI method for ensuring that a monitor works prior to applying it to a pool.

Conditions:
Configuring a monitor to add to a pool.

Impact:
Monitor might fail. Requires external methods of determining source of failure.

Workaround:
Use tcpdump, curl, or other external method to determine why monitors are not functional.

Fix:
There is now a GUI method for ensuring that a monitor works prior to applying it to a pool.

---

654011 : Pool member's health monitors set to Member Specific does not display the active monitors

Solution Article: K33210520

Component: TMOS

Symptoms:
When you configure a pool to have member-specific health monitoring, the active monitor no longer displays in the GUI.

Conditions:
Have a pool member with Health Monitors set to Member Specific.

Impact:
The specified active monitors will be saved but won't be displayed as active.

Workaround:
Use tmsh to view a pool member's active monitors.

Fix:
Pool member's Health Monitors set to Member Specific now display active monitors.

---

654003 : Portal Access incorrectly prefers charset from meta tag over the value from header

Solution Article: K03540372

Component: Access Policy Manager

Symptoms:
If charset values in <meta> tag and Content-Type header are not equal, Portal Access prefers value from <meta> tag.

Conditions:
This occurs if you have charset values in both the <meta> tag and in the HTTP header.

Impact:
This may result in unnecessary charset conversion of page content and corruption of some characters. Some characters in rewritten page may be garbled.

Workaround:
Remove <meta> tag from affected pages with iRule or modify its value to contain correct charset.

Fix:
Now, in Portal Access charset detection, the value from Content-Type header has precedence over value from <meta> tag.

---

653993 : A specific sequence of packets to the HA listener may cause tmm to produce a core file

Solution Article: K12044607

---

653930 : Monitor with description containing backslash may fail to load.

Solution Article: K69713140

Component: Local Traffic Manager

Symptoms:
When a monitor description contains a \ (backslash) character, the system adds another backslash for every save-load operation. After enough saves/loads, the description eventually hits the maximum length, causing an error message: '01020057:3: The string with more than 65535 characters cannot be stored in a message' upon loading the config.

Conditions:
Monitor with description containing backslash.

Impact:
Configuration changes without human intervention. Potential load failure.

Workaround:
Don't use backslashes in monitor descriptions.

---

653888 : BGP advertisement-interval attribute ignored in peer group configuration

Component: TMOS

Symptoms:
BGP peer-group advertisement-interval attribute may be ignored with default settings set on individual peers belonging to the peer-group.

Conditions:
- BGP configured with peer-groups.
- advertisement-interval configured with a non-default value

Impact:
The BGP peer will have an additional statement added indicating a default value of the advertisement-interval.

Workaround:
Manually set the advertisement-interval of the peer, instead of using the peer-group for this particular setting.

Fix:
BGP advertisement-interval attribute is no longer ignored in peer group configuration

---

653879 : CVE-2017-6214

Solution Article: K81211720

---

653842 : OPSWAT inspect checks now supports privilege elevation

Component: Access Policy Manager

Symptoms:
If OPSWAT checks would require elevation or root rights for checking particular Antivirus, Firewall (or other security software) check fails.

Conditions:
* Windows/Mac client systems.
* System has security software that requires privilege elevation/root access to check its status.

Impact:
OPSWAT checks fail completely or partially (e.g., some fields are not available).

Workaround:
Important note: This workaround is recommended only for troubleshooting purposes, as using it implies security issues.

Run browser or EdgeClient on high integrity level (Windows)/under root (Mac).

Fix:
OPSWAT inspect checks now support privilege elevation via an optional F5 Inspector Service available in the Edge Client package.

-- Windows: Introduced new component to provide on-demand elevation.
-- Mac: Updated existing component to support such checks.

---

653775 : Ampersand (&) in GTM synchronization group name causes synchronization failure.

Solution Article: K05397641

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM synchronization-group-name containing an ampersand (&) might cause an XML parsing failure and GTM sync groups would fail to sync.

Conditions:
A GTM synchronization group name with an ampersand (&) in the name.

Impact:
GTM sync groups does not synchronize.

Workaround:
Remove ampersand from sync group name.

Fix:
Fixed issue that prevented GTM sync groups with an ampersand (&) in the GTM synchronization-group-name from syncing.

---

653772 : fastL4 fails to evict flows from the ePVA

Component: TMOS

Symptoms:
An accelerated flow is in the ePVA with no corresponding software connection.

Conditions:
-- FastL4.
-- ePVA.
-- The other conditions under which this occurs are not well defined.

Impact:
ePVA can continuously send a packet. This might eventually result in a network outage.

Workaround:
Disable HW acceleration.

Fix:
There are now no unknown accelerated flows.

Behavior Change:
The default behavior is to ignore unknown HW accelerated flows (connections). This change will proactively evict unknown HW accelerated flows from the HW (ePVA).

---

653771 : tmm crash after per-request policy error

Component: Access Policy Manager

Symptoms:
TMM core is seen when reject ending in per-request policy encounters error.

Conditions:
The conditions which trigger this are unknown at this time, it was seen once on a per-request policy error.

Impact:
Traffic disrupted while tmm restarts.

Fix:
TMM no longer cores when reject ending encounters error in per-request policy

---

653770 : Cannot copy fields in Policy Rule section of LTM Policy rule overview page

Component: TMOS

Symptoms:
Beginning in version 13.0.0, on the LTM Policy rule overview, you cannot select and copy text. If you mouse down to click on a rule, the rule bar moves. This denotes new functionality where you can reorder rules in the list.

Conditions:
Go to Policy Rule overview and click a rule.

Impact:
Text cannot be highlighted in rule list. Copy/paste of text is not possible.

Workaround:
Use tmsh to select and copy text.

---

653746 : Unable to display detailed CPU graphs if the number of CPU is too large

Solution Article: K83324551

Component: Local Traffic Manager

Symptoms:
Cannot display detail CPU graph. Go to Statistics :: Performance. Click 'View Detail Graph' under System CPU usage. Graph cannot display. System posts the message: Error trying to access the database.

Conditions:
VIPRION with 288 CPU cores or more totaled across all blades.

Impact:
Administrator is unable to view the detail CPU graphs.

Workaround:
None.

Fix:
The GUI can now display detailed CPU graphs for 1024 cores with the default of 4 lines per graph.

---

653633 : Allowed Receiving Domain in SMTP Protocol Security is case sensitive

Component: Application Security Manager

Symptoms:
False positive disallowed receiving domain violation in the SMTP security.

Conditions:
SMTP profile is attached to a virtual with security turned on. The SMTP security has an allowed domain list and the disallowed domain violation turned on.
A transaction arrives from a domain that is in the list, but written in a different case.

Impact:
A false positive access from disallwed domain violation.

Workaround:
N/A

---

653573-3 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on device is spinning up rsync processes and not cleaning them up properly, causing tons of this zombie processes

Conditions:
If rsync process ends via exit (in the case of some trouble)

Impact:
No technical impact, but there are many zombie processes

Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.

Fix:
admd should handle SIGCHLD signal from rsync (in the case of some trouble)

---

653511 : Intermittent connection failure with SNAT/automap, SP-DAG and virtual server source-port=preserve

Solution Article: K45770397

Component: Local Traffic Manager

Symptoms:
Connections can fail intermittently when multiple clients use the same ephemeral port to connect to BIG-IP and are SNATted to the same address.

Conditions:
When SNAT/Automap is configured with SP-DAG and virtual server source-port setting is "preserve".

Impact:
Service interruption due to intermittent connection failures.

Workaround:
None.

Fix:
Connections no longer fail intermittently with SNAT/automap, SP-DAG and virtual server source-port=preserve.

---

653502 : Web UI: User not able to configure RADIUS profile for a Virtual Server when only LTM is provisioned

Solution Article: K48133828

Component: Policy Enforcement Manager

Symptoms:
RADIUS profile option is missing in Virtual server configuration page when PEM/AFM is not provisioned.

Conditions:
PEM/AFM is not provisioned.

Impact:
You cannot attach RADIUS profile to a virtual server.

Workaround:
You can configure the same from TMSH.

Fix:
The dependency on PEM/AFM module is removed so that RADIUS profile option is available even if only LTM is provisioned.

---

653495 : Incorrect SNI hostname attached to serverside connections

Component: Local Traffic Manager

Symptoms:
SNI hostname submitted to a virtual server on the client side is sent to server side, even if there is a different hostname specified in the server SSL profile.

Conditions:
-- Client side ClientHello contains SNI.

Impact:
SNI is sent from client to server without stripping or rewriting the SNI.

Workaround:
None.

Fix:
SNI hostname submitted to a virtual server on the client side is no longer sent to server side unless specifically requested (for example when forward proxy is enabled). When there is a different hostname specified in the server SSL profile the SNI is also rewritten to the specified hostname.

---

653453-4 : ARP replies reach front panel port of the B4450 blade, but fail to reach TMMs.

Solution Article: K35241150

Component: TMOS

Symptoms:
ARP replies reach the front panel port of the B4450 blade, but fail to reach TMMs. This is caused by a L2 defect in the Broadcom Trident2+ switch B4450 blade uses.

Conditions:
The switch learned a corrupted L2 FDB entry on internal HiGig trunk.

Impact:
The traffic hitting the corrupted L2 FDB entry will be dropped by the switch.

Workaround:
Identify the affected VLAN and flush L2 FDB entries on that VLAN using the following command: tmsh delete net fdb vlan {vlan_name}.

Fix:
Resolved an issue on Broadcom Trident2+ switch B4450 blades use in which ARP replies reached the front panel port, but failed to reach TMMs.

Behavior Change:
A new BigDB variable is added to control in which mode the l2xmsg module in Broadcom SDK should run.

bcm56xxd.l2xmsg.mode: poll/fifo (default)

The BIG-IP system used to always run l2xmsg module in poll mode. Now, the BIG-IP system will run l2xmsg mode in fifo by default.

---

653425 : Warning message "Windows Media Player Extension" appears on some IE browsers

Component: Advanced Firewall Manager

Symptoms:
On some rare cases of Internet Explorer users, the following warning message appears on the bottom of the page:
The previous webpage wants to run the following add-on: 'Windows Media Player Extension' from 'Microsoft Corporation'.

This happens when Device-ID is enabled in either the ASM policy or DOS profile.

Conditions:
This happens when Device-ID is enabled in either the ASM policy or DOS profile.

Impact:
Cosmetic: Warning message appears for first-time users, and not degrading performance.

Workaround:
Running the following command should prevent the warning message from appearing, without any side effects.
tmsh modify security device-id attribute att22 { collect disabled }

Fix:
The warning message "Windows Media Player Extension" no longer appears on some Internet Explorer browsers when Device-ID is enabled.

---

653376 : bgpd may crash on receiving a BGP update with >= 32 extended communities

Component: TMOS

Symptoms:
bgpd may crash when receiving a BGP update with >= 32 extended communities

Conditions:
A configured BGP peer sends a route update including and attribute containing 32 or more extended communities.

Impact:
bgpd may crash causing the BGP peering to reset

Workaround:
Ensure that peers do not send 32 or more extended communities to the BIG-IP in BGP routing updates.

Fix:
bgpd no longer crashes on receiving a BGP update with >= 32 extended communities

---

653324 : On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly

Solution Article: K87979026

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12), Edge client shows customized icon of size 48x48 pixels scaled incorrectly; it appears very small.

Conditions:
On macOS Sierra (10.12), edge client, customized icon of size 48x48 pixels.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
Use a custom logo image with the pixel dimensions of 100x121 pixels.

Fix:
On macOS Sierra (10.12), Edge client now shows the customized icon of size 48x48 pixels that is now scaled correctly.

---

653292 : MySQL does not initialize correctly on first system start

Component: Application Security Manager

Symptoms:
MySQL is not yet setup, failed to initialize.
Shutting down MySQL...... SUCCESS!

Conditions:
avr or asm are provisioned

Impact:
AVR, loadmanager etc dependent on mysql are down

Workaround:
Run of 'bigstart restart mysql' should solve the issue

Fix:
Allow MySQL enough time to properly initialize

---

653285 : PEM rule deletion with HSL reporting may cause tmm coredump

Component: Policy Enforcement Manager

Symptoms:
tmm coredump caused by deletion of a PEM policy rule with HSL reporting configured and passing active traffic. tmm crash.

Conditions:
PEM policy rule with HSL reporting is deleted while passing subscriber traffic.

Impact:
tmm coredump causes traffic disruption and restart of tmm.

Workaround:
None.

Fix:
PEM rule deletion with HSL reporting no longer causes tmm coredump.

---

653228 : SNAT does not work properly on FTP VIP2VIP

Solution Article: K34312110

Component: Local Traffic Manager

Symptoms:
SNAT does not work properly on FTP VIP2VIP.

Conditions:
-- FTP communicates VIP2VIP to second virtual server.
-- SNAT is configured on second virtual server.

Impact:
SNAT does not work properly on FTP VIP2VIP on data channel.

Workaround:
Do not configure SNAT on second virtual server.

Fix:
SNAT now works properly on FTP VIP2VIP.

---

653225 : coreutils security and bug fix update

Component: TMOS

Symptoms:
A race condition was found in the way su handled the management of child processes.

Impact:
A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. (CVE-2017-2616)

Workaround:
install latest hotfix

Fix:
fixed in coreutils-8.4-46.el6

---

653224 : Multiple GnuTLS Vulnerabilities

Component: TMOS

Symptoms:
* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610)

* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash. (CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)

Conditions:
The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. GnuTLS is present on BIG-IP but is not used in TMM's handling of SSL profiles.

Impact:
* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610)

* Multiple flaws were found in the way gnutls processed OpenPGP certificates. An attacker could create specially crafted OpenPGP certificates which, when parsed by gnutls, would cause it to crash. (CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)

Fix:
Resolve CVE-2016-8610, CVE-2017-5335, CVE-2017-5336, and CVE-2017-5337

---

653217 : Multiple Samba Vulnerabilities

Component: TMOS

Symptoms:
* It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)

* A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)

Conditions:
Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information. Samba client software is present on BIG-IP systems but is not used in TMM's handling of SMB network traffic.

Impact:
* It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)

* A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)

Fix:
Resolve CVE-2016-2125 and CVE-2016-2126

---

653017 : Bot signatures cannot be created after upgrade with DoS profile in non-Common partition

Component: Application Security Manager

Symptoms:
Bot signatures cannot be created after roll-forward upgrade of configuration with only a DoS profile in non-Common partition.

Conditions:
A DoS profile in non-Common partition has Proactive Bot Defense enabled

Impact:
Bot signatures are not created.

Workaround:
Delete DoS Profile before upgrade, and re-create after upgrade is successful.

Alternatively, another DoS Profile can be created in /Common, even if unused.

---

653014 : Apply Policy failure if an custom Blocking Page is configured with an underscore in the header name

Component: Application Security Manager

Symptoms:
An issue was introduced when dealing with custom Blocking pages containing an HTTP Header that has an underscore in the name.

Conditions:
A custom Blocking page is defined containing an HTTP Header that has an underscore in the name.

Impact:
Set Active fails

Workaround:
Use hyphens instead of underscores in the header name.

Fix:
Underscores in HTTP Headers in Blocking Response pages are handled correctly.

---

652973 : Coredump observed at system bootup time when many DHCP packets arrived at BigIP

Component: Policy Enforcement Manager

Symptoms:
During system bootup, system coredump is observed when many DHCP packets arrive before system is fully ready and many flow entry creation failures are observed

Conditions:
1)BIG-IP DHCP proxy is in forwarding mode
2)DHCP relay agent in front of BIG-IP modifies giaddr field of DHCP packets to its own IP address
3)DHCP packets arrive during system bootup and before system is fully ready(some vlans, interfaces and routes are not fully up)

Impact:
System crash and coredump

Workaround:
Make sure system has come up completely before sending DHCP packets to the box

---

652968 : IKEv2 PFS CREATE_CHILD_SA in rekey does not negotiate new keys

Solution Article: K88825548

Component: TMOS

Symptoms:
During negotiations that use CREATE_CHILD_SA, IKEv2 will fail to send a KE in the payload when PFS (perfect forward security) is used in config.

Rekey in IKEv2 does not negotiate new keys; the PFS value in phase1-perfect-forward-secrecy is used in the first exchange, then this first key is re-used in later rekey negotiation. Vendor interop problems exist when PFS is required by the other peer.

Conditions:
Define phase1-perfect-forward-secrecy with value other than none. After IPsec SAs expire or are manually deleted, the CREATE_CHILD_SA phase to negotiate new keys has no KEi payload from the BIG-IP Initiator and so no new encryption key.

Impact:
PFS settings apply only to first negotiation and not to subsequent SA rekeys. PFS is therefore absent. When the BIG-IP enters CREATE_CHILD_SA with a third party IPsec peer, negotiation will fail if the peer requires PFS. Under the same conditions, BIG-IP to BIG-IP tunnels will not fail.

Workaround:
To resolve vendor interop problems, disable PFS in the IPsec policy of both peers.

Fix:
When phase1-perfect-forward-secrecy is configured with a value other than none, the BIG-IP will now perform PFS negotiation correctly. Now rekey with CREATE_CHILD_SA generates a new key using the same DH Group as the first exchange that creates the first SA.

Note: In the ipsec-policy configuration object, the ike-phase2-perfect-forward-secrecy option is relevant only to IKEv1 and has no influence on IKEv2 PFS rekeying.

---

652935 : Exotic tmipsecd crash when internally the wrong path was used for racoon.

Component: TMOS

Symptoms:
Relaunching racoon might crash tmipsecd when internally the wrong path was used for racoon.

Conditions:
-- Racoon relaunch when tmipsecd had the wrong racoon path.
-- Using IPsec tunnels.

Impact:
Core for tmipsecd.

Workaround:
None.

Fix:
This release fixes a tmipsecd crash so it no longer occurs under these conditions.

---

652910 : Native RDP published on webtop does not connect if allowed vlans specified explicitly

Component: Access Policy Manager

Symptoms:
Native RDP hosts published on webtop does not connect if allowed vlans specified explicitly on the virtual server. It downloads the rdp file but opening the rdp file gets error message from rdp client something like "Your computer can't connect to remote computer".

Conditions:
- Native RDP host type published in webtop mode.
- RDP Virtual server specified the allowed vlans explicitly.
- MSRDP NTLM configuration is not specified in vdi profile.

Impact:
Could not connect to Native RDP host published on webtop

Workaround:
You can use either one of the below workarounds,

- Have the virtual server with "All the vlans and tunnels" configuration.

- Have MSRDP NTLM auth configuration in VDI profile which is attached to virtual server.

Fix:
Now Native Remote Desktop (RDP) resources can be delivered from APM virtual servers that have the "VLAN and Tunnel Traffic" set to a non-default value.

---

652848 : TCP DNS profile may impact performance

Component: Global Traffic Manager (DNS)

Symptoms:
Under some conditions TCP DNS profiles may impact system performance

Conditions:
TCP DNS profiles

Impact:
Performance issues

Workaround:
None

Fix:
Improve performance while using TCP DNS profiles

---

652840 : vCMP host avrd high CPU usage

Component: Application Visibility and Reporting

Symptoms:
With high vCMP guest counts, the avrd shows sustained ~90% CPU usage on the HOST primary blade.

Conditions:
For example, 48 guests on B4300 8-blade P8, or 96 guests on B4450 8-blade P8.

Impact:
The avrd will compete with the control plane threads on the guest that share the same core. The guest dataplane runs at higher priority and not impacted.

The avrd maintains a database of statistics available via the UI and 'tmsh show analytics vcmp ...'. When avrd is stopped, these statistics will not be available.

Workaround:
Run the following commands on the HOSTprimary blade:
clsh bigstart stop avrd
clsh bigstart disable avrd

Fix:
The avrd no longer shows sustained ~90% CPU usage on the HOST primary blade with high vCMP guest counts.

---

652799 : When BIG-IP is used on an appliance with over 24 CPU cores (or VE on a HW platform with over 24 CPU cores) some processes may be constantly restarting until disabled.

Component: Access Policy Manager

Symptoms:
ping_access_agent may be constantly restarting on BIG-IP appliance that has over 24 CPU cores.

Conditions:
-- BIG-IP appliance has over 24 CPU cores or VE platform has over 24 CPU cores.
-- APM is provisioned.

Impact:
PingAccess integration functionality will not be accessible to the users.

Workaround:
If PingAccess functionality is not required - disable process by running 'bigstart stop ping_access_agent'.


If PingAccess functionality is needed:

1. Stop ping_access_agent by running "bigstart stop ping_access_agent'.

2. Modify file '/etc/bigstart/scripts/ping_access_agent' as follows:

a) Replace line:
 cpu_count=$(get_number_cpu)

with line:
 tmm_count=$(get_tmm_count)

b) Replace line:
 exec /usr/sbin/${service} -n ${cpu_count}

with line:
 exec /usr/sbin/${service} -n ${tmm_count}

3. Save the file, and restart the process by running 'bigstart start ping_access_agent'.

Fix:
ping_access_agent no longer restarts when used on a platform with over 24 CPU cores and under 64 CPU cores.

---

652689 : Displaying 100G interfaces

Solution Article: K14243280

Component: TMOS

Symptoms:
Interfaces' Active Media Type and Media Speed rows display none.

Conditions:
Having a server with 100G interfaces.

Impact:
Cannot use GUI to determine interfaces' Active Media Type and Media Speed.

Workaround:
Use tmsh to see the affected interface.

Fix:
100G interfaces now display correctly.

---

652671 : Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit.

Solution Article: K31326690

Component: TMOS

Symptoms:
Provisioning mgmt plane to "large" and performing a config sync, might cause an outage on the peer unit. When provision.extramb is synced to the peer unit, mprov is called, which restarts tmm.

Conditions:
-- Configure two devices in a sync group.
-- tmsh modify sys db provision.extramb value 150.
-- Sync to peer unit.

Impact:
TMM restarts on the peer unit. Traffic halted while tmm restarts.

Workaround:
None.

Fix:
The provision.extramb and provision.tomcat.extramb DB keys no longer ConfigSync, which prevents TMM restarting on peer devices after a change is made to the management subsystem provisioning and then performing a ConfigSync.

Behavior Change:
The provision.extramb and provision.tomcat.extramb DB keys no longer ConfigSync between devices.

---

652638 : php - Fix DOS vulnerability in gdImageCreateFromGd2Ctx()

Component: TMOS

Symptoms:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

Impact:
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.

Fix:
install latest hotfix/image

---

652585 : BWC statistics include active and inactive policy counts.

Component: TMOS

Symptoms:
BWC statistics do not include active and inactive policy counts.

Conditions:
BWC is provisioned on the BIG-IP systems.

Impact:
Lack of statistics makes diagnostics more difficult.

Workaround:
None.

Fix:
Additional statistics were added to highlight active and inactive BWC policies.

---

652539-5 : Multiple Bash Vulnerabilities

Component: TMOS

Symptoms:
* An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
(CVE-2016-0634)

* An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

* A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Conditions:
The Bourne-again shell is the default shell for BIG-IP users with advanced shell access.

Impact:
* An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
(CVE-2016-0634)

* An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

* A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Fix:
Resolve CVE-2016-0634, CVE-2016-7543, and CVE-2016-9401

---

652535-3 : HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.

Solution Article: K54443700

Component: Local Traffic Manager

Symptoms:
HTTP/2 RST_STREAM is seen with PROTOCOL_ERROR when frame header is fragmented.

Conditions:
HTTP/2 profile is enabled on the virtual. The frame header gets fragmented because of TCP segmentation.

Impact:
HTTP/2 stream is reset.

Workaround:
None.

Fix:
HTTP/2 parser changed to handle header splitting across multiple buffers.

---

652484-1 : tmsh show net f5optics shows information for only 1 chassis slot in a cluster

Component: TMOS

Symptoms:
When you run tmsh show net f5optics, f5optics version information is displayed for one blade of a multi-blade chassis.

Conditions:
This occurs when running the tmsh show net f5optics command on VIPRION.

Impact:
The f5optics version is not displayed for all of the blades.

Fix:
f5optics version information for all blades within a chsasis is displayed when the user issues tmsh show net f5optics from the primary blade.

---

652480 : C3D feature needs control plane support, SNMP, tmsh and iControl

Component: Local Traffic Manager

Symptoms:
Client Certificate Constrained Delegation Support (C3D) feature needs control plane support, SNMP, TMSH, and iControl.

Conditions:
Using C3D.

Impact:
Needs iControl, SNMP and TMSH support.

Workaround:
None.

Fix:
Client Certificate Constrained Delegation Support (C3D) is now supported from iControl, by SNMP, and in TMSH.

---

652445 : SAN with uppercase names result in case-sensitive match or will not match

Solution Article: K87541959

Component: Local Traffic Manager

Symptoms:
SSL certificates with SAN domain names with uppercase characters will fail to match SNI requests for that domain name.

Conditions:
Multiple client-ssl profiles configured with SNI associated with a single virtual where the SAN (Subject Alternative Name) contains DNS names with uppercase characters.

Impact:
SNI does not match, resulting in the wrong certificate being returned to the client, which potentially results in a security warning in the client application due to a non-matching domain.

Workaround:
Use lowercase characters for SAN domain names in SSL certificates.

Fix:
SNI match is now case-insensitive.

---

652442 : Portal Access might incorrectly rewrite certain JavaScript constructor calls

Component: Access Policy Manager

Symptoms:
The Portal Access module transforms intranet web application code to make it accessible via an APM virtual server. One of these transformations might incorrectly rewrite certain JavaScript constructor calls, though you might not see any immediate visible effect.

Conditions:
The issue affects execution of expressions similar to 'new obj[property]' with certain property names in the web-application JavaScript code.

Impact:
When Portal Access accesses the intranet application containing such code, 'obj.property' might be called instead of being constructed. As a result, the application might fail with a very obscure and difficult to diagnose errors.

Workaround:
Use an iRule for each specific case. There is no global workaround.

Fix:
Now Portal Access rewrite has improved rewriting of certain JavaScript expressions.

---

652278 : dwbld memory leak when AFM/ASM is provisioned

Component: Advanced Firewall Manager

Symptoms:
After many hours of system uptime, the dwbld process is consuming more memory than expected. dwbld is one of the service daemons started when AFM or ASM is provisioned.

Conditions:
AFM or ASM provisioning.

Impact:
Memory leak affects overall system performance.

dwbld gradually leaks memory even when idle. This causes system going low on resident memory and affects performance of rest of the system.

Workaround:
Periodically run the following command:
 bigstart restart dwbld.

Fix:
The dwbld memory leak was identified and fixed.

---

652260 : Enhanced data integrity alerts should not contain username value

Component: Fraud Protection Services

Symptoms:
When the system detects modification of the username field, it sends the username value in the alert.

Conditions:
1. Enhanced data integrity enabled.
2. There is parameter configured as 'Identify as username'.

Impact:
Username value will be sent in the alert.

Workaround:
There is no workaround at this time.

Fix:
Now, when the system detects modification of the username field, it does not send the username value in the alert.

---

652223 : BWC: Non-TCP data going through Category can make policy active

Solution Article: K50325308

Component: TMOS

Symptoms:
When category is set at lower rate than 100% of the user rate, and traffic going through the category is non-TCP, and the amount of data is 150% of the instance rate, then that can create policy to be active, lowering the overall bandwidth.

Conditions:
This occurs when all of the following conditions are met:
-- Category rate is less than max-user-rate
-- Traffic is non-TCP data.
-- Amount of data passing is 150% of max-user-rate.

Impact:
BWC dynamic policy cannot achieve 100% of max-rate.

Workaround:
Increase the max-rate of any dynamic policy, and add an additional static policy set to the max-rate expected from the dynamic policy.

Note: There is no actual fix for this issue except for not using UDP traffic in categories, if the amount of traffic on that UDP category is expected to exceed 150%, or over to the maximum fair rate provided by the BWC instance. Note that the PEM subscriber and BWC instance have 1-1 relationship.

---

652200 : Failure to update ASM enforcer about account change.

Solution Article: K81349220

Component: Application Security Manager

Symptoms:
There is an error updating BD with the following information:
Errors:
------------
  bd_agent|ERR|...|F5::BdAgent::handle_bd_pipe_message,,Some records sent to enforcer were not handled

  ECARD|ERR |...|account_id_table_management.cpp:0222|Failed to PUT table
  ECARD|ERR |...|temp_func.c:0850|CONFIG_TYPE_ACCOUNTS message had errors in block_index: 0. status=9
-------------

Conditions:
In a high availability environment (with manual failover and ASM) with a UCS load that contains policies with the same names.

Impact:
Traffic is blocked due to Unknown HTTP selector

Workaround:
Use one of the following Workaround:
A) Deactivate and reactivate the affected policy.
B) Restart ASM on the affected device.

Fix:
The system now correctly handles a UCS containing policies with the same names in a high availability environment (with manual failover and ASM).

---

652146 : Email agent does not send email if the remote server does not provide a 200 OK response to VRFY request.

Component: Access Policy Manager

Symptoms:
Access Policy Email Agent does not send email if the remote server does not provide a 200 OK response to VRFY request.

Conditions:
The version of CURL included in 13.0.0 uses VRFY requests to confirm recipients are valid before sending mail. Many servers consider VRFY a potential leak of information and will respond '252 - Not verified' and the BIG-IP system will not send the message.

Impact:
The Access Policy Email Agent does not send mail messages or log an error about mail not being sent.

Workaround:
None.

Fix:
The APM Email agent (v13.0.0 and later) will:

1. Connect to SMTP server.
2. Based on SMTP server capability (EHLO response?) / or blindly (just send it) try to verify all the addresses configured (one by one).
3. If there is a positive response (2yz), send the mails.
4. If there is no positive response, simply don't send mails to configured address(es).
5. If there is no response (e.g., times out before getting a response), simply do not send mails to configured addresses.

Behavior Change:
The APM Email agent (v13.0.0 and later) will:

1. Connect to SMTP server.
2. Based on SMTP server capability (EHLO response?) / or blindly (just send it) try to verify all the addresses configured (one by one).
3. If there is a positive response (2yz), send the mails.
4. If there is no positive response, simply don't send mails to configured address(es).
5. If there is no response (e.g., times out before getting a response), simply do not send mails to configured addresses.

---

652094 : Improve traffic disaggregation for uncommon IP protocols

Component: TMOS

Symptoms:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default.

Conditions:
Traffic of uncommon IP protocols on VLAN configured with default DAG.

Impact:
Traffic for uncommon IP protocols not distributed evenly among available processing units.

Workaround:
None.

Fix:
The system now correctly distributes traffic for uncommon IP protocols based on src IP and dest IP.

Behavior Change:
The traffic of uncommon IP protocols on VLAN running default DAG is sent to one TMM by default. This DAG enhancement allows the default DAG to disaggregate traffic of uncommon IP protocols based on src IP and dest IP. Two more DB variables are added to control DAG behavior for uncommon IP protocols.

ipproto.lookupip: enable/disable (default)
ah.lookupip: enable/disable (default)

Setting ipproto.lookupip to enable will disaggregate uncommon IP protocols based on src IP and dest IP. DB ipproto.lookupip applies to all IP protocols except for TCP, UDP, SCTP, IGMP, AH, ESP, GRE, ICMP, ICMPv6.

Setting ah.lookupip to enable will disaggregate AH traffic based on src IP and dest IP.

---

652080 : LTM Policy blocks a URL containing pound/hash (#) character

Component: Local Traffic Manager

Symptoms:
The issue occurs when user specifies a URL in an LTM Policy where the path contains the hash (#) character. This character was not considered to be valid, and so the valid-character checking logic treats the URL as invalid.

Conditions:
User specifies a URL, say for forwarding a redirect, that contains a hash (#) character. For example, defining a policy to redirect user connections to a URL like:
   http://www.example.com/path1/path2/#/otherpath

Impact:
User is unable to specify a URL containing the hash (#) character.

Workaround:
In some instances, it may be possible to substitute the hash character (#) with its URL-encoded equivalent (%23).

Fix:
URLs used in LTM Policies correctly treat the hash character (#) as an allowed character.

---

652056 : [api-status-warning] are generated at stderr and /var/log/ltm when listing config in tmsh from top level namespace or at module level

Component: TMOS

Symptoms:
tmsh list at the top namespace or at module level or mode level generates unexpected [api-status-warning] messages.

(tmos)# list << top namespace
(tmos)# list ltm << ltm module
(tmos)# list ltm profile << profile mode

Each of the three illustrative examples generates unexpected [api-status-warning] messages at stderr and /var/log/ltm.

The warnings are expected only at component level.

The following example uses fastl4 as the component:

(tmos)# list ltm profile fastl4 myfast
[api-status-warning] ltm/profile/fastl4, properties : deprecated : software-syn-cookie <<— warning message; as expected
ltm profile fastl4 myfast {
    app-service none
    software-syn-cookie enabled
}

Conditions:
This occurs when typing "y" when being prompted to list all items:

(tmos)# list

Display all 155 items? (y/n) y
[api-status-warning] ltm/profile/fastl4, properties : deprecated : software-syn-cookie <<< unexpected warnings

These are displayed for several commands that give API warnings.

Impact:
Excessive [api-status-warning] at stderr and /var/log/ltm for tmsh list commands. These are spurious and can be ignored.

Workaround:
None.

Fix:
[api-status-warning] messages will be generated at stderr and /var/log/ltm with tmsh list for the specific component.

---

652052 : PEM:sessions iRule made the order of parameters strict

Component: Policy Enforcement Manager

Symptoms:
In the versions before 12.0, the order of parameters for "PEM::SESSIONS" rule was flexible. It was made strict because of the new validation infrastructure in 12.0. This breaks some existing iRules.

The system will report a validation error such as:

01070151:3: Rule [/Common/test_irule] error: /Common/test_irule:2: error: ["invalid argument subscriber-type"][PEM::session create $ip subscriber-type e164 user-name $user imsi $imsi subscriber-id $callingstationid]

Conditions:
Some parameters, for example, subscriber-id come before the parameter user-name.

Impact:
Configuration that was valid in earlier versions is not accepted in newer versions. This may result in the configuration failing to load during an upgrade and return an MCP validation error.

Workaround:
Change the order of the parameters.

---

652048 : TMSH save sys config contains [api-status-warning] that do not correspond to any configuration instances

Component: TMOS

Symptoms:
There are multiple [api-status-warning] logs in /var/log/ltm present. Of these warnings the following do not correspond to existing configuration objects:

warning tmsh[1598]: 01420013:4: [api-status-warning] ltm/classification/url-cat-policy is deprecated.
warning tmsh[1598]: 01420013:4: [api-status-warning] sys/crypto/ca-bundle-manager is early_access.


Logs were generated based off the type, even though there are no instances of that type present. For example: sys/crypto/ca-bundle-manager type is early-access, but there is no instance of this type; still the warning is generated. This is unexpected behavior. Similarly unexpected warning for ltm/classification/url-cat-policy.

These [api-status-warning] messages should be created only for types that have been instantiated.

Conditions:
Issue a tmsh save sys config command. Look at the logs in /var/log/ltm corresponding to this operation.

Impact:
Excessive [api-status-warning] log message in /var/log/ltm file. The warnings can be ignored.

Workaround:
None.

Fix:
Fixed generation of [api-status-warning] messages in /var/log/ltm. These logs were generated for tmsh save sys config operation.

---

652004 : Show /apm access-info all-properties causes memory leaks in tmm

Solution Article: K45320415

Component: Access Policy Manager

Symptoms:
When tmsh is used to view session information, memory will leak on each request to pull the session information from tmm. This is a small leak but can be significant issue when all sessions are examined or the sessions are examined multiple times in a short time interval.

Conditions:
when using show /apm access-info all-properties

Impact:
Memory will leak in tmm daemons. This affects all modules that use tmm.

Workaround:
The only workaround is not to use the mcp interface by tmm daemon, or to restart the tmms periodically after using the interface multiple times.

Fix:
Accessing APM session variables via tmsh (e.g., 'tmsh show /apm access-info all-properties') no longer causes a small TMM memory leak.

---

651961 : AVR is not called for DNS packets when AFM is not provisioned.

Component: Advanced Firewall Manager

Symptoms:
AVR DNS analytics are not available with avr-dnsstat-sample-rate setting to non-zero on the DNS profile when AFM is not provisioned.

Note that in v13, when AFM is provisioned, the dns profile option "enable-dns-firewall" must also be set to yes (This is "DNS >> Delivery : Profiles : DNS ›› Properties : <profile name> in the GUI), and a DOS profile (security dos profile) must be associated with the virtual server.

In addition, for all BigIP versions, the dns profile must have avr-dnsstat-sample-rate set to a non-zero value in order for AVR to collect statistics.

Indications that no data was collected would be:

In the GUI: Statistics :: Analytics :: DNS returns a message similar to the following: There is no data to display either due to the lack of relevant traffic, or due to the settings of the filter.

In tmsh:

  # tmsh show analytics dns report view-by domain-name
   ----------------------
   Analytics query result
   ----------------------
   No data available

Conditions:
-- AFM is not provisioned (or AFM is provisioned, but enable-dns-firewall is not enabled in the DNS profile, and/or a security DOS profile is not associated with the gtm listener)

-- DNS traffic is received by the BigIP

Impact:
No DNS analytics data available. Cannot see AVR data for DNS resolutions.

Workaround:
None.

Fix:
AVR DNS analytics are now available with avr-dnsstat-sample-rate setting to non-zero on the DNS profile when AFM is not provisioned.

---

651953 : Thales nethsm install script can configure BIG-IP for softcard/OCS keys

Component: Local Traffic Manager

Symptoms:
The Thales nethsm installation script configures the BIG-IP only for using module protected keys. To use OCS keys or softcards instead (only one protection type can be used at one time), you must manually configure the BIG-IP system after the installation script finishes.

Conditions:
Want to use softcard or OCS protected keys in a BIG-IP configuration.

Impact:
Must take additional steps after installing the Thales HSM client software.

Workaround:
Manually configure the BIG-IP system to use OCS/softcard protected keys after installing the client software with the script.

Fix:
The Thales nethsm installation script can now configure the BIG-IP system to use OCS or softcard protected keys as part of installation, instead of requiring additional steps after the script completes.

---

651951 : Failure to use REST services on BIG-IP without 'admin' user

Solution Article: K32065842

Component: Device Management

Symptoms:
Cannot use BIG-IP REST services such as BIG-IQ management and iApps LX, unless there is an administrator user named 'admin'.

Conditions:
The user name of the administrator account has been changed to anything other than 'admin'.

Impact:
Unable to use REST services such as BIG-IQ management and iApps LX.

Workaround:
Name the administrator 'admin'.

Fix:
REST services can now be used by admin users with names other than 'admin'.

---

651947 : Token validate response session variables created with no prefix might collide with other session variables.

Component: Access Policy Manager

Symptoms:
Token validate responses create session variables without any sub-prefix, which may result in collisions with other session variables.

Conditions:
Executing policy containing 'introspect' session variables such as 'authresult' and 'errMsg'.

Impact:
May collide with other session variables. If they collide with token introspect responses, one or the other will be overwritten, depending on the order in which the variables are executed.

Workaround:
None.

Fix:
Now the APM OAuth Token validate response creates session variables with the prefix 'introspect' for introspect response specific session variables. This eliminates potential conflict with overwriting previous session variables.

Upgrade Note: If you have existing access policy rules based on introspect response session variables, you must update the rule to use the new variable names.

---

651910 : When we upgrade from 12.* to 13.0+ you cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI

Component: Access Policy Manager

Symptoms:
You cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI.

Conditions:
After upgrade from 12.* to 13.0+

Impact:
You cannot change the "Enable Access System Logs" and "Enable URL Request Logs" properties via the UI.

Workaround:
Manually add the properties via tmsh:
(assuming affected log setting is abc)

modify log-setting abc access add { general-log { publisher sys-db-access-publisher } }
modify log-setting abc url-filters add { test_logsetting_swg { enabled true publisher sys-db-access-publisher }}

Fix:
Now it is possible to use the GUI to successfully use and configure log-setting objects that were created with tmsh.

---

651901 : Removed unnecessary ASSERTs in MPTCP code

Component: Local Traffic Manager

Symptoms:
There are many scenarios that call ASSERT in the MPTCP code, many of which can be handled without using ASSERT.

Conditions:
A virtual server is configured with a TCP profile with MPTCP enabled.

Impact:
If an ASSERT fails, traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
Replaced many ASSERTs with other mitigations that allow TMM to continue running.

---

651889 : persist record may be inconsistent after a virtual hit rate limit

Component: Local Traffic Manager

Symptoms:
persist record may be inconsistent after a virtual hit rate limit

Conditions:
A virtual with rate limit set.
persist is enabled.

Impact:
persist behavior will be impacted.

Workaround:
disable rate limit on virtual

Fix:
The problem is fixed.

---

651886 : Certain FIX messages are dropped

Component: Service Provider

Symptoms:
When a FIX message is received with a length, checksum, or message type field containing leading zeros, the message may be dropped.

Conditions:
This bug affects all FIX messages having a length (tag 9), checksum (tag 10) or message type (tag 35) field that contains at least one leading zero. Certain third-party FIX protocol implementations are known to insert leading zeros in these fields.

Impact:
FIX messages from these products cannot be processed by the FIX profile in BIG-IP.

Fix:
Valid Financial Information eXchange protocol messages are no longer rejected

---

651875 : GSLB Server properties page should show the iQuery section when type is BIG-IP System

Component: Global Traffic Manager (DNS)

Symptoms:
The iQuery section does not display on the GSLB Server properties page in the Web GUI.

Conditions:
There must be a GSLB Server created and configured to be of type BIG-IP System.

Impact:
The iQuery section does not display when it should on the properties page in the Web GUI.

Workaround:
the iQuery settings can be changed via TMSH.

Fix:
The iQuery section not properly display on a GSLB Server properties page.

---

651861 : GUI: When configuring Gx protocol profile message, not able to keep Subscriber Attribute value empty.

Component: Policy Enforcement Manager

Symptoms:
User can not configure Gx protocol profile message from GUI with empty Subscriber Attribute.

Conditions:
When trying to create Subscription-Id-Type and specifying default value, there is no way in the GUI to keep Subscriber Attribute field empty when creating a new Gx Message.
The field is always pre-filled with first subscriber attribute from the list - while there should be option of empty value.
The help of default value says - The subscriber attribute has precedence over the default value.
And indeed, the value of this attribute is influenced by the Subscriber Attribute chosen and default value is not used.

Impact:
User can not configure Gx protocol profile message from GUI with empty Subscriber Attribute. The subscriber attribute is always set to one of the attributes in the dropdown list.

Workaround:
User can configure Gx protocol profile message with empty Subscriber Attribute from CLI.

Fix:
'None' option is added in the Subscriber Attribute dropdown which sets its value as empty.

---

651828 : [Chrome] Web application's pop up window is blank

Component: Access Policy Manager

Symptoms:
Web application's pop up window is blank

Conditions:
Web application code opens new window and then populates it using document.write()

Impact:
Web application malfunction is likely

Workaround:
Custom iRule can be used

Fix:
APM Portal Access now successfully handles document.write() in new open window.

---

651826 : SPI fields of IPsec ike-sa, byte order of displayed numbers rendered incorrectly

Component: TMOS

Symptoms:
When checking the SPI fields of an IKEv2 IPsec SA, the byte order of the displayed number is rendered incorrectly. The SPI details are seen in "tmsh show net ipsec ike-sa all-properties".

For example, the BIG-IP will render this:
Spi(local): 0x3c4742cab016098c
Spi(Remote): 0x959f0a013581e25d

When the actual SPIs viewed on the peer device are:
Local spi: 5DE28135010A9F95
Remote spi: 8C0916B0CA42473C

Conditions:
IKEv2 IPsec SAs are established or attempting to be established.

Impact:
Can confuse a BIG-IP Administrator who is attempting to verify that IPsec peers have the same SAs.

Workaround:
Rearrange the SPI numbers manually or examine the ipsec.log to see the established SA SPI numbers.

Fix:
The correct SPI numbers are displayed when running the "tmsh show net ipsec ike-sa all-properties" command. Note that this command only shows IKEv2 SAs.

---

651772 : IPv6 host traffic may use incorrect IPv6 and MAC address after route updates

Component: Local Traffic Manager

Symptoms:
IPv6 traffic generated from the host, either from a host daemon, monitors, or from the command line, may use an MAC and IPv6 source address from a different VLAN.

Conditions:
- Multiple vlans with IPv6 configured addresses.
- Multiple routes to the same destination, either the same or more specific, default routes, etc. that cover the traffic destination.
- Changes in routes that will cause the traffic to the destination to shift from one vlan and gateway to another. This can be typically observed with dynamic routing updates.

Impact:
Traffic to the destination may fail due to using incorrect source IPv6/MAC address.
This may cause monitor traffic to fail.

Workaround:
Continuous traffic to the IPv6 link-local nexthops can avoid this issue.
This may be achieved by a script or an external monitor pinging the nexthop link-local address using the specific vlan.

Fix:
IPv6 host traffic no longer use incorrect IPv6 and MAC address after route updates.

Behavior Change:
Introduction of sys db ipv6.host.router_probe_interval, to control sysctl net.ipv6.conf.default.router_probe_interval value. This value is default to 5s.

---

651681-1 : Orphaned bigd instances may exist (within multi-process bigd)

Solution Article: K49562354

Component: Local Traffic Manager

Symptoms:
When multi-process 'bigd' is configured, orphaned 'bigd' instances may be exit; such as an orphaned 'bigd.1' alongside the active 'bigd.1'.

Conditions:
-- db variable Bigd.NumProcs to 2 or higher.
-- System monitors with long timeouts (such as ~183 seconds or longer), might also be relevant.

When 'bigd' manages monitor configurations that results in no monitoring activity for a long time (such as due to long monitor timeouts), the operating system may temporarily suspend (and later resume) the 'bigd' process. The system might treat the 'bigd' process as if it were "hung", and start another 'bigd' instance without explicitly terminating the suspended 'bigd' process.

Impact:
The suspended 'bigd' process consumes process memory. The process might be suspended (consuming no CPU resources), or running, which might result in "double-monitoring" the resources assigned to that 'bigd' process.

Note: If double-monitoring occurs, monitor status should be correct, but the double-monitoring unnecessarily consumes extra resources.

Workaround:
Configure 'bigd' to run as a single process. To do so, set the db variable Bigd.NumProcs to 1.

Shortening monitor timeouts can reduce the possibility of a 'bigd' process being (temporarily) suspended by the operating system.

Fix:
Multi-process 'bigd' no longer produces orphaned (suspended) process instances.

---

651651 : bigd can crash when a DNS response does not match the expected value

Solution Article: K54604320

Component: Local Traffic Manager

Symptoms:
bigd can crash when a response returned from a DNS request does not match the expected value.

Conditions:
Monitoring DNS server(s), or using FQDN.

Impact:
Potential bigd core and restart; may cause endless restart loop as long as DNS monitor instance is configured.

Workaround:
No workaround at this time.

Fix:
Prevented bigd from crashing when a response returned from a DNS request does not match the expected value.

---

651640 : queue full dropped messages incorrectly counted as responses

Component: Service Provider

Symptoms:
negative number of active response messages reported on sipsession profile stats

Conditions:
If a request message is dropped because the sip filter's ingress message queue is full, the wrong stats is incremented

Impact:
Counting the dropped request messages as response messages causes the calculation of the accepted response messages to be incorrectly calculated, thus producing a negative value.

Fix:
correct stats fields are incremented

---

651627-1 : IP addresses may appear "Aggregated" in "COMMON" section of dashboard but not Aggregated when applying module-specific filter

Component: Application Visibility and Reporting

Symptoms:
Some IP addresses may appear as "Aggregated" in the "COMMON" section of the dashboard but not Aggregated when applying a module-specific filter.

This occurs because lack of memory space causes information to be aggregated in the "COMMON" section before being aggregated in the module-specific DB.

Conditions:
A lot of diverse traffic (for some module) from many IP addresses (for example) on a system with a small amount of memory allocated for AVR.

Impact:
User sees a specific number (x) of IP addresses upon landing on the dashboard with "Aggregated" IP addresses, but when selecting a module-specific filter, statistics show a number plus another number (x+y) IP addresses (that is, essentially not aggregated).

Workaround:
Provision more memory to AVR.

Fix:
With this fix, aggregation does not happen in COMMON before it happens in the specific module. This is correct behavior.

---

651599 : /shared/em/ssl.crt are not collected as part of qkview

Solution Article: K78500502

Component: TMOS

Symptoms:
Enterprise Manager (EM) pushes certificates to /shared/em/ssl.crt on the BIG-IP system. In previous versions, qkview collected these certs. These certs are required to debug EM-related issues. In versions 12.x.x, these certs are not collected.

Conditions:
Running qkview on a BIG-IP system.
Running versions 12.x.x.

Impact:
No functional impact. Qkview does not include these additional certificates from the BIG-IP system.

Workaround:
N/A

Fix:
Qkview again collects the certificates that Enterprise Manager (EM) pushes to /shared/em/ssl.crt on the BIG-IP system.

---

651585 : ASM policy history GUI Validation Errors

Component: Application Security Manager

Symptoms:
Empty extractions are not removed when deleting URL or filetype in ASM policies.

Conditions:
-- Create extraction with filetype.
-- Remove filetype from allowed filetypes list.

Impact:
Empty extraction remains. This is benign, it does not affect enforcement on the policy.

Workaround:
None.

Fix:
Empty extractions are now removed along with URL or filetype in ASM policies.

---

651541 : Changes to the HTTP profile do not trigger validation for virtual servers using that profile

Solution Article: K83955631

Component: Local Traffic Manager

Symptoms:
Changing the HTTP profile does not trigger validation for virtual servers, so no inter-profile dependencies are checked.

Conditions:
Using an HTTP profile with a virtual server that uses other profiles that have settings that are mutually exclusive with those of the HTTP profile.

Impact:
The system will be in an invalid state. One immediate way this can be seen is when syncing to a peer. The sync operation does not complete as expected.

Workaround:
Use the error messages in the logs to determine how to change the configuration to return the system to a valid state.

Fix:
Changing the HTTP profile now triggers validation of all virtual servers using that profile.

---

651395 : DoS Network, SIP and DNS logs in the GUI do not show destination address and port

Solution Article: K30953380

Component: Advanced Firewall Manager

Symptoms:
The destination address and port were not showing up on DoS Network, SIP and DNS logs the UI.

Conditions:
Viewing DoS Network, SIP and DNS logs in the GUI.

Impact:
The destination address and port do not show up in the GUI error logs.

Workaround:
None.

Fix:
The destination address and port will now show up on the UI error logs for DoS DNS, SIP and Network.

---

651229 : tmm may restart when SAML SLO is initiated by SP using redirect binding

Solution Article: K14429395

Component: Access Policy Manager

Symptoms:
When the BIG-IP system is configured as SAML SP, there are two bindings supported for SLO profile: HTTP-Redirect and HTTP-POST (default option). If the BIG-IP system is configured to initiate SAML SP SLO profile with redirect binding - tmm may restart.

Conditions:
-- Configure the BIG-IP system as SAML SP.
-- Configure HTTP-Redirect binding for SLO profile.
-- Initiate SLO on SAML SP.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
Reconfigure the BIG-IP system to use HTTP-POST binding for SLO profile. Configuration should be changed on IDP connector objects.

Fix:
tmm no longer restarts when SAML SLO is initiated by SP using redirect binding.

---

651221 : Parsing certain URIs may cause the TMM to produce a core file.

Solution Article: K25033460

---

651173-1 : Security hardening of qkview

Component: TMOS

Symptoms:
qkview may collect sensitive information from BIG-IP system.

Conditions:
Collecting qkview.

Impact:
qkview may collect sensitive information.

Workaround:
None.

Fix:
qkview no longer collects sensitive information

---

651155 : HSB continually logs 'loopback ring 0 tx not active'

Component: TMOS

Symptoms:
In the TMM log files, HSB reports that 'loopback ring 0 tx not active'.

Conditions:
Unknown.

Impact:
Excessive logging. This may also cause an HSB lockup to not be detected.

Workaround:
None.

---

651136 : ReqLog profile on FTP virtual server with default profile can result in service disruption.

Solution Article: K36893451

Component: TMOS

Symptoms:
When FTP's control channel and data channel arrive on different TMMs, ReqLog profile may fail to identify data channel's listener.

Conditions:
Default inherit FTP profile virtual server configured with ReqLog profile.

Impact:
Service disruption, fail-over event.

Workaround:
Create non-inheriting FTP profile for FTP virtual server with ReqLog profile.

Fix:
ReqLog now successfully finds appropriate listener.

---

651135 : LTM Policy error when rule names contain slash (/) character★

Component: Local Traffic Manager

Symptoms:
Beginning with v12.0.0, there has been additional validation for LTM Policy rule names to allow only certain valid characters. Prior to v13.1.0, the slash (/) character was included in the set of valid characters.

But because the slash character is used as a delimiter in the BIG-IP virtual path hierarchy (e.g., /Common/my_policy/my_rule), extra slashes in a rule name causes validation problems because the rule appears to the system as having additional path segments.

Conditions:
LTM Policy rule contains the slash (/) character.

Impact:
Configuration will not load.
Configuration may load, but admin GUI may not show policy rule.

Workaround:
In the bigip.conf file, the LTM Policy rule names can be manually edited to either remove the illegal character or to substitute a valid character.

For example, the following policy won't load because the rule name contains a slash (/) character:
   
    ltm policy mypolicy {
    ...
       rules {
          /testperson/a {
    ...
    }

But it will load when the slash (/) characters are changed to a legal character, such as underscores (_):
    ltm policy mypolicy {
    ...
       rules {
          _testperson_a {
    ...
    }

Fix:
For upgraded configurations, the roll-forward process will automatically translate slash (/) to underscore (_) in LTM Policy rule names. When creating new rules, validation will not succeed if a rule name contains an illegal character, such as a slash, so the issue will be prevented.

---

651084 : 'tmsh show sys memory raw' command shows a slow build up of memory usage.

Component: TMOS

Symptoms:
The usage of istats_incr and istats_set commands do not release memory used during the processing of those commands. TMM might eventually core.

Conditions:
-- Configure SSL Orchestrator.
-- Use istats_incr and istats_set commands.

Impact:
Heap memory usage goes up. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The usage of istats_incr and istats_set commands now release memory used during the processing of those commands, so TMM no longer cores.

---

651067 : SSL/TLS-based monitors now use ServerSSL profiles

Component: Local Traffic Manager

Symptoms:
The configuration of SSL/TLS-based monitors might differ from how SSL/TLS is configured for other objects, such as SSL/TLS-based virtual servers.

Conditions:
This applies to SSL/TLS-based monitors.

Impact:
Inconsistent configuration.

Workaround:
None.

Fix:
In this release, instead of specifying ciphers, certificates, keys, and SSL options via explicit parameters, an SSL-based monitor (HTTPS/TCP plus SSL) is configured with a ServerSSL Profile. This profile contain all of the necessary settings. The ciphers, certificates, and keys are directly analogous to the those in the previous method of monitor configuration. SSL/TLS options may be specified in a more fine-grained fashion than the previous method, which enabled all compatibility options, or disabled all of them.

Behavior Change:
Previous versions of LTM monitors used explicit SSL/TLS settings for ciphers, certificates, and keys, as well as whether to enable compatibility options.

In all prior releases, SSL options on HTTPS monitors were specified explicitly. With this change, HTTPS monitors get their SSL options from a named Server SSL Profile.

The following options are retrieved from the profile:
-- Cipher string or cipher group.
-- Optional certificate and/or key.
-- SSL Options.

In prior releases, a compatibility flag could be enabled or disabled. When enabled, it turned on all SSL compatibility options; when disabled, all were turned off. With this change, individual SSL options can be specified in the profile.

---

651005 : FTP data connection may use incorrect auto-lasthop settings.

Component: Local Traffic Manager

Symptoms:
Due to known issue FTP data connection may fail to use auto-lasthop settings configured on the virtual server and use a value configured on VLAN level instead.

Conditions:
With the configuration below, FTP data connection will fail to use auto-lasthop:
(1)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'enable'

(2)
- Global auto-lasthop set to 'disable'
- VLAN auto-lasthop set to 'disable'
- Virtual server auto-lasthop set to 'enable'

With the configuration below, FTP data connection will improperly use the auto-lasthop:
(1)
- Global auto-lasthop set to 'enable'
- VLAN auto-lasthop set to 'default'
- Virtual server auto-lasthop set to 'disable'

(2)
- VLAN auto-lasthop set to 'enable'
- Virtual server auto-lasthop set to 'disable'

Impact:
FTP data connection may fail to be established.

Workaround:
Use routing instead of auto-lasthop.
(or) Enable auto-lasthop on VLAN level.

---

651001 : massive prints in tmm log: "could not find conf for profile crc"

Component: Advanced Firewall Manager

Symptoms:
Massive messages in tmm log:
"could not find conf for profile crc"

messages are shown while traffic is passing.

Conditions:
1. Have dos profile attached to vs. dos profile does not have dos application enabled.
2. Have ASM policy attached to VS with Web Scraping on/session hijacking/session awarness with DID collection/brute force with DID collection.

Impact:
Massive prints in tmm log that can cause tmm to abort. Traffic disrupted while tmm restarts.

Workaround:
Have DOS application enabled (even if doing nothing).

Fix:
disable prints.

---

650450-1 : After upgrade to v13.0.0, users may be met with a javascript error on the logon page or other APM pages

Component: Access Policy Manager

Symptoms:
BIG-IP APM v13.0.0 has modified javascript to better handle more flexible session timeout parameters. This necessitated a modification in the timeout code in APM.

Unfortunately, that means that after upgrade, your users may receive a script error: 'APMSessionTimeout is undefined' when using the F5 Edge Client, or when using a browser that has the old code cached.

Conditions:
Upgrade to BIG-IP APM v13.0.0 with a login page or other Policy Item that presents a GUI to end users connecting using the F5 Edge Client or a browser with the previous version's timeout javascript code cached.

Impact:
Users receive confusing script errors in Edge Client or their web browser.

Workaround:
Use one of the following workarounds. Note: If possible, use the first one. Only perform the manual workaround if the first one is not possible.

-- Check the Knowledgebase Article (https://support.f5.com/csp/article/K91200585) to determine available fix versions, and then contact F5 Networks Technical Support to obtain any available Engineering Hotfix or version Hotfix to address this issue.

-- Perform this manual workaround:

First, locate the items such as Logon Page and add a '?13' after the include for session_check.js.
For example, the following steps:
1. Logon to the GUI as Admin.
2. Click Profiles/Policies :: Customization :: Advanced.
3. Navigate to your Access Policy.
4. Navigate to Access Policy, then to the page that has the issue, such as Logon Page.
Note: The page is "logon.inc" for a logon page.
5. Locate the following line:

<script language="JavaScript" src="/public/include/js/session_check.js" ></script>.

6. Insert ?13 after session_check.js in the script language line, for example:

<script language="JavaScript" src="/public/include/js/session_check.js?13" ></script>.

7. Click Save Draft.
8. Click Save.

Note: Using the specific text "13" in "?13" isn't critical; it just must be some text.

Fix:
End users with Edge Client or other browser no longer receive javascript errors.

---

650422 : TMM core after a switchover involving GY quota reporting

Component: Policy Enforcement Manager

Symptoms:
Core dump in the code path for async subscriber lookup causes core-dump.

Conditions:
This core happens in an intra-chassis HA configuration, if GY is configured & HA switchover is forced.

Impact:
An initial coredump (or HA switchover) forces multiple core dumps. Traffic disrupted while tmm restarts.

---

650349-1 : Creation or reconfiguration of iApps will fail if logging is configured

Solution Article: K50168519

Component: TMOS

Symptoms:
If logging destination of any type is configured (ArcSight, IPFIX, remote high speed logging, etc.), creation or reconfiguration of iApps will fail. The following error will be reported in /var/log/webui.log and displayed in the GUI: The connection to mcpd has been lost, try again.

Conditions:
Logging is configured: filter, destination, and publisher.

Impact:
Cannot create new iApps or reconfigure existing ones.

Workaround:
Remove logging configuration.

Fix:
Can now create or reconfigure iApps if logging is configured.

---

650317 : The TMM on the next-active panics with message: "Missing oneconnect HA context"

Component: Local Traffic Manager

Symptoms:
The next-active TMM panics with message: "Missing oneconnect HA context" on a virtual which doesn't have one-connect on the active.

Conditions:
A mirrored virtual is configured with one-connect on the next-active but no one-connect profile is present on the active. This can occur when the config-sync connection between peers is down or auto-sync on the device group is disabled. The next-active expects a one-connect HA context but the active does not send it.

Impact:
Connections on the active are not mirrored while the next-active restarts.

Workaround:
Resolving configuration differences between the active and next-active will prevent this panic.

Fix:
Mirrored connections which fail to find an HA context on the next-active are not established on the next-active.

---

650292 : DNS transparent cache can return non-recursive results for recursive queries

Component: Global Traffic Manager (DNS)

Symptoms:
If a non recursive query is cached by the DNS transparent cache, subsequent recursive queries provide the non-recursive answer.

Conditions:
DNS transparent cache that receives a non-recursive query whose result is stored in the cache.

Impact:
Non recursive responses for recursive requests.

Workaround:
An iRule can be attached to the listener to disable the cache if the "rd bit" is not set in the DNS request.

Fix:
The RD bit is now handled as expected. If a recursive request is received, a non-recursive cached entry is ignored, and replaced, when the recursive request is answered.

---

650286-1 : REST asynchronous tasks permissions issues

Solution Article: K24465120

---

650152 : Support AES-GCM acceleration in Nitrox PX wlite VCMP platforms

Component: Local Traffic Manager

Symptoms:
In Nitrox PX platforms, vCMP guests can't accelerate AES-GCM traffic, which might cause high CPU usage.

Conditions:
For those vCMP guests deployed on Nitrox PX-based platforms, and SSL cipher is configured to use AES-GCM.

The following blades support the Nitrox PX and vCMP combination: VIPRION B4200, B4300, B2100, and B2150 blades.

Impact:
High CPU usage.

Workaround:
No workaround.

Fix:
Added AES-GCM hardware acceleration support for Nitrox PX-based vCMP.

---

650074 : Changed Format of RAM Cache REST Status output.

Component: Local Traffic Manager

Symptoms:
The REST API returned cache contents in displayable form, not tagged field form.

Conditions:
Using REST API.

Impact:
Text must be parsed as if the caller plans to post-process it.

Workaround:
To present the data in some other format, the text can be displayed as is, but must be parsed as if the caller plans to post-process it.

Fix:
Now RAM Cache REST Status output is returned in field format, and must be parsed by a JSON parser and formatted for display. If you were using the previous format, you must now parse the JSON and re-format the data for display.

Behavior Change:
REST API calls for ramcache stats now returns data as formatted JSON.

---

650070 : iRule that uses ASM violation details may cause the system to reset the request

Component: Application Security Manager

Symptoms:
When an iRule attempts to use the violation details such as attackSignature or MaliciousFingerprint, in some cases a legal request will be reset.

Conditions:
-- An ASM iRule that uses violation details is attached to the virtual server.
-- The request contains the violation

Impact:
A legal request is being reset.

Workaround:
None.

Fix:
iRule that uses ASM violation details no longer causes the system to reset the request.

---

650059 : TMM may crash when processing VPN traffic

Solution Article: K20087443

---

650019 : The commented-out sample functions in audit_forwarder.tcl are incorrect

Component: TMOS

Symptoms:
The commented-out sample "Transform" functions in audit_forwarder.tcl are not correct and should not be used.

Conditions:
Attempting to write your own Transform function in audit_forwarder.tcl using the examples.

Impact:
The Transform function may not work if the examples are followed.

Workaround:
Use the default Transform function as a starting point instead of one of the examples.

Fix:
Updated the example functions in audit_forwarder.tcl

---

650010 : Improve the detection of browsers used for web scraping

Component: Advanced Firewall Manager

Symptoms:
Some browsers used for web scraping are not always detected.

Conditions:
This is when Proactive Bot Defense is enabled.

Impact:
Some browsers used for web scraping are not detected and not reported in the logs.

Workaround:
None.

Fix:
Improved the detection of browsers used for web scraping.

---

650002 : tzdata bug fix and enhancement update

Component: TMOS

Symptoms:
There have been changes to timezone data that impact tzdata packages:

* Mongolia no longer observes Daylight Saving Time (DST).

* The Magallanes Region of Chile has moved from a UTC-04/-03 scheme to UTC-03 all year. Starting 2017-05-13 at 23:00, the clocks for the Magallanes Region will differ from America/Santiago.

Conditions:
-- Mongolia during DST portion of the year.
-- Comparing clock times in the America/Santiago zone with those in the Magallanes Region.

Impact:
Timezone data provided in tzdata will not match the area's time. Clocks for the Magallanes Region will differ from America/Santiago (its current timezone).

Workaround:
None.

Fix:
To accommodate for Mongolia no longer observing DST, the new America/Punta_Arenas zone was created. Changes were also made to support other timezone changes.

* The zone1970.tab file has been added to the list of files to be installed with the tzdata packages installation.

Note: Users of tzdata are advised to upgrade tzdata to zdata-2017b-1.el6

---

649987 : GUI LTM UDP profile missing Max Buffer Bytes and Max Buffer Packets setting

Component: TMOS

Symptoms:
You are unable to set the Max Buffer Bytes (buf_max_bytes) and Max Buffer Packets (buf_max_pkts) on a UDP profile.

Conditions:
Create/edit an LTM UDP profile via the GUI. The Max Buffer Bytes (buf_max_bytes) and Max Buffer Packets (buf_max_pkts) is not in the GUI.

Impact:
You cannot set the Max Buffer Bytes (buf_max_bytes) and Max Buffer Packets (buf_max_pkts) set in the GUI.

Workaround:
You need to use tmsh tool to set the Max Buffer Bytes (buf_max_bytes) and Max Buffer Packets (buf_max_pkts) values.

Fix:
Expose the Max Buffer Bytes (buf_max_bytes) and Max Buffer Packets (buf_max_pkts) values to be set in the GUI.

---

649986 : buffer-max-packets default value is 0, not 10 as stated in tmsh documentation

Component: Local Traffic Manager

Symptoms:
tmsh documentation of UDP profile option buffer-max-packets states:
"Specifies ingress buffer packet limit. The default value is 10. Maximum allowed value is 255."
Actual value by design is 0.

Conditions:
Viewing tmsh command line help for UDP profile option buffer-max-packets.

Impact:
Incorrect default value is stated.

Workaround:
The correct default value for UDP profile option buffer-max-packets is 0.

Fix:
Now, tmsh documentation of UDP profile option buffer-max-packets has been corrected to state:
"Specifies ingress buffer packet limit. The default value is 0. Maximum allowed value is 255."

---

649949 : Intermittent failure to do a clean install on iSeries platforms from USB DVD-ROM★

Component: TMOS

Symptoms:
Following the instructions at https://support.f5.com/csp/article/K13117 will occasionally fail on iSeries platforms, with the system being unable to find the installation media.

If this happens, running the following command will fail.

  image2disk --instslot=HD1.1 --setdefault --nosaveconfig

Conditions:
This can occur on iSeries platforms while performing a clean installation.

Impact:
The /dev/cdrom softlink points to the virtual CD-ROM drive in iSeries platforms instead of the physical USB DVD-ROM drive. This prevents image2disk from automatically finding the installation media.

Workaround:
After the failure, while in MOS, determine USB CDROM device name, mount it, and tell image2disk specifically where it is:

bash (try 'info') / > dmesg | grep "sr0\|sr1"
sr0: scsi3-mmc drive: 62x/62x writer dvd-ram cd/rw xa/form2 cdda tray <-- cdrom name
sr 6:0:0:0: Attached scsi CD-ROM sr0
sr1: scsi-1 drive
sr 7:0:0:0: Attached scsi CD-ROM sr1

bash (try 'info') / > mount -r -t iso9660 /dev/srX /cdserver
bash (try 'info') / > image2disk --instslot=HD1.1 --nosaveconfig /cdserver

In the mount command, replace "/dev/srX" with whichever device is the physical drive.

---

649933 : Fragmented RADIUS messages may be dropped

Component: Service Provider

Symptoms:
Large RADIUS messages may be dropped when processed by iRules.

Conditions:
This occurs when a RADIUS message that exceeds 2048 bytes is processed by an iRule containing the RADIUS::avp command.

Impact:
The RADIUS message will be dropped, and an error will be logged that resembles:

Illegal argument (line 1) (line 1) invoked from within "RADIUS::avp 61 "integer""

Workaround:
Remove RADIUS::avp commands from iRules processing large messages, or ensure that no RADIUS client or server will send large messages.

---

649929 : saml_sp_connector not properly deleted in a transaction that removes the saml resource and servers referring to it

Component: Access Policy Manager

Symptoms:
Cannot delete saml_sp_connector from a transaction even when all related objects are specified.

Conditions:
When deleting saml_sp_connector from a transaction along their associated objects.

Impact:
Cannot delete saml_sp_connector and associated objects.

Workaround:
Delete objects in the following order:
SSOResource
SSOSAMLConfig
SPConnector

Fix:
The apm sso saml_sp_connector object can now be deleted from a transaction involving all the related objects regardless of the order in which the objects are specified.

---

649907 : BIND vulnerability CVE-2017-3137

Solution Article: K30164784

---

649904 : BIND vulnerability CVE-2017-3136

Solution Article: K23598445

---

649866 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, filesystem check runs during the first boot. This increases the boot time, especially for images that were created more than 180 days before the first boot, because twice year, booting up runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.

---

649759 : ssmtp RewriteDomain setting is set to the empty string.

Solution Article: K15188934

Component: TMOS

Symptoms:
The ssmtp RewriteDomain setting is set to the empty string. Therefore, the From address in any email sent by the BIG-IP has an empty domain.

Conditions:
This applies when the 'sys outbound-smtp rewrite-domain' setting is unset.

Impact:
It is difficult to determine the originating device for system email.

Workaround:
Set the 'sys outbound-smtp rewrite-domain' to the local hostname.

Fix:
The ssmtp RewriteDomain setting is no longer set to the empty string. If 'sys outbound-smtp rewrite-domain' is unset, no rewriting will occur and the From address will have the hostname as its domain.

---

649617 : qkview improvement for OVSDB management

Component: TMOS

Symptoms:
The user can configure ovsdb-server in the BIG-IP system to communicate with an OVSDB-capable controller.

If the user wants the BIG-IP system to connect to an OVSDB-capable controller via a SSL connection, the user needs to configure a certificate and a certificate key in the TMSH command "sys management-ovsdb". Later on, if the user invokes qkview to collect system information, the configured certificate key can be collected in qkview.

Conditions:
The following conditions need to be met:

- BIG-IP has the SDN services license.

- The TMSH command "sys management-ovsdb" is set to "enabled". Note that this is set to "disabled" by default.

- The TMSH command "sys management-ovsdb cert-key-file" is set to a certificate key. Note that this is set to "none" by default.

Impact:
If the user invokes qkview to collect system information, the certificate key configured in the command "sys management-ovsdb cert-key-file" will be collected in qkview.

Workaround:
If OVSDB management is currently set to "enabled" in the BIG-IP system, then the user can reset "sys management-ovsdb cert-file" and "sys management-ovsdb cert-key-file" to "none" before calling qkview to collect system information.

In general, if OVSDB management has ever been set to "enabled", the user with the bash shell access can check if the file /var/run/openvswitch/BIG-IP_ovs_cert_key exists and delete it before calling qkview to collect system information.

Fix:
The certificate key configured in the "sys management-ovsdb" will not be collected when invoking qkview.

---

649613 : Multiple UDP/TCP packets packed into one DTLS Record

Component: Access Policy Manager

Symptoms:
The system converts the server provided packet into PPP buffers. These PPP packets are used to pack into DTLS records. Currently there is a limit of about 14 KB of DTLS records, such that the system can pack multiple PPP records into one DTLS record.

However, creating bigger DTLS record can cause server IP Fragmentation. In the lossy environment, losing one IP fragment can cause the complete DTLS record to be lost, resulting in poor performance.

Conditions:
Multiple UDP/TCP packets packed into one DTLS Record.

Impact:
In networks with packet losses, the APM end-user application might suffer poor network performance.

Workaround:
None.

Fix:
DTLS performance has been improved in lossy or high latency networks by optimizing the number of encoded ppp records inside of DTLS records.

---

649571 : Limits set in Server SSL Profile are not enforced if the server ignores BIG-IP's renegotiation ClientHello

Component: Local Traffic Manager

Symptoms:
The BIG-IP system does not act on the absence of renegotiation.

Conditions:
A BIG-IP system acts as TLS client, a TLS server ignores renegotiation request. Finite TLS session data or time limits are configured in Server SSL Profile on the BIG-IP system.

An example of such a TLS server is Apache/2.4.10 on Fedora Linux.

Impact:
Limits, such as data limits ("Renegotiate Size" in Server SSL) or time limits ("Renegotiate Period" in Server SSL) are not enforced with finite "Handshake Timeout".

Workaround:
None.

Fix:
BIG-IP system acting as TLS client (Server SSL Profile) now shuts down the connection if a TLS server did not continue with TLS renegotiation within "Handshake Timeout" seconds after the ClientHello, corresponding to the renegotiation initiation, was sent by the BIG-IP system.

---

649564 : Crash related to GTM monitors with long RECV strings

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd core dump related to GTM monitors with long RECV strings.

Conditions:
Sufficiently large RECV (receive) string on a GTM Monitor.

Impact:
Core dump. Traffic might be disrupted while gtmd restarts.

Workaround:
None.

Fix:
Fixed an issue relating to a crash when a GTM monitor has a sufficiently large receive string configured.

---

649513 : IP Intelligence: Policy diff doesn't work for categories

Component: Application Security Manager

Symptoms:
no validation for existence of fields for a nested struct

Conditions:
create 2 policies.
create difference in nested structs.

Impact:
compare policies with nested structs will not work as expected.

Fix:
add validation for existence of fields for a nested struct

---

649441 : Classification memory allocation

Component: Traffic Classification Engine

Symptoms:
Classification library ('CE') allocates an extra 2 KB of memory per flow and never used it.

Conditions:
Classification and HTTP profile attached to Virtual Server.

Impact:
High memory footprint for heavily loaded systems.

Workaround:
Install latest Classification Update Package ('IM Package').

Fix:
The software now uses the latest Classification Update Package ('IM Package'), so the issue no longer occurs.

---

649369 : DES, 3DES and HIGH cipher string includes/excludes wrong ciphers

Component: Local Traffic Manager

Symptoms:
When cipher string contains "DES", 3DES ciphers are also included. The keyword "3DES" does not impact the included/excluded ciphers. HIGH no longer includes 3DES ciphers.

Conditions:
Cipher string contains DES, 3DES and/or HIGH.

Impact:
Additional ciphers being offered to the client or ciphers not being omitted.

Behavior Change:
3DES ciphers moved from "high" to "medium".

---

649342 : No port configuration on the OAuth Client agent redirection uri

Component: Access Policy Manager

Symptoms:
Configuring port using number or session variable on the OAuth Client agent redirection URI is not allowed.

Conditions:
If HTTPS port is different from 443 then, redirection URI needs to specify port using port number or port session variable.

Impact:
OAuth Client redirection URI cannot be modified to contain custom HTTPS port number

Workaround:
Create a session variable containing both fqdn and custom port number and specify that in client redirection URI in OAuth Client agent.

Fix:
Now the OAuth Client agent redirection URI accepts session variables for configuration of hostname and port, for example:
https://%{session.server.network.name}:%{session.server.network.port}/oauth/client/redirect’.

---

649336 : AVR doesn't display units for "Avg Read Latency" measurement

Component: Application Visibility and Reporting

Symptoms:
AVR doesn't display units for 'Avg Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg
2. add the following line at line 63: "units=microsecond"
3. restart monpd.

Fix:
Added units (microsecond) to AVR report.

---

649315 : Display OCSP configuration change as warning message on the screen during upgrade

Component: TMOS

Symptoms:
Beginning in v13.0.0, there is a configuration change that occurs on migration on OCSP stapling. The migration is gracefully handled during upgrade.

Conditions:
-- Upgrading from older version (earlier than 13.0.0) to newer version (greater than, or equal to 13.0.0).
-- There exists a clientSSL profile with OCSP stapling enabled.

Impact:
There are no warning messages, so you might not notice the configuration change during upgrade, which might lead to confusion.

Workaround:
None.

Fix:
Instead of messages only in ltm.log, the system now displays the configuration changes as warning message during upgrade. These messages appear similar to the following

 warning mcpd[6094]: 0107185a:4: Warning generated, for version 13.1.0 or greater : Setting strict-responder-certificate-check to true in OCSP object (/Common/ocsp1) as its default value is changed to true.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading OCSP certificate validator (/Common/ocsp_https): Deprecating the OSCP certificate validator because its responder URL (https://responder.url) is not HTTP-based.
 notice mcpd[6094]: 01071bb6:5: Upgrading ClientSSL (/Common/cssl1) CertKeyChain (/Common/server_1.crt): successfully attached OCSP configuration (/Common/ocsp1) to the certificate (/Common/server_1.crt), and enabled OCSP stapling.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl2) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - the certificate chain (/Common/c3d_ca.crt) is configured but is not a valid issuer of the certificate (/Common/server_2.crt). Please configure a valid issuer for the certificate or make sure that the certificate file contains its own issuer certificate.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl3) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade because the OCSP validator (/Common/ocsp_https) has been deprecated during upgrade. Please check previous warning messages or ltm logs for the deprecation reason.
  mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl4) CertKeyChain (/Common/server_1.crt): the clientSSL profile is now using /Common/ocsp1 for OCSP stapling instead of using /Common/ocsp3 because the certificate (/Common/server_1.crt) has been successfully associated with OCSP validator (/Common/ocsp1) during upgrade.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl5) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - unable to find an HTTP-based OCSP responder's URL in the AIA (Authority Information Access) extension of the certificate (/Common/server_2.crt) or the configuration of the OCSP validator (/Common/ocsp3).

Behavior Change:
Instead of messages only in ltm.log, the system now displays the configuration changes as warning message during upgrade. These messages appear similar to the following

 warning mcpd[6094]: 0107185a:4: Warning generated, for version 13.1.0 or greater : Setting strict-responder-certificate-check to true in OCSP object (/Common/ocsp1) as its default value is changed to true.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading OCSP certificate validator (/Common/ocsp_https): Deprecating the OSCP certificate validator because its responder URL (https://responder.url) is not HTTP-based.
 notice mcpd[6094]: 01071bb6:5: Upgrading ClientSSL (/Common/cssl1) CertKeyChain (/Common/server_1.crt): successfully attached OCSP configuration (/Common/ocsp1) to the certificate (/Common/server_1.crt), and enabled OCSP stapling.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl2) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - the certificate chain (/Common/c3d_ca.crt) is configured but is not a valid issuer of the certificate (/Common/server_2.crt). Please configure a valid issuer for the certificate or make sure that the certificate file contains its own issuer certificate.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl3) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade because the OCSP validator (/Common/ocsp_https) has been deprecated during upgrade. Please check previous warning messages or ltm logs for the deprecation reason.
  mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl4) CertKeyChain (/Common/server_1.crt): the clientSSL profile is now using /Common/ocsp1 for OCSP stapling instead of using /Common/ocsp3 because the certificate (/Common/server_1.crt) has been successfully associated with OCSP validator (/Common/ocsp1) during upgrade.
 warning mcpd[6094]: 01071859:4: Warning generated : Upgrading ClientSSL (/Common/cssl5) CertKeyChain (/Common/server_2.crt): OCSP stapling is changed to disabled during upgrade - unable to find an HTTP-based OCSP responder's URL in the AIA (Authority Information Access) extension of the certificate (/Common/server_2.crt) or the configuration of the OCSP validator (/Common/ocsp3).

---

649234 : TMM crash from a possible memory corruption.

Component: Access Policy Manager

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Access to an invalid or stale Access session result from custom iRules no longer causes TMM crash.

---

649220 : Filterable rule's pools

Component: TMOS

Symptoms:
The list of pools on a policy rule cannot be filtered, and is unwieldy to use when there are a large number of pools.

Conditions:
This occurs when looking at the policy rule list and there are a large number of pools.

Impact:
Configurations containing many pools may result in time-consuming efforts to choose the appropriate pool.

Workaround:
None needed. This is a cosmetic issue.

Fix:
Policy rule's pools can now be filtered.

---

649180 : Attack Signatures do not mention 'Cookie' in Signature Scope field

Component: Application Security Manager

Symptoms:
Attack Signatures that include Parameter/Cookies in their scope, do not mention 'Cookie' in Signature Scope field, on the Attack Signature Properties page.

Conditions:
Viewing the description of any Attack Signature that has Parameter/Cookie in its scope.

Impact:
The description lacks the word 'Cookie'. Because of this, you might be mislead and create faulty signatures.

Workaround:
None.

Fix:
When filtering Attack Signature by Signature Scope that includes Parameter/Cookie property, The 'Cookie' property now appears.

---

649177 : Testing for connection to SMTP Server always returns "OK"

Solution Article: K54018808

Component: Application Visibility and Reporting

Symptoms:
When you click the SMTP GUI config "Test Connection" button it always gives green "OK" response, even if there is no network, or if the DNS response is NXDomain.

Conditions:
This is encountered when testing the SMTP connection using the GUI.

Impact:
Validation of SMTP server availability is incorrect

Workaround:
You can test SMTP at the command line by attempting to send a test email, as in this example (substitute user@example.com with your valid email address):

# echo "ssmtp test mail" | mail -vs "Test email" user@example.com

Fix:
The 'Test Connection' button for the SMTP server configuration reports errors as expected.

---

649171 : tmm core in iRule with unreachable remote address

Component: Local Traffic Manager

Symptoms:
TCP::unused_port <remote_addr> <remote_port> <local_addr> [<hint_port>] with a non reachable remote_addr, tmm cores

Conditions:
This occurs when using TCP::unused_port in an iRule and the remote address is not reachable

Impact:
Traffic disrupted while tmm restarts.

Workaround:
create faux route for the destination address

---

648990-2 : Serverside SSL renegotiation does not occur after block cipher data limit is exceeded

Component: Local Traffic Manager

Symptoms:
If you have a virtual server with a serverssl profile configured that serves large (>2GB) files, you may see these errors in /var/log/ltm:

info tmm[17859]: 01260034:6: Block cipher data limit exceeded.

Conditions:
This occurs when a serverssl profile is in use, and the server-side traffic exceeds 2GB.

Impact:
Serverssl renegotiation does not occur, log message is displayed.

---

648954 : Configuration validation (e.g., ConfigSync) may fail after an iRule is deleted, if the iRule made procedure calls

Component: Local Traffic Manager

Symptoms:
Configuration validation fails spuriously, including potentially as a result of a ConfigSync or modifying an iRule, with an error similar to the following:

    01020036:3: The requested rule (/Common/rule_uses_procs) was not found.

Referencing an iRule that previously existed, but has been deleted (or is being deleted as a result of a ConfigSync).

Conditions:
-- iRule using procedures in a different iRule.
-- iRule attached to virtual server.

Impact:
iRule procs are still referenced after deletion. Configuration validation fails spuriously.

Workaround:
Force reloading of the MCP binary database.

For specific steps, see K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

---

648902 : TMM crashes after changing VLAN tag to 'any'

Component: Local Traffic Manager

Symptoms:
The VLAN tag cannot be modified to or from the value of 4096.

Conditions:
Modify VLAN tag from 4096 or to 4096.

Impact:
Cannot modify VLAN tag from 4096 or to 4096.

Workaround:
To modify the VLAN tag of an existing VLAN to or from the value of 4096, delete the VLAN and re-create it with the desired VLAN tag value.

Fix:
Validation now prevents changing to/from tag 'any' (4096) so this issue doesn't occur.

---

648873 : Traffic-group failover-objects cannot be retrieved via iControl REST

Solution Article: K93513131

Component: TMOS

Symptoms:
When issuing a GET you get the following error message:
List property is not implemented! Detail [cm traffic-group failover-objects {...}].

(The ... represents the data that was presented as a list property.)

Conditions:
Trying to use iControl REST for getting failover-objects associated to floating traffic-groups

Impact:
No access to list of failover-objects associated to an specific floating traffic-group via the iControl REST interface

Workaround:
Use a different user interface (tmsh or GUI).

Fix:
Traffic-group failover-objects can now be retrieved via iControl REST

---

648867 : Kernel vulnerability: CVE-2017-6074

Solution Article: K82508682

---

648806 : Invalid "with the first highest ratio counter" logging for pool member ratio load balance

Component: Global Traffic Manager (DNS)

Symptoms:
Invalid value for "with the first highest ratio counter" for wideip load balancing decision is logged.

Conditions:
Enabled logging for wideip load balancing decision.

Impact:
Invalid value is logged for "with the first highest ratio counter".

---

648786 : TMM crashes when categorizing long URLs

Component: Traffic Classification Engine

Symptoms:
TMM crashes when categorizing long URLs.

Conditions:
URL categorization with long URLs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM now can handle really long URLs for URL categorization.

---

648766 : DNS Express responses missing SOA record in NoData responses if CNAMEs present

Solution Article: K57853542

Component: Global Traffic Manager (DNS)

Symptoms:
A valid NoData response can contain CNAMEs if a partial chase occurred without final resolution. DNS Express is not including the expected SOA record in this scenario.

Conditions:
-- DNS Express configured.
-- Partial CNAME chase resulting in incomplete resolution.

Impact:
A valid DNS response with a a partial chase but missing the SOA record may not be considered authoritative due to the missing record.

Workaround:
None.

Fix:
The SOA record is now included as appropriate.

---

648715 : BIG-IP i2x00 and ix4x00 platforms send LLDP, STP, and LACP PDUs with a VLAN tag of 0

Solution Article: K45001725

Component: Local Traffic Manager

Symptoms:
LACP, STP, and LLDP PDUs sent from either of the i2x00 or i4x00 platforms have a VLAN tag added to the PDU when they shouldn't.

Conditions:
Provision any of the three protocols: LLDP, STP, or LACP and the PDU sent by the BIG-IP will incorrectly have a VLAN tag with a tag-id of 0 added to the PDU.

Impact:
Some 3rd party devices may reject the packet. This will adversely affect operation of the affected protocol.

Workaround:
None.

Fix:
This release ensures that the VLAN tag is stripped before the PDU is sent onto the wire.

---

648700 : Verification of peer certificate chain may return incorrect result.

Component: Local Traffic Manager

Symptoms:
When a certificate chain is made up of multiple certificates, the verification of the chain may be wrong.

Conditions:
This happens when the 'untrusted-cert-response-control' and 'expire-cert-response-control' are both set to 'ignore' on server SSL profile, and 'sys db tmm.ssl.servercert_softval' is 'enable'.

Impact:
When the condition matches, the 'SSL::verify_result' may return the wrong result.

Workaround:
None.

Fix:
'SSL::verify_result' returns the correct result.

---

648639 : TS cookie name contains NULL or other raw byte

Component: Application Security Manager

Symptoms:
The TS cookie name may intermittently contain NULL.

Conditions:
This can occur intermittently when ASM is provisioned and has a unique combination of security policy name and the server's cookie attributes (path and domain).

Impact:
False positives triggered on modified domain cookies.

Workaround:
To resolve this, change the policy security name.

Fix:
Fixed an issue with the TS cookie name length.

---

648544 : HSB transmitter failure may occur when global COS queues enabled

Component: TMOS

Symptoms:
An HSB transmitter failure may occur if global COS queues enabled. The HSB transmitter failure is logged in the TMM log files.

Conditions:
With global COS queues enabled, the HSB's watchdog loopback packets are sent on HSB ring 2, instead of ring 0. If HSB ring 2 is heavily utilized, this could cause the loopback packets to be dropped. If this occurs, then the watchdog may trigger an HSB transmitter failure.

Impact:
If this issue occurs then the BIG-IP is rebooted.

Workaround:
Do not use global COS queues.

Fix:
Loopback packet priority is now set during runtime to guarantee transmit on mgmt ring 0.

---

648317 : Upgrade to 13.0.0 on B2100/B2150 with IOMMU enabled prevents vCMP guests from starting★

Component: TMOS

Symptoms:
vCMP guests will fail to start on B2100 and B2150 when the user had enabled the input/ output memory management unit (IOMMU) before upgrading.

Conditions:
* Run a pre-13.0.0 version of the software.
* Run on a VIPRION B2100/B2150 blade.
* Enable IOMMU before upgrading, using the following command: sys db kernel.iommu.
* Upgrade to 13.0.0.
* vCMP is provisioned.

Impact:
Cannot deploy vCMP guests.

Workaround:
Use the grub_open and grub_close commands to manually add "intel_iommu=on" to their kernel command line, as follows:

~$ grub_open
/var/run/grub.conf.mdfy.24145
~$ <edit the file above>
~$ grub_close

Fix:
Upgrade on VIPRION B2100/B2150 blades with IOMMU enabled no longer prevents vCMP guests from starting.

---

648316-1 : Flows using DEFLATE decompresion can generate error message during flow tear-down.

Component: TMOS

Symptoms:
Repeated entries in the ltm log will show a completion-code error (comp_code=4) as in the following:

  Zip engine ctx eviction (comp_code=4): ctx dropped.

Conditions:
The problem occurs when a flow that requests DEFLATE decompression is terminated when the compression engine is still in the middle of working on an incomplete DEFLATE block.

Impact:
False errors can appear:
  o In fields of tmctl rst_cause_stat table, false stats counters will increment for compression and packet errors.
  o Log entries with the "Zip engine... (comp_code=4)" appear in ltm log.

Monitors observing the ltm log or stats in the tmctl rst_cause_stat table will see false positives.

Workaround:
Disable hardware acceleration.

Fix:
A new tcl variable, nitrox::comp_suppress_itrunc, was added. It defaults to NO which yields legacy behavior. Setting it to YES causes comp_code=4 (ITRUNC) errors to not propagate as an error.

To enable the feature, add the following line to /config/tmm_init.tcl:

    nitrox::comp_suppress_itrunc yes

You will have to restart tmm for the change to take effect.

---

648286 : GSLB Pool Member Manage page fails to auto-select next available VS/WiP after pressing the add button.

Component: Global Traffic Manager (DNS)

Symptoms:
The combobox does not auto-select the next entry in the list of virtual servers/wide IPs after pressing the Add button and successfully adding an entry to the member list.

Conditions:
-- Have at least two entries in the combobox.
-- Add one of the entries to the member list.

Impact:
The other entry is not selected automatically (as it was in BIG-IP versions 12.1 and earlier). Must manually select each entry to add to the member list.

Loss of functionality from earlier releases.

Workaround:
Manually select each entry to add to the member list.

Fix:
Restored behavior that selects the next available entry in list after pressing the Add button on GSLB Pool's Member manage page.

---

648245 : When using a route TMM may use a smaller MTU

Solution Article: K29101604

Component: Local Traffic Manager

Symptoms:
TMM uses a smaller MTU when connecting to a device via a configured route.

Conditions:
- Larger than 1500 bytes MTU configured on VLAN.
- Static, or dynamically learned route, to a destination, with no specific MTU defined.

Impact:
Effective MTU when using the route will be limited to 1500 bytes. This includes derived MSS in TCP connections.

Workaround:
Specify the required MTU on routes.

Fix:
TMM now by default uses VLAN-configured MTU when using a route to a destination.

---

648083 : Argument of indirectly referenced eval() was not rewritten

Solution Article: K83700745

Component: Access Policy Manager

Symptoms:
Errors indicated by web-application.
Other potential symptoms include incorrect rendering for some pages and/or links not rewritten in web applications.

Conditions:
Using indirect references to native eval function in web-application code.

For example. using a function in web-application's code similar to the following:

function f(n) {
  var e = eval;
  return e(n);
}
f(some_text)

Impact:
Application does not work correctly via Portal Access.

Workaround:
Use a custom iRule.

Fix:
Now Portal Access supports calling eval() using indirect references. This improves web app compatibility.

---

648060 : EdgeClient locked mode exclusion list admin UI doesn't allow underscore character

Solution Article: K85067418

Component: Access Policy Manager

Symptoms:
EdgeClient locked mode exclusion list admin UI doesn't allow underscore character

Conditions:
An administrator is trying to configure EdgeClient locked mode exclusion list with hostname containing underscore character ('_').

Impact:
Hostnames with underscore are not allowed in the list, and you can't whitelist them

Workaround:
Exclusion list feature for locked mode is also configurable using local registry on the client machine, registry configuration allows underscore characters.

To add my_domain.com to the exclusion list please create registry key (key, not value) under key
HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions, e.g. HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions\my_domain.com\

Fix:
Now admin UI allows you to specify underscore characters in Edge Client locked mode exclusion list

---

648056 : bcm56xxd core when configuring QinQ VLAN with vCMP provisioned.

Component: TMOS

Symptoms:
bcm56xxd constantly crashes, device goes off-line.

Conditions:
Reboot the system with QinQ VLANs configured and vCMP provisioned.

Impact:
Device goes off-line.

Workaround:
None.

Fix:
bcm56xxd no longer crashes when QinQ VLANs are configured and vCMP provisioned.

---

648053 : Rewrite plugin may crash on some JavaScript files

Component: Access Policy Manager

Symptoms:
Rewrite plugin may crash parsing JavaScript files in US ASCII encoding.

Conditions:
JavaScript file in US ASCII encoding (not in UTF-8).

Impact:
Rewrite plugin may crash parsing this file. No response is sent to client.

Workaround:
It is possible to change/add 'charset' parameter in response header 'Content-type' to 'UTF-8' by iRule.

Fix:
Now Portal Access rewrite correctly handles JavaScript data if the web page uses US ASCII encoding.

---

648037 : LB::reselect iRule on a virtual with the HTTP profile can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
tmm crashes after the LB::reselect iRule fails to connect to the server.

Conditions:
This issue can occur when a virtual server is configured with HTTP and the LB::reselect iRule. If the LB::reselect fails to connect to the server and there is not a monitor on the pool, tmm will crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a monitor for the pool.

Fix:
Fixed a tmm crash related to LB::reselect

---

648008 : bd keeps coring after upgrade to 12.1.2 or later★

Solution Article: K70289415

Component: Application Security Manager

Symptoms:
Pre-existing traffic data files from a previous attempt to perform a roll-forward/upgrade remain on the disk under /var/asmdata1/traffic_data, even after you set ucs.asm.traffic_data.save to disable. The qkview contains errors such as the following.
--
ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined
--

Conditions:
This can occur after upgrading ASM to 12.1.2 or later, and rolling forward the configuration.

Impact:
The ASM enforcer application continually fails, causing unit instability.

Workaround:
Upgrade by saving a UCS on 12.1.0, performing a clean install of 12.1.2, and then loading the UCS onto 12.1.2 (or later).

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which works around the error, so the UCS can load without error.

This can be set by:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

Fix:
/var/asmdata1/traffic_data is now cleared as part of UCS load cleanup, so the issue no longer occurs.

---

647988 : HSL Balanced distribution to Two-member pool may not be balanced correctly.

Solution Article: K15331432

Component: TMOS

Symptoms:
When configuring a two-member pool as HSL destination and using "balanced" distribution, logs from iRule HSL::send may end up balanced to a single pool member.

Conditions:
- Two-member pool configured as remote-high-speed-log destination.
- The remote-high-speed-log distribution is set to "balanced"
- Data-Plane logging using for example but not limited to: iRule HSL::send.

Impact:
Log message may not be distributed correctly resulting in more load on a single pool member.

Workaround:
None.

Fix:
Logs are distributed more equally on pool members in "balanced" distribution HSL.

---

647972 : inconsistent attribute naming in sys connection

Component: TMOS

Symptoms:
The TMSH command "show sys connection" returns the idle time of a connection. However, its manpage refers to this as "age." Age is actually the minimum idle time.

Conditions:
Man page and TMSH command have different names for the same attribute.

Impact:
Different names in attribute might be confusing.

Workaround:
N/A.

Fix:
The "age" label is now "minimum idle time" in the man page.

---

647962 : B2250: Interface is dropping traffic in passive mode

Component: Local Traffic Manager

Symptoms:
Passive mode is a new mode of operation introduced in BIG-IP version 13.0.0. In this mode of operation, the BIG-IP system processes data offline to detect DoS attacks and/or to collect HTTP analytics data, etc.

The results are reported by the BIG-IP system might not be accurate.

Conditions:
-- Device is operating on passive mode data.
-- VIPRION 2250 blade.

Impact:
This will impact BIG-IP system's ability to operate in passive mode.

Workaround:
None.

Fix:
Passive mode is now fully supported on the B2250.

---

647944 : MCP may crash when making specific changes to a FIX profile attached to more than one virtual server

Component: TMOS

Symptoms:
When a FIX profile is attached to more than one virtual server, making specific edits to the profile may result in MCP crashing and restarting.

Conditions:
A FIX profile is be in use and attached to more than one virtual server. You then edit the profile (and click "Update") in this order:

- Change the Error Action from "Don't Forward" to "Drop Connection"
- Add a new mapping to the Sender and Tag Substitution Data Group Mapping.

Impact:
Traffic disrupted while mcpd restarts.

Fix:
Prevented MCP from crashing when the FIX profile is edited.

---

647834 : Failover DB variables do not correctly implement 'reset-to-default'

Component: TMOS

Symptoms:
When the 'modify sys db' command option 'reset-to-default' is issued, the new value does not take effect, even though 'list sys db' displays the desired value.

Conditions:
This is known to affect at least the following failover-related DB variables:

log.failover.level
failover.nettimeoutsec
failover.debug
failover.usetty01
failover.rebootviasod
failover.packetcheck
failover.packetchecklog
failover.secure
mysqlhad.heartbeattimeout
mysqlhad.debug
mysqldfailure.enabled
mysqldfailure.haaction.primary
mysqldfailure.haaction.secondary

Impact:
The configuration change does not take effect.

Workaround:
Explicitly set the DB variable to the desired value.

Fix:
reset-to-default restores the default values.

---

647828 : Historical session data in db and inconsistent GUI info

Component: Application Security Manager

Symptoms:
You notice a lot of session tracking data in your new ASM deployment, showing blocked requests, particularly on one of the high availability peers.

Conditions:
Enabling Session Tracking and setting "Block All Period" .
Block All data points defaults to persist infinitely (with no expiration period).

Impact:
The records of session tracking are never cleaned up, which can present confusing session data.

Workaround:
Clear all session tracking data points (or as many as possible) and prevent them from accumulating.

A) To prevent data points from accumulating, consider setting the blocking period to the default of 600 seconds (5 minutes) instead of 'infinite'.

B) There is no option of clearing out all data points for a given policy in the GUI. This example provides one-line commands to do so.

-- Run the following two commands sequentially, to clear out the data points of a specific policy.
-- Apply that procedure for as many policies as possible.

For example, given a policy id of 13, the following commands replace 13 (at '{ policy_id => 13 }') with the required policy id:
------------------
perl -MF5::ASMConfig::Entity::Policy -MF5::ASMConfig::Entity::SessionAwarenessDataPoint -e 'F5::ASMConfig::Entity::SessionAwarenessDataPoint->delete_many(dbh => F5::DbUtils::get_dbh(), policy => F5::ASMConfig::Entity::Policy->new(dbh => F5::DbUtils::get_dbh(), get_criteria => { policy_id => 13 }), master_keys => 1)'

perl -MF5::ASMConfig::Entity::Policy -MF5::ASMConfig::Entity::SessionAwarenessDataPoint -e 'F5::ASMConfig::Entity::SessionAwarenessDataPoint->reload_session_db(dbh => F5::DbUtils::get_dbh(), policy => F5::ASMConfig::Entity::Policy->new(dbh => F5::DbUtils::get_dbh(), get_criteria => { policy_id => 13 }), delete_existing => 1)'
------------------

Fix:
Session Awareness Statuses are now cleaned after the expiration period, so this issue no longer occurs.

---

647812 : /tmp/wccp.log file grows unbounded

Component: TMOS

Symptoms:
WCCP uses /tmp/wccp.log as output for Diagnostic information,
independent of log level or db key. This file can grow unbounded if there are never any WCCP packets sent. If packets are sent the file is cleaned up automatically.

Conditions:
This can occur if WCCP is configured but never goes beyond negotiation.

Impact:
/tmp/wccp.log grows unbounded, filling up the disk.

---

647803 : Multiple requests from server may cause RTSP connection to stall

Component: Service Provider

Symptoms:
When multiple requests are sent from the server before receiving response or further requests from the client, the RTSP connection may stall.

Conditions:
Virtual is configured with the RTSP profile and multiple requests are sent from the server before receiving response or further requests from the client.

Impact:
RTSP connection stalls.

---

647757 : RATE-SHAPER:Fred not properly initialized may halt traffic

Solution Article: K96395052

Component: Local Traffic Manager

Symptoms:
RATE-SHAPER:Fred is not properly initialized and might halt traffic.

Conditions:
Initialize RATE-SHAPER:Fred as the drop policy using its default properties.

Impact:
Traffic is halted.

Workaround:
There are two possible workarounds:
-- Initialize the drop policy fred to the value of 9999 instead of default 0.
-- Use RED as drop policy instead of fred.

---

647706 : iOS RDP client fails to connect to RD Connection Broker via APM's Native RDP resource

Component: Access Policy Manager

Symptoms:
iOS RDP client fails to connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.
When user launches Native RDP resource from APM Webtop, RDP client shows following error messages:
-- Can't connect to the Remote Desktop Gateway. Contact your network administrator for assistance. (Error code: 0x03000008).
-- Disconnected from server vpn.example.com with error code 0x00000003.

Conditions:
Using iOS client to connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.

Impact:
Connection from RD client to Terminal Server via BIG-IP APM fails.

Workaround:
iOS does not work in this case, but you can connect using a client device besides iOS such as Android.

Fix:
iOS RDP client now can connect to Windows Server 2012/2016 with RD Connection Broker role installed via APM's Native RDP resource.

---

647645 : Accessing SAML Resource may cause reset connection when SSO on access profile contains v1 (NTLM, form based) configuration

Component: Access Policy Manager

Symptoms:
Accessing SAML Resource causes RST when Single Sign-On (SSO) on access profile contains V1 configuration (NTLM, form based).

Conditions:
All of the following:
- BIG-IP system is configured and used as SAML Identity Provider.
- In-use access profile has both: 1) V1 SSL attached (NTLM, form based) and SAML resources assigned on access policy.
- APM end user performs IdP-initiated SAML WebSSO by clicking published SAML resource on the webtop.

Impact:
TCP connection to the client is reset. As a result, APM end user is not able to perform IdP-initiated SAML WebSSO.

Workaround:
None.

Fix:
Assigning V1 SSO profile on access policy no longer causes a connection reset when APM end user performs IdP-initiated SAML WebSSO by clicking published SAML resource on the webtop.

---

647625 : L7 Policy state may be corrupted in rare occasions

Component: Local Traffic Manager

Symptoms:
The TMM may crash due to a conflict in L7 Policy state between the client and server-side connections.

Conditions:
When a virtual server configuration is changed together with policy configurations.

One-Connect is used on the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The TMM no longer crashes due to the client-side and server-side L7 Policy state being out of sync after a configuration change.

---

647158 : Internal virtual server inherits CMP hash mode from parent virtual server

Solution Article: K76581555

Component: Service Provider

Symptoms:
An internal virtual server might behave in unexpected ways, such as abort a client connection before connecting to the server.

Conditions:
Virtual server with request-adapt or response-adapt profile and a vlan with 'cmp-hash' mode 'src-ip'.
Internal virtual server without a VLAN or 'cmp-hash' setting.

Impact:
The internal virtual server might sometimes abort when attempting to make a connection to the server. This occurs after a successful load-balance pick indicated by the LB_SELECTED event, but before a TCP SYN packet is sent to the server. As a result the parent virtual performs the service-down-action configured in the request-adapt or response-adapt profile.

Workaround:
If possible, do not use the cmp-hash mode 'src-ip'.

Fix:
An internal virtual server is not affected by any 'cmp-hash' mode setting in the parent virtual server.

---

647151 : CPU overtemp condition threshold is 75C

Component: TMOS

Symptoms:
A CPU overtemp condition is logged when a B4450 CPU reaches 75C.

Conditions:
CPU temperature is only 75C and ambient temperature in the blade is in the normal range.

Impact:
Since the temperature threshold is set too low, the warning does not indicate an actual problem.

Workaround:
None.

Fix:
The fix raises the CPU overtemp threshold to 88C for B4450. With the fix, the warning should be considered valid.

---

647137-1 : bigd/tmm con vCMP guests

Component: Local Traffic Manager

Symptoms:
bigd/tmm con vCMP guests.

Conditions:
Set up vCMP guest on VIPRION B2100, B4200, or B4300 blades.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
This release corrects this issue so the crash no longer occurs.

---

647108 : Deletion of saml-idp-connector may fail depending on the order in which related objects are deleted within a transaction

Component: Access Policy Manager

Symptoms:
The system posts messages similar to the following even when the server associated to the connector is also being deleted in the same transaction:
01070734:3: Configuration error: apm aaa saml-idp-connector: Cannot delete saml-idp-connector /Common/saml_connector because it is being used by aaa-saml-server (/Common/saml_server_test1

Conditions:
When deleting saml-idp-connector first then the associated saml server.

Impact:
Cannot delete saml-idp-connector and associated server in that specific order.

Workaround:
Delete saml server first and then delete the saml connector.

Fix:
Now saml-idp-connector can be deleted with associated objects in any order from a transaction.

---

647091 : EPSEC installation failure reason is not logged in certain conditions.

Component: Access Policy Manager

Symptoms:
EPSEC installation fails with no specific reason provided in the error message.

Conditions:
This happens only when there is a version mismatch between the EPSEC RPM's database and the shared RPM database on the BIG-IP system.

Often this happens if a switchboot is issued to activate an earlier version of BIG-IP software from a later version. The RPM database is shared, so on a switchboot, the RPM database version is not downgraded. This causes the subsequent EPSEC installation to fail. Although this is expected behavior, the reason for failure is not logged.

Impact:
Difficult to debug actual EPSEC installation failure reason.

Workaround:
None.

Fix:
The system now logs the EPSEC installation failure reason.

---

647071 : Stats for SNATs do not work when configured in a non-zero route domain

Component: Local Traffic Manager

Symptoms:
When creating SNAT in a Route Domain different from 0, the command 'tmsh show ltm snat' does not report any statistics.

Conditions:
This occurs on all SNATs in a route domain other than 0.

Impact:
No statistics for the SNATs

Workaround:
None.

Fix:
Stats for SNATs now work when configured in a non-zero route domain.

---

646928 : Landing URI incorrect when changing URI

Component: Access Policy Manager

Symptoms:
User accesses resource1, and an access policy starts. Before the policy completes, the user changes to resource2. There is a warning page that the session already exists, and the user clicks to create a new session. After the policy completes, the user is directed to the landing URI of the resource1.

Conditions:
Attempting to change landing URI in the middle of an access policy

Impact:
End-user is inconveniently directed to the first resource instead of the second.

Fix:
Now the "To open a new session, please click here." link on the APM logout page reflects the last used landing URI rather than the first used landing URI.

---

646890 : IKEv1 auth alg for ike-phase2-auth-algorithm sha256, sha384, and sha512

Solution Article: K12068427

Component: TMOS

Symptoms:
Changing the IKEv1 phase2 authentication algorithm to sha256, sha384, or sha512 does not work immediately, without a restart of the tmipsecd daemon.

Conditions:
If you change the ike-phase2-auth-algorithm attribute (inside an instance of ipsec-policy) to a value of sha256, sha384, or sha512, this causes a parse error when received by racoon. Thus the change does not take affect without a racoon restart.

Impact:
Cannot switch IKEv1 ipsec-policy to sha256, sha384, or sha512 authentication without either restarting BIG-IP or restarting tmipsecd.

Workaround:
Restarting the tmipsecd daemon causes a restart of all racoon processes, which causes the config to be re-read and then IKEv1 IPsec works correctly with SHA authentication algorithms.

Fix:
Now tmipsecd sends the correct incremental config description of SHA authentication algorithms to racoon, so that IKEv1 ipsec-policy reconfiguration works immediately without requiring a restart of tmipsecd.

---

646804 : call to tmctl in diskmonitor for the tmstat vmcp_stat table results in error: tmctl: vcmp_stat: No such table.

Component: TMOS

Symptoms:
diskmonitor added monitoring functionality for VM disks. As a result there is an call to tmctl in diskmonitor for the tmstat vmcp_stat table.

However, this call is also done on non-vCMP systems, which results in an error: tmctl: vcmp_stat: No such table.

Conditions:
Run diskmonitor on a non-vCMP system.

Impact:
The system posts the following error: tmctl: vcmp_stat: No such table. There is no functional issue when receiving this message on non-vCMP systems, so you can disregard the message.

Workaround:
None.

---

646800 : A part of the request is not sent to ICAP server in a specific case

Component: Application Security Manager

Symptoms:
The portion of the request that is not sent is not checked for viruses

Conditions:
ICAP is configured.

Impact:
There might be a false negative on anti-virus check

Workaround:
N/A

---

646782 : AFM TCP push flood DoS vector is not working with DoS auto detection

Component: Advanced Firewall Manager

Symptoms:
AFM TCP push flood DoS vector is not working with DoS auto detection.

Conditions:
-- Setting DoS auto detection for TCP push flood DoS vector.
-- Configured for AFM.

Impact:
No DoS auto detection for TCP push flood DoS vector.

Workaround:
None.

Fix:
TCP push flood DoS vector is working with auto detection mode.

---

646760-1 : Common Criteria Mode Disrupts Administrative SSH Access

Component: TMOS

Symptoms:
If Common Criteria mode is enabled the administrative SSH interface on BIG-IP may become unavailable

Conditions:
CC-mode enabled

Impact:
SSH interface not available

Fix:
Correct SSH configuration when in CC mode

---

646643 : HA standby virtual server with non-default lasthop settings may crash.

Component: Local Traffic Manager

Symptoms:
A long-running high availability (HA) Standby Virtual Server with non-default lasthop settings may crash TMM.

Conditions:
-- HA standby virtual server is configured on the system with non-default lasthop configurations (e.g., lasthop pools or autolasthop disabled, etc).

-- That virtual server receives more than 2 billion connections (2 billion is the maximum value of a 32-bit integer).

Impact:
TMM on the next-active device crashes. The Active device is not affected. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
HA standby virtual server configured with non-default lasthop configurations no longer crashes.

---

646615 : Improved default storage size for DNS Express database

Component: Global Traffic Manager (DNS)

Symptoms:
A tweak has been made to the DNS Express database to improve the initial database size.

Conditions:
DNS Express with configured zones.

Impact:
Possibly reduced database size.

Workaround:
N/A as this is an improvement.

Fix:
A tweak has been made to the DNS Express database to improve the initial database size.

---

646604 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where a NT LanManager (NTLM) authentication profile and a OneConnect profile are used together in a LTM virtual server to label an authenticated connection to a Domain Controller (DC); if the persisted connection to the DC is re-used, the connection may hang. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.

---

646581 : Unnecessary disk monitor warnings for /var/asmdata1 on large platforms

Component: Application Security Manager

Symptoms:
On large platforms, when you are logged into the console you see the following warning displayed frequently: "Disk partition /var/asmdata1 has less than 30% free"

Conditions:
ASM is installed with large platform configuration (such as on 6900).

Impact:
Disk usage warning is displayed frequently. Since ASM will likely reach expected disk utilization of greater than 70% during normal operation on large platforms, the threshold is set too low.

Workaround:
Reduce the percentage at which disk monitor alerts for /var/asmdata1:

tmsh modify sys db platform.diskmonitor.limitwarn.var_asmdata1 value 15
tmsh modify sys db platform.diskmonitor.limitalert.var_asmdata1 value 10

---

646572 : Multiple log messages 'Async process socket is full' written to asm_config_server.log

Component: Application Security Manager

Symptoms:
While under CPU load, ASM policy adjustments by Automatic Policy Builder causes a flood of the following log message: Async process socket is full.

Conditions:
-- Device is under CPU load.
-- Automatic Policy Builder requests ASM policy adjustments.

Impact:
A flood of 'Async process socket is full' messages are written to /var/log/ts/asm_config_server.log.

Workaround:
None.

Fix:
'Async process socket is full' log messages are now throttled.

---

646563 : AVR external log should have the option to start publishing at random time

Component: Application Visibility and Reporting

Symptoms:
Every 5 minutes (or avrd interval), avrd sends entire external log.

If you have many BIG-IP systems, this can cause a spike in the syslog server.

Conditions:
This can occur intermittently when sending AVR data to external log servers.

Impact:
All logging is done at the same avrd interval, which can overload the external log servers.

Workaround:
There is no workaround at this time.

Fix:
A new DB variable was added: Avr.AddRandomDelayBeforeSnapshot.

If the DB variable is set to 'enable', avrd will add a random interval before sending data to the external log server.

The interval max value will be: ((avrd interval) / 2).

---

646500 : System Log is not visible for ASM-related user roles

Component: TMOS

Symptoms:
System Log is not visible for ASM-related user roles, even though the ui.logaccess db key is already set to enabled.

Conditions:
-- User is logged in as security editor or security admin.
-- The ui.logaccess key is enabled.

Impact:
Cannot access the system log from the GUI menu.

Workaround:
None.

Fix:
The system log menu is now shown when ui.logaccess db key is enabled.

---

646495 : BIG-IP may send oversized TCP segments on traffic it originates

Component: Local Traffic Manager

Symptoms:
Traffic from the Linux host on BIG-IP may send TCP segments larger than the advertised TCP MSS of a remote host.

Conditions:
Received TCP MSS (plus protocol overhead) smaller than configured MTU of interface.
Linux host sending large TCP segments, such as SNMP getbulk replies.

Impact:
TMM may send traffic to a TCP host that exceeds the host's advertised MTU.

Workaround:
disable segmentation offload for the nvic

Fix:
BIG-IP no longer originates traffic to TCP hosts that exceed that host's advertised MTU.

---

645805-3 : LACP PDUs generated by lacpd on i4x00/i2x00 platforms contain bad ethernet src mac address

Component: TMOS

Symptoms:
LACP PDUs generated by the 'lacpd' on the i4x00 & i2x00 platforms contain the wrong Ethernet source MAC address.

Conditions:
LACP configured on an trunk interface on i4x00 or i2x00 platforms.

Impact:
Some Cisco and Juniper switches discard these PDUs. They send PDUs as if the BIG-IP is not transmitting with a all-zeros 'Partner' section System ID. This renders LACP inoperable, and simply does nothing if the far end is configured for 'Passive'.

Fix:
Insure correct Source MAC address is inserted into the PDU.

---

645750 : EdgeClient doesn't notify the user when it's time to interact with the logon page.

Solution Article: K85023830

Component: Access Policy Manager

Symptoms:
EdgeClient doesn't notify the user when it's time to interact with the logon page.

Conditions:
When EdgeClient is minimized to the tray and the page requires user interaction no notification is shown.

Impact:
User may not know that EdgeClient is waiting for the input, hence VPN connection isn't established until user provides credentials

Workaround:
In the current Access Policy for each logon-page-and-language combination:
 * Go to advanced logon page customization.
 * Open the source code.
 * Find the following line:
   'externalWebHost.webLogonNotifyUser();'
 * Replace it with the following line:
   'externalWebHost.WebLogonNotifyUser();'

Note the uppercase 'W' at the beginning of 'WebLogonNotifyUser' replace string.

Fix:
Now Edge Client correctly notifies the user when it's time to interact with the logon page to perform authentication.

---

645729 : SSL connection is not mirrored if ssl session cache is cleared and resume attempted

Component: Local Traffic Manager

Symptoms:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

Conditions:
A previous ssl session is attempting to resume the connection after the ssl session cache has been cleared.

Impact:
Connection is established but is not mirrored.

Workaround:
Could be avoided by disabling ssl session cache.

Fix:
SSL connection is not mirrored if ssl session cache is cleared before attempting to resume the ssl connection.

---

645723 : Dynamic routing update can delete admin ip route from the kernel

Solution Article: K74371937

Component: TMOS

Symptoms:
Routes obtained from dynamic routing (BGP, etc.) can replace existing management route for the admin IP address, making the BIG-IP lose its management route. Static routes created via TMSH can replace management route.

Conditions:
Using TMSH to create "net route" that matches management network, or dynamic routing accepts a route that matches the management network.

Impact:
Losing the management network route, and potential loss of access to the BIG-IP via the management network.

Workaround:
Don't accept route updates for the management network. Don't create static routes for the management network.

Fix:
Management network admin IP address is now protected from being overwritten.

---

645717-2 : UCS load does not set directory owner

Component: TMOS

Symptoms:
When loading a UCS file the directory /etc/ssh will become owned by the first user in the UCS with an .authorized_keys file.

Conditions:
UCS loaded that contains users with .authorized_key files

Impact:
Ownership of /etc/ssh is set to a non-root user after UCS load. This does not interfere with normal system operation or SSH authentication but does not follow secure coding practices

Workaround:
Ownership of on /etc/ssh can be restored with the command: chown root /etc/ssh

Fix:
UCS load now explicitly sets ownership of the /etc/ssh directory to root.

---

645684 : Flash application components are loaded into wrong ApplicationDomain after Portal Access rewriting.

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application components are loaded into incorrect ApplicationDomain and in some rare cases this may cause errors in application.

Conditions:
This can occur when viewing Flash video while connected to APM.

Impact:
Flash applications might fail to render through Portal Access.

Workaround:
None

Fix:
Flash files accessed through Portal Access are now loading components into correct Application Domain. This improves compatibility with Flash apps.

---

645615 : zxfrd may fail and restart after multiple failovers between blades in a chassis.

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd may fail and restart after multiple failovers between blades in a single chassis.

Conditions:
DNS Express must be configured in a multi-blade chassis. If a blade transitions from active to backup to active states and the DNS Express (tmmdns.bin) database has been re-created while the blade was in backup status, zxfrd may fail when attempting to reference old data.

Impact:
zxfrd will create a core file and restart, picking up where it left off.

Workaround:
None.

Fix:
The cause of the failure is now addressed.

---

645490 : profile_clientssl should not be used with a transport-config

Component: Service Provider

Symptoms:
transport-config objects define outgoing connections. Clientssl profile configures ssl compression for incoming connections. Thus adding a clientssl profile to a transport config has no effect

Conditions:
clientssl profile defined in a transport-config object

Impact:
The clientssl profile will not be used

Workaround:
do not include a clientssl profile in a transport-config object

Fix:
profile validation has been improved to not allow adding a clientssl profile to a transport-config object.

---

645225 : GUI Pool Member statistics to be reset individually

Solution Article: K91019134

Component: TMOS

Symptoms:
GUI statistics page reset pool member stats is resetting the stats for the pool and all members.

Conditions:
When there is a pool member with traffic statistics and user wants to reset the pool member's statistics, the GUI resets at the pool level.

Impact:
All pool members statistics are reset.

Workaround:
Use tmsh to reset individual pool member statistics.

Fix:
The GUI now deletes each pool member's statistics independently rather than at the pool level. This is correct behavior.

---

645206 : Missing cipher suites in outgoing LDAP TLS ClientHello★

Solution Article: K23105004

Component: TMOS

Symptoms:
BIG-IP drops all SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). The same behavior is also seen for BIG-IP system auth via LDAP or AD when TLS is used.

Conditions:
You have LDAP servers requiring SHA256 and SHA384 ciphers for LDAP/TLS authentication.

Impact:
Servers requiring SHA for LDAP/TLS authentication will no longer be able to authenticate. This could suddenly break LDAP auth if you are upgrading from version 11.x where SHA256 and SHA384 existed.

Workaround:
Configure LDAP servers not to be dependent on SHA256 and SHA384 ciphers.

Fix:
The BIG-IP system now supports SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). You also see the same behavior for the BIG-IP system auth by way of LDAP or AD when TLS is used.

Behavior Change:
The BIG-IP system now supports SHA256 and SHA384 ciphers in the advertised ciphers list in the Client Hello when initiating LDAP/TLS with a pool member (in the case of a monitor). You also see the same behavior for the BIG-IP system auth by way of LDAP or AD when TLS is used.

---

645203 : Configuration load fails after upgrade when a SAML SSO config object is put in a sync-only device group★

Solution Article: K72361514

Component: Access Policy Manager

Symptoms:
Configuration load fails after upgrading BIG-IP from a previous version. The system posts an error similar to the following:

01070734:3: Configuration error: Invalid Devicegroup Reference. The sso_config_saml (/Common/Auth/<object>) requires apm_log_config (/Common/sso-log-setting-Notice) to be syncd to the same devices
Unexpected Error: Loading configuration process failed.

Conditions:
When a SAML SSO config object or a Form-Based SSO config object is configured in a folder and that folder is in a Sync-Only device group. When upgrading with the existing configuration, the configuration load will fail.

Impact:
The configuration does not load.

Workaround:
1. Disassociate the folder from Sync-Only device group using the following commands:
 
tmsh modify sys folder <folder name> device-group none
tmsh save sys config.
 
2. Upgrade and verify config loads.
 
3. Create log-setting in each folder.
 
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# cd <folder name>/
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common/<folder name>)(tmos)# create apm log-setting sso-log-setting-Notice { access add { general-log { log-level { access-control notice } publisher sys-sso-access-publisher } } }

Repeat this step for each log level: Alert, Critical, Debug, Emergency, Error, Informational, Notice, Warning, and use the appropriate log level accordingly.

4. Modify SSO log-settings to use log-setting created under the folder (<folder name>), according to their previous log level before upgrading. For example,
 
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify apm sso saml <folder name>/<sso object name> apm-log-config <folder name>/sso-log-setting-Notice
 
5. Associate Sync-Only device group SO1 to folder, as shown in the following example:
 
root@(temp12)(cfg-sync In Sync (Sync Only))(/S1-green-P:Active)(/Common)(tmos)# modify sys folder <folder name>/ device-group <DG name>
 
6. Verify config load.

Fix:
Configuration load now completes successfully after upgrade when a SAML SSO config object is put in a sync-only device group.

---

645197 : Monitors receiving unique HTTP "success" response codes may stop monitoring after status change

Component: Local Traffic Manager

Symptoms:
Monitors that return unique HTTP/1.1 200 codes (indicating success) will accumulate in the monitor history; upon monitor status change (such as to "fail"), this history is sent (from 'bigd' to 'mcpd') to indicate that monitor's new-status, plus historical context. This history may grow too large if no monitor status is detected for an extended time (such as days or weeks) when unique status codes are returned from the web server and accumulated in the history. Upon a monitor status change (such as from "success" to "fail"), notification from 'bigd' to 'mcpd' will fail due to this too-large history, resulting in the monitor remaining in its previous state (i.e., "success"). 'bigd' properly records the monitor status and continues to monitor; but 'mcpd' was not notified of that status change (due to message-send failure from the history being too large).

This is typically not an issue when the web server returns the same HTTP/1.1 200 code (indicating "success"), as 'bigd' will elide/merge the response-value into the monitor history (so the history does not continue to grow). However, for web servers generating a unique value for each success code (for example, by appending an always-unique transaction ID to the end of the HTTP/1.1 200 response), the history will continue to grow for that monitor until a status-change is detected.

Conditions:
Web server returns unique HTTP/1.1 200 (success) codes; and success history is accumulated for that monitor without status-change for extended time (typically days-or-weeks); followed by a monitor status change (such as from "success" to "fail").

Impact:
The monitor will remain in the "success" state, as the status-change will be "lost" ('bigd' properly recognizes the changed monitor status, but 'mcpd' is not notified of the change). The system may eventually self-correct, such as when 'bigd' detects further monitor status changes, and again forwards status-change notifications for that monitor to 'mcpd'.

Workaround:
Modify the web server configuration to not respond with unique HTTP/1.1 200 codes; thus, receiving the same return-code will elide/merge with previously accumulated values in the monitor history.

Fix:
HTTP/1.1 200 codes with unique values accumulate for limited history, rather than unbounded history, such that monitor status change notifications are always recorded.

---

645179 : Traffic group becomes active on more than one BIG-IP after a long uptime

Component: TMOS

Symptoms:
Traffic-groups become active/active for 30 seconds after a long uptime interval.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.

For example:

-- For 7 traffic groups, the interval is ~710 days.
-- For 15 traffic groups, the interval is ~331 days.

Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.

Impact:
Outage due to traffic-group members being active on both systems at the same time.

Workaround:
There is no workaround.

The only option is to reboot all the BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.

Fix:
Traffic groups no longer becomes active on more than one BIG-IP system in a device group after a long uptime interval.

---

645148 : MRF Diameter: persistence entry not created if message routed via iRule command

Component: Service Provider

Symptoms:
MRF Diameter route table implementation does not add a persistence entry if the message is routed via an iRule.

Conditions:
-- MRF Diameter configured.
-- Message is routed via an iRule.

Impact:
A Diameter persistence entry will not be created. Since MRF Diameter persistence may be bidirectional, not having the persistence entry will keep message flowing in the opposite direction from being automatically routed via persistence.

Workaround:
Use an iRule to route messages directed towards the original client.

Fix:
MRF Diameter will add a persistence entry for message routed via an iRule.

---

645101 : OpenSSL vulnerability CVE-2017-3732

Solution Article: K44512851

---

645058 : Modifying SSL profiles in GUI may fail when key is protected by passphrase

Solution Article: K93819312

Component: Local Traffic Manager

Symptoms:
When a client SSL profile has a Certificate Key Chain (CKC) entry with a passphrase-protected key, attempting to modify/update the profile via the GUI may fail, and produce an error similar to the following:

01070313:3: Error reading key PEM file <Key_File_Path> for profile <Profile_Name>: error:0906A068:PEM routines:PEM_do_header:bad password read.

This can occur even when the passphrase already in the SSL profile is correct.

Conditions:
Upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

Alternately, creating an SSL profile with a custom cert-key-chain name that references a passphrase-protected key, e.g.:

tmsh create ltm profile client-ssl example-profile defaults-from clientssl cert-key-chain replace-all-with { no { cert protected.crt key protected.key passphrase password } }

Impact:
User cannot update client SSL profile via the GUI.

Workaround:
Modifications to the profile can be made from tmsh. Alternately, delete the CKC and recreate it.

Fix:
User can now update client SSL profile after upgrading a BIG-IP system from a version prior to BIG-IP v11.5.0 to v11.5.0 or later, while having a passphrase-protected key specified in the profile.

---

645036-1 : Removing pool from virtual server does not update its status

Solution Article: K85772089

Component: Local Traffic Manager

Symptoms:
Removing a pool from a virtual server does not update the virtual server's status.

Conditions:
1) Create a pool and assign a monitor to it.
2) Ensure the pool goes green.
3) Create a virtual server without assigning the pool to it.
4) Ensure the virtual server stays blue (unknown).
5) Associate the pool to the virtual server.
6) Ensure the virtual server goes green (available).
7) Remove the pool from the virtual server.
8) The virtual server should go back to blue (unknown); however, it doesn't and stays green.

Impact:
The virtual will appear to be associated with a monitored pool when it is not. This should have no functional impact on the virtual server, since a virtual server without a pool has no traffic to pass, and associating a pool with the virtual server will reflect the pool status.

Workaround:
Restart the BIG-IP system. The status should be blue/unchecked once again after the BIG-IP is restarted.

Note: Restarting the BIG-IP system might have an impact on existing traffic. Because this issue is cosmetic, this workaround is not recommended for BIG-IP systems in production.

Fix:
Associating a pool with the virtual server now correctly updates the virtual server status.

---

644979 : Errors not logged from hourly 1k key generation cron job

Solution Article: K02641631

Component: TMOS

Symptoms:
Errors from the 1k key generation hourly cron job do not get logged as intended from the hourly 1024-bit key generation task.

Conditions:
This occurs during hourly generation of ephemeral keys.

Impact:
Errors from the 1k key generation hourly cron job do not get logged, and hourly generation of ephemeral keys fails.

Workaround:
Change "loggcercmd" to "loggercmd" in /etc/cron.hourly/genkeys-1024.

Fix:
Errors from the 1k key generation hourly cron job now get logged as intended from the hourly 1024-bit key generation task.

---

644975 : /var/log/maillog contains errors when ssmtp is not configured to use a valid mailhost

Solution Article: K09554025

Component: TMOS

Symptoms:
Entries in /var/log/maillog similar to the following:
err sSMTP[25793]: Unable to connect to "localhost" port 25.

Conditions:
This happens when certain crontab configuration files do not specify MAILTO="" at the top, and some of the scripts appearing in those files output something to STDOUT or STDERR. This causes the system to try to send an email with that output, which will fail when ssmtp is not configured to use a valid mailhost.

Impact:
Error messages logged to /var/log/maillog. Note that the maillog file is rotated so it doesn't fill up the /var/log volume.

Workaround:
1) Run the "crontab -e -u root" command; this will open the root user's crontab configuration in your default text editor.

2) Move the MAILTO="" line to the top of the file, right under the "# cron tab for root" banner.

3) Save the file and exit the text editor to install the root user's new crontab configuration.

4) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/crontab file.

5) Using a text editor of your choice, replace MAILTO=root with MAILTO="" in the /etc/cron.d/0hourly file.

6) To verify that MAILTO=root does not appear anywhere else, run the following command: grep -i -r mailto /etc/cron*.

7) If the previous command shows MAILTO=root still appears in some files, also modify those file so that MAILTO=root becomes MAILTO="".

Fix:
The crontab configuration files now specify MAILTO="" at the top, so the /var/log/maillog errors no longer occur.

---

644970 : Editing a virtual server config loses SSL encryption on iSession connections

Component: Wan Optimization Manager

Symptoms:
Editing a virtual server configuration causes iSession connection resets or unencrypted iSession connections to be established, because the virtual server's dynamically configured default server-ssl profile has been deleted.

Conditions:
A virtual server has a server-side iSession profile with data-encrypt enabled. This virtual server also lacks client-ssl and server-ssl profiles.

Impact:
After editing the virtual server, iSession connections fail to be established if the destination iSession listener has a client-ssl profile with allow-non-ssl disabled. If the destination iSession listener has allow-non-ssl enabled, unencrypted iSession connections are established.

Workaround:
Modify the virtual server's configured server-side iSession profile. For example toggle the iSession profile from A to B and then back to A.

Fix:
Editing a virtual server configuration no longer deletes
an iSession dynamically configured default server-ssl profile.

---

644950 : GUI LTM Monitors to show related Pools for Pool Members

Component: TMOS

Symptoms:
Monitor/Instances page only list Pool Members and not their related Pools.

Conditions:
Assign a monitor to a pool member. Only the pool member is listed on the Monitor/Instances page.

Impact:
It is difficult to determine which pool the pool member is related to.

Workaround:
You can search within each pool to find the pool member.

Fix:
Change page to show related pool on the same page.

---

644904 : tcpdump 4.9

Solution Article: K55129614

---

644873 : ssldump can fail to decrypt captures with certain TCP segmenting

Solution Article: K97237310

Component: Local Traffic Manager

Symptoms:
ssldump fails to decrypt a capture. In rare circumstances, ssldump can crash.

The ssldump might display output similar to the following:
1 25 0.4781 (0.0000) S>CShort record
Unknown SSL content type 224
1 26 0.4781 (0.0000) S>CShort record
Unknown SSL content type 142
...
1 30 0.4781 (0.0000) S>CShort record
1 31 0.6141 (0.1359) S>CV231.213(45857) application_data

Conditions:
ssldump is decrypting traffic where an SSL record header spans TCP segments.

Impact:
ssldump can fail to fully decrypt the capture starting at the frame where the SSL record spans a TCP segment. Depending on the remaining data in the TCP stream, ssldump can crash.

Workaround:
None.

Fix:
ssldump now successfully decrypt a capture, so ssldump no longer crashes.

---

644870-1 : Improvements of protocol for sending data to AppIQ offbox via TCP

Component: Application Visibility and Reporting

Symptoms:
BIG-IP fails to handle these cases:
1. One AppIQ node is down, and so TCP connection need to be established to another node in AppIQ.
2. All nodes are down, no TCP connection can be established. The number of retries in this case need to be limited per snapshot, so resources are not consumed on the BIG-IP side if AppIQ system is down (current logic is a retry to open connection for every message, need to have few retries per snapshot).

Conditions:
BIG-IP is configured to send statistics to offbox via TCP protocol.

Impact:
1. Data are not sent when they can be sent (to another AppIQ node)
2. BIG-IP resources are consumed by multiple number of reties.
3. When TCP connections can't be established the systen doesn't free connection file descriptors, so at some point the avrd process goes out of file descriptors.

Fix:
1. Added an ability to configure multiple AppIQ IP addresses in external text file /etc/avr/ecm_ip_list.cfg
2. For every type of messages (tmstat, stst snapshots, etc.) BIG-IP makes only 2 attempts to reconnect to every IP provided. If it can't establish connection it doesn't try to send the messages of this type.
3. File descriptors are freed after every not successful connection attempt.
4. An upgrade mechanism for /etc/avr/ecm_ip_list.cfg is implemented.

Behavior Change:
1. Added an ability to configure multiple AppIQ IP addresses in external text file /etc/avr/ecm_ip_list.cfg
2. For every type of messages (tmstat, stst snapshots, etc.) BIG-IP makes only 2 attempts to reconnect to every IP provided. If it can't establish connection it doesn't try to send the messages of this type.
3. File descriptors are freed after every not successful connection attempt.
4. An upgrade mechanism for /etc/avr/ecm_ip_list.cfg is implemented.

---

644855 : irules with commands which may suspend processing cannot be used with proactive bot defense

Component: Advanced Firewall Manager

Symptoms:
A request is dropped.

Conditions:
1. The proactive bot defense is assigned to the virtual.
2. An iRule which suspends processing is assigned to the virtual. (includes a command like the "after" commands")

For more information on which TCL commands park, see K12962: Some iRule commands temporarily suspend iRule processing, available at https://support.f5.com/csp/article/K12962

Impact:
All requests which issue the proactive bot defense and the iRule will get dropped.

Workaround:
N/A

Fix:
irules which suspends the execution won't cause a request drop when the proactive bot defense is assigned.

---

644851 : Websockets closes connection on receiving a close frame from one of the peers

Component: Local Traffic Manager

Symptoms:
Websocket connection should be closed once an endpoint has both sent and received a Close control frame. BIG-IP closes connection on receiving a close frame from peer and does not wait for close frame from other endpoint. This results in data sent in the other direction to be dropped.

Conditions:
Websocket and HTTP profile are attached to the virtual.

Impact:
One endpoint sends a Websocket Close control frame. Other endpoint continues sending data which is dropped by BIG-IP.

Fix:
Half-close of connection will be triggered instead of closing the connection entirely.

---

644817 : Unexpected behaviour during a DNS(GTM) server creation with wrong option in product field: nullGeneral database error.

Component: Global Traffic Manager (DNS)

Symptoms:
On a GSLB Server create page, in the Product dropdown, you are able to select a separator option which causes an error when pressing the Finished button.

Conditions:
This occurs when you pick the separator option "-----------" in the product dropdown.

Impact:
Null General Database error is thrown.

Workaround:
Avoid picking the separator option as GSLB Server product type.

Fix:
The separator option is now non-selectable.

---

644805-1 : Kernel.el7.2: BIG-IP VIPRION B4450 - ACPI complaints about unpopulated cpu cores

Component: TMOS

Symptoms:
Due to the way modern Intel Haswell CPU BIOSes are typically configured, the BIOS presents an ACPI table, which includes details for unpopulated CPU sockets and on each socket unpopulated CPU cores.

Note: This is not F5-platform-specific, as the same can be seen on many high-end servers.

For physical cpu socket#0 and socket#1, the actual number of CPUs is 24 per socket. The possible number of CPUs is 36 per socket. For unpopulated socket#2 and socket#3, the actual number of CPUs is 0. The symptom is dmesg output similar to the following:


[ 3.198255] ACPI: \_SB_.SCK0.CP18: failed to get CPU physical ID.
[ 3.198266] ACPI: \_SB_.SCK0.CP19: failed to get CPU physical ID.
[ 3.198276] ACPI: \_SB_.SCK0.CP1A: failed to get CPU physical ID.
[ 3.198286] ACPI: \_SB_.SCK0.CP1B: failed to get CPU physical ID.
[ 3.198296] ACPI: \_SB_.SCK0.CP1C: failed to get CPU physical ID.
[ 3.198306] ACPI: \_SB_.SCK0.CP1D: failed to get CPU physical ID.
[ 3.198316] ACPI: \_SB_.SCK0.CP1E: failed to get CPU physical ID.
[ 3.198326] ACPI: \_SB_.SCK0.CP1F: failed to get CPU physical ID.
[ 3.198336] ACPI: \_SB_.SCK0.CP20: failed to get CPU physical ID.
[ 3.198346] ACPI: \_SB_.SCK0.CP21: failed to get CPU physical ID.
[ 3.198356] ACPI: \_SB_.SCK0.CP22: failed to get CPU physical ID.
[ 3.198366] ACPI: \_SB_.SCK0.CP23: failed to get CPU physical ID.

...

The normal at-boot dmesg output should show 96 lines of output since the maximum populated would be 4 * 36 which is 144, but there are only 48 CPUs present.

Conditions:
Booting of BIG-IP 7.2 kernels on VIPRION B4450 blades will show this routinely at each boot.

Impact:
None. This is purely cosmetic output due to to how the BIOS is configured.

There is nothing functionally wrong; the messages are simply diagnostic output that appears in dmesg output. The messages can be safely ignored.

Workaround:
None.

Fix:
The system now silences the cosmetic 'failed to get CPU physical ID' messages for the Intel Haswell BIOS.

---

644799 : TMM may crash when the BIG-IP system processes CGNAT traffic.

Solution Article: K42882011

Component: TMOS

Symptoms:
TMM may crash when the BIG-IP system processes CGNAT traffic.

Conditions:
A TMM connflow related to CGNAT traffic is expired.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when the BIG-IP system processes CGNAT traffic.

---

644725 : Configuration changes while removing ASM from the virtual server may cause graceful ASM restart

Solution Article: K01914292

Component: Application Security Manager

Symptoms:
Configuration changes while removing ASM from the virtual server may cause graceful ASM restart.

Conditions:
A reconfiguration / headers configuration happens while the ASM is removed from a VIP. This may happen especially in scripts that create a config or remove a config.

Impact:
ASM restarts. The system goes offline. A failover may happen.

Workaround:
Ensure that there is some time between setting a configuration to removing ASM from the VIP.

---

644723-3 : cm56xxd logs link 'DOWN' message when an interface is admin DISABLED

Component: TMOS

Symptoms:
If you disable an interface, the interface is erroneously logged as DOWN:

Feb 12 23:14:09 i5800-R18-S30 info bcm56xxd[8210]: 012c0015:6: Link: 1.1 is DOWN

Conditions:
This is logged when disabling an interface.

Impact:
Log message says the interface is DOWN, it should say DISABLED.

---

644693 : Fix for multiple CVE for openjdk-1.7.0

Solution Article: K15518610

---

644565 : MRF Message metadata lost when routing message to a connection on a different TMM

Component: Service Provider

Symptoms:
The system might choose to create a new outgoing connection when there is an available exiting connection that can be used.

Conditions:
When a message is forwarded to another TMM for delivery, an internal state might be lost.

Impact:
Messages should be delivered correctly as the metadata is lost after routing. There might be an impact if routing is retried and the ignore-peer-port setting is lost. This might cause a new connection to be created when an available existing connection exists.

Workaround:
None.

Fix:
The system now ensures that the ignore-peer-port flag is preserved when forwarding a message to a connection on another TMM.

---

644537 : Some temporary files created by ASM have write permissions for all users.

Component: Application Security Manager

Symptoms:
Some temporary files created by ASM have write permissions for all users.

Conditions:
No specific conditions.

Impact:
Temporary files with write permission for all raise risk of being changed by other processes.

Workaround:
None.

Fix:
Temporary files created by ASM now have write permissions only for the relevant users.

---

644517 : LTM 12.1.1 - f5.http iapp enables mirroring based on inverse of cm_sync_status

Component: TMOS

Symptoms:
The logic for ltm virtual mirror enable/disable is inverted such that it is enabled in standalone mode and disabled in a cluster.

Conditions:
This occurs if you are using cluster mode with f5.http, f5.sharepoint_2010, f5.bea_weblogic, and other http-based iApps.

Impact:
Mirroring is not enabled in cluster mode.

Workaround:
Disable strict-updates and modify the virtual.

Fix:
Fix corrects mirror configuration in HTTP-based iApp deployments.

---

644490 : Finisar 100G LR4 values need to be revised in f5optics

Component: TMOS

Symptoms:
The original tuning values for the Finisar 100G LR4 optics don't support module tuning. You might see FCS errors.

Conditions:
FCS errors can be observed with the shipping Finisar 100G LR4 tuning values.

Impact:
Occasional packet loss at the 100G physical layer.

Workaround:
Use 100G SR4 optics modules on the link if possible.

Fix:
FCS errors no longer occur using the latest Finisar 100G LR4 tuning values.

For information on installing and using the latest f5optics package (build 48.0 or later) that contains these tuning values, see F5 Platforms: Accessories (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/f5-plat-accessories.html).

---

644489 : Unencrypted iSession connection established even though data-encrypt configured in profile

Solution Article: K14899014

Component: Wan Optimization Manager

Symptoms:
iSession connections may be intermittently established as unencrypted even though they are configured to be secure.

Conditions:
Either of two scenarios can result in an unencrypted iSession connection being established:
    1) An error occurs during dynamic server-ssl profile replacement.
    2) Both the WOM local-endpoint and destination WOM remote-endpoint lack server-ssl profiles.

In both cases the virtual server must have a server-side iSession profile with data-encrypt enabled and the remote virtual must have a client-ssl profile with allow-non-ssl enabled.

Impact:
An unencrypted iSession connection may be established which is inconsistent with configuring data-encrypt as enabled in the sever-side iSession profile.

Workaround:
Configure the client-ssl profile with allow-non-ssl disabled (the default value) to reject non-SSL connections.

Fix:
The outgoing connection is aborted if the server-side iSession profile is configured with data-encrypt enabled and either of the two following scenarios occurs:
    1) The destination remote-endpoint and the local-endpoint lack server-ssl profiles.
    2) An error occurs during dynamic server-ssl profile replacement.

---

644447 : sync_zones script increasingly consumes memory when there is network connectivity failure

Component: Global Traffic Manager (DNS)

Symptoms:
sync_zones memory usage exponentially increases during network disruption

Conditions:
Network interruption occurs during the "Retrieving remote DNS/named configuration" stage of a gtm_add operation.

Impact:
Memory increases exponentially, potentially resulting in an eventual out-of-memory condition.

Workaround:
None.

Fix:
sync_zones script now exits successfully at network failure.

---

644418 : Do not consider self-signed certificate in hash algorithm selection when Forward Proxy forges a certificate

Component: Local Traffic Manager

Symptoms:
SSL Forward Proxy signs a forged certificate with a hash algorithm. This selected hash algorithm is the weakest algorithm from the certificates in the server certificate chain including the self-signed certificate.
Many of the self-signed certificates use the SHA1 hash algorithm, which is not acceptable to many sites. The SSL handshake may be rejected.

Conditions:
This may occur when SSL Forward Proxy is in use.

Impact:
Forged certificate with SHA1 hash algorithm may be rejected during SSL handshake and the SSL handshake will then fail.

Workaround:
None.

Fix:
In this release, the system excludes self-signed certificates in hash algorithm selection (which is correct behavior). This may prevent forged certificate from using SHA1 hash algorithm

---

644416 : iControl REST receives error code '500' and 'Internal error occurred' in the return for the list (GET) for /mgmt/tm/sys/crypto/cert

Solution Article: K29545416

Component: TMOS

Symptoms:
BIG-IP returns error code '500' and 'Internal error occurred' messages followed by the certificate's properties when you attempt to list (GET) the certificate's properties via sys/crypto/cert using iControl REST, for example, using the following command:
'curl -sk -u admin:admin https://10.10.10.10/mgmt/tm/sys/crypto/cert/dummy.crt | ~/bin/jq-linux64-icontrol-rest'.

Conditions:
The issue is seen when both of the following conditions are met:
1. The certificate is not self-signed and has an OCSP validator assigned to it.
2. /mgmt/tm/sys/crypto/cert is used to obtain the certificate's content.

Impact:
The certificate's properties are printed after error messages and cannot be properly parsed by JSON parser.

Workaround:
This is a cosmetic issue, because the certificate's properties are still printed.

Fix:
The certificate's properties are now properly output via iControl REST.

---

644404 : Extracting SSD from system leads to Emergency LCD alert★

Component: TMOS

Symptoms:
When an SSD in a dual-SSD system configuration is extracted, an emergency alert may be issued on the LCD. This does not match the actual severity (Warning) as reported in the LTM log.

Conditions:
Dual SSDs in any BIG-IP system where one has been selected for removal.

Impact:
LCD reports an Emergency-level alert, which does not match the actual Warning severity reported in the LTM log.

Workaround:
Clear the Emergency alert from the LCD.

Fix:
The classification for SSD removal has been changed to 'Warning' to match the LTM log level.

---

644282 : Incorrectly formatted log entry for Route

Solution Article: K88633423

Component: Local Traffic Manager

Symptoms:
Some TMM log entries for routes are incorrectly formatted.

Conditions:
TMM log entries for when routes are reachable, unreadable are incorrectly formatted for prefix information.

Impact:
Cosmetic, no functional impact.

Workaround:
None.

Fix:
The route logging call now correctly includes the route-domain.

---

644220 : Flawed logic when retrieving an LTM Virtual Server's assigned Link on the LTM Virtual Server Properties page

Component: Global Traffic Manager (DNS)

Symptoms:
Under LTM :: Virtual Servers :: Properties, the "Link" value sometimes displays "none" when it should display an actual link name.

Conditions:
This happens under certain configuration of Self IP / GTM Servers / GTM Links / LTM Virtual Servers.

Impact:
When conditions are met, the Virtual Server's link information displayed is not correct.

Workaround:
None.

Fix:
Virtual Server's assigned Link on the LTM Virtual Server Properties page is now displayed correctly.

---

644184 : ZebOS daemons hang while AgentX SNMP daemon is waiting.

Solution Article: K36427438

Component: TMOS

Symptoms:
ZebOS daemons hang while AgentX SNMP daemon is unresponsive.

Conditions:
- Dynamic routing is enabled.
- SNMP is enabled.
- SNMP is unresponsive which could be caused by several issues such as snmpd calling an external script that takes several moments to return or mcpd is slow to respond to snmpd queries.

Impact:
Dynamic routing may be halted for the duration of AgentX daemon being busy.

Workaround:
If snmpd is calling external scripts that take several moments to return, then stop using the external script.

Fix:
ZebOS daemons no longer hangs while AgentX is waiting.

---

644112-1 : Permanent connections may be expired when endpoint becomes unreachable

Solution Article: K56150996

Component: Local Traffic Manager

Symptoms:
Permanent connections, such as those used between tunnel endpoints, can be deleted when the route to the remote endpoint is removed.

Conditions:
-- Permanent connection, such as a tunnel.
-- Routing updates, either from explicit static or dynamic routes, or modifying self IP addresses.

Impact:
Tunnel, or other affected connection, will not pass traffic.

Workaround:
Remove and re-add the affected connection: e.g., delete and re-configure tunnel.

Fix:
Routing updates can no longer lead to expired permanent connections.

---

643860 : Attempt to read or write to the file /dev/vnic can cause TMM to restart and TMM may not startup properly

Component: Local Traffic Manager

Symptoms:
There is no indication that mcpd has restarted, but the system logs messages similar to the following:

-- In /var/log/tmm:
  notice MCP connection expired early in startup; retrying.

In/var/log/ltm:
  mcpd[5747]: 01070406:5: Removed publication with publisher id TMM1.

Conditions:
The file /dev/vnic is opened by something other than BIG-IP programs.

Impact:
The TMM processes will restart and fail to come up properly.

Workaround:
To recover, reboot the system.

Note: Do not perform file open operations on /dev/vnic. There is no need to.

---

643839 : lind log levels Alert, Emergency, Verbose not configurable

Component: TMOS

Symptoms:
When attempting to configure the sys db variable "log.lind.level" through tmsh, the following options are presented:
  Alert
  Critical
  Debug
  Emergency
  Error
  Informational
  Notice
  Verbose
  Warning

However, only the following options can be configured via tmsh:
  Critical
  Debug
  Error
  Informational
  Notice
  Warning

Attempting to configure the Alert, Emergency, or Verbose log levels produces and error like the following:

01070911:3: The requested enumerated (alert) is invalid (critical, error, warning, notice, informational, debug) for loglevel in daemon_lind (/Common/daemon_lind).

Conditions:
This occurs when you attempt to configure the "log.lind.level" sys db variable through tmsh.

Impact:
Unable to configure the Alert, Emergency, or Verbose log levels for the lind daemon.

Workaround:
Use one of the supported log levels to configure the "log.lind.level" sys db variable:
  Critical
  Debug
  Error
  Informational
  Notice
  Warning

Fix:
The "log.lind.level" sys db variable can now be configured for all logging levels supported by the lind daemon:
  Alert
  Critical
  Debug
  Emergency
  Error
  Informational
  Notice
  Verbose
  Warning

---

643813 : ZoneRunner does not properly process $ORIGIN directives

Solution Article: K32906881

Component: Global Traffic Manager

Symptoms:
During an import zone operation, ZoneRunner incorrectly associates the "@" directive with the zone name and not $ORIGIN specified.

Conditions:
If the zone file to be imported contains the $ORIGIN directive, the following "@" directives will reference the zone name, which is incorrect.

Impact:
Zones will not be imported correctly.

Workaround:
Use the named-compilezone tool to "normalize" the zone file before importing into ZoneRunner.

The syntax for this command is similar to the following:
named-compilezone -s full -o outputfilename zone_name input.file
(For information about the other available options, see the named-compilezone tool's man page.)

For example, given a zone file named example.com.file that contains the following information:

"example.com"
$TTL 3600
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
@ IN NS ns1.example.com.
ns1.example.com. IN A 1.1.1.1
$ORIGIN alpha.example.com.
@ IN A 2.2.2.2
$ORIGIN bravo.example.com.
@ IN A 3.3.3.3

The command is as follows:

named-compilezone -s full -o example.com.file.full example.com example.com.file

The contents of the new file are:
example.com. 86400 IN SOA ns1.example.com. hostmaster.ns1.example.com. 2017020201 10800 3600 604800 86400
example.com. 3600 IN NS ns1.example.com.
alpha.example.com. 3600 IN A 2.2.2.2
bravo.example.com. 3600 IN A 3.3.3.3
ns1.example.com. 3600 IN A 1.1.1.1

Which is correct. This file can then be used to import into ZoneRunner.

---

643783 : TMM crash when sweeper in aggressive mode touches a Tcl execution Diameter connflow.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes, resulting in potential loss of service.

Conditions:
Diameter is configured, and the sweeper in aggressive mode hits the Tcl execution Diameter connflow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when sweeper in aggressive mode touches a Tcl execution Diameter connflow.

---

643777 : LTM policies with more than one IP address in TCP address match may fail

Solution Article: K27629542

Component: Local Traffic Manager

Symptoms:
An LTM policy using a rule that attempts to match based on a list of IP addresses may fail if more than one IP address is used.

Conditions:
LTM policy rule with a 'tcp match address' statement that attempts to match against more than one IP address.

Impact:
The action configured with the match may not be taken.

Workaround:
Use one of the following workarounds:
- Use a subnet instead of single IP addresses.
- Use a datagroup with the list of IP addresses to match.
* Datagroup option available beginning in v13.0.0.

Fix:
The BIG-IP system now correctly matches several IP addresses in LTM policies.

---

643768-2 : Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.★

Component: TMOS

Symptoms:
If there are invalid entries in the SNMP allowed-address field, or in the SNMP communities source field, upgrade to v13.0.0 fails to load the configuration on validation of the input, with this error signature:

01070911:3: The requested host (<host-ip-address>) is invalid for allow in snmpd (/Common/snmpd),
Unexpected Error: Loading configuration process failed.

Conditions:
This can happen when upgrading from a release older than 13.0.0, and there is an invalid entry in the SNMP allowed-address field or communities source field, such as:

sys snmp {
    allowed-address { 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
    }
}

Impact:
Upgrade to 13.0.0 fails if the configuration contains these invalid values, due to input validation that was added in this version.

Workaround:
Remove the invalid entries from these 2 field types before doing an upgrade to 13.0.0.

Fix:
The fix removes the invalid entries from the configuration on upgrade automatically.

---

643752 : Specific configuration change sequence crashes TMM

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while making a configuration change.

Conditions:
1. insert ip "::" and "::/128" to ip list in dos profile.
2. remove it
3. insert it again.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A

Fix:
Fixed a configuration crash sequence scenario

---

643733 : ssldump crashes when processing out-of-order packet

Component: Local Traffic Manager

Symptoms:
ssldump crashes when processing packet capture.

Conditions:
Packet capture contains out-of-order SSLv2 client handshake hello message; i.e. client hello packet comes after server hello packet.

Impact:
This should be a rare case. If crash happens, it makes traffic analysis more difficult.

Workaround:
Wireshark provides similar functionality.

Fix:
Fix crash; enable processing of out-of-order SSLv2 hello message.

---

643673 : Creating a route domain with error on GUI gives incorrect error message

Solution Article: K34307244

Component: TMOS

Symptoms:
Creating a route domain with a blank 'ID' row (a required field) returns a 'General Database Error' instead of a required field error. This also results in loss of previous changes. You must start over to create the route domain.

Conditions:
Creating a blank route domain occurs when clicking the 'Finished' button when the ID field is blank.

Impact:
Clicking the 'Finished' button when the ID field is blank, any previous changes are lost when then General Database Error is returned.

Workaround:
Fill in the ID field before clicking the 'Finished' button

Fix:
Now if the ID field is left blank, the user is presented with the expected required field' error and previous changes are preserved.

---

643646 : Add a new configuration option in tmsh to disallow exporting of private keys in iControl and GUI

Component: TMOS

Symptoms:
The system currently offers a variety of key and certificate export functionalities through iControl and GUI. However, there is no way for administrators to disallow exporting of private keys in iControl and GUI.

Conditions:
Using iControl and GUI to export of private keys.

Impact:
No way to prevent exporting of private keys.

Workaround:
None.

Fix:
By default, key export is enabled. Now an administrator can disable key export by using the tmsh command below.

tmsh modify sys crypto allow-key-export value disabled

Behavior Change:
There is a new configuration option to disallow exporting of private keys in iControl and GUI. By default key export is enabled. Now an administrator can disable key export by using the following tmsh command:

tmsh modify sys crypto allow-key-export value disabled

---

643602 : 'Select All' checkbox selects items on hidden pages

Component: Fraud Protection Services

Symptoms:
In FPS GUI, clicking 'Select All' when the list contains more than 10 items, selects all items and not just the items on the current page, as expected.

Conditions:
-- FPS provisioned and licensed.
-- Check 'Select All' and click Delete on a list page containing enough items to span more than one page, for example:

On the Security :: Fraud Protection Service :: Anti-Fraud Profile :: Mobile Security :: Man in the Middle Detection page, add 20 domains. This creates two pages of domains on the list page. When you then check 'Select all' and click Delete, all 20 domains are deleted instead of the expected 10 visible on the page.

Impact:
Unexpected behavior: items are deleted from pages that are not visible.

Workaround:
Check one or more items individually for deletion.

Fix:
Clicking the 'Select All' checkbox now selects all items on the currently visible page.

---

643582 : Config load with large ssl profile configuration may cause tmm restart

Component: Local Traffic Manager

Symptoms:
When doing a config load with a large number of ssl profiles tmm may become busy enough to cause mcp tcp connection to go down and cause tmm restart.

Conditions:
Doing a full config load with large number of ssl profiles.

Impact:
Possible tmm restart.

Workaround:
Doing incremental sync of changes can avoid this issue.

Fix:
A full configuration reload with large number of ssl profiles may cause tmm restart.

---

643554 : OpenSSL vulnerabilities - OpenSSL 1.0.2k library update

Solution Article: K37526132 K44512851 K43570545

---

643547 : APMD initialization may fail when large number of access policy agents are configured in access policies installed on BIG-IP

Solution Article: K43036745

Component: Access Policy Manager

Symptoms:
Requests to /my.policy are not getting HTTP responses.

Log file '/var/log/apm' contains large number of error messages about failed XML data creation:

err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL.

Conditions:
The BIG-IP system is used with APM provisioned, and there are a large number of access policy agents configured across all access policies.

The issue occurs only at APMD startup time, e.g., when the BIG-IP system is reloaded, a new image is installed, or the apmd service is manually restarted.

When issue happens /var/log/apm will contain a large number of similar error messages :

 err apmd[5076]: 01490207:3: SAML Agent XML thread specific data creation error: ERR_FAIL

Impact:
APMD will not able to process any requests.

Workaround:
For some configurations and platforms, you can use the following steps to recover:

- Remove all unused access policies (if applicable).
- Restart apmd.

Fix:
Now APMD initialization will no longer fail at XML initialization when a large number of access policies/agents are present in the configuration.

---

643459 : Unable to login to BIG-IP Configuration Utility when BIG-IP is behind a Reverse proxy

Solution Article: K81809012

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you are not able to log in to the Configuration Utility. Instead you will see a login error, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP in the Referer header.

Behavior Change:
Customers who are utilizing the BIG-IP Configuration Utility behind a reverse proxy that does not transparently set the Referer header will be unable log in.
Prior to the change, there were no restrictions on logging in.

---

643457 : Config load failure with connectivity resource name the same as a SAML Resource★

Component: Access Policy Manager

Symptoms:
A SAML Resource with the same name as another connectivity resource or webtop link is allowed to be created. The other way around is not allowed. An MCP error is thrown if you try to create a connectivity resource object (ex: Portal Access) or a webtop link having the same name as a SAML Resource. The error looks similar to the following example:
 The connectivity resource name (/Common/<resource>) is already assigned to another connectivity resource.

On saving such a configuration (SAML Resource name same as another connectivity resource or webtop link), and loading it, there is an error.

Conditions:
1. Create a SAML Resource with the same name as another connectivity resource or a webtop link.

2. Save sys config.

3. Load sys config.

Impact:
Configuration fails to load. This causes failure in licensing, upgrading and importing configurations.

Workaround:
The workaround is to not create a SAML Resource with the same name as another connectivity resource or a webtop link.

Fix:
Validation for SAML Resource name now checks that the name is not assigned to another connectivity resource or webtop link object. Object name must be unique among all (connectivity_resource objects and webtop link objects). Connectivity resource objects are - saml resource, portal access, app-tunnel, remote desktop, network-access. This validation is enforced in both TMUI and TMSH.

---

643411 : High memory usage for avrd statistics

Solution Article: K59119323

Component: Application Visibility and Reporting

Symptoms:
On B4450 blade, the avrd log receives constant error messages similar to the following in ltm.log/avrd.log:


 err merged[40445]: 011b0900:3: TMSTAT error tmstat_create_scripts: Resource temporarily unavailable.

 User timeout 5 is reached
 failed subscribe to avr_blade:

Conditions:
Configuration includes:
1. DoS profile enabled for L7 and L3-4.
2. ASM policy is attached.
3. AVR profile with traffic capture is enabled, with remote logger profile.
4. Off-system processing is enabled.

Impact:
This causes an increase in tmstat memory usage.

Workaround:
There is no workaround at this time.

Fix:
Source of error message is fixed, avrd log no longer receives constant error messages.

---

643404 : "tmsh system software status" does not display properly in a specific cc-mode situation★

Solution Article: K30014507

Component: TMOS

Symptoms:
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that "tmsh system software status" will explain the condition. But instead, it shows "failed (reason unknown)"

Conditions:
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true:
-- The system is in Common Criteria mode (db var Security.CommonCriteria).
-- The system is in FIPS compliance mode (db var security.fips140.compliance).
-- Signature checking is manually enabled (db var LiveInstall.CheckSig).

Impact:
It is difficult to ascertain why the software change cannot be made.

Workaround:
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install.

To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix:
The "tmsh system software status" now displays the relevant issue, for example:
failed (No signature verification possible for image /shared/images/BIG-IP-12.1.2.0.0.249.iso). Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

---

643396 : Using FLOW_INIT iRule may lead to TMM memory leak or crash

Solution Article: K34553627

Component: Local Traffic Manager

Symptoms:
Memory leak in TMM or even crash may be observed if using FLOW_INIT event in iRules.

Conditions:
iRule triggered by FLOW_INIT event is in use. Note: The leak is difficult to observe, and the crash requires specific steps, so encountering this issue is relatively uncommon.

Impact:
TMM memory leak or crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed a memory leak in the FLOW_INIT iRule event.

---

643375 : tmm might crash with SIGSEGV when the system receives an unexpectedly large amount of input.

Component: Local Traffic Manager

Symptoms:
tmm might crash with SIGSEGV when the system receives an unexpectedly large amount of input.

Conditions:
This occurs when a very large xbuf containing an excessive amount of xfrags is processed.

Impact:
tmm may core dump and restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now gracefully handles unexpectedly large amounts of input and either consumes an appropriate amount in a safe manner, or gracefully fails.

---

643327-1 : DoS Visibility Attacks Graph tooltip does not provide sufficient information

Component: Application Visibility and Reporting

Symptoms:
Attacks Graph tooltip lacks relevant information.

Conditions:
This can be seen when looking at the Attacks Graph tooltip.

Impact:
Cannot determine the function of the DoS Visibility Attacks Graph.

Workaround:
N/A

Fix:
A detailed tooltip was added with details about the pointed attack.

---

643325-1 : Tooltips and help hints are inconsistent across the page

Component: Application Visibility and Reporting

Symptoms:
Help tooltips on the (i) icon are not consistent.

Conditions:
This can be seen when looking at the Dos Visibility page.

Impact:
Some widgets have the tooltip, others don't.

Workaround:
N/A

Fix:
More tooltips were added and text was revised.

---

643210 : Restarting MCPD on Secondary Slot of Chassis causes deletion of netHSM keys on SafeNet HSM

Component: Local Traffic Manager

Symptoms:
When mcpd (re)starts on a secondary slot, part of the initialization process triggers the delete of any netHSM keys on the SafeNet HSM.

Conditions:
This occurs on a chassis that is configured to use a SafeNet netHSM.

Impact:
The key is removed from the HSM and must be reimported to the HSM from a backup, if it exists.

Workaround:
When rebooting a secondary blade, temporarily remove the BIG-IP from the network it uses to connect to the SafeNet HSM. Once the BIG-IP is Active, it is safe to reconnect it to the network.

Fix:
The BIG-IP no longer deletes keys from the Safenet HSM when the key is deleted from the BIG-IP system. Now, you must manually delete keys using fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

Behavior Change:
Beginning with this release, the BIG-IP system will not delete a key from the SafeNet HSM when you delete the corresponding key on the BIG-IP system: You must manually delete the key on the HSM using either fipskey.nethsm or 'cmu delete'.

Important! Delete operations cannot be undone. Before deleting keys on the HSM using one of these commands, make sure that the key is not used by any BIG-IP, because the key deletion on the HSM is irreversible.

---

643187 : BIND vulnerability CVE-2017-3135

Solution Article: K80533167

---

643150 : VE: Native drivers are allowed when single NIC is provisioned

Component: TMOS

Symptoms:
On TMM restart/stop/start, existing management connections to BIG-IP will be lost.

Conditions:
1. Single NIC is enabled.
2. Intel Fortville (XL710) NICs are used.
OR
VIRTIO NICs are used and TMM is using native drivers (not UNIC).

Impact:
Management access to BIG-IP is lost on TMM restart/stop/start. However, once TMM is up again or stopped, connection can be reestablished.

Workaround:
None

Fix:
VE: Native drivers won't be used for interface 1.0 when single NIC is provisioned.

---

643143 : ARP and NDP packets should be QoS/DSCP marked on egress

Component: Local Traffic Manager

Symptoms:
There is currently no way to prioritize ARP/NDP traffic on BIG-IP or configure QoS on TMM-originated ARP/NDP packets.

Conditions:
ARP and/or NDP is in use.

Impact:
When the BIG-IP system's CPU is saturated, there is a possibility that ARP and NDP packets might be dropped.

Workaround:
N/A

Fix:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

Behavior Change:
You can now configure QoS on TMM-originated ARP/NDP packets.

To have ARP and NDP packets be treated with high priority internally within the BIG-IP system, set the following database keys to 'high':
-- arp.priority
-- ipv6.nbr.priority

To explicitly assign the 802.1p/q priority (QoS bits), set the following database keys:
-- arp.vlanpriority
-- ipv6.nbr.vlanpriority

Note: The 802.1q/p QoS priority applies to queries that originate on the BIG-IP system. Replies generated by BIG-IP will preserve the QoS value received in the request.

These variables are set with the following commands:

tmsh modify sys db arp.priority value (normal|high)
tmsh modify sys db arp.vlanpriority value [-1-7]
tmsh modify sys db ipv6.nbr.priority value (normal|high)
tmsh modify sys db ipv6.nbr.vlanpriority value [-1-7]

---

643121 : Failed installation volumes cannot be deleted in the GUI.

Component: TMOS

Symptoms:
Failed installation volumes aren't displayed under Disk Management and, therefore, cannot be deleted.

Conditions:
Have a failed installation volume.

Impact:
Cannot use the GUI to delete

Workaround:
Use tmsh to delete failed installation volumes using a command similar to the following:
tmsh delete /sys software volume <HDx.y>.

For example, to delete software volume HD1.0, use the following command:
tmsh delete /sys software volume HD1.0.

Fix:
Failed installation volumes can now be deleted in the GUI.

---

643054 : ARP and NDP packets should be CoS marked by the swtich on ingress

Component: Local Traffic Manager

Symptoms:
When ARP and NDP requests are dropped, ARP caches can time out, and peer nodes may fail to resolve the BIG-IP system's self-IP addresses or virtual servers.

Conditions:
TMM0 is saturated and dropping packets.

Impact:
ARP requests can be dropped, and peer devices, such as routers and monitored devices, can fail to resolve the BIG-IP system's address.

Workaround:
None.

Behavior Change:
Two DB variables are added to raise the internal traffic priority for ingress ARP/NDP packets in switch.

arp.priority : high/normal(default)
ipv6.nbr.priority : high/normal(default)

Setting arp.priority to high raises ARP packet priority.
Setting ipv6.nbr.priority to high raises NDP packet priority.

---

643053 : Mac OS X Edge client fails to reconnect in some rare cases

Component: Access Policy Manager

Symptoms:
Mac OS X Edge client fails to reconnect when the landing virtual server redirects to a new virtual server that doesn't have any server defined in its connectivity profile.

Conditions:
-- Mac Edge client is used to establish VPN through an APM that redirects the client to another APM.
-- The second APM has no servers configured in its server list in connectivity profile

Impact:
Edge client will fail to reconnect.

Workaround:
Configure at least one server in the servlist in connectivity profile.

Fix:
Now the Mac OS X Edge client reconnects successfully in the case that a reconnect operation results in a redirect to a virtual server whose associated connectivity profile lacks a server list.

---

643041 : Less than optimal interaction between OneConnect and proxy MSS

Solution Article: K64451315

Component: Local Traffic Manager

Symptoms:
When a client with low MSS is the first to establish a OneConnect flow pair and proxy MSS is enabled, the serverside will share the same low MSS. Successive connections from full-MSS clients may utilize this server-side flow, resulting in suboptimal throughput.

Conditions:
Configure a virtual server with both OneConnect and proxy MSS. Note: Proxy MSS is enabled by default beginning with v12.1.0.

Impact:
Decreased throughput, possible congestion due to small segments.

Workaround:
In some instances, it may be sufficient to disable proxy MSS. This too has the potential to increase segment count and decrease throughput.

Fix:
This release provides improved interaction between OneConnect and proxy MSS.

---

643034 : Turn off TCP Proxy ICMP forwarding by default

Component: Local Traffic Manager

Symptoms:
Forwarding of ICMP PMTU messages through the BIG-IP can negatively impact performance if OneConnect or SNAT functionality is active.

Conditions:
Forwarding of ICMP PMTU messages through the BIG-IP when OneConnect or SNAT are active.

Impact:
Peers use suboptimal Path Maximum Transmission Units (PMTUs).

Workaround:
For TCP and UDP proxies, ensure proxy-mss is disabled in the profile.

OR

Disable MTU caching on pool members.

Fix:
There are legitimate reasons to forward ICMP messages through BIG-IP, so in some cases mitigation must occur at pool members. However, we have introduced more control (tm.tcp.enforcepathmtu) to tune this more precisely.

Behavior Change:
The default behavior on TCP proxies is now to not forward ICMP messages, restoring the default from TMOS 12.0.0 and earlier.

For TCP proxies to forward ICMP PMTU messages now requires BOTH proxy-mss 'enabled' in the TCP profile (which is the default setting) and 'tm.tcp.enforcepathmtu' set to 'enabled' (not the default).

---

642990 : Processes started from interactive shells do not generate core files when they crash

Solution Article: K05304332

Component: TMOS

Symptoms:
ulimit -c is set to 0 by default for login shells. This means that if a process crashes, and the process was started from an interactive session (e.g., via SSH or the console), it will not generate a core file.

This behavior does not affect core system daemons such as TMM, MCPD, etc.

Conditions:
This occurs in the default configuration.

Impact:
Processes run/started from an interactive session (e.g., via SSH or the console) that crash will not generate core files.

Workaround:
At a bash shell, set the core file limit for the current shell (and child processes) to "unlimited" by running the following command:

    ulimit -c unlimited

Fix:
Processes that start from interactive sessions will now generate core files when they crash. The "bigstart" command ensures that the default core file limit is '0' for system services managed via sysvinit, even if restarted by an administrator.

---

642983 : Update to max message size limit doesn't work sometimes

Solution Article: K94534313

Component: Device Management

Symptoms:
There is a cap on all REST request/response message size. By default it is set to 32 MB, and you can modify it to higher limit using /mgmt/shared/server/messaging/settings/8100 REST endpoint. But the REST framework may not apply this change.

When this occurs, you will see 501 Bad Gateway error from Apache and error message link "java.lang.IllegalArgumentException: 47177925 is more than 33554432" in restjavad log (/var/log/restjavad.0.log).

Conditions:
This can occur when requesting or receiving more than 32 MB of data via iControl REST.

Impact:
REST framework applies message body limit only on incoming request and response. If incoming request results in requests to iControl REST or restnoded, the same settings (message body limit) are not applied.

Workaround:
None.

Fix:
Messaging settings are applied on requests/responses, rather than on RestServer as forwarded outgoing requests/responses will not have server instance attached to request.

---

642982 : tmrouted may continually restart after upgrade, adding or renaming an interface★

Component: TMOS

Symptoms:
tmrouted continually restarts when it fails to resolve the interface index for a VLAN, VLAN group, or tunnel.

Conditions:
-- Dynamic routing configured.
-- Non-default partition name or VLAN names greater than 15 characters.

Impact:
Dynamic routing does not function. This may include monitors not functioning properly and marking pool members down incorrectly.

Workaround:
Shorten VLAN, VLAN group, or tunnel name, or move the interface into the Common partition.

Fix:
tmrouted no longer restarts when using long VLAN, VLAN group, or tunnel names in a non-default partition.

---

642926 : Increased MySQL Memory usage when APM is provisioned on lower-end systems.

Component: Access Policy Manager

Symptoms:
You may notice mysql process continuously consuming high amount of CPU and memory resources when APM is provisioned. This can be seen in the results of 'top' command where mysql will be continuously listed. The issue applies to BIG-IP with 32 GB or less system memory available.

Conditions:
When APM module is provisioned, if either of the following is true:
* logging configuration uses on-box publisher and log-level setting leads to high amount of logging data (e.g., DEBUG).
* LocalDB or OAuth Authorization server is configured with a DB instance and traffic is being processed.

Impact:
You may notice general performance issues on BIG-IP systems with system memory 32 GB or lower when MySQL usage is high.

Workaround:
1) Remove following 2 lines from file '/var/lib/mysql/cnf/apm.cnf' --
     innodb_buffer_pool_size = 1G
     sort_buffer_size = 256M
   and save file before exiting.
2) Restart MySQL service using -- 'bigstart restart mysql'

Fix:
MySQL configuration when APM is provisioned now works as expected on lower-memory BIG-IP systems.

---

642874 : Ready to be Enforced filter for Policy Signatures returns too many signatures

Solution Article: K15329152

Component: Application Security Manager

Symptoms:
Signatures that have not passed the staging period are shown when the filter is set to only show those that are ready to be enforced.

Conditions:
Signatures exist on a policy that have not passed their staging period and have no learning suggestions for them.

Impact:
Incorrect results are shown as a result of the filter.

Workaround:
The result should be inspected to see if the staging period has passed for each individual signature.

Fix:
The "Ready to be Enforced" filter works correctly.

---

642786 : TMM may drop tunneled traffic when the sys db variable 'connection.vlankeyed' is set to 'disable'.

Solution Article: K01833444

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may drop tunneled traffic destined for it, even though the corresponding tunnel is created correctly.

Conditions:
The local-address of a tunnel is resided in a non-default route-domain and the sys db variable 'connection.vlankeyed' is set to 'disable'. Note that the default setting of that sys db variable is 'enable'.

Impact:
The BIG-IP system may drop tunneled traffic.

Workaround:
None.

Fix:
The BIG-IP system no longer drops tunneled traffic.

---

642703 : Formatting installation using software v12.1.2 or v13.0.0 fails for i5000, i7000, i10000, i11000, i12000 platforms.★

Component: TMOS

Symptoms:
Installation from external media (PXE or USB) fails with error:

error: status 768 returned by command: /sbin/lvcreate -L -4719088K -n dat.share vg-db-cpmirror
info: >++++ result:
info: Negative size is invalid
info: Run `lvcreate --help' for more information.
info: >----
error: MultiVolume_add cpmirror.dat.share failed.

Conditions:
-- i5000, i7000, i10000, i11000, and i12000 platforms.
-- Installation from external media (PXE or USB).
-- Running software v12.1.2 or v13.0.0.

Impact:
System is non-functional. It will not work at all, until an 'installation from external media' is performed. There is no software on the system because the operation failed during the early stages of a formatting installation.

Workaround:
Use an earlier version for the formatting installation, such as 12.1.1, and then upgrade to the target version.

Fix:
The error no longer occurs; the formatting installation succeeds.

---

642659 : Multiple LibTIFF Vulnerabilities

Solution Article: K34527393

---

642449-1 : Standard deviation for Request Duration is calculated incorrectly

Component: Application Visibility and Reporting

Symptoms:
In the HSL report, the Standard deviation for Request Duration is incorrect.

Conditions:
There are requests sent with delay reported in AVR reports.

Impact:
Wrong data in AVR reports. Standard deviation should be not 0 (zero), but it is reported as 0.

Workaround:
None.

Fix:
Fixed an issue with standard deviaiton calculation.

---

642422 : BFD may not remove dependant static routes when peer sends BFD Admin-Down

Component: TMOS

Symptoms:
As a result of a known issue, the BFD feature used in an Dynamic routing configuration, may not remove static routes when configured to be dependant on the liveliness of the BFD peer.

Conditions:
- BFD configured and up.
- Static route configured and dependant on the BFD status of the BFD peer.
- BFD peer enters maintenance mode by user configuration, setting the BFD session to admin-down.

Impact:
Static route may not be removed on BFD session configured by peer to be and traffic may still be routed.

Fix:
BFD now correctly removes dependant static routes on reception of BFD admin-down.

---

642400 : Path MTU discovery occasionally fails

Component: Local Traffic Manager

Symptoms:
Connections using a TCP profile that receive an ICMP needsfrag message may incorrectly ignore the message. This may cause Path MTU discovery to fail.

Conditions:
TCP profile assigned to VIP. Smaller MTU on data path than on TCP endpoints.

Impact:
The connection may stall as large TCP segments are continually retransmitted.

Workaround:
Configure the MSS in the TCP profile to match the lowest MSS. Use or disable Path MTU discovery with the tm.pathmtudiscovery database key.

Fix:
Path MTU discovery functions correctly with the TCP profile.

---

642330-1 : GTM Monitor with send/receive string containing double-quote may cause upgrade to fail.★

Component: Global Traffic Manager

Symptoms:
When you upgrade from an affected version, the config gets saved before moving to the new version, thus dropping the enclosing quotes and causing a load failure when booting into the new version.

Conditions:
Configuration where monitor string contains \" (backslash double-quote) but does not contain one of the following characters: ' (single quote), | (pipe), { (open brace), } (close brace), ; (semicolon), # (hashtag), literal newline, or literal space.

Impact:
Configuration fails to load.

Workaround:
Manually edit each string in the BIG-IP_gtm.conf to include enclosing quotes in order to get the config to load the first time.

Fix:
Configs load successfully after upgrade. Surrounding quotes, if missing, are added to strings in the BIG-IP_gtm.conf file after upgrade. For example:
\"service_status\":\"on\".+\"maintenance\":\"off\" in the recv, send recv-disable and username fields. Output of list gtm monitor and bigip.conf match. Reloading the same config via tmsh does not cause unintentional changes, such as losing a level of escape in monitor strings.

---

642314 : CNAME ending with dot in pool causes validation problems after upgrade from 11.x to 12.x or v13.x★

Solution Article: K24276198

Component: TMOS

Symptoms:
gtm config load failure after upgrade from v11.x to v12.x or v13.x.

Conditions:
Create GTM pool with canonical-name ending with dot - for example "cname-with-dot.com." in v11.x and then upgrade to v12.x or v13.x.

Impact:
gtm config load failure after upgrade.

Workaround:
Remove trailing dots or set "Domain Validation" to "none".

Fix:
Upgrading from 11.x to 12.x or 13.x with GTM Pool with canonical-name removes trailing FQDN dot.

---

642298 : Unable to create a bidirectional custom persistence record in MRF SIP

Component: Service Provider

Symptoms:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Conditions:
Setting a persistence key via iRule sets the persistence entry as uni-directional

Impact:
Custom SIP persistence entries cannot be bidirectional.

Fix:
This change adds a new SIP::persist key to set or reset the persistence entry as bidirectional.

---

642221 : Incorrect entity is used when exporting TCP analytics from GUI

Component: Application Visibility and Reporting

Symptoms:
When exporting statistics from the TCP Analytics page, the resulted data is for the default "view by" entity rather than the one that's actually selected

Conditions:
This occurs in Statistics :: Analytics : TCP, when you are viewing any dimension other than the default, and clicking Export.

Impact:
Incorrect data is being exported.

Workaround:
Use tmsh.

Fix:
The correct entity is now used when exporting TCP analytics from GUI, so the correct data is being exported.

---

642211 : Warning logged when GENERICMESSAGE::message drop iRule command used

Component: Service Provider

Symptoms:
When submitting an iRule script using GENERICMESSAGE::message drop iRule command, a warning message is returned.

Conditions:
This occurs when saving an iRule that contains GENERICMESSAGE::message drop.

Impact:
A warning message is returned.

Workaround:
NA

Fix:
iRule validation was improved to allow GENERICMESSAGE::message drop commands.

---

642185 : Add support for IBM AppScan scanner schema changes

Component: Application Security Manager

Symptoms:
IBM AppScan changed schema for its report file.

Conditions:
Using IBM AppScan for reporting.

Impact:
Data from new IBM AppScan scanner report file is not extracted properly for URL, parameters and cookies.

Workaround:
None.

Fix:
Added support for IBM AppScan scanner schema changes.

---

642119 : Websocket URLs can't be explicitly excluded per attack signature

Component: Application Security Manager

Symptoms:
A signature matches a websocket URL where it is defined as an excluded signature on the URL.

Conditions:
A websocket URL has a signature defined as excluded on this URL.

Impact:
A false positive signature match

Workaround:
disable the signature on the policy level when applicable.

Fix:
Signatures can now be excluded on the websocket URLs.

---

642039 : TMM core when persist is enabled for wideip with certain iRule commands triggered.

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV.

Conditions:
This occurs when persist is enabled for wideip, and an iRule with the following commands triggered:
forward
reject
drop
discard
noerror
host

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable persist on wideip.

Note: Although this is not an ideal workaround, it provides a way that to use those iRule commands without causing a tmm core.

Fix:
TMM no longer coreswhen persist is enabled for wideip with certain iRule commands triggered.

---

641963-1 : Average CPU usage is calculated differently in DOS Visability page

Component: Application Visibility and Reporting

Symptoms:
On systems with HT Split CPU the Average CPU usage shown in DOS Visibility page was calculated as average of all available CPU-s. On other hand, on other screens it is calculated as an average of maximum of data plane and control plane CPU-s. It causes inconsistency in displayed data.

Conditions:
HT Split is enabled on the system (tmsh list sys db scheduler.splitplanes.ltm results in "True")

Impact:
Inconsistency in CPU usage values displayed in DOS Visibility and other screens

Fix:
After the fix on systems with HT Split average CPU usage is calculated only for data plane CPU-s. The GUI title is changed correspondingly.

---

641886 : 'SELinux targeted policy relabel is required' message

Component: TMOS

Symptoms:
'SELinux targeted policy relabel is required' message appears at initial bootup. The system posts messages similar to the following:

*** Warning -- SELinux targeted policy relabel is required.
*** Relabeling could take a very long time, depending on file
*** system size and speed of hard drives.

Conditions:
Install new software, reboot, watch the console.

Impact:
The indication of a 'warning' might be concerning. However, there is no impact to the functionality of the system. SELinux relabel always happens on first boot. It is a necessary and planned task and should be reported as an informational message instead of a warning.

Workaround:
None needed. This is a cosmetic issue only.

Fix:
The SELinux relabel task message is now just an informational message.

---

641869 : Assertion "vmem_hashlist_remove not found" failed.

Component: Local Traffic Manager

Symptoms:
TMM cores with the following assertion: "vmem_hashlist_remove not found" failed.

Conditions:
It is unknown what leads to that situation directly.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The memory function fails the allocation gracefully.

---

641835 : 3DES Ciphers have been removed from the SSL DEFAULT cipher list

Component: Local Traffic Manager

Symptoms:
3DES has been shown to be a weak cipher. As such, we removed it from the DEFAULT SSL cipher list (both clientssl and serverssl). On some older devices that can mean a connection is not possible.

Conditions:
Older SSL Clients and Servers might not be able to connect to the BIG-IP without a cipher list change.

Impact:
Service disruption

Workaround:
Not really a defect - the solution is to change the cipher string to "DEFAULT:3DES"

---

641612 : APM crash

Solution Article: K87141725

---

641587 : request-adapt or response-adapt should be disabled by HTTP::disable

Solution Article: K81048052

Component: Service Provider

Symptoms:
When the HTTP profile is disabled by an iRule in events such as the CLIENT_ACCEPTED event, it is not possible to use ADAPT::enable to disable the adaptation. You might assume that because ADAPT depends on HTTP, it would naturally be disabled along with HTTP, but it is not.

Conditions:
Virtual server with HTTP profile and also Request Adapt and/or Response Adapt profile.
An iRule uses HTTP::disable to (for example) pass non-HTTP traffic.

Impact:
Despite HTTP being disabled, ADAPT attempts to handle ingress traffic, without parsed HTTP headers, so will fail. It is possible ADAPT will buffer ingress traffic indefinitely because it does not receive an expected message from the HTTP filter.

Workaround:
Disable request-adapt and/or response-adapt in the profile. When HTTP traffic is to be handled, have an iRule on the HTTP_REQUEST or HTTP_RESPONSE event call "ADAPT::enable true".

Fix:
The HTTP::disable command implicitly disables any corresponding request or response adaptation. This is correct behavior.

---

641559 : Session-based brute force resets failed logins counter upon successful login

Component: Application Security Manager

Symptoms:
ASM counts failed login attempts per session (browser cookie) and blocks an end user if the number of failed exceeds a predefined threshold (default 5). If an ASM end user makes a successful login before the number of failed attempts reaches the threshold, the counter of failed attempts resets to zero.

Conditions:
ASM policy attached on the virtual server and brute force session-based feature is configured along with the login page.

Impact:
An ASM end user allowed to do a number of failed logins higher than threshold. This happens only in when that APM end user sent a successful login before number of failures hits the threshold.

Workaround:
None.

Fix:
Session-based brute force now handles this issue.

---

641547 : Possible dead-lock on accept of multiple suggestions at once

Component: Application Security Manager

Symptoms:
When accepting multiple suggestions at once it's possible that action fails

Conditions:
Accept of multiple suggestions for the same entities

Impact:
Action fails

Workaround:
One-by-one accept always works

Fix:
Multiple accept mechanism improve to prevent possible dead-locks

---

641512 : DNSSEC key generations fail with lots of invalid SSL traffic

Component: Local Traffic Manager

Symptoms:
DNSSEC keys can rollover periodically. This will fail, leading to no keys to sign DNSSEC queries (no RRSIG records) when the BIG-IP is handling a lot of SSL traffic with invalid certificates.

The system posts the following log signature in /var/log/ltm:
err tmm1[12393]: 01010228:3: DNSSEC: Could not initialize cipher context for key /Common/x1-zsk.

Conditions:
DNSSEC keys configured with periodic rollover. The certificate path queues an error (situations include but not limited to lots of SSL traffic with invalid certificates).

Impact:
DNSSEC key generations fail to be accepted by the TMM so that when the prior generation expires there is no valid certificate to sign DNSSEC queries.

Workaround:
Restart the TMM after the new key generation is created.

Fix:
DNSSEC key generations now complete successfully, even with a lot of SSL traffic with invalid certificates.

---

641491 : TMM core while running iRule LB::status pool poolname member ip port

Component: Local Traffic Manager

Symptoms:
An iRule response to a DNS request may trigger the Traffic Management Microkernel (TMM) to produce a core file and restart. As a result of this issue, you may encounter one or more of the following symptoms:

-- The BIG-IP system may temporarily fail to process traffic as it recovers from the TMM restart, and devices configured as an HA pair may fail over.
-- The BIG-IP system generates a TMM core file to the /shared/core directory.

Conditions:
This issue occurs when all of the following conditions are met:

-- Your BIG-IP DNS system is configured with a wide IP that utilizes an iRule.
-- The iRule uses the DNS_REQUEST event command LB::status to check a pool member status.
-- The iRule pool address and port are separated by white space.

Example iRule syntax:

gtm rule pool_member_selection {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.0.0.10 80
    }
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use format 'ip:port' or vsname instead of 'ip port. Following are two examples:
1.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member 10.2.108.100:80
    }
}

2.
gtm rule rule_crash_test {
    when DNS_REQUEST {
        LB::status pool pool-one member pool_vs_name
    }
}

Fix:
An iRule response to a DNS request no longer triggers TMM to produce a core file and restart.

---

641482 : Subscriber remains in delete pending state until CCR-t ack has success as result code is received

Component: Policy Enforcement Manager

Symptoms:
BIG-IP subscriber session will remain in delete pending (stale) state if the Result-code received Acknowledgement from Gx or Gy and is marked as Failure for CCR-T request.

Conditions:
The stale session happens, during subscriber termination and if any CCR-T request for Gx or Gy receives an acknowledgement with non-SUCCESS in Result-code AVP

Impact:
The subscriber session in BIG-IP will stay in delete pending state (stale)

Workaround:
A tmm restart will cleanup all the stale sessions

Fix:
Fix will cleanup the session if a CCR-T acknowledgement is received irrespective of the Result-code AVP

---

641445 : iControl improvements

Solution Article: K22317030

---

641390 : Backslash removal in LTM monitors after upgrade★

Component: TMOS

Symptoms:
After upgrading, BIG-IP fails to load the configuration and reports that a monitor failed to load.

Conditions:
This can occur on upgrade, with specific backslash escaping in LTM monitors. Note: This issue is specific to LTM monitors. It does not occur in BIG-IP DNS monitors.

For example, to have two backslashes in the value, you specify three backslashes. The first backslash is the 'escape' character.

ltm monitor https /Common/my_https {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    recv "Test string"
    recv-disable \\\"Test\\\"me\\\" <-- pertinent string value (can be in recv, send or username attributes too).
    send Test
    time-until-up 0
    timeout 16
    username test\\\"me
}

Impact:
The monitor fails to load.

Workaround:
Manually correct the string to be the way it was before upgrade, then the configuration will load.

Fix:
Upgrade no longer results in incorrectly removing backslashes for some LTM monitor attributes.

---

641360 : SOCKS proxy protocol error

Solution Article: K30201296

---

641311 : perl-XML-Twig vulnerability CVE-2016-9180

Solution Article: K08383757

---

641307 : Response Page contents are corrupted by XML policy import for non-UTF-8 policies

Component: Application Security Manager

Symptoms:
If non-UTF-8 policy has Response Pages configured with non-ASCII characters, the Response Page contents will be corrupted by an XML export/import.

Conditions:
1) Response pages are configured with Non-ASCII characters in a non-UTF-8 Policy.
2) The Policy is exported via XML export.

Impact:
Response Page contents are corrupted

Workaround:
1) Use binary policy export/import for non-UTF-8 policies.
or
2) Encode the non-ascii characters using the html entities/code representations of them. (Example: 日本語 -> &#26085;&#26412;&#35486;)

Fix:
Response Page contents are correctly exported.

---

641273 : port-fwd-mode mode configuration object value

Component: Local Traffic Manager

Symptoms:
The port-fwd-mode object value of an interface object is not reset to the default value on loading a UCS.

Conditions:
Saved configuration / UCS must have port-fwd-mode in default (l3) state, and the current configuration must have port-fwd-mode set to "passive" mode.

Impact:
port-fwd-mode will continue to stay in the non-default state of "passive".

Workaround:
reconfigure the port-fwd-mode to the right value and save the configuration.

---

641126 : Edge Client now can launch administrator-defined script on session termination

Component: Access Policy Manager

Symptoms:
Cannot configure Edge Client to launch administrator-defined script on session termination.

Conditions:
-- EdgeClient is used (Mac/Windows).
-- Administrator-configured script.
-- Session termination.

Impact:
Edge Client cannot launch administrator-defined script on session termination.

Workaround:
None.

Fix:
Edge Client on Apple Macintosh and Microsoft Windows now can launch administrator-defined script on session termination. Each time Edge Client closes an APM session, the configured script is invoked, except on Windows when a user logs in from Windows.

---

641099 : Displaying warning when Packet Filtering is disabled since Rules won't apply

Component: TMOS

Symptoms:
There is no visibility that, when Packet Filtering is disabled , Rules don't apply.

Conditions:
Packet Filtering is disabled.

Impact:
Rules can be managed but they won't apply.

Fix:
A warning is displayed when when Packet Filtering is disabled since Rules won't apply.

---

641083 : Policy Builder Persistence is not saved while config events are received

Component: Application Security Manager

Symptoms:
Policy Builder Persistence is not saved while config events are received.

Conditions:
This occurs when there are many changes made to the policy.

Impact:
Statistics are lost after pabnagd restarts.

Workaround:
None.

Fix:
Persistence is now saved every 24 hours.

---

641013 : GRE tunnel traffic pinned to one TMM

Component: TMOS

Symptoms:
GRE tunnel traffic can be sent to one TMM if BIG-IP doesn't proxy the GRE tunnel and uses forwarding virtual to handle GRE tunnel traffic.

Conditions:
Use forwarding virtual to handle GRE tunnel traffic.

Impact:
GRE tunnel traffic can overwhelm the one TMM and cause performance degradation.

Workaround:
None.

Fix:
Improved GRE tunnel traffic handling so traffic does not overwhelm one TMM and cause performance degradation.

---

641001-1 : BWC: dynamic policy category sees lower bandwidth than expected in Congested policies

Component: TMOS

Symptoms:
When BWC policy is configured with category that is configured at lower rate than max-user-rate, when the system is congested, the system might experience lower bandwidth and is not able to fill the pipe.

Conditions:
BWC dynamic policy configured with category.
The number of sessions created is greater than max-rate/max-user-rate, utilizing all the policies.


For example: max-rate=10mbps, max user rate=5mbps, cat rate=3mbps.

Impact:
Lower bandwidth is seen.

Workaround:
Configure categories at the same rate as that of max-user-rate.

Fix:
BWC: dynamic policy category now sees the same or better bandwidth.

---

640924 : On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are scaled incorrectly

Component: Access Policy Manager

Symptoms:
On macOS Sierra (10.12) LED icons on Edge client's main UI, the buttons (Auto-Connect, Connect, Disconnect) are scaled incorrectly.

Conditions:
macOS Sierra (10.12.x) and Edge client application.

Impact:
This is a display issue only. There is no functional impact to the system.

Workaround:
N/A

Fix:
On macOS Sierra (10.12) LED icons on Edge client's main UI buttons (connect, disconnect and auto-connect) are now scaled correctly.

---

640903 : Inbound WideIP list page on Link Controller takes a long time to load when displaying 50+ records per screen

Component: Global Traffic Manager (DNS)

Symptoms:
Extremely long page load on Link Controller Inbound Wide IP list page.

Conditions:
The preference settings "Records per screen" must be a high value. 50 or more will start causing the page to load very slowly.

Impact:
Extremely long page load time.

Workaround:
Prior to the fix, the workaround is to set the preference settings "Records per screen" to a low value. The default value of 10 is fine.

Fix:
The page can now load hundreds of records on a single screen under 3 seconds.

---

640863 : Disabling partition selector in DNS Resolver's Forward Zones

Solution Article: K29231946

Component: TMOS

Symptoms:
The partition selector is enabled in DNS Resolver's Forward Zones.

Conditions:
Having Forward Zones in DNS Resolvers inside different partitions.

Impact:
Changing the partition in the Forward Zones page may error out.

Workaround:
Change the partition in the DNS Resolver List or use tmsh.

Fix:
The partition selector in DNS Resolver's Forward Zones has been disabled.

---

640829 : bd crash scenario

Component: Application Security Manager

Symptoms:
The bd crashes, switch-over, some traffic outage.

Conditions:
A specific cross domain configuration exists. Specific traffic scenario happens.

Impact:
The bd crashes, switch-over, some traffic outage.

Workaround:
None.

Fix:
Fixed a bd crash scenario.

---

640824 : Upgrade fails with "DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined" errors in ASM log★

Component: Application Security Manager

Symptoms:
Upon first start after upgrade, the following error messages appear in asm log:
-------------------------
notice boot_marker : ---===[ HD1.2 - BIG-IP 12.1.1 Build 0.0.184 <HD1.2> ]===---
info set_ibdata1_size.pl[18523]: Setting ibdata1 size finished successfully, a new size is: 8466M
info tsconfig.pl[21351]: ASM initial configration script launched
info tsconfig.pl[21351]: ASM initial configration script finished
info asm_start[19802]: ASM config loaded

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Too many partitions (including subpartitions) were defined

crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::DbUpgrade::__ANON__): DBD::mysql::db do failed: Cannot remove all partitions, use DROP TABLE instead

 crit perl[19802]: 01310027:2: ASM subsystem error (asm_start,F5::ConfigSync::load_traffic_data): Could not import table data PRX.REQUEST_LOG - ASM configuration save aborted

info perl[21860]: 01310053:6: ASM starting
-------------------------

Conditions:
-- ASM provisioned.
-- Local request logging enabled.
-- Upgrade of a maintenance release, hotfix, or engineering hotfix.

Impact:
Upgrade fails.

Workaround:
Upgrade by the means of saving a UCS, performing a clean install and then loading the UCS.

In the manual save/load UCS process, the upgrade of the Request Log can be disabled, which will workaround the error and the UCS will load fine.

There are two options to disable the upgrade of the Request Log, when upgrading by the means of a UCS:
-------------------
1) Do not load a Request Log, when loading a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.load value never

2) Do not save a Request Log, when saving a UCS:
    # tmsh modify sys db ucs.asm.traffic_data.save value disable
-------------------

Fix:
Roll-forward upgrade including traffic data now works correctly.

---

640809 : Merged constantly restarts★

Solution Article: K79892782

Component: Local Traffic Manager

Symptoms:
Merged constantly restarts. This may occur on upgrade or after merged restarts after enabling debug logging.

The system logs the following error signature in /var/log/user.log:

err merged[27984]: isc/libev evGetNext: Bad File Descriptor: 5, errno: 9 Bad file descriptor.
notice logger: Started writing core file: /var/core/merged.bld0.0.249.core.gz for PID 27984.

Conditions:
log-config filter level is debug and merged restarts.

Note: 'level debug' is the default for a log-config filter therefore the following would be debug logging:

sys log-config filter myfilter {
    publisher mypub
}

Impact:
Merged restarting may impact stats collection. This can also impact qkview generation, the statistics may be corrupt or missing, GUI might return "General database error retrieving information."

Workaround:
If you are encountering this, you can run the following tmsh commands to set the log level to the warning level.

Impact of procedure: This will disable debug logging of merged.

tmsh modify sys log-config filter <HSL-Filter-Name> level warn
tmsh save sys config

---

640751 : No PCRE Validation Performed For Regular Expression Parameters

Component: Application Security Manager

Symptoms:
If a Parameter is configured to match a specified regular expression, but the regular expression is misconfigured, there is no error presented to the user, and there is no regexp enforcement for the parameter.

The following log can be observed in bd.log
"PCRE compilation failed at offset 12: PCRE does not support \L, \l, \N, \U, or \u"

Conditions:
A non-PCRE regular expression is configured for a Parameter.

Impact:
No Regular Expression enforcement is performed.

---

640626 : Added more error checking and reporting to RAM Cache TMSH commands

Solution Article: K20300705

Component: Local Traffic Manager

Symptoms:
Confusing results for some 'tmsh ramcache' commands.

Conditions:
This occurs in either of the following scenarios:
-- There is more than one profile name when issuing a command.
-- A profile name is not valid.

Impact:
Some commands do not execute as expected, or there is no indication that the command executed, but did nothing.

Workaround:
Use tab completion when entering a profile name, and never try to enter more than one profile name in a RAM cache command.

Fix:
The use of multiple profile names in a RAM cache command will now give an error message and do nothing. An invalid profile name will return an error, and again, do nothing.

---

640565 : Incorrect packet size sent to clone pool member

Solution Article: K11564859

Component: Local Traffic Manager

Symptoms:
Cloned packets do not obey the egress interface MTU, and clone pool members may get traffic exceeding the link MTU.

Conditions:
Clone pool is configured on a virtual server.

Impact:
Clone pool members may get traffic exceeding the link MTU.

Workaround:
Disable TSO using the following tmsh command:
tmsh modify sys db tm.tcpsegmentationoffload value disable.

---

640521 : EdgeClient does not render Captive Portal login page which uses jQuery library for mobile devices

Component: Access Policy Manager

Symptoms:
Connect to a public network which has Captive Portal and the Captive Portal uses jQuery library for mobile devices. EdgeClient does not render login page for such Captive Portal.

Conditions:
Use public network with Captive Portal that uses jQuery library for mobile devices.

Impact:
EdgeClient can not establish VPN connection.

Workaround:
Use a browser to authenticate to Captive Portal. For locked client, there is no suitable workaround.

Fix:
Now Edge Client can successfully interact with a greater number of wifi captive portals.

---

640493 : Bash vulnerability CVE-2016-7543

Solution Article: K73705133

---

640489-1 : iSeries LCD alerts screen returns to splash screen intermittently

Solution Article: K53571714

Component: TMOS

Symptoms:
If there is a pending alert and the LCD remains on the alerts screen for an extended period of time, when you attempt to view the alerts for a particular severity (critical, error, warning, etc), the system re-directs to the splash screen instead of to the screen with a list of alerts.

Conditions:
-- An alert is pending.
-- The LCD remains on the alerts screen for a long time (e.g., 1-2 minutes).
-- Navigate to one of the alert levels to view the pending alerts.
-- The LCD displays the splash screen instead of a list of alerts.

Impact:
The system returns to the splash screen instead of a list of alerts.

Workaround:
Navigate back to the alerts screen and select an alert severity to get a list of alerts.

---

640457 : Session Creation failure after HA

Component: Policy Enforcement Manager

Symptoms:
Under some HA scenarios, the subscriber session will be lost. If such a deleted session is added (the same subscriber-id), the addition attempt fails.

Conditions:
Intra-chassis HA is configured. One of the blades goes down & comes back up very rapidly & some subscriber sessions are lost.
An attempt to add the lost subscriber again fails.

Impact:
A set of subscribers lost during HA will never be added back.

Workaround:
No workaround.

---

640407 : Usage of iRule commands that try to get or set connection state during CLIENT_CLOSED iRule event may core with MRF

Solution Article: K41344483

Component: Service Provider

Symptoms:
A core may occur with message routing framework (MRF) virtuals or transport-config connections if trying to use certain iRule commands during CLIENT_CLOSED event.

Conditions:
Use of an iRule command that gets or sets state in a MRF protocol filter or MR proxy during CLIENT_CLOSED iRule event may core. This is because CLIENT_CLOSED event is raised after all state has been freed for the current connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use iRule command to get or set state during CLIENT_CLOSED iRule event.

---

640399 : New ICAP logging subset and messages

Component: Service Provider

Symptoms:
Cannot turn on logging for the ICAP filter on the internal virtual server.

Conditions:
-- Internal virtual server.
-- ICAP profile.

Impact:
You are unable to enable diagnostic logging for ICAP.

Workaround:
None.

Fix:
New ICAP log messages are available to help with debugging. ICAP log messages appear in /var/log/ltm. The log level may be adjusted with the DB variable log.icap.level (default is 'notice').

Behavior Change:
A new logging subset 'icap' has been added.
Some ICAP log messages have been added.
ICAP log messages appear in /var/log/ltm.
Log level is controlled by DB variable log.icap.level. Default is 'notice'.

---

640384 : New iRule options for MR::message route command

Component: Service Provider

Symptoms:
When routing a message via the MR::message route command, the connection-mode and max-connections attributes are not settable.

Conditions:
This is encountered when using the MR::message or MR::peer iRule commands and you wish to set the connection mode or max connections.

Impact:
For applications where other connection-modes are required (for example PER_CLIENT), it is not possible to implement via iRule.

Workaround:
NA

Fix:
New keywords added to MR::message route command to allow specification of the connection-mode and max-connections attributes of the temporary route added to the message.

---

640369 : TMM may incorrectly respond to ICMPv6 echo via auto-lasthop when disabled on the vlan

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, TMM may respond to an ICMPv6 echo request using the auto-lasthop mechanism, when this has been disabled on the vlan.

Conditions:
- Auto-lasthop disabled on the ingress vlan
- ICMPv6 echo request for a self-IP on the ingress vlan.
- Route to the client IP address via a different vlan

TMM may respond directly using the auto-lasthop feature and not via the route lookup.

Impact:
Traffic may not follow the expected path.

Fix:
TMM now correctly uses the configured option for auto-lashop and ICMPv6 traffic

---

640352 : Connflow can be leaked when DHCP proxy in forwarding mode with giaddr set in DHCP renewal packet

Component: Local Traffic Manager

Symptoms:
Connflow entry memory are leaked when BIG-IP DHCP proxy is configured in forwarding mode and the DHCP relay agent between
the DHCP client and the BIG-IP system sets giaddr field to itself after connflows created are aged out in a particular order.

Conditions:
1) BIG-IP DHCP proxy is configured in forwarding mode.
2) DHCP relay agent sits between the DHCP client and the BIG-IP system sets giaddr field in DHCP renewal packet to itself (this has been observed in Cisco devices), so that DHCP renewal packet will be sent to a relay agent by DHCP servers.
3) Connflow created to giaddr(relay agent) ages out before
connflows created to DHCP clients.

Impact:
Some connflows are not freed. Memory leak occurs. Eventually memory is exhausted.

Workaround:
None.

Fix:
Ref count handing for giaddr connflows are now decremented when the client side connflow is removed, preventing the memory leak.

---

640298 : iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with iRule event agent without assigned webtop resource.

Solution Article: K54188582

Component: Access Policy Manager

Symptoms:
iOS Edge Client is not able to establish per-app VPN connections with APM when it has VPE with iRule event agent without assigned webtop resource.

Conditions:
VPE with iRule event agent without assigned webtop resource.

Impact:
Cannot use iOS Edge Client to establish per-app VPN connections.

Workaround:
Add resource assignment agent with webtop resource.

Fix:
Now the iOS Edge Client can successfully connect to a per-session access policy that contains an iRule Event agent and not a Resource Assign agent.

---

640290 : Custom headers configuration issue

Component: Application Security Manager

Symptoms:
Headers in the custom headers list are not seen as custom headers.

Conditions:
Configuration is updated by adding and removing custom headers.

Impact:
The incorrect XFF IP is reported. False positive geolocations and other violations.

Workaround:
Once the custom header table is updated, issue the following command:
bigstart restart asm

Fix:
Fixed custom header configuration issue.

---

640031 : RedHat: bash bug fix update - RHBA-2017-0038

Component: TMOS

Symptoms:
When bash expands a parameter stored in a string that exceeds the memory allocation limit for string expansion, it crashes with a segmentation fault error.

Conditions:
Bash expands a parameter stored in a string that exceeds the memory allocation limit for string expansion.

Impact:
Bash crashes with a segmentation fault error, and the command fails.

Workaround:
None.

Fix:
With this update (bash-4.1.2-41.el6_8), the string expansion code has been updated, and bash now exits gracefully with an error message instead of crashing when a string is too long to expand.

---

640029 : db4 bug fix update - RHBA-2017-0035

Component: TMOS

Symptoms:
The db4 utility does not free unused mutexes properly when running the db_verify command, and can exit with an error.

Conditions:
This occurs when the system internally runs the db_verify command.

Impact:
db4 utility might run out of resources for new mutexes.

Workaround:
None. This is a Red Hat software issue.

Fix:
With this update, the mutexes are properly freed and the db4 utility does not run out of resources for new mutexes.

---

640027 : ORBit2 bug fix update - RHBA-2017-0033

Component: TMOS

Symptoms:
When logging in and out, linc socket files might accumulate in the /tmp/orbit-[username]/ directory. Consequently, the /tmp file system quickly becomes full, which in some cases causes processes running on the system to fail.

Conditions:
Logging in and out.

Impact:
The /tmp file system fills up, which might cause running processes to fail.

Workaround:
None. This is a Red Hat software issue.

Fix:
Linc socket files no longer accumulate in the /tmp/orbit-[username]/ directory when logging in and out, so any previously associated failures no longer occur.

---

640006 : Unable to add bait using the GUI if baits already added via tmsh

Component: Fraud Protection Services

Symptoms:
Unable to add baits using the GUI if baits previously added via tmsh contain "bait_" in the name.

Conditions:
License and provision FPS.
Use tmsh to add baits whose names contain "bait_".

Impact:
May affect detection of certain malware.

Workaround:
Use tmsh to add baits.

Fix:
GUI now allows adding baits even if existing bait names contain "bait_".

---

639932 : VADC: link status of a XL710 SR-IOV interface does not reflect the state of the physical link

Component: TMOS

Symptoms:
In VADC, link status always reports UP for one or more SR-IOV Intel XL710 virtual function interfaces (1.1, 1.2, etc.).

Conditions:
The VADC interfaces (1.1, 1.2, etc.) do not reflect the state of the physical link controlled by the hypervisor.

Impact:
This hinders troubleshooting traffic from the guest.

---

639929 : Session variable replace with value containing these characters ' " & < > = may case tmm crash

Component: Access Policy Manager

Symptoms:
TMM crash with session variable replace with value containing these characters ' " & < > =

Conditions:
Session variable replace with value containing these characters ' " & < > =

Impact:
Traffic disrupted while tmm restarts.

Workaround:
avoid session variable values containing ' " & < > = if possible. Otherwise, there is no workaround.

Fix:
Session variable overwrite operation with value containing special characters now works correctly

---

639774 : mysqld.err rollover log files are not collected by qkview

Solution Article: K30598276

Component: TMOS

Symptoms:
Only the file /var/lib/mysql/mysqld.err is collected in qkview without truncation rules normally used for log files. Also, the mysqld.err.1 and mysqld.err.2.gz, etc are not collected at all.

Conditions:
This occurs when generating a qkview.

Impact:
You cannot see other mysqld.err rollover files in the qkview, and since the one mysqld.err file might be huge (larger than 2 GB) the output of qkview will be unusable.

Workaround:
The missing files must be manually copied into the qkview output. If the mysqld.err is greater than 2 GB in size, it must first be truncated to smaller than 2 GB.

Fix:
With this fix, the files /usr/lib/mysql/mysqld.err and associated rollover files (up through .7.gz) will be collected by qkview. Also the truncation/transformation rules that are used for log files will also apply (using -s <size> to modify default behavior), meaning that files greater than 5 MB (by default) will be truncated and there is a maximum limit of 75 MB for any given log file (using -s0).

---

639767 : Policy with Session Awareness Statuses may fail to export

Component: Application Security Manager

Symptoms:
ASM policy with many Session Awareness Statuses may fail to export.

Conditions:
There are many Session Awareness Statuses configured for the policy.

Impact:
ASM policy export will fail.

Workaround:
Remove all Session Awareness Statuses before export.

Fix:
ASM policy export only includes Session Awareness Statuses set to "Block All", and completes reliably.

---

639764 : Crash when searching external data-groups with records that do not have values

Component: Local Traffic Manager

Symptoms:
The TMM may crash when search through an external data-group that has at least one value with empty value.

Conditions:
For example, this occurs if data-group is defined as follows:
the key for network 10.40.0.0/13 has no value:
network 10.0.0.0/9 := "network 10.0.0.0/9",
network 10.40.0.0/13,
network 10.10.0.0/17 := "network 10.10.0.0/17",

A search in the data-group above with -value or -element options where at least one of the result records has no value will most likely result in a TMM crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Make sure that every record in the external data-groups has a value.

Fix:
Searching values in an external data-group where result will contain at least one value with an empty value no longer results in a TMM crash. A -value search will yield an empty string for the records that do not have a value.

---

639750 : username aliases are not supported

Component: Fraud Protection Services

Symptoms:
in is a common practice to use aliases for username. for example, an app might allow users to login with either their ID, cell number, or nickname.
WebSafe doesn't support username aliases.

Conditions:
This is encountered when your application uses username aliases.

Impact:
You are unable to use username aliases in your applications.

Workaround:
None.

Fix:
providing new ANTIFRAUD irule command for setting username (replace username alias with the "real" username)

---

639744 : Memory leak in STREAM::expression iRule

Solution Article: K84228882

Component: Local Traffic Manager

Symptoms:
If you are using the STREAM::expression iRule with APM, the stream filter can leak memory.

Conditions:
This can occur when using the STREAM::expression iRule with an APM virtual.

Impact:
This causes a memory leak in tmm.

Workaround:
None.

Fix:
This release fixes a memory leak in STREAM::expression iRule.

---

639729 : Request validation failure in AFM UI Policy Editor

Solution Article: K39428424

---

639674 : Blackhole management routes don't work

Component: TMOS

Symptoms:
When a management route of type blackhole is added, Linux does not end up with any blackhole routes. For the default route, nothing is created. For more specific routes, an interface route out the management interface is created.

Conditions:
Creating a blackhole management route.

Impact:
Management traffic will not be ignored and sent to the blackhole management route.

Workaround:
None.

Fix:
BIG-IP now allows blackhole management routes to be created.

---

639630 : Searching for signatures with overrides in the policy returns incorrect results

Component: Application Security Manager

Symptoms:
1) Searching for Policy Attack Signatures with Overrides "On URLs" or "On HTTP headers" then all signatures are shown, regardless of whether they have overrides or not.
2) Searching for Policy Attack Signatures with Overrides "On XML profiles"/"On JSON profiles"/"On GWT profiles"/"On Plain Text profiles" then no signatures are shown, regardless of whether they have overrides or not.

Conditions:
Signature specific overrides are applied on URLs, Headers, or Content Profiles.

Impact:
No easy way to search for which signatures have overrides defined.

Workaround:
None.

Fix:
Searching for signatures with overrides now works correctly.

---

639575 : Using libtar with files larger than 2 GB will create an unusable tarball

Component: TMOS

Symptoms:
Programs such as qkview will create a .tar file (tarball) using libtar and if any of the files collected is greater than 2 GB, the output tar file cannot be read by /bin/tar.

Conditions:
The file collected via libtar (e.g., by qkview or other program dynamically linking with /usr/lib/libtar-1.2.11) is greater than 2 GB.

Impact:
You will be unable to submit a qkview to iHealth for analysis. Other applications using libtar will produce invalid tar files.

Workaround:
The qkview tarball can be extracted with /usr/bin/libtar, but the offending file will be a zero-length file. Alternatively, the offending file that is greater than 2 GB must be removed from the system prior to running qkview or other program that uses libtar.

Fix:
With the fix to 3rd party software, libtar, programs using libtar no longer create an unusable tarball when dealing with files larger than 2 GB.

---

639516 : Improve traffic distribution on backplane links

Component: TMOS

Symptoms:
For chassis based platforms such as 2400 and 4800, there is a primary link and a secondary link from a blade to every other blade in the chassis. Both hidden links form a trunk. Sometimes the traffic is not divided between both links in a uniform way.

Conditions:
The exact condition under which this occurs is not well defined, but depends on the traffic.

Impact:
One link may be quite busy, while the other link is relatively idle.

Workaround:
None.

Fix:
The fix improves the hashing algorithm such that traffic is distributed between both links in a more uniform way.

---

639505 : BGP may not send all configured aggregate routes

Component: TMOS

Symptoms:
As a result of a known issue, BGP may not send all configured Aggregate routes if one is a supernet of another.

Conditions:
- BGP established sessions.
 - BGP configuration contains several aggregate routes, one or more being a supernet of others.

Impact:
The smaller prefix aggregate (least specific), may not be sent to the BGP peer.

Fix:
BGP now sends all configured aggregates

Behavior Change:
BGP now sends all configured aggregates, even if one is supernetwork of another.

---

639500 : BD crash fix

Component: Application Security Manager

Symptoms:
A crash of the bd daemon.

Conditions:
Specific configuration and traffic.

Impact:
Traffic resets and /or failover.

Workaround:
N/A

Fix:
BD crash scenario was fixed.

---

639486 : TMM crash due to PEM usage reporting after a CMP state change.

Component: Policy Enforcement Manager

Symptoms:
TMM crash due to a code assertion resulting in potential loss of service.

Conditions:
A CMP state change due to a card reboot, disable, enable, insert or remove should have occurred while or right before a PEM usage reporting action.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Instead of asserting, handled the error condition gracefully.

---

639411 : Explicit URLs are shown if Wildcard URLs Order is on.

Component: Fraud Protection Services

Symptoms:
Explicit URLs are shown if Wildcard URLs Order is on.

Conditions:
Provision and license FPS.
Add several Explicit URLs and Wildcard URLs.

Impact:
Although only Wildcard URLs should show, the system also shows Explicit URLs in the FPS GUI.

Workaround:
This is a cosmetic issue that does not indicate an issue.

Fix:
Explicit URLs no longer appear if Wildcard URLs Order is on. This is correct behavior.

---

639395 : AVR does not display 'Max read latency' units.

Component: Application Visibility and Reporting

Symptoms:
AVR does not display units for 'Max Read Latency'.

Conditions:
AVR, ASM, DoS, or AFM are provisioned.

Impact:
No units are displayed.

Workaround:
1. Edit the following file: /etc/avr/monpd/monp_disk_info_measures.cfg.
2. Add the following line at line 63: units=microsecond.
3. Restart monpd.

Fix:
Added units (microsecond) to AVR report.

---

639383-1 : ILX HTTP headerNames are not being properly treated as case insensitive

Component: Local Traffic Manager

Symptoms:
ILX HTTP headerNames are treated as case-sensitive. They should be treated as case-insensitive.

Conditions:
Using an ILX plugin with a virtual server that has an HTTP profile.

Impact:
The ILX plugin must be written to be aware of case when handling HTTP headerNames.

Workaround:
None.

Fix:
headerNames are now handled as case-insensitive.

---

639349 : LTM 11.6.1 - Weblogic iApp inserts WL-Proxy-Client-IP header with route domain

Component: TMOS

Symptoms:
iApp incorrectly uses the entire IP address string, including route domain [IP::client_addr], when constructing the WL-ProxyClient-IP header via an iRule. Route domain suffix should be stripped.

Conditions:
This occurs if you add a route domain to incoming client traffic and deploy the f5.bea_weblogic iApp template.

Impact:
Weblogic servers fail to parse the packet header.

Workaround:
Modify the irule to use [getfield [IP::client_addr] "%" 1]

Fix:
Fix builds the correct irule for handling route domains in Weblogic deployments.

---

639288 : OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately.

Component: Access Policy Manager

Symptoms:
OAuth Authorization Server - OAuth Profile is not listing associated Access Profiles appropriately. The Access Profiles list shows duplicate OAuth profile names.

Conditions:
An OAuth profile is associated with multiple Access Profile.

Impact:
Selection of Access Profile (i.e., clicking link) on OAuth Profiles list, doesn't show the expected Access Profile properties page.

Workaround:
Switch to Access profiles list page and select the profile directly.

Fix:
Now the GUI displays associated Access Profiles with the OAuth profile on OAuth Profiles list page correctly.

---

639283 : Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Component: Access Policy Manager

Symptoms:
Custom Dialer/Windows logon integration doesn't work against Virtual Server with untrusted SSL certificate

Conditions:
* Virtual Server has untrusted certificate
* Using Custom Dialer or Windows logon integration features on client machine for establishing secure VPN

Impact:
Windows logon integration doesn't work. Cannot establish secure VPN connection before logging in to the machine.

Custom dialer doesn't work. Cannot establish secure VPN using Dial-up entry.

Workaround:
- Install trusted certificate to Virtual Server or whitelist untrusted certificate on the client machine.
or
- Use Edge Client to establish secure VPN connection.

Fix:
The Custom Dialer/Windows Logon Integration feature now shows a certificate warning when the certificate is untrusted by the client. This allows the logon to proceed if the user accepts the certificate.

---

639236 : Parser doesn't accept Contact header with expires value set to 0 that is not the last attribute

Solution Article: K66947004

Component: Service Provider

Symptoms:
Incoming SIP REGISTER messages are rejected by the SIP MRF parser when they contain Contact header expires value set to 0 that is not the last attribute

Conditions:
If the Contact header has an expires value of 0 and it's not the last attribute, for example:
Contact: <sip:+414000400@10.0.0.42:5060>;expires=0;q=0.1.

Impact:
REGISTER is rejected with a '400 Bad request' error message

Workaround:
None.

Fix:
Updated SIP parser to handle a Contact header with an expires value set to 0 that is not the last attribute.

---

639049 : Virtual Server creation ignores translate-address setting with wild card destination

Component: TMOS

Symptoms:
translate-address attribute ignored during virtual server creation, when destination is all zeroes and net mask is not specified.

Conditions:
Creating virtual server with wild card destination, no net mask, and translate-address set to enabled.

Impact:
translate-address can only be set to disabled during creation.

Workaround:
Either set translate-address after creation, or specify net mask for virtual server creation.

Fix:
Translate-address flag will now be honored when set while creating virtual server.

---

639039 : Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons

Solution Article: K33754014

Component: Local Traffic Manager

Symptoms:
Changing the BIG-IP host name causes tmrouted to restart the dynamic routing daemons.

Conditions:
Dynamic routing in use, and you change the host name of the BIG-IP.

Impact:
Dynamic routing information is lost and must be relearned.

Workaround:
When using dynamic routing, only change the host name during a maintenance window.

---

638997 : Reboot required after disk size modification in a running BIG-IP VE instance.

Component: TMOS

Symptoms:
- BIG-IP VE supports disk size modification during the lifetime of a running instance to expand or reduce the disk size that was allocated at the time of deployment.

- A reboot is required after any such modification in the disk size for the changes to take effect. In previous versions, the reboot happened automatically but an affected BIG-IP VE will not have the reboot happening automatically.

- Due to the lack of reboot, changes in disk size do not take effect on the BIG-IP system.

Conditions:
Modifying disk size in a running BIG-IP VE instance.

Impact:
Changes in the disk size do not take effect till BIG-IP system is rebooted.

Workaround:
Manually reboot the running BIG-IP VE instance after making changes in disk size.

Fix:
Reboot required after disk size modification in a BIG-IP VE instance.

---

638967 : SSL Forward Proxy not to cache forged certificate if soft_vfyresult indicating an 'untrusted CA' or 'expired cert'

Component: Local Traffic Manager

Symptoms:
The system caches a forged certificate when Forward Proxy (FWDP) server-side soft_vfyresult shows an untrusted CA or an expired cert. There is no method of overriding that behavior.

Conditions:
Using FWDP.
Server-side soft_vfyresult shows an untrusted CA or an expired cert.

Impact:
No method to override the caching behavior.

Workaround:
None.

Fix:
In this release, you can configure SSL forward proxy to not cache the forged certificate on the client side if the server-side SSL enables the sys db variable tmm.ssl.servercert_softval and the backend server certificate soft verify_result showing a 'untrusted CA' or 'expired certificate'.

Behavior Change:
In this release, you can configure SSL forward proxy to not cache the forged certificate on the client side if the server-side SSL enables the sys db variable tmm.ssl.servercert_softval and the backend server certificate soft verify_result showing a 'untrusted CA' or 'expired certificate'.

---

638960 : A subset of the BIG-IP default profiles can be incorrectly deleted

Component: TMOS

Symptoms:
On the BIG-IP system, default profiles should not be deletable. However, the system incorrectly allows a subset of them to be deleted. Known affected profiles include all default persistence and http profiles.

Conditions:
The issue occurs when someone attempts to delete a susceptible profile via TMSH, iControl SOAP or iControl REST. The issue does not occur when using the WebUI (where susceptible profiles are not selectable for deletion).

Impact:
If a default profile is missing from the configuration, several issues may arise. For instance, the configuration may fail to load or save, and the WebUI may fail to display certain screens.

Fix:
The system no longer allows certain default profiles to be deleted.

---

638825 : SNMP Get of sysInterfaceMediaActiveSpeed returns wrong value for 100000SR4-FD

Component: TMOS

Symptoms:
Value returned for sysInterfaceMediaActiveSpeed OID has value of 80 for interface with type 100000SR4-FD instead of value of 100000.

Conditions:
This always occurs for this type of interface.

Impact:
User sees wrong value for this interface in SNMP get. Value is correct in tmsh 'show net interface'.

Workaround:
Use tmsh to obtain the value by running the following command: show net interface. Note: There is no workaround in SNMP.

---

638799 : Per-request policy branch expression evaluation fails

Component: Access Policy Manager

Symptoms:
Per-request policy branch expression evaluation fails and you see the following in /var/log/ltm:

info tmm[20278]: 01870007:6: /Common/<policy>:Common:640446c9: Executed expression (expr { [mcget {perflow.category_lookup.failure}] == 1 || [mcget {perflow.response_analytics.failure}] == 1 }) from policy item (Category Lookup) with return value (Failed)

Conditions:
Per-request policy branch expression evaluation fails for any non-Access (non-APM) iRule events that are attached to the virtual server.


The evaluation does not trigger for some requests when, in the same connection, the virtual server gets a request for an internal Access whitelisted URL, and then request for backend resource URIs.

Impact:
Per-request policy branch expression evaluation fails. If Access gets a request for whitelisted URL, the system disables all iRule events except the following:

   #define ACCESS_ALLOWED_IRULE_EVENTS ( \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_STARTED) | \
       ((UINT64)1 << TCLRULE_ACCESS_SESSION_CLOSED) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_AGENT_EVENT) | \
       ((UINT64)1 << TCLRULE_ACCESS_POLICY_COMPLETED))

Workaround:
None.

Fix:
Per-request policy branch expression evaluation now complete successfully for non-Access (non-APM) iRule events that are attached to the virtual server.

---

638715 : Multiple Diameter monitors to same server ip/port may race on PID file

Component: Local Traffic Manager

Symptoms:
Two 'Diameter_monitor' instances probing the same server (IP/port) from different pools may interfere with each other, causing one of the monitor instances to fail. This is caused by a possible race in creating a PID file for this 'Diameter_monitor' configuration.

Conditions:
Configuration with multiple Diameter monitors probing the same server IP/port.

Impact:
One Diameter monitor may fail, while the other Diameter monitor to the same server IP/port succeeds. On subsequent probe-retry, the failed monitor may now succeed.

Workaround:
A possible work-around is to establish different monitor periods for the two pools (such as 28 seconds and 31 seconds), so a simultaneous probe-collision will fail one monitor once, which upon retry will succeed (as three monitor failures are required for a virtual server to be marked down).

Fix:
The fix includes the monitor-template name in the generation of the PID file, which ensures multiple Diameter monitor instances probing the same server (IP/port) do not interfere with each other.

---

638629 : Bot can be classified as human

Component: Application Security Manager

Symptoms:
A bot is classified as human in a rare case.

Conditions:
Web scraping is turned on. The CSHUI is tried on the user.

Impact:
Bot traffic gets classified as human by ASM.

Workaround:
N/a

Fix:
Fixed the CSHUI algorithm to have better bot detection.

---

638594 : TMM crash when handling unknown Gx messages.

Component: Policy Enforcement Manager

Symptoms:
TMM crash resulting in potential loss of service.

Conditions:
PCRF sends unsupported Gx messages to PEM.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Add support for identifying unknown messages types and handle them gracefully.

---

638576 : Modified ASM Cookie violation is off by default

Component: Application Security Manager

Symptoms:
Modified ASM Cookie violation is not active by default when creating a new policy.

Conditions:
This occurs when creating a new policy.

Impact:
The Modified ASM Cookie Violation isn't enabled.

Workaround:
Manually enable the Modified ASM Cookie Violation.

Fix:
Modified ASM Cookie violation will be activated in new Policy.

---

638573 : SPM and Subscriber Management profile modifications are incorrectly allowed at the PEM Data plane listener level.

Component: Policy Enforcement Manager

Symptoms:
While the PEM listener shows the modified profiles, the underyling listeners do not.

Conditions:
PEM Data plane listeners need to be present.

Impact:
Inconsistency between administrative and operational configuration.

Workaround:
Modify the profiles of the underyling virtuals to those of the PEM data plane listener.

Fix:
Modification of SPM and Subscriber Management profiles at the PEM Data plane listener level is now prevented.

---

638556 : PHP Vulnerability: CVE-2016-10045

Solution Article: K73926196

---

638495 : Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile

Component: Advanced Firewall Manager

Symptoms:
Auto-thresholds are not applied for two vectors on per-VS DNS/SIP DoS profile.

Conditions:
DNS and SIP DoS profiles have enabled all vectors that have auto-thresholds support.

Impact:
No auto-threshold detection for SIP OTHER DOS, SIP PRACK method DOS, DNS IXFR query DOS, DNS OTHER DOS.

Workaround:
None.

Fix:
Auto-thresholds now work for all expected vectors on per-VS DNS/SIP DoS profile.

---

638219-1 : L4 BDoS incorrectly learns traffic after learning period in learn-only mode

Component: Advanced Firewall Manager

Symptoms:
L4 BDoS incorrectly learns traffic after learning period in learn-only mode.

Conditions:
-- L4 BDoS.
-- Learn-only mode.
-- Expired learning period.

Impact:
Traffic that has already been learned is learned again.

Workaround:
None.

Fix:
The delayed threshold is now propagated (at least once) after the traffic stops and then delayed threshold is reset so that traffic is learned as expected.

---

638170 : Pagination broken or missing while viewing pool statistics for GTM wideip

Solution Article: K36455356

Component: Global Traffic Manager (DNS)

Symptoms:
Error occurs while viewing pool statistics for GTM wideip if the number of pools are more than what can be displayed in a single screen.

Conditions:
When the number of pools are more than what can be displayed as specified in the System :: Preferences :: Record Per Screen setting.

Impact:
Unable to view the statistics of GTM wideip pools beyond those displayed on the screen.

Workaround:
Increase the number of Records Per Screen (System :: Preferences :: Records Per Screen) to a number larger than the number of pools in the GTM wideip.

Fix:
Can now view the statistics of GTM wideip pools beyond those displayed on the initial screen.

---

638115 : DoS Visibility page on a system under stress can cause GUI timeouts and disconnections

Component: Application Visibility and Reporting

Symptoms:
On a system with a lot of AVR related data for DoS Attacks, it might take a while to load the data needed for display on DoS Visibility pages. GUI queries the backend for all the required data simultaneously, which can cause the web server to attempt to handle too many open connections, and result high CPU usage.

Conditions:
Large amounts of data for DoS Attacks

Impact:
Instability in GUI usage. Performance degradation. Potential disconnections.

Workaround:
None.

Fix:
Optimizations were done both on the back-end/database side and on the GUI side. GUI will now throttle its queries to the server.

---

638086 : Data publisher not found or not implemented when processing request

Component: TMOS

Symptoms:
The system logs the following message to /var/log/ltm with level 'warning: Data publisher not found or not implemented when processing request.

Conditions:
This occurs when a client requests information that is provided by a publisher via mcpd proxy before the publisher registers with mcpd.

Impact:
It may raise concerns that something is actually wrong when in fact it is a timing issue.

Workaround:
None.

Fix:
The message is now logged with a notice level instead of a warning level.

---

637994 : Safenet keys now use SHA-256 digest instead of SHA-1 digest.

Component: Local Traffic Manager

Symptoms:
SafeNet keys originally defaulted to using a SHA-1 digest. Using SHA-1 is no longer recommended.

Conditions:
Make a SafeNet key using fipskey.nethsm.

Impact:
Keys use a less secure digest.

Workaround:
None.

Fix:
SafeNet keys, when made via tmsh, now use sha-256 as the digest algorithm. Prior to this, SafeNet keys would use SHA-1 for the digest.

---

637745 : Edge client may terminate session sooner than what is specified in inactivity timeout

Component: Access Policy Manager

Symptoms:
In some cases, APM session may be terminated in 15 minutes even if inactivity timeout is much longer

Conditions:
- Inactivity timeout on APM is set to more than 15 minutes.
- Edge client is unable to re-establish VPN session for 15 minutes.

Impact:
APM session will be terminated and user will be required to authenticate again.

Workaround:
None.

Fix:
Now Edge Client will not blindly terminate the session in the face of 15 minutes of network connection failure. Instead, it will attempt to re-establish the VPN connection using the existing APM user session if that session's maximum timeout value is not yet reached.

---

637666 : PHP Vulnerability: CVE-2016-10033

Solution Article: K74977440

---

637664 : Vector (multi-options) lists values are not inherited if parent profile is changed.

Component: Fraud Protection Services

Symptoms:
Vector (multi-options) lists values, (like "Application CSS Locations" or "Allow URLs from these external domains") are not inherited if parent profile is changed.

Conditions:
Provision and license FPS.
Create 2 or more Anti-Fraud profiles.

Impact:
Can cause a mismatched configuration.

Workaround:
Manually fill the appropriate values or use tmsh or Rest API to edit those values.

Fix:
Vectors now inherit values from parent profile.

---

637561 : Wildcard wideips not handling matching queries after tmsh load sys from gtm conf file twice

Component: TMOS

Symptoms:
The wildcard wideip is not functioning as a wildcard wideip, but as a regular wideip.

Conditions:
Run tmsh load after the wildcard wideip is created:
# tmsh load sys conf gtm-only.

Impact:
Wildcard wideips are not returning wildcard requests correctly.

Workaround:
reload mcpdb using commands:
# touch /service/mcpd/forceload
# bigstart restart mcpd

Fix:
Wildcard wideips now handle matching queries after tmsh load sys from gtm conf file twice.

---

637516 : Copying a Child Security Policy as a Parent Security Policy Leaves Elements Uneditable

Component: Application Security Manager

Symptoms:
If a Parent copy is made Security Policy that had inherited elements, those elements may not be editable in the new Parent Policy.

Conditions:
A Parent copy is made Security Policy that had inherited elements.

Impact:
Elements may not be editable in the new Parent Policy.

Workaround:
Export the policy as XML and import it as a Parent Policy.

Fix:
Copying a Child Security Policy as a Parent Security Policy now allows editing of settings.

---

637308 : apmd may crash when HTTP Auth agent is used in an Access Policy

Component: Access Policy Manager

Symptoms:
apmd may crash when HTTP Auth agent is used in an Access Policy.

Conditions:
This might occur on heavy load, when AAA HTTP Server is configured in 'Form based' or 'Custom body' mode.

The probability of occurrence is greater if there are session variables specified in the AAA HTTP Server configuration.

Impact:
apmd daemon crash. APM cannot process requests until apmd starts up again.

Workaround:
Use basic auth, or do not use HTTP Auth.

Fix:
apmd no longer crashes when HTTP Auth agent is used in an Access Policy.

---

637227 : DNS Validating Resolver produces inconsistent results with DNS64 configurations.

Solution Article: K60414305

Component: Global Traffic Manager (DNS)

Symptoms:
A DNS Validating Resolver incorrectly validates DNS responses received from A queries made as a result of a front-end AAAA query received on a profile with DNS64 configured.

A SERVFAIL response may be sent to the client unless the Validating Resolver cache has previously successfully validated a front-end A query. In this scenario where the A records already exist in the cache, the expected DNS64 AAAA records are synthesized.

Conditions:
This issue may be observed with a DNS Validating Resolver configured on a DNS profile with DNS64 configured when processing AAAA queries.

Impact:
Incorrect SERVFAIL responses for AAAA queries that should get valid responses.

Workaround:
None.

Fix:
DNS validation now occurs as expected, resulting in valid answers to AAAA queries.

---

637181 : VIP-on-VIP traffic may stall after routing updates

Component: Local Traffic Manager

Symptoms:
After a routing update traffic for an existing connection sent to a VIP-on-VIP virtual server may be sent directly to the destination address instead of to the inner virtual server.

Conditions:
VIP-on-VIP configuration and static or dynamic routing changes.

Impact:
Existing connections to the outer VIP may stall.

Workaround:
None.

Fix:
Connections to VIP-on-VIP virtual servers no longer stall after routing updates.

---

637141 : TMM core after deleting POLICY and executing command: show net ipsec ike-sa.

Component: TMOS

Symptoms:
TMM core after deleting POLICY and executing the following command: show net ipsec ike-sa.

Conditions:
-- IKEv1 configured and tunnel established.
-- Traffic is running.
-- IKEv1 peer reconfigured with proxy support as disabled.

Impact:
TMM cores after some hours, or immediately after running the command: show net ipsec ike-sa. Traffic disrupted while tmm restarts.

Workaround:
Do not delete a policy while an IPsec connection is active.

Fix:
TMM no longer cores after deleting POLICY and executing the following command: show net ipsec ike-sa.

---

637094-1 : The iRules LX streaming external data-group API may incorrectly not find a match.

Component: Local Traffic Manager

Symptoms:
The iRules LX streaming data-group API for external data-groups may incorrectly not find a match when the following commands are used:
- searchStartsWith (case insensitive search only)
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).

The following commands are not affected:
- matchEquals/searchEquals.
- matchStartsWith.

Conditions:
There are no conditions for the failure. Using the specified commands will most likely fail. Note: If the data-group is relatively small in size (e.g., approximately 10 records), it is possible that the issue will not happen.

Impact:
The specified commands will incorrectly not find a match when there is one.

Workaround:
None.

Fix:
The iRules LX streaming external data-group API now correctly find a match when the following commands are used:
- searchStartsWith (case insensitive search only).
- matchEndsWith/searchEndsWith (any search types).
- matchContains/searchContains (any search types).
.

---

637069 : BIG-IP unstable when SCTP tx_chunks and rx_chunks configuration values are set incorrectly

Solution Article: K85255027

Component: TMOS

Symptoms:
The BIG-IP crashes repeatedly when attempting to establish an SCTP association.

Conditions:
When the values 'tx_chunks' or 'rx_chunks' in an SCTP profile are set to an integer multiple of 65,536, the BIG-IP will crash during traffic processing.

Impact:
Traffic processing will be disrupted as the BIG-IP restarts, and the SCTP virtual server may be unusable for the entire time that the profile misconfiguration is in place.

Workaround:
Set the tx_chunks and rx_chunks values in the SCTP profile to no more than 65,535 and no less than 1.

Fix:
Validation has been added so SCTP tx_chunks and rx_chunks configuration values cannot be set to more than 65,535 or less than 1.

---

636866 : OAuth Client/RS secret issue with export/import

Component: Access Policy Manager

Symptoms:
When the access profile with a OAuth Client/RS agent is configured, the OAuth server objects has a client secret and/or resource server secret to be configured.
When such an access profile is exported and then imported, the client secret or resource server secret may not be imported properly.

Conditions:
In OAuth client/RS use case, when an access profile is configured with OAuth client or Scope Agent.

Impact:
The APM OAuth client or Scope Agent may not run properly and end up in the fallback branch.

Workaround:
After importing the access profile, the OAuth server object needs to be modified with the proper client secret or resource server secret.

Fix:
Now Per-request access policies that include objects with encrypted information such as client or resource server secrets, RADIUS secrets, and the like are imported and exported correctly.

---

636853 : Under some conditions, a change in the order of GTM topology records does not take effect.

Component: Global Traffic Manager (DNS)

Symptoms:
A change in the order of topology records does not take effect in GTM until the configuration is reloaded or a topology record is added or deleted.

Conditions:
This occurs only when Longest Match is disabled and the order of topology records is changed without adding or deleting records.

Impact:
In certain configurations, the topology load balancing decision may not be made correctly.

Workaround:
Reload the GTM configuration or add/delete a topology record.

Fix:
Changes in the order of topology records now take effect immediately.

---

636790 : Manager role has Create, Update, and Release access to Datacenter/links/servers/prober-pool/Topology objects but throws general error when complete.

Component: Global Traffic Manager (DNS)

Symptoms:
While logged in as a Manager role, if a user attempts to modify an object this role does not have access to, the GUI will post a validation error.

Conditions:
This occurs when users in the Manager role make changes to Datacenter links/servers/prober-pool/Topology.

Impact:
The system posts generic validation errors when Create, Update, Delete actions are initiated by a user without proper permissions. These permissions are not allowed for the Manager, but the GUI makes it appear as if they are.

Workaround:
None.

Fix:
The GUI now properly hides or disables the action buttons if a user does not have proper permissions to perform the action.

---

636744 : IKEv1 phase 2 SAs not deleted

Solution Article: K16918340

Component: TMOS

Symptoms:
The BIG-IP system will not start phase 1 or phase 2 ISAKMP negotiation after an Active -> Standby -> Active failover within a short period of time.

Conditions:
The HA Active BIG-IP system goes Standby and then becomes Active again within the phase 2 lifetime.

Impact:
IPsec tunnel(s) is/are not initiated by the BIG-IP system. Network connectivity is broken between the private networks.

Workaround:
Option 1: Switch to IKEv2 and 12.x, which skips the problem altogether. This combination will mirror the SAs and so deleting existing SAs upon failover is not required.

Option 2: Edit /config/failover/active and add the following two lines at the end:

logger -p local0.notice "Employ ID636744 workaround. Purge IPsec phase2 SAs."
tmsh delete net ipsec ipsec-sa

---

636702 : BIND vulnerability CVE-2016-9444

Solution Article: K40181790

---

636700 : BIND vulnerability CVE-2016-9147

Solution Article: K02138183

---

636699 : BIND vulnerability CVE-2016-9131

Solution Article: K86272821

---

636693 : The WCCP client source-ip mask may now be configured.

Component: Wan Optimization Manager

Symptoms:
The BIG-IP system sends a source-ip mask of 0x0 which does not permit the Web Cache Communication Protocol (WCCP) server to load balance connections across multiple WCCP clients, i.e., BIG-IP systems.

Conditions:
Using WCCP on the BIG-IP system.

Impact:
The BIG-IP system with the longest WCCP connection uptime will handle all traffic.

Workaround:
None.

Fix:
The source-ip mask may now be configured via tmsh for WCCP.

---

636669 : bd log are full of 'Can't run patterns' messages

Component: Application Security Manager

Symptoms:
The bd log are getting filled up with 'Can't run patterns' messages. A core might occur due to the i/o outage. General traffic disturbance/slowness might occur.

Conditions:
Configuration change that relates to attack patterns happens while there is heavy traffic.

Impact:
Potential traffic outage/slowness. 'Can't run patterns' messages filling up the bd log file.

Workaround:
None.

Fix:
Fixed log throttling issue related to attack patterns configuration change.

---

636666 : New Threat Categories Identification in IP Intelligence Subscription Service

Component: TMOS

Symptoms:
There are two new threat categories detected by Webroot, but they are not supported in IP Intelligence service.

Conditions:
The system uses the Webroot SDK to download IP addresses with threats from Webroot server.

Impact:
Cannot block IP addresses from these new categories and cannot distinguish them from existing categories.

Workaround:
None.

Fix:
Mobile threats and tor proxies are added to the IP Address Intelligence Categories options while illegal websites were removed.

---

636633 : DHCP: DHCP PEM sessions are not cleared (until idle timeout) after ip release from client in some cases

Component: Policy Enforcement Manager

Symptoms:
In some scenario, DHCP IP release messages received by BIG-IP do not trigger corresponding PEM sesssions to be removed from sessionDB. These sessions will removed after timeout.

Conditions:
1)RUN DHCP DORA process to create PEM sessions via DHCP(relay or forwarding mode)
2)Wait for sometime (1-2 minutes)
3)Send DHCP renewal message to BigIP.
5)Send DHCP release message to BigIP.
6)Check sessionDb to see if the corresponcing PEM session is deleted.

The problem only happens if the DHCP renewal/release did arrive at the tmm where sessionDB is located.

Impact:
Session deletion will not happen immediately.
But client does not typically send DHCP release, so the chance
for this to happen in real-world environments is small.

Workaround:
1)Delete PEM session manually or
2)Wait for PEM session to timeout

Fix:
Remove PEM session from sessionDB regardless which tmm DHCP IP release is reveived

---

636573 : After changing ike-peer change from IKEv2 to IKEv1 racoon does not get updated.

Solution Article: K75870356

Component: TMOS

Symptoms:
1. Two peers, one with IKEv2 ike-peer configured and the other with IKEv1 ike-peer configured.
2. Reboot IKEv2 peer.
3. Attempt to initiate tunnel from IKEv2 peer side. Won't work (that's expected).
4. Correct the IKEv2 peer to use IKEv1.
5. Attempt to initiate tunnel from 'new' IKEv1 peer side. Won't work (no policy found is logged).

Still cannot initiate tunnel after switching from IKEv2 to IKEv1.

Conditions:
Changing IKE version from IKEv2 to IKEv1.

Impact:
IPsec does not work.
You must reconfigure the two ike-peers from the start, or restart tmipsecd.

Workaround:
Configure the IKE peers to use IKEv1 at initial configuration, or restart tmipsecd after changing the configuration from IKEv2 to IKEv1.

Fix:
IPsec now supports changing the configuration from IKEv1 to IKEv2 after initial configuration setup.

---

636520 : Detail missing from power supply 'Bad' status log messages

Solution Article: K88813435

Component: TMOS

Symptoms:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, no detail is included which indicates which characteristic of the power supply's state is resulting in a 'Bad' overall status for the power supply.
In this scenario, the message logged at default logging level contains information similar to the following:
... crit chmand[...]: 012a0013:2: Blade 0 hardware sensor critical alarm: Power Supply 2 GPIO status(SPAFFIV03G): Bad

Conditions:
This occurs when the system posts an internal hardware sensor alert.

Impact:
Unable to diagnose cause of 'Bad' power supply status at default logging level to determine whether the probable cause is due to a power supply hardware fault or a possible external power source issue.

Workaround:
If power supply errors continue to be logged:

1. Set the libhal logging level to 'Debug':
tmsh mod sys db log.libhal.level { value "Debug" }

2. Let the system run in this configuration for at least a few minutes to collect a number of chmand error logs, such as:
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x3 pin:0x2 action:0xd
... debug chmand[...]: 012a0007:7: Received Sensor Alert: sensor id 0x16f slot 0xff
... debug chmand[...]: 012a0007:7: Power Supply 1 alert objid:0x16f local:1 status:0x1 pin:0x2 action:0x3.

3. Set the libhal logging level back to 'Notice':
tmsh mod sys db log.libhal.level { value "Notice" }

4. Take a qkview or an archive of /var/log/ltm, and engage F5 Professional Services for further analysis.

Fix:
When an internal hardware sensor alert is received indicating a 'Bad' power supply status, additional detail is now logged to help identify the cause of the 'Bad' overall status for the power supply.

---

636377 : Some metric terms are confusing.

Component: Application Visibility and Reporting

Symptoms:
Metric names are unclear in the TCP Analytics profile ('Denied Accepts', 'Accepted Connections').

Conditions:
This occurs in the GUI, in tmsh, and when using REST.

Impact:
The terms are confusing. Denied Accepts is intended to mean that the connection was not accepted, and Accepted Connections was intended to mean that the connection was accepted.

Workaround:
None needed. This is a cosmetic issue.

Fix:
The metric names are renamed as follows.
On GUI:
1. 'Denied Accepts' is now 'Not Accepted'.
2. 'Accepted Connections' is now 'Accepted'.

On tmsh:
1. 'accepts' is now 'accepted'.
2. 'accept_fails' is now 'not-accepted'.

The changes appear in the following locations:
1. GUI:
    a. Statistics :: Analytics : Virtual Servers : TCP : Connections.
    b. Statistics :: Analytics : Virtual Servers : UDP : Connections.

2. tmsh:
    a. show analytics tcp report view-by <entity> measures { ... }.
    b. show analytics udp report view-by <entity> measures { ... }.

---

636289 : Fixed a memory issue while handling TCP::congestion iRule

Component: Local Traffic Manager

Symptoms:
Increased memory usage in tmm.

Conditions:
TCP::congestion highspeed iRule is executed for the TCP connection. The issue is only observed for highspeed congestion control.

Impact:
The memory allocated for congestion control is not freed.

Workaround:
If it is desired to use highspeed congestion control under some conditions, it is possible to start with highspeed by choosing highspeed congestion control in the TCP profile and switch to other desired congestion control when condition does not hold. With this workaround, once congestion control is changed to something other than highspeed, it is not possible to switch back to highspeed again.

Fix:
Improved memory utilization while using TCP::congestion iRule.

---

636254 : Cannot reinitiate a sync on a target device when sync is completed

Component: Access Policy Manager

Symptoms:
After a policy sync is successful, re-initating a sync fails with the following error:
"PolicySyncMgr: Sync already in progress for policy xxx"

Conditions:
This occurs rarely when performing a sync after a successful sync.

Impact:
You cannot re-sync a policy. This is a rare occurrence, and after waiting a small amount of time sync should start working again.

Fix:
Now APM Policy Sync no longer hangs in rare cases with the message: "PolicySyncMgr: Sync already in progress for policy xxx"

---

636167 : checkcert utility does not process certificates that reside outside of /Common partition

Component: TMOS

Symptoms:
The checkcert utility does not process certificates that reside outside of /Common partition.

Conditions:
One or more certificates reside outside of /Common partition.

Impact:
Certificates that reside outside of /Common partition may expire without notifying end-administrator.

Workaround:
None.

Fix:
The checkcert utility now processes certificates that reside in any partition on the BIG-IP system, not just the ones in the /Common partition.

---

636160 : Clicking on the Validation timeout and Idle Timeout column headers would result in an error

Solution Article: K21310670

Component: Access Policy Manager

Symptoms:
If you click on the Validation timeout and Idle Timeout columns under Overview/Access Sessions (formerly Managed Sessions), it will result in a general database error.

Conditions:
Click on the Column header of the 2 columns (Validation timeout and Idle Timeout) to try and sort them.

Impact:
The access sessions page will be unusable in the current session.

Workaround:
If the error occurs, use this to recover:

1. Logout of the BIG-IP session.
2. Clear the browser cache.
3. Login again.

Fix:
In the session viewer GUI, the Validation Timeout and the Idle timeout are no longer sortable, since they are not relevant to the session data. They are relevant to the sub-session data, which is displayed only if it exists under the corresponding session as leaf nodes.

---

636149-2 : Multiple monitor response codes to single monitor probe failure

Component: Local Traffic Manager

Symptoms:
A monitor probe failure to a monitor (such as HTTP) will be logged to '/var/log/ltm' when the probed resource is unavailable. In some cases for a probe resulting in an 'Unable to connect' error, multiple log entries will be made, with the *last* log entry being the error that triggered the log entry. The other monitor entries made during this event are not specifically relevant, as they are "stale" and due to previous monitor probe behavior that was previously logged.

This is due to an error where the 'Could not connect' event appends a previous error message, rather than overwriting a possibly-present previous error message.

Conditions:
A monitor probe to a monitor is attempted (such as over HTTP), resulting in an "Unable to connect" failure; and where that specific monitor previously reported an error (which is now appended).

Impact:
No system behavior is affected, but multiple log entries are made. The *final* log entry of "Could not connect" or "Unable to connect" is relevant, while the possible multiple log entries immediately above are "stale" and not relevant (as they are due to a previous issue that was previously successfully logged).

Workaround:
For an external monitor that generates a 'Could not connect' or 'Unable to connect' error, user should consider only the last-line for the '/var/log/ltm' log entry, and ignore possibly-present log entries associated with that specific monitor that might be appear immediately above the 'Could not connect' line.

Fix:
The code fix is to "clear" previous monitor-log errors when reporting a 'Could not connect' error, rather than appending a previous error that might be present.

---

636104-1 : If pool member is defined with port 0, member may not be visible on the HTTP dimension pane.

Component: Application Visibility and Reporting

Symptoms:
You are unable to see the pool member under the HTTP "pool" dimension.

Conditions:
Pool member is defined with port 0 and traffic is being sent to e.g. port 80.

Impact:
Not seeing the pool member under the HTTP "pool" dimension.

Workaround:
You can define a temporary pool member with the port that is being used (e.g. 80) and delete it after that.
But once defined once, it will go to the DB and will be shown from that point.
This is a partial workaround since it needs to be done for every port that is being used in traffic.

---

636044 : Large number of glob patterns affects custom category lookup performance

Component: Access Policy Manager

Symptoms:
The number of glob patterns in a custom category linearly affects custom category lookup compute times. For example, twice as many glob patterns will roughly double the CPU resources required to compute a match.

Conditions:
A large number of custom category glob patterns. The precise number is not so important as the observed effect of slow response times. However, more than 1000 glob patterns is known to cause a significant observed performance degradation.

Impact:
Slow response times to HTTP requests.

Workaround:
It may be possible to compress the large collection of glob patterns into fewer patterns.

Fix:
Glob pattern matching has been extended to be context sensitive. If the pattern includes the marker "://", a glob immediately before it is restricted to the scheme, and a glob immediately after it is restricted to the hostname. If the match can be satisfied with prefix matching, the pattern will be processed with a prefix comparison rather than as a glob. Also, multiple glob patterns are combined together to create a more optimal match pattern. If custom categories patterns use the context sensitive feature, custom category lookup will be optimized.

---

636031 : GUI LTM Monitor Configuration String adding CR for type Oracle

Solution Article: K23313837

Component: TMOS

Symptoms:
If the value entered in for the Configuration String textbox wraps in the GUI, a CR character is added to the configuration file.

Conditions:
Create or edit an LTM Monitor type Oracle. Enter a value in the Configuration String textbox so that it wraps to the next line. Click Finish/Update.

Impact:
The /config/bigip.conf file contains CR characters in the file.

Workaround:
Manually edit the /config/bigip.conf file and remove the CR characters.

Fix:
The GUI now handles wrapping text in the Configuration String textbox of an LTM monitor, so no CR character is added incorrectly.

---

636016-1 : VADC: when using an Intel XL710 SR-IOV nic a bigstart restart can re-order the interfaces and impact traffic

Component: TMOS

Symptoms:
After a bigstart restart, traffic no longer flows because interface ordering can change.

Conditions:
A Virtual Edition configuration with more than one XL710 SR-IOV interface.

Impact:
The VLANs will be assigned to the wrong interfaces, network traffic is blocked.

Workaround:
If VLANs do not exist or the config is not saved before bigstart restart, there is nothing to be done except assigning the right VLAN to the desired interface (1.X) after restart. The MAC address of interfaces can be used to identify the desired interface.

If a config with VLANs is saved before bigstart restart, run the following command:
-- bigstart stop (this brings the data plane ethX devices down)
-- f5-swap-eth -s (this reassigns the interfaces)
-- bigstart start (this restarts the system).

Or you can reboot the guest.

---

635999 : Portal Access: URL with backslashes in query/fragment parts may not work correctly

Component: Access Policy Manager

Symptoms:
If a URL contains backslashes in the query and/or in fragment parts, it may not be handled correctly in some cases for Internet Explorer and Chrome.

Conditions:
- HTML page with dynamically generated URL with backslashes in query and/or fragment parts, for example:
   http://example.com/some/file.html?param=aaa\bbb.
- Internet Explorer or Chrome browser.

Impact:
Query and/or fragment part of this URL may be mangled by replacing backslashes. In the example, the query part may be converted to the following string:
   ?param=aaa/bbb.
This may lead to incorrect behavior of web applications.

Workaround:
Use an iRule to correct query/fragment part string.

Fix:
Now URLs with backslashes in query and/or fragment parts are handled correctly by Portal Access.

---

635972 : Missing icons from custom fonts

Component: Access Policy Manager

Symptoms:
You may experience a missing icon that resides in custom fonts when using Internet Explorer and the client caching type is not set to "preserve".

Conditions:
- Internet Explorer.
- The client caching type is not set to "preserve".

Impact:
Page rendering. Not affects functionality.

Workaround:
Set the client caching type to "preserve" for fonts.

Fix:
Now icons are rendered correctly with Portal Access to Microsoft OWA 2016. A Hardcoded rule to preserve client side caching for fonts when it is enabled for CSS has been added.

---

635754 : Wildcard URL pattern match works inncorectly in Traffic Learning

Solution Article: K65531575

Component: Application Security Manager

Symptoms:
In the policy with URL learning mode set to ALWAYS, wildcard URL matching for *.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]" will prevent you from adding other wildcard destinations using policy builder.

Conditions:
Policy builder enabled. PolicyBuilder creates the wildcard urls "*.[Pp][Nn][Gg]", "*.[Jj][Pp][Gg]", "*.[Gg][Ii][Ff]".
If you need to manually create another wildcard url "/polo/images/*", the pattern match will be incorrect and you will not be able to accept the learning suggestion.

Impact:
You will not be able to accept the learning suggestion to the correct wildcard URL.

Workaround:
In order to get suggestions on the correct wildcard match, remove "png" from the URL list in the policy: To do so, navigate to Security :: Application Security :: Policy Building :: Learning and Blocking Settings :: URLs :: File types for which wildcard HTTP URLs will be configured (e.g., *.jpg).

Also make sure that you have correct wildcard order. Go to
Security :: Application Security :: URLs :: Wildcards Order :: HTTP URLs.

"/polo/images/*" should be above "*.[Pp][Nn][Gg]" in the list. If it is not, move it using "Up" button".

Fix:
Wildcard URL pattern match now works as expected in Traffic Learning

---

635703 : Interface description may cause some interface level commands to be removed

Component: TMOS

Symptoms:
Adding a description to the interface from within ZebOS may cause interface level routing protocol commands to be lost on restart.

Conditions:
- Add interface level description to a configuration with interface level routing protocol commands.
- Restart services, tmrouted, or reboot.

Impact:
Interface level commands after the description will not appear in the imish running config and will not be loaded/functional.

Workaround:
To prevent this issue, do not use interface-level descriptions.

If the issue has already occurred, and the configuration is not loading, you can manually correct it using the following procedure:
1. Stop tmrouted using the following command: bigstart stop tmrouted
2. Edit the ZebOS.conf from the corresponding route-domain file manually and remove the interface-level 'description' and 'no shutdown' commands.
3. Restart tmrouted using the following command: bigstart restart tmrouted.

Note: Performing the workaround procedure will temporarily disrupt dynamic routing, so care and adequate planning must be taken into consideration.

Fix:
Routing protocol interface commands are no longer lost with the addition of interface descriptions.

---

635680 : Link to DoS Visibility from a signature page starts with incorrect time-range

Component: Application Visibility and Reporting

Symptoms:
Link to DoS Visibility from a signature page starts with incorrect time-range

Conditions:
This can occur on the Security :: DoS Protection : Behavioral Signatures page

Impact:
Data is displayed for Last Hour, even though the signature might have been older

Workaround:
Change the time-range manually

Fix:
Correct time-range is loaded

---

635435 : DPD transmit timer has big variations

Component: TMOS

Symptoms:
DPD transmit timer had variation about 5 sec and it is OK for big values (like 60 sec) but too big for small values (like 6 sec)

Conditions:
small values of DPD timer make this problem visible

Impact:
This problem have (almost) no impacts.
The timer variations are visible on tcpdump or highest log level.
There is no real functionality effect.

Workaround:
Mostly cosmetic, does not require mitigation.

Fix:
After the fix the timer variations became dependable of the basic value and it looks good now.

---

635314 : vim Vulnerability: CVE-2016-1248

Solution Article: K22183127

---

635275 : Prefer P-256 to P-384 for ECDHE in client SSL, except when the server static key security is matching P-384

Component: Local Traffic Manager

Symptoms:
The BIG-IP system honors client preferences and prefers P-384 if a TLS client instructed the BIG-IP TLS server to do so.

Conditions:
When client supports both curve P-256 and P-384 for ECDHE in client-ssl profile

Impact:
The BIG-IP system prefers P-384 over P-256.

Workaround:
None.

Fix:
The new behavior follows these evaluation steps:
(1) For static key exchange ECDH-ECDSA/ECDH-RSA, always get the curve ID from certificate.
(2) If the server static key (sent in X.509 cert to the client) is RSA 4K or ECDSA P-384, and if P-384 is included by the client in elliptic_curve_list, use P-384.
(3) Otherwise, if client elliptic_curve_list has P-256, use it.
(4) Otherwise, if client elliptic_curve_list has P-384, use it.
(5) Otherwise, no ECDHE ciphersuite can be used.

Behavior Change:
In previous releases, the BIG-IP system honored client preferences and preferred P-384 if a TLS client instructed the BIG-IP TLS server to do so.

The new behavior follows these evaluation steps:
(1) For static key exchange ECDH-ECDSA/ECDH-RSA, always get the curve ID from certificate.
(2) If the server static key (sent in X.509 cert to the client) is RSA 4K or ECDSA P-384, and if P-384 is included by the client in elliptic_curve_list, use P-384.
(3) Otherwise, if client elliptic_curve_list has P-256, use it.
(4) Otherwise, if client elliptic_curve_list has P-384, use it.
(5) Otherwise, no ECDHE ciphersuite can be used.

---

635267 : Fallback persistence not configurable in f5.http iApp

Component: TMOS

Symptoms:
Fallback-persistence is currently set to best-practice by the iApp. This might not match the application's requirement and could result in unexpected application behavior.

Conditions:
Use f5.http iApp template and require atypical fallback-persistence configuration.

Impact:
Might result in confusion because the application does not require the atypical fallback-persistence configuration.

Workaround:
Disable strict-updates and force the desired fallback-persistence setting.

Fix:
Support selection of fallback-persistence in f5.http iApp template.

---

635257 : Inconsistencies in Gx usage record creation.

Solution Article: K41151808

Component: Policy Enforcement Manager

Symptoms:
Duplicate usage records may be created or expected usage records may be missing.

Conditions:
A subscriber session is associated with the following policies:

1. At least 1 PEM policy with multiple rules containing the same usage monitoring key and applicationId or URLcat filter will result in the creation of duplicate usage records.

2. At least 2 PEM policies containing one or more rules with the same MK across policies will result in failure to create expected usage records.

Impact:
Failure to create usage records. Duplicate usage records will reduce the effective usage records supported per session. Both can result in inconsistencies with billing use cases.

Workaround:
To prevent duplicate usage records, do not create PEM policies with multiple rules that have the same usage monitoring key and applicationId or UrlCat filter.

To make sure all expected usage records are created, do not use the same monitoring key across multiple policies for the same subscriber.

Fix:
Checks to create usage records are now done using the same keys that are used to create them, so there are no duplicate usage records created or expected usage records missing.

---

635233 : Missing some Custom AVPs in CCRu for non-existent policy and CCRt messages

Component: Policy Enforcement Manager

Symptoms:
CCR-u send in response to a non-existent policy may be missing some of the custom AVPs such as IMSI, E164 etc even if the AVPs are marked mandatory. The same will be true in the case of CCR-t.

Conditions:
This situation happens in the case when BIG-IP send a CCR-u when the policy name received from PCRF is non-existent in bigip. Also in the case of CCR-t

Impact:
CCR-u and CCR-t may miss some of the subscriber attributes such as IMSI, E164

Workaround:
No Workaround

Fix:
Add the custom AVPs in the case of CCR-u as well CCR-t, if those attributes are enabled for reporting in the protocol profile

---

635116 : Memory leak when using replicated remote high-speed logging.

Component: TMOS

Symptoms:
As a result of a known issue when a system uses a High Speed Logging (HSL) configuration with replication across the HSL pool TMM may leak memory.

Conditions:
Remote HSL setup with distribution set to replicated in the log destination configuration.
More than one poolmember, and one of them becomes unavailable.

Impact:
TMM will leak memory at a rate proportional to the amount of logging.
Over time this may cause an outage should TMM run out of memory.

Workaround:
Do not use replication in the HSL destination configuration.

Fix:
TMM no longer leaks memory when using a replicated HSL setup.

---

635111 : New Application Ready Templates Available

Component: Application Security Manager

Symptoms:
Application Ready Templates for Drupal, Joomla, and Wordpress were missing from the 13.0.0 release.

Conditions:
None.

Impact:
Predefined templates for Drupal, Joomla, and Wordpress were missing.

Workaround:
Templates could be downloaded from https://devcentral.f5.com/d/new-asm-templates

Fix:
Application Ready Templates for Drupal, Joomla, and Wordpress are now available in policy creation.

---

634779 : In SSL Forward Proxy, an uninitialized variable may overflow a buffer and cause TMM to produce a core file

Solution Article: K43945001

---

634576-1 : TMM core in per-request policy

Solution Article: K48181045

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

---

634257 : Missing Strong Integrity Parameter alert score is always 0

Component: Fraud Protection Services

Symptoms:
Missing Strong Integrity Parameter alert score is always 0.

Conditions:
Using FPS.
Alert score.

Impact:
Incorrect alerts score in dashboard, which invalidates auto transaction rules.

Workaround:
None.

Fix:
Missing Strong Integrity Parameter alert score is now set.

---

634117 : Disabling IKE peers has no effect

Solution Article: K33241169

Component: TMOS

Symptoms:
Disabling an IKE peer using a checkbox in the GUI has no effect, and traffic continues.

Conditions:
This is encountered when disabling IKE peers in the GUI.

Impact:
IKE peer does not get disabled as expected, so new connections may be established. Traffic continues when the ike-peers have been disabled.

Workaround:
Although it is not possible to disable the peer, you can still delete it.

Fix:
You can now disable a peer without having to totally delete it. When a peer is disabled, no new connection will be allowed. Basically a disabled peer is treated as not existing, as if you had deleted it instead, but you can enable it without having to add it, as you would if it actually had been deleted.

---

634085 : IPsec tmm assert "ike_ctx tag"

Component: TMOS

Symptoms:
The tmm asserts with the message "ike_ctx tag."

Conditions:
It looks to be happening only on VE with ikev2 and ipv4, and the probable cause is timing related corruptions.

Impact:
Traffic disrupted while tmm restarts.

Fix:
The "ike_ctx tag" assert was replaced with an OOPS and the system logs the error and continues.

---

634078 : MRF: Routing using a virtual with SNAT set to none may select a source port of zero

Component: Service Provider

Symptoms:
If a virtual server has a SNAT setting of none and the 'source-port' attribute set to 'preserve' or 'preserve-strict', the outgoing connection will be created with a source port of zero (0) instead of the remote port of the originating connection.

Conditions:
This occurs when a message routing SIP profile is in use.

Impact:
Source port is set to 0.

Workaround:
None.

Fix:
Source port is now set to the source port of the client when SNAT is set to none. This is correct behavior.

---

634054 : Use GUI/iControl to manage key/cert for Thales users

Component: Local Traffic Manager

Symptoms:
No support for the use of SSL key/cert management via GUI/iControl when Thales netHSM is adopted.

Conditions:
When Thales is used as netHSM to work with the BIG-IP system.

Impact:
Thales users cannot use GUI/iControl to manage SSL key/cert.

Workaround:
Thales users have to use fipskey.nethsm - a standalone wrapper program of Thales provided utility - to create netHSM key and certificate.

Fix:
This release implements the native PKCS#11 API based key management for netHSM vendors. With this fix, all netHSM users including Thales users are able to use tmsh command to manage key/cert.

---

634023 : Use tmsh to create key and certificate based on Thales netHSM

Component: Local Traffic Manager

Symptoms:
There are no tmsh commands for key/cert management for Thales.

Conditions:
When Thales is used as netHSM to work with the BIG-IP system.

Impact:
Must use fipskey.nethsm (a standalone wrapper program for the Thales-provided utility) to create Thales netHSM keys and certificates.

Workaround:
Use fipskey.nethsm to create netHSM keys and certificates.

Fix:
The system now supports native PKCS#11 API based key management for netHSM vendors. With this fix, all netHSM users including Thales users are able to use tmsh command to manage keys and certificates.

---

634022 : Active Directory authentication with Step-Up-Auth has degraded performance.

Component: Performance

Symptoms:
When using Active Directory to perform Step-Up-Authentication with APM, the number of authentications per second that APM can sustain is lower than what could be achieved with earlier releases. This is observed only on certain high end appliance platforms.

Conditions:
All the following must be true:
- APM is provisioned and configured to provide authentication services via the per-request access policy.
- Active Directory is used as the authentication method.
- A relatively high rate of authentication exists.
- One of the following BIG-IP appliances is in use:
  i108xx
  i78xx
  10xxx

Impact:
Performance in terms of authentications per second is degraded.

Workaround:
None.

Fix:
None.

---

634015 : Potential TMM crash due to a PEM policy content triggered buffer overflow

Component: Policy Enforcement Manager

Symptoms:
Failure to add a PEM policy to a subscriber session in addition to a TMM crash.

Conditions:
PEM configured with a large number of policy rules that goes beyond the maximum supported PEM resources.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Buffer allocation checks have been added in that result in an error log along in case of a buffer overflow.

---

633985 : CS challenged URL is rejected on complex CPM/irule configurations

Component: Application Security Manager

Symptoms:
A request is rejected.

Conditions:
CS challege is happening.
There is a complex CPM configuration or an irule.

Impact:
The request is rejected.

Workaround:
N/A

Fix:
Request is not rejected in complex CPM configuration.

---

633879 : Fix IKEv1 md5 phase1 hash algorithm so config takes effect

Component: TMOS

Symptoms:
BIG-IP does not recognize the choice of md5 as hash algorithm in phase1 negotiation for IKEv1, but the GUI indicates it is available and configured.

Conditions:
Using either the command line or web UI to change hash algorithm to md5 in IKEv1 phase1.

Impact:
You are unable to configure md5 as hash algorithm in IKEv1, despite the UI and command line indicating this as an option.

Workaround:
You may be able to select md5, then save and then restart, this would set up the daemon from a config file instead of via incremental config parsing. So while it would not work right after being changed in the UI, the md5 option may work after a restart.

Fix:
The choice of md5 for hash algorithm now works correctly and immediately for an IKEv1 peer. The message causing this is now parsed correctly so md5 is recognized and used.

---

633723 : New diagnostics run when a crypto HA failure occurs and crypto.ha.action is reboot

Component: Local Traffic Manager

Symptoms:
A new db variable has been added to print diagnostic information when Cavium Nitrox devices encounter a "request queue stuck" error.

Conditions:
A Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot.

I.e., when log message such as:
Feb 27 07:39:07 localhost crit tmm1[19936]: 01010260:2: Hardware Error(Co-Processor): cn1 request queue stuck

Impact:
Under the above conditions, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

The system will immediately failover to the standby system, but will then spend approximately one minute gathering diagnostic information beffore rebooting.

See https://support.f5.com/csp/article/K95944198 for more information about nitrox_diag.

Behavior Change:
Under rare conditions, the system will take approximately one additional minute to reboot.

If a Cavium Nitrox "request queue stuck" error occurs and the db variable "crypto.ha.action" is set to reboot, the system will automatically run "nitrox_diag" to collect diagnostic information to help F5 determine the cause of the queue stuck error before rebooting.

When the error happens, failover to the standby system will still happen immediately. The delay is only on rebooting the system which has already gone to standby mode.

---

633582 : UI: TMSH - Classification, URL categorization and Flow criteria options must not be allowed to be configured for PEM rule when tethering detection is enabled

Component: Policy Enforcement Manager

Symptoms:
CLI: Classification, URL categorization and Flow criteria options can be configured for PEM rule when tethering detection is enabled.

Conditions:
Tethering detection is enabled for PEM rule and user adds Classification, URL categorization and Flow filters from CLI.

Impact:
None. The classification, URL and flow filters are ignored in a flow if dtos/tethering detection is enabled.

Workaround:
Use GUI. If CLI is used, do not configure Classification, URL categorization and Flow criteria options for PEM rule when dtos/tethering detection is enabled.

Fix:
UI: TMSH - Classification, URL categorization and Flow criteria options are no longer allowed to be configured for PEM rule when tethering detection is enabled. This is correct behavior.

---

633566 : tmm crash with Nitrox

Component: Local Traffic Manager

Symptoms:
Under a rare condition, some of Nitrox PX devices can't be attached in vCMP host, tmm could crash due to SIGSEGV.

Conditions:
Some of Nitrox PX devices can't be attached in vCMP host.

Impact:
tmm running on vCMP host crashes, not able to process traffic. Traffic disrupted while tmm restarts.

Workaround:
Reboot blade.

Fix:
Add protection to tolerate hardware failure.

---

633564 : Route unavailable when static route depends on another static route

Component: Local Traffic Manager

Symptoms:
Static route on the BIG-IP becomes unavailable after TMM restart, even though it's configured, and shows up in "list net route".

Conditions:
This occurs after restart, when a static route exists that depends on another static route. For example, a gateway route depends on an interface route.

Impact:
Route unavailable for use, traffic depends on the route is dropped if there are no alternate routes.

Workaround:
Removed the broken static route, and re-add it again.

Fix:
Route inter-dependencies no longer cause static routes to be unavailable after restart.

---

633464-1 : Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Component: Local Traffic Manager

Symptoms:
Content-length header is not passed on to the client when HTTP/2 profile is attached to virtual.

Conditions:
HTTP/2 profile is attached to the virtual. Content-length header is sent by the server.

Impact:
If a client application requires the content length for HTTP/2, the application does not function as expected.

Workaround:
None.

Fix:
There is now a profile option to control whether the Content-length header is passed on to the client.

---

633454 : Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Component: Advanced Firewall Manager

Symptoms:
Older versions of Chrome get blocked when Proactive Bot Defense is enabled.

Conditions:
-- Versions of Chrome older than version 53.
-- Proactive Bot Defense is enabled.

Impact:
Browser gets blocked.

Workaround:
Use one of the following workarounds:

-- Use a version of Chrome that is version 53 or later.
-- Use a different browser.

Fix:
Versions of Chrome older than version 53 no longer get blocked when Proactive Bot Defense is enabled.

---

633445 : False-Positive Data Integrity alert is sent when user credentials are "auto-filled"

Component: Fraud Protection Services

Symptoms:
When the user credentials are auto-populated by the browser (in case it uses the browser password manager), FPS sends false-positive Data Integrity alerts.

Conditions:
1. Enhanced data integrity - Enabled.
2. User uses browser password manager to auto-populate credentials.

Impact:
FPS sends false-positive Data Integrity alerts.

Workaround:
None.

Fix:
FPS no longer sends false-positive Data Integrity alerts user credentials are "auto-filled".

---

633413 : IPv6 addr can't be deleted; not able to add ports to addr in DataGroup object in GUI

Component: TMOS

Symptoms:
IPv6 addr can't be deleted; not able to add ports to addr in a data-group using the GUI. System posts an error similar to the following:
err mcpd[31438]: 01070378:3: The requested data group IP member network address (10.10.12.184) does match the netmask (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

Conditions:
Modify IPv6 data-group in the GUI on the Local Traffic :: iRules :: Data Group List.

Impact:
Get error with unrelated IPv4 address.

Workaround:
Use tmsh to delete data group IP addresses in an iRules data group.

Fix:
You can now add/remove/edit IPv6 and IPv4 within an existing iRules data group.

---

633402 : In rare circumstances, the use of persistence can cause a TMM memory leak.

Component: Local Traffic Manager

Symptoms:
TMM leaks memory in the 'tcl' subsystem.

This can be observed, for example, by monitoring the output of the 'tmsh show sys memory' command over time.

Conditions:
Currently, the only known circumstance is when all of the following conditions apply:

- You have a standard UDP virtual server.
- You have an iRule calling the 'persist' command under 'CLIENT_DATA'.
- Load balancing of the UDP flow fails as the assigned pool has no available members.

Impact:
As TMM memory utilization grows, TMM will first attempt to free up memory by removing idle flows. As a result, you may experience flows are expired before their configured idle timeout.

Ultimately, TMM can crash if it is unable to allocate memory. Traffic will be disrupted while TMM restarts.

Workaround:
Within the context of the known circumstance, you can work around this issue by moving the 'persist' command to the 'CLIENT_ACCEPTED' event.

---

633400 : Deterministic NAT configuration log may be truncated

Component: Carrier-Grade NAT

Symptoms:
Deterministic NAT configuration log may be truncated. The "src" line of the configuration log may be truncated at 250 characters, even if the list of source ranges exceeds 250 characters.

Conditions:
Deterministic NAT with many source ranges in use, and DNAT configuration logged to /var/log/ltm.

Impact:
Reverse mapping using the dnatutil tool may fail.

Workaround:
The reverse mapping can still be done if the configuration text is manually edited to include all source ranges in use. This can be done by moving the configuration text into a separate file, and editing the "src" line to include all addresses in use. Using the edited configuration, dnatutil will return the correct result.

---

633391 : GUI Error trying to modify IP Data-Group

Component: TMOS

Symptoms:
While trying to add/remove/edit IPv6&IPv4 within an existing data group list for iRules, the properties page throws a parsing error.

Conditions:
Try to modify the value field under Address Records Row whether string/int, and click Update

Impact:
There is an "Error parsing IP address" messave at the top of the page. You cannot modify internal data groups using GUI. You can delete and re-create the entry, but cannot modify it.

Workaround:
Use tmsh to modify the record field of the data groups.

Fix:
You can now modify the IPv6&IPv4 value within an existing data group.

Behavior Change:
users would be able to modify and update data groups

---

633384 : AD/LDAP Resource Mapping should match against group name with trailing comma

Component: Access Policy Manager

Symptoms:
In APD during AD/LDAP Resource Mapping 'Group' will be ocasionally matched to 'Group1' because CN=Group matches CN=Group1.

Conditions:
AD/LDAP Resource Mapping.

Impact:
Some group mappings are incorrect.

Workaround:
None.

Fix:
Now LDAP and AD group matching are performed using a substring match with a trailing comma delimiter to avoid improper group matching. Specifically, "CN=Group," is matched rather than "CN=Group" so "CN=Group1," does not result in an incorrect match.

---

633349-1 : localdbmgr hangs and eventually crashes

Component: Access Policy Manager

Symptoms:
localdbmgr hangs and eventually crashes due to a rare condition where the program is trapped inside an internal infinite loop upon logging configuration changes.

Conditions:
Rare condition upon logging configuration changes, or when localdbmgr loads existing config upon start / restart.

Impact:
localdbmgr crashes.

Workaround:
localdbmgr restarts and recovers from this crash.

Fix:
Added safety check in logging configuration code to protect against unwanted config insertions.

---

633333 : During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent

Component: Local Traffic Manager

Symptoms:
During an MPTCP connection, the serverside connection will occasionally be aborted before all data has been sent.

Conditions:
A TCP profile with Multipath TCP enabled is attached to a virtual server, and an MPTCP connection is established.

Impact:
The serverside connection is reset before all data has been sent, causing the tail end of the data stream to not be proxied.

Workaround:
There is no workaround

Fix:
Fixed sequence of events on connection closure.

---

633313 : Config load failure can be caused by changing the mgmt shared settings api-status availability settings

Component: TMOS

Symptoms:
A config load failure can be caused by changing the mgmt shared settings api-status availability settings.

Conditions:
This might occur in the following configuration:

(tmos)# list mgmt shared settings api-status availability deprecatedApiAllowed
{
    deprecatedApiAllowed true
}

(tmos)# list ltm profile fastl4 fastl4_1
[api-status-warning] ltm/profile/fastl4, properties : deprecated : software-syn-cookie
ltm profile fastl4 fastl4_1 {
    app-service none
    software-syn-cookie enabled
}

tmos)# list ltm virtual my_vs
ltm virtual my_vs {
    destination 0.0.0.0:any
    mask any
    profiles {
        dos { }
        fastl4_1 { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vs-index 4
}

(tmos)# save sys config
Saving running configuration...
  /config/bigip.conf
  /config/bigip_base.conf
  /config/bigip_user.conf
Saving Ethernet mapping...done

(tmos)# modify mgmt shared settings api-status availability deprecatedApiAllowed false
(tmos)# q
(tmos)# load sys config
...
01020036:3: The requested profile (/Common/fastl4_1) was not found.
Unexpected Error: Loading configuration process failed.

Changing the mgmt:shared:settings:api-status:availability:deprecatedApiAllowed to false, makes the validation more restrictive.

This causes the prior saved configuration fail to load.

Note: ltm profile fastl4 and ltm virtual my_vs are for illustrative purposes only. The same issue can occur for other elements with deprecated apiStatus.

Impact:
tmsh load sys config fails.

Workaround:
To have subsequent tmsh load sys config operations succeed, run the following commands:
#tmsh modify mgmt shared settings api-status availability deprecatedApiAllowed true
#tmsh save sys config

---

633181 : A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Component: TMOS

Symptoms:
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Conditions:
- Running an affected version of BIG-IP software
- Using tmsh or the Configuration Utility to generate the CSR
- Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Impact:
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Workaround:
Use openssl from the bash command line to generate CSR's.
Solution article K14534 contains the appropriate procedure.

---

633091-1 : Avr debug messages are printed to screen when saving/loading sys config

Component: TMOS

Symptoms:
Avr debug messages are printed to screen

Conditions:
When running:
tmsh save sys ucs someUcs
or
tmsh load sys ucs someUcs

Impact:
You see debug messages, these can be ignored.

Workaround:
No workaround

Fix:
Run tmsh save/load sys ucs someUcs
and verify avr messages are not printed.
Example of debug message:
11:24:42 Running cs_save_pre_script on Mon Dec 12 11:24:42 PST 2016

---

632958 : APM MIB gauges not reset on standby device

Component: Access Policy Manager

Symptoms:
The following MIB gauges are not reset after the device transitions from active to standby:

F5-BIG-IP-APM-MIB::apmAccessStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmAccessStatCurrentEndedSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentActiveSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentPendingSessions
F5-BIG-IP-APM-MIB::apmPaStatCurrentCompletedSessions

Conditions:
After failover happens

Impact:
Since these gauges represent current session counts, administrator may not be able to identify the active device by looking at these gauges.

Fix:
Now the SNMP counters and statistics for APM sessions are reset to 0 when a device transitions from active to standby. This change impacts both SNMP and command "tmsh show apm profile access".

---

632901 : JET documentation incorrect for RESOLV::lookup

Component: Local Traffic Manager

Symptoms:
JET documentation for the iRule command RESOLV::lookup contains a description of a bug where PTR records are not being cached. The documentation includes a workaround for this bug. However, the bug no longer exists.

Conditions:
tmsh help ltm rule command RESOLV::lookup | grep "Note: The results" -A6

Impact:
Jet documentation mentions a resolution to a bug that no longer exists.

Workaround:
None. This is a cosmetic issue that you can safely ignore.

Fix:
The JET documentation has been updated.

---

632875 : Non-Administrator TMSH users no longer allowed to run dig

Component: Global Traffic Manager

Symptoms:
TMSH users without the Administrator role are allowed to run dig, which may allow access to files in the local filesystem.

Conditions:
Execute dig via TMSH

Impact:
File access restrictions for TMSH users without the Administrator role are not properly enforced when executing the dig command.

Fix:
TMSH users who are do not have Administrator roles can no longer run the dig utility through TMSH.

Behavior Change:
dig command is no longer allowed to be run through TMSH by non-admin users.

---

632838 : Deterministic NAT performance may be degraded

Component: Performance

Symptoms:
Deterministic NAT performance may be degraded compared to performance in 12.1.x.

Conditions:
Deterministic NAT configuration in use in version 13.0.

Impact:
CPU utilization will be higher, and the system may pass traffic with less speed.

Workaround:
Enable the db variable pva.fwdaccel to see DNAT performance improve with a fastL4 profile.

Fix:
Deterministic NAT performance and scalability is improved relative to 13.0.0. Forward flow acceleration is always on for Deterministic NAT.

---

632824 : SSL TPS limit can be reached if the system clock is adjusted

Solution Article: K00722715

Component: Local Traffic Manager

Symptoms:
If you adjust the system clock you will occasionally get error messages of the form "SSL transaction (TPS) rate limit reached". (For the intended feature of this message, see K7747: Error Message: SSL transaction (TPS) rate limit reached https://support.f5.com/csp/article/K7747.)

Conditions:
Occurs when you adjust the system clock.

Impact:
When the message occurs, the connection and often several subsequent connections are dropped.

Workaround:
None.

Fix:
The message no longer occurs when the system clock is changed and only occurs when system legitimately reaches the SSL TPS limit.

---

632668 : When a BIG-IP using BFD sessions is forced offline, the system continues to send "State Up" BFD packets for ~30 seconds

Component: TMOS

Symptoms:
When a BIG-IP using statically configured BFD sessions (i.e. "bfd session <IP> <IP>" in the ZebOS configuration) is forced offline, it continues to send "State Up" BFD packets for an additional ~30 seconds.

Conditions:
System is using statically configured BFD sessions. System is forced offline.

Impact:
The BFD peer thinks the BIG-IP is still online and may send packets to it.

Fix:
Ensure BFD "State Up" packets are not sent when the BIG-IP is forced offline.

---

632658 : Enable SIP::persist command to operate during SIP_RESPONSE event

Component: Service Provider

Symptoms:
Without this change, it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Conditions:
It is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Impact:
it is not possible to change the timeout of a SIP persistence entry during SIP response message processing.

Workaround:
NA

Fix:
It is possible to change the timeout of a SIP persistence entry during SIP response message processing.

---

632575 : SNAT creates duplicate snat-translation object - configuration load fails

Solution Article: K19415206

Component: Local Traffic Manager

Symptoms:
Loading a configuration file fails after creating a SNAT with the same translation address as an existing snat-translation object.

The system posts the following error:
Invalid SNAT Translation, the IP address 4.4.4.4 already exists.
Unexpected Error: Loading configuration process failed.

Conditions:
A SNAT is created with a translation address that is already used by a snat-translation object. This creates a new translation-address object with a duplicate translation address. Loading the configuration file results in a failure.

Impact:
Configuration files will be saved without error, but loading the configuration file will fail.

Cannot load the configuration once saved, and must manually change the configuration files in order to get it to load.

Workaround:
Manually modify the configuration file to remove the duplicate snat-translation object. Make sure that the SNAT references the correct translation-object. Save and load the configuration file.

Fix:
The system no longer creates duplicate snat-translation objects that cause configuration load failure. Instead, the system now performs SNAT Validation that queries for existing trans_addr using address before creating a new one.

---

632546 : Window.error handler is called when alert size is too large

Component: Fraud Protection Services

Symptoms:
When large HTML code is attached to alerts, the page's Window.error handler may be called.

Conditions:
"attach HTML to alerts" is enabled.
The page's JavaScript assigns an "onError" listener on the window object.

Impact:
onError handler will be called.

Workaround:
Disable "attach HTML to alerts" on affected pages.

Fix:
onError handler is no longer triggered

---

632504 : APM Policy Sync: Non-LSO resources such as webtop are listed under dynamic resource list

Solution Article: K31277424

Component: Access Policy Manager

Symptoms:
Non-LSO resources such as webtop, even they are assigned via a normal resource assign agent, are listed under dynamic resource as opposed to static one.

Conditions:
- Create a webtop resource.
- Create an access profile.
- Launch VPE to assign webtop resource via a normal resource assign agent ("Advanced Resource Assign").
- Click on "Sync policy" button to bring up the policy sync dialog, click on "Advanced Settings" drop-down button and select "Static resources".

Impact:
No impact when default settings are configured for policy sync. Only in advanced setting is it confusing that a static resource is only listed in the dynamic resource list, with a prompt to include it as dynamic resource. Doing so does not cause any harm, but is unnecessary.

Workaround:
If it is a static resource, do not select it as dynamic resource.

Fix:
Static non-LSO resources such as webtop will be listed in static resource list in the advanced setting dialog for policy sync.

---

632499 : APM Policy Sync: Resources under webtop section are not sync'ed automatically

Solution Article: K70551821

Component: Access Policy Manager

Symptoms:
Resources put under webtop section such as webtop link, portal access requires to be included as dynamic resource or else sync will fail.

Conditions:
- Create a webtop section source such as portal access.
- Create a webtop section and add the above-create portal access to it.
- Create an access profile and add the webtop section resource via a resource assign agent in VPE.
- Sync the profile.

Impact:
Sync will fail and some configured resources will not be available on the other devices.

Workaround:
Includes those resources as dynamic resources in Policy Sync advanced settings.

Fix:
Now administrators can sync access profiles with resources under webtop sections without including them manually as dynamic resources.

---

632388 : Sync all autodos history files from active to standby units every 5 mins

Component: Advanced Firewall Manager

Symptoms:
In a high availability (HA) environment, MCP usage increases to 100% every 5 minutes on active devices and 65% on standby devices, which can negatively impact GUI performance. This occurs because the autodosd daemon individually syncs each autodos history file every 5 minutes. (The autodosd daemon is a control plane process which supports the BIG-IP AFM DoS Auto Threshold feature.)

Conditions:
-- AFM provisioned.
-- HA configured.

Impact:
Performance of the BIG-IP system can temporarily be impacted.

Workaround:
None.

Fix:
The system now uses one sync transaction to sync all autodos history files together from active to standby devices every five mins, so the performance impact is avoided.

---

632366 : Prevent a spurious Broadcom switch driver failure.

Component: TMOS

Symptoms:
When a high volume traffic is sent to a BIG-IP system, the Broadcom network switch driver might fail. The failure occurs because the switch driver is preempted (by tmm) from completing a long chip reprogramming routine and touching a watchdog. Sod, which monitors the watchdog, thinks the switch driver has become nonfunctional and kills it.

Conditions:
A very high volume traffic is sent to a BIG-IP system under certain circumstances.

Impact:
Potential eventual system outage if the Broadcom switch driver fails.

Workaround:
None.

Fix:
A spurious Broadcom switch driver failure is not possible anymore.

---

632344 : POP DIRECTIONAL FORMATTING causes false positive

Component: Application Security Manager

Symptoms:
ASM reports false positive violation for the XML request.

Conditions:
This occurs when using "%E2%80%AC" POP DIRECTIONAL FORMATTING as a input in the XML request.

Impact:
When one of the following 3 byte chars arrives to the XML parser, the payload considered as malformed XML:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

Workaround:
None.

Fix:
This release now supports the following 3 byte chars within the XML parser:
LEFT-TO-RIGHT EMBEDDING (202a).
RIGHT-TO-LEFT EMBEDDING (202b).
POP DIRECTIONAL FORMATTING(202c).

---

632326 : relax_unicode_in_xml/json internal may still trigger a false positive Malformed XML violation

Component: Application Security Manager

Symptoms:
You observe Malformed XML violations on valid XML, even with the relax_unicode_in_xml flag set. The same can apply to JSON with the relax_unicode_in_json flag.

Conditions:
Valid XML containing unicode characters is passed through ASM, and the relax_unicode_in_xml flag is enabled.

Impact:
False positive Malformed XML violations may still be reported.

Workaround:
N/A

Fix:
XML and JSON unicode now operates as expected when using the relax_unicode_in_xml or relax_unicode_in_json internal parameter.
To set these parameters, run the following commands:
/usr/share/ts/bin/add_del_internal add relax_unicode_in_xml 1.
/usr/share/ts/bin/add_del_internal add relax_unicode_in_json 1.
bigstart restart asm.

---

632069 : Sudo vulnerabilities: CVE-2016-7032, CVE-2016-7076

Component: TMOS

Symptoms:
On VE platforms, under certain conditions, the sudo utility does not correctly enforce all restrictions specified in its configuration file.

Conditions:
VE platform
Authenticated user with advanced shell access

Impact:
BIG-IP does not depend on the restrictions related to these vulnerabilities, and sudo is only present on VE platforms. Only VE users who have modified the sudo configuration by editing its configuration file directly are impacted.

Fix:
Update sudo package to improve security

---

632060 : restjavad is unable to read the dtca.key files resulting in Error: Failed to read key: invalid header★

Component: iApp Technology

Symptoms:
when upgrading to 12.1.1, 12.1.2 or 13.0 releases, executing a command similar to

curl -k -u admin:admin https://127.0.0.1:443/mgmt/shared/device-discovery-tasks causes the following error:

"errorMessage": "Could not connect to host 10.0.0.160. Please ensure there are no licensing, firewall, port lockdown or network connectivity issues. Error: Failed to read key /config/filestore/files_d/Common_d/trust_certificate_key_d/:Common:dtca.key_12100_2: invalid header",

Conditions:
Upgrading from releases prior to 12.1.1 to 12.1.1 or 12.1.2 or 13.0

Impact:
if your device has an iApps LX application, then that application sill not synchronize to the standby device. So if a failover occurs, then the iApps LX application will seem to disappear, and traffic will not pass through the application.

Workaround:
If you have upgraded and are in this condition, and you need to use iAppsLX, you can perform the following procedure to recover.

Impact of procedure: this procedure disables HA and requires you to rebuild your HA environment. You only need to use this procedure if you absolutely need to run an iAppLX.

1. Reset device trust, then re-establish device trust, your device group(s), and your traffic group(s)
2. At the BIG-IP command line for each of the devices, run the following command:
clear-rest-storage

Fix:
Upgrade to 13.1 or 13.0.x hot fix

---

631862 : Stream is not finalized when OWS response has Transfer-Encoding header with zero-size chunk

Component: Local Traffic Manager

Symptoms:
When OWS sends a chunked response and the only chunk has a zero size, HTTP2 profile receives neither the response's body nor indication that the response has zero size.

Conditions:
A virtual server must have HTTP2 profile, and OWS must serve a response with Transfer-Encoding: chunked and a zero size chunk (empty body).

Impact:
On a stream with such response, BIG-IP doesn't generate a frame which would have END_STREAM flag. Some browsers may not handle the response properly. For example, a redirect may not be performed when the stream is not finalized. It results in incorrect page rendering on a client.

Workaround:
Use following iRule for broken URLs:

when HTTP_RESPONSE {
  if {[HTTP::header exists "Transfer-Encoding"] && [HTTP::status] eq 301} {
    HTTP::respond 301 -version 1.1 noserver Location [HTTP::header Location] Date [HTTP::header Date] Content-Type [HTTP::header Content-Type] Connection [HTTP::header Connection]
  }
}

A condition may be changed to narrow the iRule for specific URLs.
HTTP::respond may be modified to include other important headers and serve a proper status code.

Fix:
When OWS serves Transfer-Encoding chunked with zero size chuck, BIG-IP properly handles the response and sends END_STREAM flag finalizing the response.

---

631715 : ASM::disable does not disable client side challenges

Component: Application Security Manager

Symptoms:
ASM::disable command was run but a challenge was still sent.

Conditions:
irule with ASM::disable. CS or DID challenge is configured.

Impact:
An unexpected JS challenge arrives

Workaround:
N/A

Fix:
Challenges are now not sent when ASM::disable command happens.

---

631688 : Multiple NTP vulnerabilities

Solution Article: K55405388 K87922456 K63326092 K51444934 K80996302

---

631334-1 : TMSH does not preserve \? for config save/load operations

Component: TMOS

Symptoms:
TMSH strips the escape characters for literal strings '\?' to be '?' or '\[' to be '[' in ltm monitor send/recv strings.

Conditions:
This condition manifests whenever the send/recv string in LTM monitor contains '\?' (backslash-question mark) or '\[' (backslash-open square bracket).

Impact:
This might cause the BIG-IP system to load incorrect monitor send/recv strings.

Workaround:
Use [] (open square bracket-close square bracket) in these cases, for example:

[?] [[]

Or simply avoid using '\' (backslash) in front of '?' (question mark) or in front of '[' (open square bracket) to indicate a literal string.

---

631172 : GUI user logged off when idle for 30 minutes, even when longer timeout is set

Component: TMOS

Symptoms:
GUI user is auto-logged off when idle for 30 minutes, even though the configured idle timeout is longer.

Conditions:
User logged in to gui and idle for 20-30 minutes

Impact:
User is logged out of the GUI.

Workaround:
None.

Fix:
GUI user is no longer auto-logged off when idle for 30 minutes when the configured idle timeout is longer.

---

630961 : Sorting Policy Sync's 'Static' or 'Dynamic' list of objects based on their 'LSO' or 'Dynamic' attribute, leads to unexpected behavior

Component: Access Policy Manager

Symptoms:
For the Policy Sync :: Static and Dynamic list of objects, clicking the Location Specific Column header does not sort the data, but instead toggles the checkboxes in the Location Specific column.

Conditions:
Clicking the Location Specific Column header on the Policy Sync's list of objects.

Impact:
Checkboxes are toggled in the Location Specific column.

Workaround:
None.

Fix:
The ambiguity of the behavior when the LSO column header was clicked, was removed by providing a checkbox in the LSO Column header. This allows the user to select the LSO checkbox in multiple rows at a time.

---

630795 : No guestagentd entry in merged.conf

Component: TMOS

Symptoms:
There is no entry in guestagentd in merged.conf. This results in this error in the ltm log whenever merged starts up:

"Process managed by runsv is not in /config/merged.conf: guestagentd"

Conditions:
This is encountered whenever merged starts.

Impact:
In addition, for stats purposes, the proc_stat and plane_proc_stat tables are affected. If the pid changes (for whatever reason) BIG-IP will not have the assignments to the right process information.

Workaround:
Add guestagentd entry to merged.conf

Fix:
Add guestagentd entry to merged.conf

---

630699 : Preserve original umask of /etc/hosts file

Component: Access Policy Manager

Symptoms:
CLI VPN client changes umask of /etc/hosts to 077. After disconnecting from VPN, the umask is not restored back to the original.

Conditions:
CLI VPN client is used to establish VPN connection on Mac/Linux.

Impact:
It breaks usability of /etc/resolv.conf for OS apps.

Workaround:
An administrator can restore umask of /etc/hosts using system tools.

Fix:
Now the Mac/Linux CLI VPN client preserves the original umask of /etc/hosts after disconnecting from VPN.

---

630611 : PEM module crash when subscriber not fund

Solution Article: K84324392

Component: Policy Enforcement Manager

Symptoms:
Under rare circumstances, PEM usage reporting for a subscriber will cause a crash.

Conditions:
PEM subscriber info is missing for the current tmm, e.g., after a CMP state change.

Impact:
PEM/TMM SIGSEV.

Workaround:
None.

Fix:
PEM usage reporting for a subscriber no longer causes a crash when PEM subscriber info is missing for the current tmm.

---

630610 : BFD session interface configuration may not be stored on unit state transition

Component: TMOS

Symptoms:
'bfd session' statements missing in ZebOS 'running-config'.

Conditions:
State transitions from online to offline.

Impact:
BFD configuration will become missing in ZebOS running config and no BFD sessions will be established.

Workaround:
Re-add statements manually.

Fix:
BFD session interface configuration is now stored on unit state transition.

---

630390 : Client Side challenges and device ID doesn't work on a virtual server that has also APM

Component: Application Security Manager

Symptoms:
Client side challenges do not work when APM is enabled in clientless mode.

Conditions:
APM is on the virtual server as ASM.
APM is running in clientless mode.

Impact:
device ID related features doesn't work correctly.

Workaround:
N/S

Fix:
challenges are now sent in when APM in on the chain.

---

630355 : Local Logs Missing Or Recorded Found For Incorrect Policy

Solution Article: K57041868

Component: Application Security Manager

Symptoms:
When loading a UCS (manually or due to a UCS sync) which has a the same ASM Policy names, but created in a differing order, the local logging daemon does not update its internal mappings.

Conditions:
The configuration is replaced by a UCS load that had a different list of ASM Policies.

Impact:
Local logs may be missing or listed for an incorrect ASM policy.

Workaround:
Restart asmlogd.

---

630278 : Top Traffic Learning Violations

Component: Application Security Manager

Symptoms:
In v12.x, ASM unified manual learning and automatic policy building, which also caused significant changes in the GUI. There were only suggestions in Traffic Learning screen (both for manual and automatic mode). There were no more tables of manual traffic learning showing violating requests, ordered by violations or attack signatures.

Conditions:
When Policy Builder is enabled in ASM.

Impact:
In earlier versions, the 'manual traffic learning' feature showed violating requests, ordered by violations, making it possible to learn false positives and improve the policy. It also showed all violations ordered by violations or signature names, instead of the time-based order in the event logs.

In later versions, instead of marking those as 'Unknown / Learnable Filetype' or something like 'New Entity Discovered: Filetype XYZ', traffic learning marks those as 'Illegal Filetype/URL <url>', which causes undue concern.

Workaround:
None.

Fix:
Four triage sections were added to the Traffic Learning screen to speed up the traffic learning process:
- Reduce Potential False-positive Alerts: Tables for the Top Violations, Top Matched Attack Signatures and Top Violating Meta-Characters.
- Enforcement Readiness.
- Add New Entities.
- Delete Inactive Entities.

---

630062 : gnome-software throws error "This file is not supported" for F5EPI and F5VPN RPMs on Fedora 25

Component: Access Policy Manager

Symptoms:
gnome-software throws error "This file is not supported" for F5VPN and F5EPI RPMs on Fedora 25.

Download F5EPI or F5VPN applications from chrome/firefox browsers. Once downloaded double clicking will launch gnome-software and it throws the specified error.

Conditions:
gnome-software, F5EPI and F5VPN RPM. This is specific to Fedora 25 and gnome-software version 3.22.1.

Impact:
F5EPI and F5VPN applications cannot be installed using OS native software installer GUI.

Workaround:
Open Terminal application and go to command line and run either one of the following commands:
- pkgcon install-local -y -n /path/to/rpm/package.
- dnf install /path/to/rpm/package.

Fix:
Versions of gnome-software 3.22.5 and later can now install F5EPI and F5VPN helper applications successfully.

---

630045 : Microsoft Edge 14 on Windows 10 mobile device may collect incorrect Device ID

Component: Advanced Firewall Manager

Symptoms:
In some cases of users using Microsoft Edge 14 on Microsoft Windows 10 mobile, the device ID may be collected incorrectly.

Conditions:
Device ID is enabled is ASM Policy or DOS Profile.

Impact:
Repeat ASM end users might be detected as new ones.

Workaround:
None.

Fix:
Device ID is now collected correctly using Microsoft Edge 14 on Windows 10 mobile devices.

---

629921 : [[SWG]-NTLM 407 based front end auth and passthrough 401 based NTLM backend auth does not work.

Component: Access Policy Manager

Symptoms:
With SWG client side NTLM auth configuration while doing the NTLM auth for backend, ECA plugin is trapping the Authorization credentials (NTLMSSP_NEGOTIATE) sent by the client, it sinks the request and generates the 407 to the client to do proxy authentication.

Conditions:
Set-up SWG for auth with ntlm credentials
Access a proxied resource which also requires ntlm auth

Impact:
Backend server access is restricted.

Workaround:
None

Fix:
Now when using SWG in explicit proxy mode with NTLM authentication with the Proxy-Authenticate header, BIG-IP allows NTLM authentication to proceed simultaneously to protected resource servers that also use NTLM authentication with the Authenticate header.

---

629871 : FTP ALG deployment should not rewrite PASV response 464 XLAT cases

Component: Carrier-Grade NAT

Symptoms:
Deploying NAT64 part of a 464 XLAT solution may overwrite PASV response 464 XLAT cases.

Conditions:
FTP ALG deployment.

Impact:
PASV response 464 XLAT cases overwritten.

Workaround:
None.

Fix:
Deploying NAT64 part of a 464 XLAT solution no longer overwrites PASV response 464 XLAT cases.

---

629830 : Remote-logging where destination matches virtual will be sourced from loopback network

Solution Article: K36048158

Component: TMOS

Symptoms:
Remote-logging traffic sent from the loopback network (e.g., 127.1.1.1).

Conditions:
Destination of remote-logging traffic matches virtual server.

Impact:
Remote-logging may be dropped due to sourced from non-routeable network.

Workaround:
Enable snat automap on the remote-logging virtual or create transparent host virtual (arp disable) which matches the remote-logging destination with snat automap enabled.

Alternatively, an iRule could be associated with the virtual which snats traffic from the loopback network. Care must be taken to take route domains into consideration while writing the iRule. Example iRule for virtual in route-domain 38:

when CLIENT_ACCEPTED {
    # Work-around for ID629830.
    if { [IP::addr [getfield [IP::client_addr] "%" 38] equals 127.0.0.0/8] } {
        snat automap
    }
}

Fix:
Remote-logging traffic is no longer sent from the loopback network (e.g., 127.1.1.1). This is correct behavior.

---

629674 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround

Fix:
Fixed, so FastL4 virtual servers with enabled loose-init option will forward any RST packets.

---

629663 : CGNAT SIP ALG will drop SIP INVITE

Solution Article: K23210890

Component: Service Provider

Symptoms:
SIP INVITE message is dropped.

Conditions:
Subscriber registers and then attempts to call out.

Impact:
Subscriber not able to make calls.

Workaround:
None.

Fix:
The system now uses the expiration value from the SIP message i.e. either from expires parameter or the Expire header to update the timeout of the registration record.

---

629626 : ASM failures after upgrade due to empty file for most recent policy history★

Solution Article: K92486415

Component: Application Security Manager

Symptoms:
ASM fails to start up correctly after roll-forward upgrade when the most recent policy history file for an active policy is empty.

When this condition is encountered, the following messages are seen in /var/log/ts/ts_debug.log:

----------------------------------------------------------------------
asm|INFO|...Can't call method "policy_name" on an undefined value at /usr/local/share/perl5/F5/PolicyHistory.pm line 134.
----------------------------------------------------------------------

ASM enforcer (BD) will fail with core dump on every repeated attempt to start.

Conditions:
The most recent policy history file for an active policy is empty. This may have occurred due to a full disk partition. However, if empty policy files were created on previous versions, ASM still fails following an aborted attempt to upgrade using these empty policy files.

Impact:
ASM fails to start up correctly. Errors appear in /var/log/ts/ts_debug.log and ASM enforcer (BD) fails with core dump repeatedly.

Workaround:
To correct this issue, the device configuration should be re-upgraded as follows:

1) Reboot to another installation location.
2) Delete the empty policy history file using a command similar to the following:
   rm /ts/dms/policy/policy_versions/8/57.plc
3) Save UCS file and Reboot.
4) Load UCS file saved in Step 3.

Fix:
Empty policy history files will not be written. Thus, subsequent roll-forward upgrades will complete successfully.

---

629625 : Corrupt policy history file causes UCS load to fail★

Solution Article: K95558398

Component: Application Security Manager

Symptoms:
When a UCS containing a corrupted policy history is loaded from the CLI, the system posts an an error similar to the following:

  Can't call method "policy_name" on an undefined value at /usr/local/share/perl5/F5/PolicyHistory.pm line 134.

When the same UCS is loaded a second time, a message similar to the following is also reported:

  01070710:3: Cannot update_indexes/checkpoint DB object, class:fw_log_profile status:13 - EdbCfgObj.cpp, line 127 Unexpected Error: Loading configuration process failed.

Conditions:
This may occur when upgrading from v12.0.0 to v12.1.x if these files are empty (length 0), and cause UCS restore to fail because they cannot be read. The ASM configuration fails to upgrade properly, leaving all of the policies in transparent mode.

Impact:
Failed upgrade.

Workaround:
1. Copy the last known valid versions of policies to replace the corrupted files.
2. Recreate the UCS.
3. Try the upgrade again.

Fix:
Corrupt policy history file no longer causes UCS load to fail.

---

629573-2 : No drill-down filter for virtual-servers is mentioned on exported reports when using partition

Solution Article: K66001885

Component: Application Visibility and Reporting

Symptoms:
The selected filters will not appear in exported reports for virtual servers created under non 'Common' partitions.

Conditions:
When using virtual-servers and ASM policies under a non 'Common' partition, exported reports will not display the the selected drill-down filters.

Impact:
Exported reports will be displayed without the filters.

Workaround:
None.

Fix:
Exported reports will take into consideration partitions which will make the drill-down filters appear as expected.

---

629491 : REST token storage improvement

Component: Device Management

Symptoms:
Under some conditions, it is possible to exceed the capacity of the REST token storage subsystem

Conditions:
REST interface in heavy use by authenticated users

Impact:
Unable to generate additional REST tokens

Fix:
Improve handling of REST tokens under high usage conditions

---

629426 : No option to display time in 24-hour format at top of web-GUI

Component: TMOS

Symptoms:
There is no option in BIG IP system preferences that changes time format displayed on top of every web-GUI page to 24-hour format (for example, instead of '2:00 PM', time could be displayed as '14:00').

Conditions:
System Preferences options for GUI display.

Impact:
No way to configure for 24-hour time.

Workaround:
None.

Fix:
There is now an option in BIG IP system preferences that controls how time format displays on top of every web-GUI page, 12- or 24-hour format (for example, '2:00 PM', or '14:00').

---

629411 : OAuth Client/RS and Authorization Server don't work together on the same BIG-IP

Component: Access Policy Manager

Symptoms:
OAuth Client/RS and Authorization Server don't work together on the same BIG-IP system. These two features cannot be configured on the same BIG-IP system, and have to be configured on separate BIG-IP systems.

Beginning with version 13.0.0, APM supports OAuth Client and RS functionality as one feature. APM also supports AS (an F5-specific implementation) as another feature. These two features are dependent on each other in that OAuth Client/RS communicate with AS for authorization decisions.

Conditions:
When APM OAuth client/RS and AS are configured on the same BIG-IP system.

Impact:
APM OAuth Client/RS and AS cannot communicate each other when configured on the same BIG-IP system.

Workaround:
Configure OAuth ClientRS on one BIG-IP system and AS on another BIG-IP system.

Fix:
Now OAuth Resource Server (RS), Authorization Server (AS), and Client role can be used simultaneously in the same BIG-IP.

---

629390 : GUI: virtual-address route-advertisement setting changed from 'selective' to 'disabled' after update

Component: Local Traffic Manager

Symptoms:
Updating virtual-address setting route-advertisement via GUI setting to 'selective' does not reflect after update.

Conditions:
Updating virtual-address setting route-advertisement via the GUI, to 'selective'.

Impact:
Setting changes after update.

Workaround:
Use TMSH to update the virtual-address route-advertisement setting.

Fix:
Updating of the virtual-address setting route-advertisement via the GUI can be performed correctly now.

---

629178 : Incorrect initial size of connection flow-control window

Solution Article: K42206046

Component: Local Traffic Manager

Symptoms:
When a client establishes an HTTP2 connection, both endpoints can update their flow-control windows for the connection but their initial sizes of connection flow-control windows must be 65,535. BIG-IP erroneously sets it immediately to a configured value instead. Discrepancy in the window size calculation can result in cancelling of the client's requests.

Conditions:
A virtual server that has an HTTP2 profile with a custom value for receive-window exceeding 79 (Kilobytes).

Impact:
BIG-IP updates another endpoint with a WINDOW_UPDATE frame for the connection once it reaches a certain threshold. It doesn't happen when receive-window is set above 79 (Kilobytes). If a client has a large request (e.g., POST with a large amount of data), it resets the stream with HTTP2 RST_STREAM frame, canceling the request.

Workaround:
Configure receive-window attribute in HTTP2 profile to a value below 80 (Kilobytes).

Fix:
The fix in this release allows BIG-IP to behave according to RFC and send WINDOW_UPDATE frames, preventing the connection flow-control window from exhaustion on a remote endpoint.

---

629095 : iControl keymanagment impory may fail when stale content exists in /config/ssl

Solution Article: K08240314

Component: TMOS

Symptoms:
iControl returns fault similar to "Keys do not match" when respective key/cert does not exist in the filestore.

Conditions:
Stale cert/key in /config/ssl which matches the name of the cert/key being imported. For example, iControl attempting to import file as test.crt while /config/ssl/ssl.key contains test.key which does not match test.crt.

Impact:
Unable to import cert/key with particular name while /config/ssl contains stale content.

Workaround:
Remove the conflicting file from /config/ssl/ssl.{key,crt}.

Fix:
A certificate being imported is now checked against contents in filestore to determine whether the contents in /config/ssl are stale.

---

629085 : Any CSS content truncated at a quoted value leads to a segfault

Solution Article: K55278069

Component: TMOS

Symptoms:
Any CSS content truncated at a quoted value leads to a segfault.

Example:
...
.c1 {background-image: url('some

Conditions:
CSS ends without closing quote in value.

Example:
...
.c1 {background-image: url('some

Impact:
TMM or rewrite segfault. Traffic disrupted while tmm restarts.

Workaround:
Use a particular iRule.

Fix:
CSS content truncated at a quoted value no longer leads to a segfault.

---

629069 : Portal Access may delete scripts from HTML page in some cases

Component: Access Policy Manager

Symptoms:
If JavaScript uses Range.createContextualFragment() call to insert new scripts into HTML document, in some cases Portal Access may delete one of the scripts in the page.

Conditions:
JavaScript with Range.createContextualFragment() call which is used to add new scripts by subsequent insertBefore()/insertAfter() calls.

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now web apps delivered via APM Portal Access can use Range.createContextualFragment(), insertBefore(), and insertAfter() javascript properly.

---

629013-1 : Right pane displaying doesn't respect pin selected function when filter just applied

Component: Application Visibility and Reporting

Symptoms:
When applying a filter when Pin Selected function is enabled, it doesn't work. If disabling and enabling it again, everything will be fine and filtered entities will be pinned.

Conditions:
N/A

Impact:
N/A

Workaround:
Disable and re-enable Pin Selected option

Fix:
When changing filters from outside of the widget, the widget will update the position of its selected entities.

---

628869 : Unconditional logs seen due to the presence of a PEM iRule.

Component: Policy Enforcement Manager

Symptoms:
TMM log files will fill up.

Conditions:
Execution of an iRule with the following iRule command:

PEM::subscriber config policy get <subscriber-id> <e164 | imsi | nai | private | mac-address | dhcp | mac-dhcp | dhcp-custom | sip-uri>.

Impact:
Limits the gathering and traversal of relevant data from the TMM logs if the condition is encountered several times.

Workaround:
Do not use an iRule containing the following iRule command: PEM::subscriber config policy get.

Fix:
Unconditional logs are no longer seen in response to the presence of a PEM iRule.

---

628781 : CGNAT: Inbound NAT session logs may not log delete event after a blade failover

Component: Carrier-Grade NAT

Symptoms:
After a blade failover, an existing inbound session may not have the delete event logged when it completes.

Conditions:
This occurs when the following conditions are met:
-- lsn-pool with NAPT.
-- Inbound session logging enabled.
-- HA configuration.
-- After failover.

Impact:
The add event for the inbound session may not have a matching delete event.

Workaround:
None.

---

628646 : Debug Messages for libcec.so library Hitless Upgrade

Component: Traffic Classification Engine

Symptoms:
Using 'hitless upgrade' (Traffic Intelligence :: Classification :: Signature Update :: Check for updates, or the tmsh command, tmsh list ltm classification signature-version) does not provide sufficient information in messages to indicate success or enable debugging of failure, nor do messages report the installed version of libcec.so.

The system does not report the installed version of libcec, the classification library for PEM, in GUI or tmsh. The output shows the date that it last updated, but doesn't report the version of the library that it updated to.

Conditions:
-- A BIG-IP system that was previously updated to a non-default libcec.so, for example, using 'hitless upgrade' (Traffic Intelligence / Classification / Signature Update / Check for updates).

-- Upgrade the software. This reverts libcec.so to the original ISO distribution, as libcec is not part of the UCS file.

-- Attempt to upgrade libcec again. The system responds as if the latest version is already running, despite it not existing on disk.

Impact:
There are no errors displayed in the GUI (or in tmsh). The only failure information available exists in /var/log/hitless_upgrade.log:

   update_dpi_sigfile.pl|DEBUG|Nov 01 20:39:33.305|19694|F5::DPI::Sigfile::AutoDownload::call_soap_server,,Timestamp: 2016-10-19 11:25:00, BigIP: 12.1.0
   update_dpi_sigfile.pl|INFO|Nov 01 20:39:34.562|19694|F5::Sigfile::Update::update,,The most recent DPI Signatures file is already installed.

This problem occurs because the decision on whether to to update is based on classification signature-version :: last-update-datetime, which is stored in the config, survives an upgrade, and is not tightly bound to the actual datetime of libcec on disk.

Workaround:
Before performing hitless upgrade, click 'Reset to Defaults' (under Traffic-Intelligence / Classification / Signature Update).

This deletes the classification_signature_version object, which allows the hitless upgrade operation to succeed.

Fix:
The system now reports the installed version of libcec, the classification library for PEM in response to the following command: tmsh list ltm classification signature-version.

---

628337-3 : Forcing a single injected tag configuration is restrictive

Component: Fraud Protection Services

Symptoms:
Injected tags configuration in profile is globally controlled from the db variable antifraud.injecttags, and forces all protected pages to have a common set of HTML tags. If your web application has pages that do not work with the injected tags, then this will cause the application to work improperly.

Conditions:
This occurs when the injected tags db variable (antifraud.injecttags) is configured.

Impact:
Your web application may have pages that do not handle the tags properly and may malfunction.

Workaround:
Configure injected tags in a way which can applied to all URLs protected in a profile. If it is not possible due to some URL HTML structure, HTML must be modified.

Fix:
Injected tags configuration has been moved to the URL level.

---

628311 : Potential TMM crash due to duplicate installed PEM policies by the PCRF

Solution Article: K87863112

Component: Policy Enforcement Manager

Symptoms:
Potential TMM crash due to duplicate installed PEM policies by the PCRF.

Conditions:
- PEM enabled with Gx and Gy.
- PEM policies configured with Gy quota management.
- PCRF installs an already-installed policy against a subscriber.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Configure the PCRF to not install an already-installed policy against a subscriber.

Fix:
PEM now prevents PCRF from installing an already-installed policy against a subscriber.

---

628164 : OSPF with multiple processes may incorrectly redistribute routes

Component: TMOS

Symptoms:
When OSPF is configured with multiple processes that each redistribute different type routes, LSAs may be created in a process for a route of the type other than the one configured for redistribution into that process.

Conditions:
OSPF routing with multiple processes configured. Each OSPF process configured with a different route type redistributed.

Impact:
Incorrect routing information in the network when OSPF converges.

Workaround:
Redistribute the leaked route type into the affected OSPF process and use a route map that filters out all routes.

Fix:
OSPF no longer leaks LSAs between processes redistributing different types of routes.

---

628016 : MP_JOIN always fails if MPTCP never receives payload data

Component: Local Traffic Manager

Symptoms:
MP_JOIN during an MPTCP connection always fails if the BIG-IP never receives payload data.

Conditions:
A virtual server is configured with a TCP profile attached and "Multipath TCP" is enabled.
An MPTCP connection is established where payload data is never sent to the BIG-IP.

Impact:
Unidirectional data connections receiving data from the BIG-IP (like with FTP) cannot join additional subflows.

Workaround:
There is no workaround at this time.

Fix:
Allow MP_JOIN after receiving a DATA_ACK that acknowledges data.

---

627841 : Connection queue limit is not properly enforced on bladed systems

Solution Article: K16626343

Component: Local Traffic Manager

Symptoms:
The connection queue depth may be larger than the configured limit.

Conditions:
Connection queues are enabled on bladed systems.

Impact:
Proper limits are not enforced, memory consumption may be larger than desired.

Workaround:
None.

Fix:
The pool queue-depth-limit is now properly enforced chassis-wide, which may reduce the effective limit observed in previous versions.

Behavior Change:
The pool queue-depth-limit is now properly enforced chassis-wide, which may reduce the effective limit observed in previous versions.

---

627832 : AVR HTTP/TCP: Only profiles from Common partition are displayed under All

Solution Article: K08001397

Component: Application Visibility and Reporting

Symptoms:
If you have HTTP Analytics profiles configured in multiple partitions, they will not be displayed when looking at all profiles from within the Common partition. Only the HTTP Analytics profiles from the Common partition are shown in the "All [Read Only]" view.

Conditions:
This occurs if you are looking at the HTTP Analytics profiles from within the All [Read Only] partition.

Impact:
Analytics profiles from non-Common partition are not displayed, when viewing all partitions in read-only mode.

Workaround:
Workaround in UI: Switch to specific partition.
Workaround in CLI: Display profiles using TMSH commands.

---

627747-4 : Improve cURL Usage

Component: Advanced Firewall Manager

Symptoms:
In some cases, cURL usage within AFM does not comply with standards.

Conditions:
AFM active and configured to use external credentials

Impact:
Non-compliant cURL usage

Fix:
Improve cURL usage

---

627695 : [netHSM SafeNet] The 'Yes' and 'No' options to proceed or cancel the unisntall during "safenet-sync.sh -u " are not operational

Component: Local Traffic Manager

Symptoms:
'Yes' and 'No' options to proceed or cancel the uninstall operation are not operational.

Conditions:
Issue happens when running safenet-sync.sh -u.

Impact:
No impact.

Workaround:
None.

Fix:
In this release, there is no Yes or No option for the SafeNet uninstall 'safenet-sync.sh -u.' command.

---

627656 : BIG-IP alerts contains proxy IP instead of client IP

Component: Fraud Protection Services

Symptoms:
BIG-IP alerts contains proxy IP address instead of client IP address.

Conditions:
1. db var antifraud.uselastxff is disabled.
2. HTTP's 'accept xff' is enabled.
3. Request contains multiple XFF headers.

Impact:
WebSafe uses wrong IP address (proxy) as 'client IP' in alerts.

Workaround:
Use alternate XFF headers in HTTP profile.

Fix:
xff logic should consider multiple xff headers

---

627648 : Power on option in bladectl incorrectly resets already powered on blade

Component: TMOS

Symptoms:
If the power-on option via the bladectl command is issued against any B4100, B4200, B43xx, and B4450 blade that is already powered ON, it will cause the specified blade to reset similar to the reset option in bladectl.

Conditions:
Running any version of BIG-IP with 'bladectl -b X -p 1' on B4100, B4200, B43xx and B4450 blades where 'X' is the blade number.

Impact:
Blade resets unexpectedly if it is already powered ON.

Workaround:
Do not use the -p power on option against an already powered ON blade.

Fix:
B43xx and B4450 blades no longer reset when using the power on option in bladectl on an already powered on blade.

Note: There is no fix for the B4100 or B4200 blades. The B4100 and B4200 blades are not supported in this release.

---

627554 : Partition of LTM policies is displayed in breadcrumb rather than properties table row

Component: TMOS

Symptoms:
There is no 'Partition/Path' row on LTM policies properties page. Instead the partition is displayed in the breadcrumb at the top of the page.

Conditions:
This is encountered when selecting a LTM policy.

Impact:
Partition/Path not displayed.

Workaround:
None.

Fix:
The partition was removed from the properties page breadcrumb and added as a 'Partition/Path' row to match the behavior of other LTM properties pages.

---

627221 : iControl SOAP doesn't support displaying all possible media options for interfaces

Component: TMOS

Symptoms:
Newer media options would erroneously be displayed as MT_AUTO from iControl SOAP.

If the media option is considered internal; iControl SOAP will still display the specific type if available in its list. This has been changed to display MT_NONE for those options.

Conditions:
Platforms that support the missing interfaces in the iControl SOAP will not get the right info vi iControl SOAP.
Specifically those that support MEDIA_40000_FDX and MEDIA_40000_LR4_FDX.

Affected Platforms:
A108
A112
D112
D113

Impact:
Information Mismatch

Fix:
iControl SOAP will display MT_NONE for media options that are considered internal.

iControl SOAP has been extended to display newer media options matching the current list of supported BIG-IP media options.

Behavior Change:
iControl SOAP will return MT_NONE media options for INTERNAL interfaces.

---

627203 : Multiple Oracle Java SE vulnerabilities

Solution Article: K63427774

---

627063 : Browser will be stuck on 'checking endpoint status' in some cases

Component: Access Policy Manager

Symptoms:
If the APM end user selects 'No' in response to the prompt 'Allow this site to inspect your machine', the Firefox and Chrome browsers will hang on the 'checking endpoint status' page.

Conditions:
-- Firefox or Chrome browser is used to launch endpoint inspection helper app.

-- The APM end user does not allow the app to perform endpoint check at launch time.

Impact:
Browser hangs on the 'checking endpoint status' page.

Workaround:
Use a different browser.

Fix:
End-User "no" responses to "Allow this site to inspect your machine" no longer results in a browser hang at "checking endpoint status" in Firefox.

---

626894 : Portal Access may determine end of HTML SCRIPT tag incorrectly

Component: Access Policy Manager

Symptoms:
If HTML page contains SCRIPT tag with HTML comment inside, the end of this SCRIPT tag may be found incorrectly by Portal Access.

Conditions:
- HTML page with SCRIPT tag
- HTML comment inside this tag
- strings '<script>' and '</script>' inside this HTML comment

Example:

<script>
<!--
var i=1; // <script>
var line = "</script>";
//-->
</script>

Impact:
The end of the SCRIPT tag is determined incorrectly by server-side HTML parser. In the example above, the end of SCRIPT tag is set at first '</script>' string.
HTML page and scripts inside it may be handled incorrectly; web application may not work as expected.

Workaround:
Split '</script>' string inside HTML comment into concatenation of two separate strings by iRule.

Fix:
Now interaction between HTML SCRIPT tag and HTML comment tag is handled correctly by server-side HTML parser in APM Portal Access.

---

626890 : Portal Access: URLs in CSS image-set() function may not work correctly

Component: Access Policy Manager

Symptoms:
Portal Access does not rewrite URLs in CSS function image-set() parameters. Browser cannot load corresponding resources.

Conditions:
CSS file with image-set() function or any of its variants, for example:

.img {
  background-image:
    -webkit-image-set(
      "examples/images/image-384.jpg" 1x,
      "examples/images/image-768.jpg" 2x,
    );
}

Impact:
URLs in image-set() function are not rewritten; hence corresponding resources cannot be loaded by browser.

Workaround:
Use iRule to replace non-rewritten URLs by rewritten ones.

Fix:
Now URLs in CSS image-set() function are rewritten correctly by Portal Access. Several browser-dependent modifications of this function are supported as well: '-webkit-image-set', '-moz-image-set', '-ms-image-set' and '-o-image-set'.

---

626861 : Ensure unique IKEv2 sequence numbers

Component: TMOS

Symptoms:
Although BIG-IP generates random sequence numbers for use in protocol negotiation, it is possible to allocate a new number already in use by a phase-one ike-SA or a phase-two child-SA.

Conditions:
When a sufficiently large number of tunnels are in use (e.g., numbering in thousands), odds of generating a duplicate sequence number is relatively high, given the number of random bits used to generate the number. More tunnels makes it more likely to occur.

Impact:
On sequence number collision, this might confuse an old SA, and probably never complete negotiation of a new SA. In addition, the system might crash if updating an old SA happened in a state where update is not expected.

Workaround:
None.

Fix:
Now BIG-IP uses more random bits in generated sequence numbers, and it always checks whether a new sequence number is currently in use anywhere else before proceeding. Thus collisions cannot be generated in sequence number allocation. New numbers should always be guaranteed unique now.

---

626851 : Potential crash in a multi-blade chassis during CMP state changes.

Solution Article: K37665112

Component: Policy Enforcement Manager

Symptoms:
CMP state change can result in a blade crash.

Conditions:
CMP state change with a PEM profile enabled on a virtual. The former can be triggered using a TMM restart/unrelated crash, blade insertion or blade administrative state change.

Impact:
Blade crash resulting in potential loss of service.

Workaround:
Deploy PEM in an HA-pair with a chassis fail over configured to occur if at most one blade on the active chassis fails.

Fix:
The system now gracefully handles sessionDB errors due to a CMP state change.

---

626641 : CLI VPN client crashes when HOME environment variable is not defined

Component: Access Policy Manager

Symptoms:
CLI VPN client requires HOME environment variable for logging. If the variable is not set, CLI client crashes on Linux/Mac.

Conditions:
HOME environment variable is not defined.

Impact:
The VPN client crashes it is difficult to determine the cause.

Workaround:
Set HOME environment variable.

Fix:
Now the Linux command line client logs a message and exits gracefully rather than crashing when HOME variable is not set.

---

626594 : No way to perform a soft server certificate verification

Component: Local Traffic Manager

Symptoms:
There is no way to perform a soft server certificate verification.

Conditions:
Server-side SSL forward proxy when 'server certificate is set to 'require' and 'untrusted CA response control' and 'expired certificate response control' are both set to 'ignore'.

Impact:
No way to perform a soft server certificate verification and continue the handshake as though the verification is OK, even if it is not OK.

Workaround:
None.

Fix:
There is a new sys db variable: tmm.ssl.servercert_softval with default value 'disabled'.

When this sys db variable is 'enabled', calling SSL::verify_result will return a soft verfiy_result value.

Typical use case:
It is used in the server-side SSL forward proxy when 'server certificate is set to 'require' and 'untrusted CA response control' and 'expired certificate response control' are both set to 'ignore' but would like to perform a soft server certificate verification.

Behavior Change:
There is a new sys db variable: tmm.ssl.servercert_softval with default value 'disabled'.

When this sys db variable is 'enabled', calling SSL::verify_result will return a soft verfiy_result value.

Typical use case:
It is used in the server-side SSL forward proxy when 'server certificate is set to 'require' and 'untrusted CA response control' and 'expired certificate response control' are both set to 'ignore' but would like to perform a soft server certificate verification.

---

626589 : iControl-SOAP prints beyond log buffer

Solution Article: K73230273

Component: TMOS

Symptoms:
When trace logging is turned on, iControl SOAP can potentially print text beyond its log buffer.

Conditions:
Logging for iControl SOAP is turned on with trace level.

Impact:
iControl-SOAP can print out garbage log to /var/log/ltm and can potentially lead to instability with reading beyond a buffer.

Workaround:
Do not enable logging with trace level, which is not turned on by default.

Fix:
Trim trace buffer to appropriate length to prevent printing garbage.

---

626386 : SSL may not be reassembling fragments correctly with a large-sized client certificate when SSL persistence is enabled

Component: Local Traffic Manager

Symptoms:
On a BIG-IP device, whenever a large-sized client certificate is sent by an SSL client to a virtual service, and SSL persistence is enabled, the SSID parser does not reassemble fragmented ClientKeyExchange messages correctly. It interprets the next incoming fragment - part of the CertificateVerify message - as a new record, incorrectly calculates its length and ends up waiting endlessly for more bytes to receive the record.

Conditions:
When SSL persistence is enabled and a large-sized client
certificate is sent by the SSL client to the BIG-IP device.

Impact:
Client connection hangs during the handshake. No impact to any other module.

Workaround:
Disable SSL persistence.

Fix:
SSL now reassembles fragments correctly with a large-sized client certificate when SSL persistence is enabled.

---

626363 : HA Groups sufficient threshold warns sufficient count=0 when sufficient count is set to all

Component: TMOS

Symptoms:
When the HA Health Monitor indicates that one or more objects do not meet the sufficient threshold, it is indicated by a yellow triangle icon in the System :: High Availability : HA Groups : Group screen. If the sufficient threshold is set to "All", then when you hover your mouse over the icon it will say the sufficient threshold of 0 is not met.

Conditions:
Device Cluster configured with HA Groups configured for one or more traffic groups. The HA Group has a sufficient threshold setting of "All".

Impact:
The text will indicate that the sufficient threshold of 0 is not met. This is a cosmetic display issue.

---

626311 : Potential failure of DHCP relay functionality credits to incorrect route lookup.

Component: Local Traffic Manager

Symptoms:
DHCP requests from client to server may not make it through.

Conditions:
-- BIG-IP system configured as a DHCP relay.
-- Input variable (flow_key) incorrectly initialized.

Impact:
Clients might not get an IP address from the DHCP server.

Workaround:
None.

Fix:
Input variable (flow_key) is initialized properly to prevent a potential route-lookup failure.

---

626056 : Apmd crashes when using iRule in clientless mode

Component: Access Policy Manager

Symptoms:
Apmd crashes when iRule is used in clientless mode.

Conditions:
This occurs when following conditions are met:

- iRule is used to evaluate the access policy.
- If LDAP/AD query agent is configured in access policy to fetch many attributes. If the data is more than 64K, apmd will hit segfault (SIGSEGV) when trying to copy them.

Impact:
Apmd crashes or restarts.

Workaround:
Limit the number of attributes in Ldap/AD query agents. Apmd doesn't crash if the total data are less than 64K.

Fix:
Access Sessions with large amounts of session variable data are now created properly when called from the "ACCESS::policy evaluate" iRule command.

---

625892 : Nagle Algorithm Not Fully Enforced with TSO

Component: Local Traffic Manager

Symptoms:
Sub MSS packets are more numerous than Nagle's algorithm would imply.

Conditions:
TCP Segmentation Offload is enabled.

Impact:
Sub-MSS packets increase overhead and client power consumption.

Workaround:
Disable TCP Segmentation Offload by running the following command:
tmsh modify sys db tm.tcpsegmentationoffload value disable

Fix:
Deliver Integer Multiples of MSS to the TSO hardware when Nagle's algorithm applies.

---

625703 : SELinux: snmpd is denied access to tmstat files

Component: TMOS

Symptoms:
When a custom SNMP MIB is created by using Tcl scripts or other methods, the snmpwalk will fail to access the created MIB data.

Conditions:
Custom created MIBs.

Impact:
Access to that MIB is denied.

Workaround:
None.

Fix:
When a custom SNMP MIB is created by using a Tcl scripts or other methods, the snmpwalk no longer fails to access the created MIB data.

---

625602 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
Some messages that should be sent to peers in a device group are not successfully sent.

Conditions:
A series of create/delete ASM policies and multiple changes to the ASM sync Device Group (creation, deletion, joining devices, removing devices).

Impact:
ASM configuration does not sync properly

Workaround:
Reconfigure the device group and restart asm_config_server using the following command:
# pkill -f asm_config_server

Fix:
Communication over the ASM Device Group now works correctly after leaving/joining Device Groups.

---

625565 : SSL error message is missing important information

Component: Global Traffic Manager (DNS)

Symptoms:
If a SSL error occurs while running the iqsh utility or when BIG-IP DNS/GTM attempts to establish an SSL connection, then the system will dump certain pieces of information about the attempted connection but won't include the return code from OpenSSL (which indicates what the error actually was).

Conditions:
An SSL error occurs while running the iqsh utility or when BIG-IP DNS/GTM attempts to establish an ssl connection.

Impact:
The SSL connection has already failed by the time this error is displayed. Without the additional return code information it may be difficult to diagnose why the failure occurred.

Workaround:
There is no workaround at this time.

Fix:
The error code is output as a string indicating which of the defined errors occurred. See 'man SSL_get_error' for details on what each code means.

---

625542 : SIP ALG with Translation fails for REGISTER refresh.

Component: Service Provider

Symptoms:
SIP-MBLB-ALG-Translation mode doesn't translate SIP REGISTER refresh message when arriving on the original flow.

Conditions:
1. LSN Pool selected on CLIENT_ACCEPTED event.
2. SIP REGISTER request refresh happens on the original flow.

Impact:
SIP Register message egressed will not have translation applied i.e. the CONTACT and VIA header will not be translated.

Workaround:
None

Fix:
SIP REGISTER refresh processing identifies the translation used for the original SIP REGISTER and applies that translation to the SIP REGISTER refresh message.

---

625514 : [RFE] - iApp modification request to add apm policy - f5.peoplesoft_9

Component: TMOS

Symptoms:
Currently its not possible to associate APM access policies to virtual servers created using the f5.peoplesoft_9 iApp template. This requires users to disable strict updates and then associate the policy with the virtual server.

Conditions:
When using f5.peoplesoft_9 iApp template and require an APM configuration.

Impact:
Cannot associate APM access policies to virtual servers created using the f5.peoplesoft_9 iApp template.

Workaround:
Disable strict updates and then associate the policy with the virtual server.

Fix:
The system now supports APM policies in f5.peoplesoft_9 iApp deployments.

---

625428 : SNMP reports incorrect values for F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit

Component: TMOS

Symptoms:
The F5 BIG-IP local mib has the wrong value definitions for
F5-BIG-IP-LOCAL-MIB::ltmPoolQueueOnConnectionLimit
allowed(0),disallowed(1)
instead of
disabled(0),enabled(1)

Conditions:
This occurs on any platform that supports this MIB field and has LTM Pool configurations.

Impact:
Information mismatch

---

625165 : Routes added by 'Allow local DNS servers' are not removed even if these DNS servers are no longer among client's local DNS servers.

Component: Access Policy Manager

Symptoms:
-Routes to local DNS that get added due to 'allow local DNS' option in Network Access config do not get removed once network changes after VPN is established.

Conditions:
- 'Allow local DNS' option is selected in Network Access config.
- BIG-IP administrator changes the network configuration after VPN is connected.

Impact:
If the BIG-IP administrator changes the network after a VPN is connected, and if DNS servers have changed, then routes to old DNS servers (which may or may not be reachable) will be left in the routing table.

Workaround:
None.

Fix:
In Network Access, routes added by 'Allow local DNS servers' are now removed when they are no longer among a client's local DNS servers if the client's network properties change.

---

624992 : LTM Configuration Found after Provisioning VCMP

Component: TMOS

Symptoms:
When provisioning VCMP on a previously enabled LTM unit, the existing LTM configuration is not automatically removed.

Conditions:
VCMP provisioned with LTM configuration.

Impact:
The behavior of the BIG-IP is undefined when VCMP is provisioned and LTM is configured. The impact can range from none to intermittent or total traffic loss.

Workaround:
Delete pool members, pools, and virtual servers before provisioning VCMP.

Fix:
Virtual servers will be disabled when VCMP is provisioned. If VCMP is already provisioned virtual servers can't be created unless they are created as a disabled virtual.

---

624909 : Static route create validation is less stringent than static route delete validation

Component: TMOS

Symptoms:
When creating a static route the BIG-IP ensures that there is a self-IP on the same interface, but does not check to make sure that there is a self-IP on the same interface that uses the same IP protocol (IPv4 vs. IPv6). If the route is created with only self-IPs that use different IP protocols, then the system will not allow you to delete any self-IPs on the same interface as the static route.

Conditions:
Using a static route that has one IP protocol on a given interface along with self-IPs that, while on the same interface, use a different IP protocol.

Impact:
Unable to delete certain self-IPs.

Workaround:
In order to delete the self-IPs you can either:

1) Delete the static route.
or
2) Create a self-IP on the same interface and using the IP protocol as the static route.

Fix:
Added validation to ensure that when a static route is created there is at least one self-IP that uses the same interface and IP protocol.

---

624896 : GUI LTM Virtual Server Connection Limit and Connection Rate Limit

Component: TMOS

Symptoms:
Depending on the Virtual Server Type selection the Connection Limit and Connection Rate Limit may or may not be supported.

When changing the Virtual Server Type the GUI sometimes displays or hides the Connection Limit and/or Connection Rate Limit inconsistently.

Conditions:
When switching between Types, the Connection Limit and Connection Rate Limit may or may not be displayed or hidden correctly for the selected type.

Impact:
When updating the Virtual Server, if a value is persisted when it is not supported, the user will get an error. Or if a value is supported, but not visible, you cannot set the value through the GUI.

Workaround:
For values that are saved when they are not supported and the user gets an error, the user can set the value to 0. If the Connection Limit or Connection Rate Limit is not displayed in the GUI, the user can use tmsh to set the value.

Fix:
Ensure GUI is displaying and hiding Connection Limit and Connection Rate Limit correctly for each Virtual Server Type.

---

624802 : AWS - Sometimes iid-document is not loaded on instance startup

Solution Article: K43044995

Component: TMOS

Symptoms:
Sometimes iid-document is not loaded on instance startup.

Conditions:
VE in AWS (some of new regions). This can happen when network traffic is blocked during boot or if AWS metadata service is temporary not available.

Impact:
iid-document is missing and AWS Advanced HA functionality is not working as expected.

Workaround:
Manually execute the following script: /etc/vadc-init/aws-init.

---

624777 : Reducing the response time of the Device ID collection

Component: Advanced Firewall Manager

Symptoms:
Device ID collection time being run on the browser needs to be faster.

Conditions:
Device ID collection is enabled on either the ASM Policy or DOS Profile.

Impact:
New sessions in the browser may take slightly longer to reach the website than necessary.

Workaround:
None.

Fix:
Slightly reduced the response time of the Device ID collection.

---

624692 : Certificates with ISO/IEC 10646 encoded strings may prevent certificate list page from displaying

Component: TMOS

Symptoms:
SSL Certificate List page displays "An error has occurred while trying to process your request." or unable to view certificate information via iControl/REST.

Conditions:
Certificate with multi-byte encoded strings.

Impact:
Unable to view certificate list page or view certificate information via iControl/REST.

---

624671 : A route for /32 mask can't be added

Component: TMOS

Symptoms:
Adding a route for /32 mask will be allowed, with no error message, however, /32 route will not be populated into kernel.

Conditions:
Complex route overriding default routes and adding /32 mask route

Impact:
Route is not added to the routing table.

Workaround:
There will be error message like
Feb 14 12:24:09 disc5 err chmand[2476]: 012a0003:3: Kernel returns error : Network is unreachable
Feb 14 12:24:09 disc5 err chmand[2476]: 012a0003:3: Mgmt Operation:0 Dest:7.7.7.7
Feb 14 12:24:09 disc5 err chmand[2476]: 012a0003:3: Prefix Length:32 Gateway:10.255.0.1 mgmt:0

in /var/log/ltm until it's fixed properly.

---

624626 : Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility

Component: TMOS

Symptoms:
You cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility, which returns an error message similar to the following example:

01020036:3: The requested Certificate File (/Common/example.crt) was not found

Conditions:
The presence of SSL certificates and keys created without the .crt and .key extensions. This might have happened, for example, if the SSL certificates and keys were created using the tmsh utility.

Impact:
Cannot delete keys without extension .key (and certificates without .crt) using the Configuration utility.

Workaround:
You can use the tmsh utility to delete affected SSL certificates and keys. You would use commands similar to the following example:

tmsh delete sys crypto cert example
tmsh delete sys crypto key example

Fix:
You can now delete keys without extension .key (and certificates without .crt) using the Configuration utility.

---

624484 : Timestamps not available in bash history on non-login interactive shells

Solution Article: K09023677

Component: TMOS

Symptoms:
There are no timestamps in bash history when bash is initiated from tmsh.

Conditions:
This issue arises when an Administrator or Resource Administrator with tmsh as the default shell runs bash from tmsh and then runs the 'history' command.

Impact:
Running 'history' in bash will not include timestamps of commands.

Workaround:
Timestamps can be added to bash history by running the following command in bash: export HISTTIMEFORMAT="%Y-%m-%d %T ".

Fix:
Added timestamps to bash history for non-login interactive shells.

---

624181 : Preserve original ownership of /etc/hosts file

Component: Access Policy Manager

Symptoms:
CLI VPN client changes ownership of /etc/hosts file to root. After disconnecting from VPN, ownership is not restored back to the original.

Conditions:
CLI VPN client is used to establish VPN connection on Mac/Linux.

Impact:
It breaks usability of /etc/resolv.conf for OS apps.

Workaround:
An administrator can restore ownership of /etc/hosts using system tools.

Fix:
Now the Mac / Linux CLI client preserves the original ownership of /etc/hosts after disconnecting from VPN.

---

624155 : MRF Per-Client mode connections unable to return responses if used by another client connection

Component: Service Provider

Symptoms:
When an outgoing connection is created in per-client mode, that connection is exclusively for use by the client whose message was routed to the destination. All messages (response or requests) received by the server are automatically forwarded to the client. The messages received from the server are forwarded to the original connection from the client (even if it has been closed).

Conditions:
The connection from the client closes and the client connects again.

Impact:
Messages from the new client connection will be routed using the previously created outgoing connection. But messages received from the server will be forwarded to the original connection from the client which is closed. These message will fail to be delivered.

Workaround:
None.

Fix:
When message arrive from a new client connection, the outgoing connection will be to forward messages received from the server to the new connection.

---

623940-4 : SSL Handshake fails if client tries to negotiate EC ciphers but does not present ec_point_formats extension in ClientHello

Component: Local Traffic Manager

Symptoms:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

The ltm error log message looks like:
*****************************************************
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Oct 12 11:25:08 gtm2 warning tmm1[21167]: 01260026:4: No shared ciphers between SSL peers 10.1.6.50.36563:10.1.6.15.443.
*****************************************************

Conditions:
If client tries to negotiate EC ciphers but does not present ec_point_formats extension, SSL handshake fails.

Impact:
SSL Handshake fails.

---

623536 : SNMP traps for TCP resets sent due to maintenance mode enabled may not be sent

Component: TMOS

Symptoms:
Due to a syntax issue in /etc/alert/alertd.conf, SNMP traps sent for notifying RSTs sent due to maintenance mode on are not being sent.

Conditions:
Reset cause logging and maintenance mode are enabled
Snmp trap destination is configured and routable

Impact:
snmp traps are not sent

Workaround:
Adding custom trap in /config/user_alert.conf with escaped characters will workaround the issue:

alert BIGIP_IP_REJECT_MAINT_MODE_FIX "RST sent from (.*) Maintenance mode \(all VIP\/SNAT\/Proxy connections disabled\)" {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.34"
}

Fix:
BIG-IP now correctly sends SNMP traps when configured to do so with TCP resets in maintenance mode.

---

623509 : Gx CCA with non-existent or non-pem policy does not trigger CCR-u reply

Component: Policy Enforcement Manager

Symptoms:
If Gx interface, from the PCRF, receives a CCA with non-existent or non-pem policy, a CCR-u with 'Unknown rule name' is not being sent back to PCRF.

Conditions:
By default, for any CCR with a CCA having non-existent or non-pem policy.

Impact:
CCR-u with 'unknown rule name' is not being send back to PCRF.

Workaround:
Configure PCRF to send an existing policy on the BIG-IP system.

Fix:
Set the sys db variable tmm.pem.session.policy.InstallUnknown to FALSE to receive CCR-u with result code UNKNOWN_RULE_NAME, otherwise there will be no CCR-u sent back.

Behavior Change:
Before: If CCA with an unknown policy is received from Gx, the BIG-IP system replied with CCR-u with Result code set to UNKNOWN_RULE_NAME.

Now: You can set a sys db variable tmm.pem.session.policy.InstallUnknown to FALSE to receive CCR-u with result code UNKNOWN_RULE_NAME. Otherwise, there will be no CCR-u sent back.

---

623362 : Oversized pool member input

Component: TMOS

Symptoms:
In the System :: High Availability : Fail-safe : Gateway property page in the GUI, you are allowed to enter a pool member count higher than the maximum of 65535.

Conditions:
This occurs when entering a minimum pool member count. The limit is 0-65535 but the GUI allows you to enter a higher number.

Impact:
If you enter a higher number, a validation error will occur: "Value out of range. Correct Range: 0 - 65535"

Fix:
The pool member input is now 5 characters long.

---

622845 : Adding unlimited snaplen option to support page

Component: TMOS

Symptoms:
Qkviews with unlimited snaplen can only be created using the terminal.

Conditions:
Attempting to create qkviews with unlimited snaplen using the GUI.

Impact:
Cannot use the GUI to create qkviews with unlimited snaplen.

Workaround:
Use tmsh to create qkviews with unlimited snaplen.

Fix:
Qkviews with unlimited snaplen can be created using the terminal and the web UI.

---

622619 : BIG-IP 11.6.1 - "tmsh show sys log <item> range" can kill MCPD

Component: TMOS

Symptoms:
MCPd cpu utilization is high and renders it unresponsive.

Conditions:
A ranged log query where the log files are excessively large, e.g., 1 GB uncompressed.

Impact:
MCPd is killed due to being unresponsive, which restarts multiple daemons.

Workaround:
Lower the logging level, thereby decreasing the size of the file which must be parsed.

---

622395 : Allowing Application Editor users to remove pool members

Component: TMOS

Symptoms:
Application Editors aren't allowed to remove pool members

Conditions:
This applies to the application editor user role.

Impact:
Application Editors cannot remove pool members using the web UI

Workaround:
Use tmsh to remove pool members with an Application Editor user

Fix:
Application Editor users can now remove pool members

---

622304 : Windows command line client cannot connect if Edge client is running and disconnected

Solution Article: K52854041

Component: Access Policy Manager

Symptoms:
Windows command line client cannot connect if Edge client is running and disconnected.

Conditions:
f5fpc.exe (Windows command line client) is used to establish VPN.
Windows Edge client is running and is in disconnected state.

Impact:
VPN cannot be established using command line client.

Workaround:
Use Edge client to connect VPN.

Fix:
Now the Windows command line edge client (f5fpc.exe) works correctly if the full Edge Client is simultaneously running but disconnected.

---

622204 : If a virtual server's name has a "." in it then a DoS profile cannot be attached to it

Solution Article: K14141640

Component: Advanced Firewall Manager

Symptoms:
For virtual servers with a . (dot, or period) in the name and a DoS profile attached, a crash might occur when attacks are detected/stopped.

Conditions:
Virtual server with a name that includes a . and an attached DoS profile, and then a DoS attack is detected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove the . in the virtual server name.

Fix:
The BIG-IP system now allows attaching a DoS profile to a virtual server that has a . in its name.

---

621976 : OneDrive for Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
OneDrive for Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses OneDrive for Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working OneDrive for Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
OneDrive for Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

---

621974 : Skype For Business thick client shows javascript errors when rendering APM logon page

Component: Access Policy Manager

Symptoms:
Skype For Business thick client shows javascript errors when rendering APM logon page

Conditions:
APM is used as federated auth provider for Microsoft Azure. User uses Skype For Business thick client to authenticate.

Impact:
User experience is impacted, however clicking thru javascript errors eventually leads to successful authentication and working Skype For Business app.

Workaround:
Click thru javascript error dialogs.

Fix:
Skype For Business thick client is now fully supported when authenticating against APM as federation provider for Microsoft Azure.

---

621870 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, a system outage may occur while processing traffic.

Conditions:
VIP-VIP configuration

Impact:
System outage

Workaround:
None.

---

621682 : Portal Access: problem with specific JavaScript code

Component: Access Policy Manager

Symptoms:
Portal Access does not rewrite JavaScript code with try...catch... operator followed by literal regular expression.

Conditions:
JavaScript code like follows:
try {} catch (e) {} /aaa/.test(b)

Impact:
Web application may not work correctly.

Fix:
Now try / catch operator followed by literal regular expression in JavaScript code is handled correctly by Portal Access.

---

621379 : TCP Lossfilter not enforced after iRule changes TCP settings

Component: Local Traffic Manager

Symptoms:
TCP Lossfilter function doesn't work properly, although the first few losses will be properly ignored.

Conditions:
TCP profile has ALL of the following settings:
mptcp disabled; rate-pace disabled; tail-loss-probe disabled; fast-open disabled; cmetrics-cache-timeout = 0; congestion ctrl is reno, new-reno, high-speed, or scalable; nagle enabled or disabled; rtx_thresh = 3; loss-filter settings are both > 0.

an iRule changes any of the above settings except loss-filter.

Impact:
Sending rate declines due to packet losses improperly interpreted as congestion.

Workaround:
Change any of the conditions above.

Fix:
Properly handle loss-filter state when switching TCP stacks.

---

621314-5 : SCTP virtual server with mirroring may cause excessive memory use on standby device

Solution Article: K55358710

Component: TMOS

Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.

Conditions:
SCTP virtual server has mirroring enabled.

Impact:
TMMs will have high memory usage on standby device.

Workaround:
Disable mirroring on the SCTP virtual server.

Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.

---

621259 : Config save takes long time if there is a large number of data groups

Component: TMOS

Symptoms:
Config save takes a long time to complete

Conditions:
This occurs when there is a large number (~2000) of data-group objects in the configuration

Impact:
When take longer than 90 seconds soap iControl will time out.
This make it impossible to manage via EM

---

621233 : fastL4 + http profile with ip-protocol not set to tcp can crash tmm

Component: TMOS

Symptoms:
TMM will core when receiving a non-TCP datagram on a fastL4 + http profile virtual.

Conditions:
Create a virtual server that uses profiles fastL4 and http and is set to use an ip-protocol other than just tcp.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Set the virtual's ip-protocol to tcp.

---

621197 : Question mark prevents TMSH from loading configuration file

Component: TMOS

Symptoms:
When loading system configuration for TMSH, if some properties have value question mark, TMSH would fail to complete the loading.

Conditions:
-- Use TM Shell to load configuration.
-- string, vector of string properties have ? as value

Impact:
TMSH fails to load system configuration file

Workaround:
None.

Fix:
TMSH now considers escaped question mark as literal character if the question mark is explicitly escaped (i.e. using quotes, backslash, etc.) Loading system configuration succeeds if all question marks are properly escaped

---

620933 : qkview generation is slow due to 'ss -p' command

Component: TMOS

Symptoms:
qkview takes a significant amount of time to complete due to performance of 'ss -p' command.

Conditions:
Significant number of open sockets

Impact:
Slow qkview generation

Fix:
Decrease time of qkview generation by increasing performance of 'ss -p' command due to reduced complexity.

---

620929 : New iRule command, MR::ignore_peer_port

Component: Service Provider

Symptoms:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port. Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Conditions:
For incoming connections where the client used a ephemeral source port, subsequents connections from the same client may connect using a different ephemeral port.

Impact:
Without being able to identify the current connection as equivalents to other connections from the same IP, it will not be discoverable as an equivalent connection.

Workaround:
Without this change, a new connection would need to be created to the client.

Fix:
New iRule command allow script author to identify the current connection as equivalent to other connections of the IP and route domain ID matches.

---

620903 : Decreased performance of ICMP attack mitigation.

Component: Performance

Symptoms:
Decreased performance of ICMP attack mitigation.

Conditions:
A Big-Ip is under attack, for example a ICMP flood attack.

Impact:
Decreased performance of ICMP attack mitigation.

Workaround:
NA

Fix:
Increased performance of ICMP attack mitigation.

---

620759 : Persist timeout value gets truncated when added to the branch parameter.

Component: Service Provider

Symptoms:
Persist timeout value gets truncated when added to the branch parameter due to difference in storage type.

Conditions:
If the persist timeout value was higher that 65535 then the value gets truncated.

Impact:
Incorrect persist timeout get into affect for the call other than the value set in the config.

Workaround:
None.

Fix:
Persist timeout value no longer gets truncated when added to the branch parameter.

---

620659 : The BIG-IP system may unecessarily run provisioning on successive reboots

Component: TMOS

Symptoms:
After the first boot, the system runs provisioning and boots successfully, but there is a file left on the system /mprov_firstboot. This will appear in /var/log/ltm:
  info mprov:4614:: \'\'provision.initialized\' indicates force TMOS only provisioning - forcing.\'

During a subsequent boot, provisioning will run again, potentially unnecessarily, due to the existence of this file. The following will appear in /var/log/ltm during the second boot:
  info mprov:4609:: \'Existence of file \'/mprov_firstboot\' indicates force TMOS only provisioning - forcing.\'

Conditions:
The memory size of the host changes and there is some other need for reprovisioning (for example a new configuration load).

Impact:
On a vCMP host, the second provisioning may not complete properly and guest systems will not pass traffic.

The vCMP host will continually try to start more than one tmm and fail when there should only be one tmm running. The /var/log/tmm logfile on the vCMP host will contain:
  <13> Sep 25 01:33:28 vcmphost1 notice Too small memsize (60) -- need at least 136 MB

The /var/log/tmm logfile on the vCMP guest will contain:
  <13> Sep 25 01:38:21 bigip1 notice Failed to write /var/run/libdag.so_2, err: -30
  <13> Sep 25 01:38:21 bigip1 notice panic: vdag failed to attach
  <13> Sep 25 01:38:21 bigip1 notice ** SIGFPE **

Workaround:
If the vCMP host is in a tmm restart loop due to this issue, reboot the vCMP host to allow the system to come up properly.

Fix:
The BIG-IP software now always removes the /mprov_firstboot file when the system is reprovisioned.

---

620625 : Changes to the Connection.VlanKeyed DB key may not immediately apply

Component: Local Traffic Manager

Symptoms:
Changes to the Connection.VlanKeyed DB key may not immediately apply to all TMMs

Conditions:
The Connection.VlanKeyed DB key is changed

Impact:
Asymmetrically routed connections may fail with Connection.VlanKeyed disabled

Workaround:
Restarting TMM will resolve the issue, though this will interrupt traffic so should be performed during a maintenance window. To do so, run one of the following tmsh commands:

-- on an appliance (BIG-IP platform): bigstart restart tmm
-- on a clustered system (a VIPRION or VIPRION-based vCMP guest): clsh bigstart restart tmm

Fix:
Asymmetrically routed connections no longer fail with Connection.VlanKeyed disabled.

---

620567 : HTTP to HTTPS TMUI redirection erroneously allows HTTP access to iControl SOAP and iControl REST

Component: TMOS

Symptoms:
When the BIG-IP is configured to redirect HTTP to HTTPS, iControl SOAP and iControl REST API calls are erroneously accepted on port 80 (in addition to 443).

Conditions:
The BIG-IP has "Redirect HTTP to HTTPS" enabled.

Impact:
iControl SOAP and iControl REST calls are accepted on an unencrypted port. API calls still require authentication, but results are not encrypted.

---

620445 : New SIP::persist keyword to set the timeout without changing key

Component: Service Provider

Symptoms:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout> disables bidirectional persistence.

Conditions:
Setting the SIP persistence key's timeout using SIP::persist <new_key> <new_timeout>.

Impact:
Disables bidirectional persistence. Persistence entry only records destination (not source) of the session.

Workaround:
None.

Fix:
New keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key.

Behavior Change:
There is a new keyword, SIP::persist timeout <new_timeout> allows changing the timeout without changing the key. Previously, if you changed the timeout, it disabled bidirectional persistence.

---

620280 : Some parts of Portal Access client may cause performance issues on rewritten pages

Component: Access Policy Manager

Symptoms:
Portal users complain that the page takes a lot of time to load and browser is unresponsive for most of this time.
Top entries in the JavaScript profiler are any of following functions:
 F5_Deflate_index
 F5_Inflate_index
 F5_DomainCheck, F5_DomainCheck_IE or F5_DomainCheck_others

Conditions:
This can occur through the Access Portal under heavy load.

Impact:
Pages take a while to load and browser may show warnings about script execution time.

Workaround:
None

Fix:
Now the performance of F5 functions F5_Deflate_index, F5_inflate_index, and F5_DomainCheck is optimized to allow much better web app performance when delivered via Portal Access.

---

619873 : Secure Vault: Key cleanup for 5000- and 7000-series platforms★

Component: TMOS

Symptoms:
Outdated and unused unit key is left on 5000- and 7000-series platforms after upgrade from an older version to v13.0.0.

Conditions:
-- Running on 5000- and 7000-series platforms.
-- Upgrading from a version earlier than v13.0.0 to v13.0.0.

Impact:
1) Unit key on disk is preferred over unit key in hardware.
2) Potential config load failures when upgrading from pre-v13.0.0 to v13.0.0, or installing v13.0.0 hotfixes on these devices.

Workaround:
NOTE: Impacts only 5000- and 7000-series platforms.

On or before upgrade to v13.0.0 or its associated hotfixes, perform the following procedure:
1) Set master key to a known value:
   modify sys crypto master-key prompt-for-password
2) Save config:
   tmsh save sys config
3) Remove the old unit key:
   rm /config/bigip/kstore/.unitkey
4) Load config:
   tmsh load sys config
5) Save config:
   tmsh save sys config

Fix:
Unit key is no longer left on 5000- and 7000-series platforms after upgrade from an older version.

---

619844-1 : Packet leak if reject command is used in FLOW_INIT rule

Component: Local Traffic Manager

Symptoms:
TMM memory usage (packets) increases steadily over time.

Conditions:
'reject' command is used in a FLOW_INIT rule

Impact:
Packet leak over time will consume TMM memory.

Workaround:
Do not use reject command in FLOW_INIT iRule

---

619593 : Provisioning page table cells overlap

Component: TMOS

Symptoms:
Cells in the provisioning page table overlap when they contain long strings.

Conditions:
Cells in the provisioning page table contain long strings.

Impact:
The cells will overlap.

Workaround:
None.

Fix:
Cells in the provisioning page table no longer overlap when they contain long strings.

---

619397-1 : LCD shows error screen on boot or after license expires

Solution Article: K04055706

Component: Device Management

Symptoms:
The LCD on BIG-IP iSeries appliances may display an error screen.

Conditions:
This occurs if the appliance has just finished booting, or if the license has just expired.

Impact:
This may cause an unexpected error and subsequent navigation back to the LCD splash page.

Workaround:
Wait one minute and try to navigate the LCD screens again. If the system has already been licensed and is in the 'Active' state, subsequent attempts should work.

Fix:
The LCD on BIG-IP iSeries appliances no longer displays an error screen just after boot or license expiration.

---

619162 : Two Delete buttons for records and main delete. Edit and Delete buttons are enabled when no record selected.

Component: TMOS

Symptoms:
There are two Delete buttons on the page. One Delete button is for the records and one for the overall Data Group.

Conditions:
The Data Group page had two "Delete" buttons, which causes confusion.

Impact:
Button confusion might result in clicking the incorrect button.

Workaround:
There is a confirmation message when deleting the Data Group. User must consider the warning before proceeding.

Fix:
Relabeled the buttons to "Delete Records" and "Delete Data Group". Also, disabled the Edit and Delete Records buttons until a record is selected.

---

619071 : OneConnect with verified accept issues

Component: Local Traffic Manager

Symptoms:
System may experience an outage.

Conditions:
Verified Accept enabled in TCP profile
hardware syncookies enabled
OneConnect profile on VIP
Syncookie threshold crossed

Impact:
System outage.

Workaround:
Disabled verified accept when used with OneConnect on a VIP.

Fix:
Verified accept, OneConnect and hardware syncookies work
correctly together.

---

618985 : Changing type on external data-group may cause issues with iRule

Component: Local Traffic Manager

Symptoms:
When the type is changed on external data-group the iRule may improperly read the contents leading to iRule issues.

Conditions:
Type changed when re-loading external data-group.

Impact:
iRule issues while using contents of external data-group.

Workaround:
Restart TMM (e.g., bigstart restart tmm). This will impact traffic running through the system so it is advised to perform this step during maintenance window.

---

618982 : IPSEC + chassis behavior for case secondary blades on-off switch.

Component: TMOS

Symptoms:
After cmp_state change (secondary blade restart), some flows will fail

Conditions:
Adding-removing blades causes DAG flow redistribution and redistribution IKE/IPSEC SA's and IPSEC data flows between existing blades. It makes some flows interrupted and IPSEC peer disconnect.

Impact:
Some users may lose their connections and have difficulty restoring them.

Workaround:
None

Fix:
On HW configuration change BIG-IP need:
1. Graciously close affected IPSEC tunnels.
2. Update all involved IPSEC peers
3. Be ready to create the new tunnels upon requests.

Behavior Change:
Expected behavior:
All IPSEC tunnels should be shutdown and restarted upon request.

---

618773 : Improve the detection of malicious browsers

Component: Advanced Firewall Manager

Symptoms:
Some malicious browsers are not always detected.

Conditions:
This occurs when Proactive Bot Defense is enabled.

Impact:
Some malicious browsers are not detected and not reported in the logs.

Workaround:
None.

Fix:
Improved the detection of malicious browsers.

---

618463 : artificial low route mtu can cause SIGSEV core from monitor traffic

Component: Local Traffic Manager

Symptoms:
When configuring a monitor instance targeting an address reachable via a route with an artificially low route mtu, tmm can crash repeatedly.

Conditions:
see above

Impact:
Traffic disrupted while tmm restarts.

Workaround:
configure correct MTU

---

618430 : iRules LX data not included in qkview

Component: Local Traffic Manager

Symptoms:
Qkview does not contain any of the iRuleLX information.

Conditions:
N/A

Impact:
Support engineers will have to ask for the iRuleLX information separately. No iHealth heuristics possible at the moment.

Fix:
The following ILX information was added to the qkview:

TMSH commands:
  list ilx workspace all-properties
  list ilx plugin all-properties
  list ilx global-settings (13.0.0+)
  list ltm profile ilx all-properties (13.0.0+)
  show ilx plugin all
  show ltm profile ilx all (13.0.0+)

The files in the following folders:
  /var/ilx - master copies of workspaces
  /var/sdm - running files of the plugins
  /var/log/ilx - ILX specific logs

---

618332 : No event triggered when the system receives a certificate message from the server.

Component: Local Traffic Manager

Symptoms:
There is no event triggered when the system receives a certificate message from the server.

Conditions:
System receives a certificate message from the server.

Impact:
No event triggered.

Workaround:
None.

Fix:
A new event SERVERSSL_SERVERCERT is raised after the server certificate is received and verified on the server side.

Behavior Change:
A new event SERVERSSL_SERVERCERT is raised after the server certificate is received and verified.

---

617901 : GUI to handle file path manipulation to prevent GUI instability.

Component: TMOS

Symptoms:
Request file path may be incorrectly processed

Conditions:
Authenticated administrative user makes a GUI request

Impact:
The GUI becomes unstable because it cannot process the request.

Fix:
Redirect the user to a No Access page.

---

617690 : enable SIP::respond iRule command to operate during MR_FAILED event

Component: Service Provider

Symptoms:
When an message fails to route, it is not possible to return an error status back to the client.

Conditions:
When a message fails to route, the MR_FAILED event is raised for the message.

Impact:
Without this change, it is not possible for the script author to generate a response message to the client based on the routing failure.

Workaround:
NA

Fix:
SIP::respond command now works during MR_FAILED event.

---

617578-3 : Inconsistent info between tmsh and WebUI for profile radiusLB-subscriber-aware

Component: Policy Enforcement Manager

Symptoms:
On a BIG-IP provisioned with LTM only, the radius profile called radiusLB-subscriber-aware displays inconsistent information between tmsh and configuration utility

Conditions:
This occurs when looking at the radiusLB-subscriber-aware profile in both tmsh and the GUI.

Impact:
On a device that does not have PEM licensed:
root@(v12)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm profile radius radiusLB-subscriber-aware
ltm profile radius radiusLB-subscriber-aware {
    app-service none
    defaults-from radiusLB
}

However, viewing the profile in the configuration utility Local Traffic :: Profiles : Services : RADIUS : radiusLB-subscriber-aware
Settings field Custom checkbox
Persist Attribute disabled
Subscriber Discovery enabled
Client Spec disabled
Protocol Profile(_sys_radius_proto_imsi) enabled

On a device which does not PEM licensed, the Protocol profile should be set to None but shows as enabled.

---

617324 : Service health calculation creates unjustified CPU utilization

Component: Anomaly Detection Services

Symptoms:
When ASM provisioned service health is calculated and published to all VSs with security profile, even if stress-based detection is not configured

Conditions:
AFM provisioned and configured hundreds of VSs with security profile

Impact:
High CPU utilization

Workaround:
No

Fix:
Refactored internal infrastructure illuminated unnecessary server health calculation and CPU utilization

---

617273 : Expat XML library vulnerability CVE-2016-5300

Solution Article: K70938105

---

616104 : VMware View connections to pool hit matching BIG-IP virtuals

Component: Access Policy Manager

Symptoms:
When a VMware View resource is configured to use a pool as a destination, for all the connections to this pool, except the very first one, a matching virtual lookup is performed.
This doesn't align with the typical BIG-IP behavior on pool connections that should go directly to the chosen pool member and not hit matching virtual servers.

Conditions:
If a VMware View resource is configured to connect to a pool and there is a virtual server matching some or all the IP/port values of pool members, connections to those members will go through the matching virtual server, except for the very first one.

Impact:
If a matching virtual is not intended to pass the traffic through (e.g., a 'reject-all' virtual), those connections routed to this virtual server will fail.

Workaround:
None.

Fix:
All the connections to VMWare View pool members now go directly without hitting matching BIG-IP virtual servers.

---

615553 : Reverse/transparent setting reverting to disabled on child monitor

Solution Article: K51205306

Component: Local Traffic Manager

Symptoms:
Child monitor failing. Reverse/transparent setting reverting back to disabled.

Conditions:
Parent monitor with reverse/transparent enabled and child monitor with reverse/transparent disabled.

Impact:
The child monitor begins to fail when the configuration is re-loaded.

Workaround:
Make sure child and parent monitors have the same reverse/transparent setting. Or don't use a custom monitor as a parent if you want to modify reverse/transparent settings.

Fix:
Parent monitor and child monitor with differing reverse/transparent now use the correct setting for that monitor configuration.

---

615479 : netHSM key creation with tmsh fails if CSR is also requested

Component: Local Traffic Manager

Symptoms:
When using gen-csr option in tmsh to create a netHSM key, the operation fails.

Conditions:
gen-csr is used in the tmsh command when creating netHSM keys.

Impact:
Cannot create csr and key at the same tmsh command for netHSM.

Workaround:
Do not use gen-csr option when creating netHSM key.

Fix:
Implemented the underlying infrastructure to fully support PKCS #11 protocol. With this change, specifying gen-csr in tmsh works as expected for all netHSM, e.g., Safenet and Thales.

---

615372-1 : Occasional TCP resets during connection initiation (RST cause is "No local listener")

Component: TMOS

Symptoms:
Occasionally, the BIG-IP will send a TCP RST in response to an initial SYN with the reset cause "No local listener". This does not affect subsequent connections from the client, so they are likely to succeed.

The reset cause for a packet can be logged by setting the DB variable TM.rstcause.log to enable. The reset cause can be sent in the RST packet by setting the DB variable TM.rstcause.pkt to enable.

Conditions:
A virtual server is configured to use TCP and a client initiates a connection.

Impact:
The attempted connection is reset. Subsequent attempts are likely to succeed.

Workaround:
None.

Fix:
The icr_eventd daemon was updated to use TCP connections more efficiently.

---

615303 : bigd crash with Tcl monitors

Component: Local Traffic Manager

Symptoms:
bigd crashes after logging an error similar to the following:

emerg bigd: PID: 38611 Received invalid magic '1213486160' in the stream

Conditions:
-- Tcl Monitors: FTP, SMTP, POP3, IMAP.

-- This issue might also occur if the Tcl worker is in a stuck state, due to pool member not responding within the configured timeout.

-- May be particularly likely if the monitor is configured with an interval value of 1 second.

Note: Although less frequent, this issue might still occur with proper monitor configurations (timeout: 3*interval + 1).

Impact:
bigd crashes and error messages.

Possible interruption of monitoring status, pool members going down, interruption of traffic.

Workaround:
For the case where a Tcl monitor is configured with a 1-second interval value, increase the interval value to 2 seconds. Also increase the timeout value to 7 seconds (3*interval + 1). This reduces the chances of this issue occurring but does not eliminate it entirely.

Fix:
Monitor works as expected under the conditions described.

---

615267-3 : OpenSSL vulnerability CVE-2016-2183

Solution Article: K13167034

---

615226-6 : Libarchive vulnerabilities: CVE-2016-8687 and others

Solution Article: K13074505

---

615222 : GTM configuration fails to load when it has gslb pool with members containing more than one ":"★

Solution Article: K79580892

Component: Global Traffic Manager (DNS)

Symptoms:
GTM Virtual Servers or GTM Servers containing a colon ":" in their name would throw errors when attempting to use them as a GTM Pool Member through TMSH. If created through TMUI, and a configuration was saved and loaded, the same error would be thrown.

Example error:
01070226:3: Pool Member 20002 references a nonexistent Virtual Server.

Conditions:
1. Create virtual server of format <IP>:<PORT>.
2. Attempt to add this virtual server as a GTM Pool Member

Impact:
Unable to create GTM Pool Member from TMSH, or to load a configuration with this object in it.

Workaround:
None.

Fix:
Fixed issue related to parsing of GTM Pool member names that prevents the use of GTM virtual servers or GTM servers with a colon ":" in the name from being used as a GTM pool member.

---

614887 : large qkview files may not be uploadable to iHealth

Component: TMOS

Symptoms:
If a BIG-IP device has a significantly complex configuration, this may cause the exported XML version of the configuration database to be significantly large, which might not be parsable by the iHealth service.

Conditions:
Very large configuration database, or very large core files exist.

Impact:
qkview files cannot be uploaded to iHealth diagnostic service.

---

614804 : libcurl vulnerabilities: CVE-2016-5420, CVE-2016-5421, CVE-2016-7141

Component: TMOS

Symptoms:
Under certain conditions, processes using libcurl may reuse existing TCP connections that should be isolated.

Conditions:
Custom programs installed on BIG-IP and using libcurl may be affected.

Impact:
Libcurl is present on BIG-IP systems but is not used in a vulnerable way by any standard processes.

Fix:
Update libcurl to non-vulnerable version

---

614702 : Race condition when using SSL Orchestrator can cause TMM to core

Component: Local Traffic Manager

Symptoms:
When running SSL Forward Proxy in the SSL Orchestrator environment, tmm may crash.

Conditions:
This race condition occurs only when running SSL Orchestrator with large numbers of connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the race condition so that TMM does not crash.

---

614533 : SSL session cache invalidations stat unused in TMM

Component: Local Traffic Manager

Symptoms:
The statistic `session cache invalidations' is never updated.

Conditions:
client-ssl and/or server-ssl profiles are on a virtual

Impact:
none. this is only cosmetic.

---

614410 : Unexpected handling of TCP timestamps in HA configuration

Component: Local Traffic Manager

Symptoms:
Despite TCP timestamps being configured, the BIG-IP system fails to present timestamp option during TCP negotiation.

The BIG-IP system calculates invalid round trip time which might result in delayed retransmission.

Conditions:
This occurs when the following conditions are met:
- Virtual server configured with a TCP profile with timestamps enabled.
- Virtual server configured with connection mirroring.

Impact:
Retransmission timeout (RTO) value may be skewed. Segments that are subject to RTO might take up to 64 segments to retransmit.

Fix:
TCP timestamps are negotiated when connection mirroring is enabled.

---

614400 : IPv6 configuration limitations

Component: TMOS

Symptoms:
When an Intel XL710 Ethernet 40 Gb interfaces interface is added to a VLAN, correct configuration procedure requires that all assigned IPv6 self ip addresses be reconfigured on the VLAN.

Conditions:
IPv6 self IP addresses.
Intel XL710 Ethernet 40 Gb interface.

Impact:
Special configuration procedure is required.

Workaround:
Follow the defined procedure, by deleting and recreating any IPv6 self IP addresses.

Fix:
No special configuration procedures are required to configure the IPv6 self IP addresses for which a VIP is enabled.

---

613823 : DNS Resource Records for Wide-IPs are potentially missing when creating a large number of Wide-IPs

Component: Global Traffic Manager (DNS)

Symptoms:
When a Wide-IP is created, or a pool member is added/removed from a pool associated with the wideip, updates are sent to the on-box BIND to create/update/delete the matching resource records. Some of these updates could possibly be lost if there are a large number of changes happening rapidly.

Conditions:
If the BIG-IP is a member of a DNS/GTM sync-group and "synchronize-zone-files" is enabled.

Impact:
Not every wideip will have the appropriate resource records in bind. If the BIG-IP is functioning normally and answering DNS queries, then this is not a problem. If GTM is down but the on-box bind is still functioning, BIND could have answered DNS queries for the wideip. This situation could also come up right after the BIG-IP has rebooted where GTM is not fully initialized, but BIND is up.

Workaround:
There are some options:
1) Delete and recreate any affected wideips. Alternatively remove and re-add the pool members.
2) To avoid this condition if you know you will be adding many wideips, you could stop csyncd before and renable right after. "bigstart stop csyncd", create wips, "bigstart start csyncd".

Fix:
Eliminate race condition with creating BIND resource records when creating many Wide-IPs.

Behavior Change:
1) Changes made directly to the BIND zone files in /var/named/config/namedb/ will not be automatically reloaded. The recommended steps provided by ISC for bind with dynamic zones should be used to freeze/thaw the zone to prevent conflicts. For example:
    a. Run 'rndc freeze example.com.'
    b. <edit the zone file in /var/named/config/namedb making sure to increment the zone serial number>
    c. Run 'rndc thaw example.com.'
Note that BIND will reject dynamic updates while the zone is frozen so the zone should be left frozen only for the shortest amount of time possible. Resource records created by the BIG-IP for Wide-ips or using ZoneRunner will be refused and lost if the zone is frozen.

2) Changes made to /var/named/config/named.conf will not be reloaded automatically if DNS(GTM) is not provisioned. The 'rndc reconfig' or 'rndc reload' command should be used to load any changes made to the named.conf file.

---

613542-5 : tmm core while running the iRule STATS:: command

Solution Article: K81463390

Component: TMOS

Symptoms:
With an iRule that runs the STATS::set command inside the ACCESS_SESSION_CLOSED event, tmm cores.

Conditions:
STATS:: command invoked inside the ACCESS_SESSION_CLOSED event. This event does not have all of the connection information so invoking STATS:: to store data from the connection will fail and cause tmm to crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use STATS::set inside ACCESS_SESSION_CLOSED

---

613275 : SNMP get/MIB walk returns incorrect speed for sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed when the interface is not up

Solution Article: K62581339

Component: TMOS

Symptoms:
The values returned during an SNMP get/MIB walk are incorrect for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

The values should match what is displayed in tmsh list net interface media-max and tmsh list net interface media-active respectively which are correct.

Conditions:
-- Performing an SNMP get or MIB walk.
-- Viewing values for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

Impact:
The system reports inaccurate information for these objects.

Workaround:
To get the correct results, use the following commands:
 tmsh list net interface media-max
 tmsh list net interface media-active

Fix:
SNMP get/MIB walk now return correct information for the sysInterfaceMediaMaxSpeed and sysInterfaceMediaActiveSpeed objects.

---

612954 : IKEv1 log line warns proxy-support must be enabled for v1 peers to work

Component: TMOS

Symptoms:
If you disable proxy-support inside a v1 ike-peer, the config will not work because the racoon daemon cannot send proper identifying information to tmm in a GETSPI request. (The source appears to be localhost 127.0.0.1, which does not identify the peer, so no SPI can be allocated.)

Conditions:
In a v1 ike-peer, disable proxy-support.

Impact:
IPsec tunnels for IKEv1 cannot be established when proxy-support is disabled in the racoon daemon.

Workaround:
Enable proxy-support in the ike-peer config definition.

Note: In a v1 ike-peer, proxy-support must be enabled for a v1 peer to work. This is the default value, and should not be changed.

Fix:
On the responder side, a logged line will say 'check IKE-PEER proxy support' in part of the message, to explains GETSPI failure, as a suggestion to fix this in the ike-peer config.

---

612752-3 : UCS load or upgrade may fail under certain conditions.★

Component: TMOS

Symptoms:
UCS load fails, with the following error message: loaddb[20786]: 01080023:3: Error return while getting reply from mcpd: 0x10718e6, 010718e6:3: The requested primary admin user (user1) must exist in local user database.

Conditions:
Root login is disabled and the primary administrative user is set to anything other than 'admin', the default.

Impact:
UCS load or upgrade will fail.

Workaround:
Before upgrading or generating the UCS, re-enable the root account by setting DB variable systemauth.disablerootlogin to 'false'.

Unset the custom primary administrative user by setting DB variable systemauth.primaryadminuser to 'admin'.

These settings may be safely reinstated after the upgrade is complete.

---

612721-1 : FIPS: .exp keys cannot be imported when the local source directory contains .key file

Component: TMOS

Symptoms:
*.exp exported FIPS keys cannot be imported from local directory when the directory contains any file named *.key with matching name. For example, if the directory /shared/abc/ contains an exported FIPS key named xyz.exp and another file named xyz.key, the user will fail to import xyz.exp as a FIPS key into the system.

Conditions:
When the local source directory of the exported FIPS key (xyz.exp) also contains a file with matching name (xyz.key).

Impact:
Unable to import the FIPS key

Workaround:
Remove the same name *.key file from the local directory before importing the FIPS exported key *.exp.

---

612369 : Thales install script has no support for Thales HA

Component: Local Traffic Manager

Symptoms:
Thales install script has no support for Thales high availability (HA). There is an enhancement required in the Thales install script to provide support to enroll a second Thales HSM device in an HA configuration.

Conditions:
Thales installation script does not provide support for installing Thales in HA pair.

Impact:
This enhancement is important in scenarios like chassis and multiple HSMs where the BIG-IP administrator must run the enroll command for each HSM and across all the blades.

Workaround:
Run the script on each chassis and blade to be part of the HA configuration.

Fix:
To allow support for Thales HA installation using Thales install scripts.

---

612128-7 : OpenSSH vulnerability CVE-2016-6515

Solution Article: K31510510

---

612086-4 : Virtual server CPU stats can be above 100%

Component: Local Traffic Manager

Symptoms:
The CPU usage is reported as above 100%.

Conditions:
It is not known exactly what triggers this.

Impact:
The reported CPU usage values are invalid and do not properly report the actual CPU usage. The invalid values will be visible in results from tmsh commands, SNMP OID messages, and also in the GUI.

Workaround:
Use top to see the actual CPU usage, or tmctl to examine the stats for the individual CPUs.

---

612040 : Statistics added for all crypto queues

Component: Local Traffic Manager

Symptoms:
Requests for crypto operations that have been issued but not yet actively queued in the crypto hardware will not show up in the "tmm/crypto" statistics table.

Conditions:
Crypto requests issued but not actively queued in the crypto hardware.

Impact:
Crypto requests do not show up in the "tmm/crypto" statistics table.

Fix:
New rows have been added to the "tmm/crypto" statistics table that will count requests that have been issued but not actively queued to the crypto hardware.

---

611790 : HA Message Sweeper Interval renamed to Mirrored Message Sweeper Interval

Component: Service Provider

Symptoms:
In GUI, on the SIP Router Profile screen, HA Message Sweeper Interval was renamed to Mirrored Message Sweeper Interval.

Conditions:
Using the SIP Router Profile.

Impact:
Name change might introduce confusion.

Workaround:
None.

Fix:
The HA Message Sweeper Interval option was renamed to Mirrored Message Sweeper Interval.

Behavior Change:
In GUI, on the SIP Router Profile screen, HA Message Sweeper Interval was renamed to Mirrored Message Sweeper Interval.

---

611787 : Collect thread stats in qkview's proc module

Component: TMOS

Symptoms:
proc_module.xml file in qkview does not have /proc info for all threads for multithreaded processes. It only collects for primary thread.

Conditions:
Run qkview and look for thread info in proc_module.xml

Impact:
Thread specific data is not available for debugging

Workaround:
No workaround.

Fix:
this fix enables qkview to collect /proc data of all threads of multithreaded processes in proc_module.xml.

---

611691 : Packet payload ignored when DSS option contains DATA_FIN

Component: Local Traffic Manager

Symptoms:
The payload of a packet is ignored when an MPTCP DSS option has DATA_FIN set.

Conditions:
A packet contains both a payload and an MPTCP DSS option with DATA_FIN set. This has been observed when uploading files from a Linux client to a server.

Impact:
The last packet of data is not received.

Workaround:
Disable MPTCP.

Fix:
Accept data when a packet contains both a payload and an MPTCP DSS option with DATA_FIN set.

---

611440 : AFM NAT does not support Proxy ARP for Source Translation Addresses

Component: Advanced Firewall Manager

Symptoms:
AFM NAT does not support proxy ARP for source translation addresses that are in the same subnet as the egress interface.

Conditions:
== AFM NAT source translation is being used.
-- The source translation IP address is in the same subnet as the egress interface (self IP address).

Impact:
Since AFM NAT does not respond to ARP requests for the translated IP Address in the directly connected topology, the return traffic does not reach the BIG-IP system.

Workaround:
You can use either of the following workarounds:

-- Use static ARP configuration for the AFM NAT source translated addresses (in same subnet as egress interface) on the downstream device.

-- Use the routing topology instead (so that NAT Address is not in the same subnet as the egress interface).

Fix:
This is now fixed by allowing a configuration option per AFM NAT Source translation object that can be enabled to allow AFM NAT to respond to ARP requests for these addresses. By default, it is disabled.

---

611161 : VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Solution Article: K28540353

Component: Local Traffic Manager

Symptoms:
VLAN failsafe generates traffic using ICMP which fails if VLAN CMP hash is non-default.

Conditions:
VLAN failsafe configured on a non-default cmp-hash VLAN.
When the VLAN failsafe situation occurs, and the generated arp requests are not being answered, VLAN failsafe resorts to ICMP.

Impact:
There are very rare situations in which failsafe triggers but it should have not.

Workaround:
None.

Fix:
VLAN failsafe no longer generates traffic using ICMP, and now supports non-default cmp-hash on VLAN.

---

610897 : FPS generated request failure throw "unspecified error" error in old IE.

Component: Fraud Protection Services

Symptoms:
If FPS generated request sent and failed in old IE, it will throw "unspecified error" error.

Conditions:
FPS generated request sent and failed in old IE

Impact:
The browser will show error message in the left bottom side.

Workaround:
N\A

Fix:
N\A

---

610710 : Pass IP TOS bits from incoming connection to outgoing connection

Component: Service Provider

Symptoms:
ToS is set to 0 when going through a SIP profile.

Conditions:
This occurs when a SIP profile is in use and ToS is set.

Impact:
Currently outgoing packets TOS bits are configured via profile and are not affected by TOS bits of incoming packet.

Workaround:
NA

Fix:
Outgoing packets TOS bits can be configured via profile to preserve the TOS bits of incoming packet.

Behavior Change:
This change will only change existing behavior if the transport protocol (TCP, UDP or SCTP) has the ip-tos-to-client attribute set to pass-through. If configured as pass-through, the TOS bits of the incoming packet containing a message will be used on the outgoing packets containing the message. Without this change, the TOS bits of the outgoing packet would be undefined if configured this way.

---

610682 : LTM Policy action to reset connection only works for requests

Component: Local Traffic Manager

Symptoms:
The LTM Policy forwarding action 'reset', which forcibly terminates the client connection, works for requests, but gives an error when used with a response event.

Conditions:
Issue occurs in an LTM Policy rule where one or more of the conditions is associated with HTTP response. For example, checking the HTTP status code in the response from a backend server.

Impact:
System posts error message similar to the following: “transaction failed:010716e2:3: Policy '/Common/Drafts/mypolicy', rule 'rule-1'; an action precedes its conditions.

Workaround:
None.

---

610639 : Collect non-truncated SAR data when the -c switch is specified

Component: TMOS

Symptoms:
System stat files are not collected in qkview.

Conditions:
Run qkview and look for system stat file in /var/log/sa*.

Impact:
Data is not available for debugging.

Workaround:
Collect /var/log/sa* files separately from bash prompt.

Fix:
Output now includes /var/log/sa* files without being truncated in qkview when -c flag is passed.

Note: These files will not be collected without -c flag.

---

610582 : Device Guard prevents Edge Client connections

Component: Access Policy Manager

Symptoms:
When Device Guard is enabled, BIG-IP Edge Client cannot establish a VPN connection.

Conditions:
-- Clients running Windows 10.
-- Device Guard enabled.
-- Attempting to connect using the Edge client.

Impact:
Clients are unable to establish a VPN connection.

Workaround:
As a workaround, have the affected Edge Client users disable Device Guard.

Note: Previously, Device Guard was disabled by default. Starting with the Windows 10 Creators Update, however, Device Guard is enabled by default.

Fix:
The F5 VPN Driver is recertified and is now compliant with Microsoft Device Guard, so that Edge Client users can now establish a VPN connection as expected.

---

610485 : Attacks chart has no time axis

Component: Application Visibility and Reporting

Symptoms:
Attacks chart has no time axis.

Conditions:
Viewing the Attacks chart in AVR.

Impact:
There is no grid. Difficult to determine time values.

Workaround:
None.

Fix:
Standard AVR Chart time axis has been added

---

610323 : LTM SSL supports Client Certificate Constrained Delegation

Component: Local Traffic Manager

Symptoms:
LTM does not support SSLI Client Certificate Constrained Delegation Support (C3D).

Conditions:
Using LTM.

Impact:
No C3D support.

Workaround:
None.

Fix:
ProxySSL allows a client and server to perform mutual authentication. It supports RSA key exchange only and will not work with PFS.

The C3D support allows servers that require authentication of the client certificate to work. Basically, C3D performs client authentication on the client side and then forges a client certificate on the server side if server requests a client certificate.

C3D is disabled by default. Enabling C3D has a performance impact.

---

610201 : Undefined behavior when calling HTTP::payload within HTTP_REQUEST_SEND iRule event

Component: Local Traffic Manager

Symptoms:
The invocation of HTTP::payload iRule API within the HTTP_REQUEST_SEND iRule event may lead to undefined behavior, such as retrieval of invalid HTTP data, or system crash.

Conditions:
The problem manifests itself exclusively with iRules attached to HTTP virtual servers, where the iRules are using the HTTP::payload API invocation within the HTTP_REQUEST_SEND server-side event.

Impact:
Corrupted HTTP data or system crash may result from the invocation of the HTTP::payload API within the HTTP_REQUEST_SEND iRule event.

Workaround:
The HTTP::payload API should not be invoked within the HTTP_REQUEST_SEND iRule event. According to the underlying API documentation, the valid HTTP events should be limited to CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA.

Fix:
The HTTP::payload API should not be invoked within the HTTP_REQUEST_SEND iRule event. According to the underlying API documentation, the valid HTTP events should be limited to CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA.

---

610138-3 : STARTTLS in SMTPS filter does not properly restrict I/O buffering

Component: Local Traffic Manager

Symptoms:
Commands following STARTTLS in a group are accepted and processed after TLS is in place.

Conditions:
SMTPS profile in use.

Impact:
SMTPS filter will improperly process commands after STARTTLS.

Workaround:
None.

Fix:
Commands in a group after STARTTLS are dropped. This is correct behavior.

---

609995 : Device Connectivity tabs not properly highlighted

Component: TMOS

Symptoms:
The Failover Network and Mirroring tabs in Device Connectivity aren't properly highlighted.

Conditions:
Clicking on "System :: High Availability :: Device Connectivity :: Failover Network" menu option and the "System :: High Availability :: Device Connectivity :: Mirroring" menu option.

Impact:
Displays the "Device Management :: Devices :: [device name]" page but doesn't highlight the tab. Highlighting works for ConfigSync tab only. "Failover Network and Mirroring" should be highlighted as well.

Workaround:
None.

Fix:
The Failover Network and Mirroring tabs in Device Connectivity are now highlighted as expected.

---

609967 : qkview missing some HugePage memory data

Solution Article: K55424912

Component: TMOS

Symptoms:
Some HugePage status data is missing from qkview, if the contents of /proc/meminfo does not list a units column for the Huge Page data.

Conditions:
/proc/meminfo file does not list units for HugePage data.

Impact:
HugePage data is missing from qkview diagnostics file.

Workaround:
Separately provide /proc/meminfo file.

Fix:
HugePage status data is now collected as expected.

---

609731 : Error message on WSDL schema validation

Component: Application Security Manager

Symptoms:
On upload, invalid WSDL schema validation file error message does not indicate the specific error in WSDL schema.

Conditions:
Upload invalid WSDL file.

Impact:
The system posts a vague error message:
 Validation failed. An error has occurred while processing the schema or WSDL document. (Can't use an undefined value as a SCALAR reference).

In this case, the error message should similar to the following:
 Validation failed. An error has occurred while processing the schema or WSDL document. (Element ServerVersionInfo in namespace "http://schemas.microsoft.com/exchange/2010/Autodiscover" is not defined).

Workaround:
None.

Fix:
The WSDL schema validation file error message now indicates the specific error in the WSDL schema.

---

609691-9 : GnuPG vulnerability CVE-2014-4617

Solution Article: K21284031

---

609244-3 : tmsh show ltm persistence persist-records leaks memory

Component: Local Traffic Manager

Symptoms:
A small memory leak is detected when running the following command: tmsh show ltm persistence persist-records.

Conditions:
This occurs when running tmsh show ltm persistence persist-records.

Impact:
The memory leak is small, however if the command is run constantly the memory growth can become large.

Workaround:
None.

Fix:
tmsh show ltm persistence persist-records no longer leaks memory.

---

609084-3 : Max number of chunks not configurable above 1000 chunks

Solution Article: K03808942

Component: Application Security Manager

Symptoms:
If you want to support requests larger than 1000 chunks, the request is blocked and the system posts the following message in the ASM event log:

Unparsable request content Chunks number exceeds request chunks limit: 1000.

Conditions:
This occurs when the request exceeds 1000 chunks.

Impact:
Requests that are valid from the server side are being rejected.

Workaround:
None.

Fix:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

Behavior Change:
This release adds an internal parameter "request_max_chunks_number" to enable configuring a greater than 1000 max number of chunks. The default value is 1000

---

608927-1 : SIP Parser logging improvements

Component: Service Provider

Symptoms:
The SIP parser logging and tracing can be vague and not helpful to field troubleshooting when SIP messages are unable to be parsed.

Conditions:
This occurs when SIP logs an error due to a malformed or unsupported SIP message to the SIP parser.

Impact:
Isolating the specifc issue with a defective SIP message is difficult

Workaround:
Do not pass malformed or unsupported SIP messages into the BIGIP.

Fix:
Logging of SIP parser message rejection has been improved.

---

608635 : SIP ALG not compatible with LSN PBA mode

Component: Service Provider

Symptoms:
SIP Registrations cease to have incoming traffic delivered after a LSN PBA Block expires.

Conditions:
1. SIP ALG is configured with a LSN pool in PBA mode with a block timeout configured
2. SIP registration requested with a longer expiry than then the remaining PBA lifetime
3. PBA block lifetime expires.

Impact:
SIP Registrations created with the associated LSN pool will not have inbound traffic after the PBA block expires.

Workaround:
Do not configure the LSN pool being used with SIP ALG into PBA mode with a block timeout; control SIP client behavior with SIP ALG profiles instead of PBA

---

608304 : TMM crash on memory corruption

Solution Article: K55292305

Component: Local Traffic Manager

Symptoms:
In rare cases tmm might crash on memory corruption.

Conditions:
It is not known what sequence of events triggers this condition.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm no longer crashes on memory corruption in rare cases.

---

608245-2 : Reporting missing parameter details when attack signature is matched against parameter value

Component: Application Security Manager

Symptoms:
A parameter is shown without parameters details or with garbled parameter details in the local logging GUI.

Conditions:
An attack signature was detected in a parameter value.

Impact:
Bad reporting

Workaround:
N/A

---

607438 : False alert in daemon log (/var/log/daemon.log) when listing all certificates using iControl SOAP or GUI

Component: TMOS

Symptoms:
When calling get_certificate_list_v2 in iControl SOAP or browsing to "System ›› Certificate Management : Device Certificate Management : Device Certificate" in GUI, it prints the error message in the log:

"big3 err iControlPortal.cgi[21270]: Could not find any crypto codecs supporting key management"

Conditions:
The false alert error appears when it is not a FIPS box.

Impact:
There is no impact. The message is supposed to be a neutral message instead of an error message.

Fix:
The message will only be displayed in the debug log, instead of appearing as an error message.

---

607246 : Encrypted cookie insert persistence with fallback may not honor cookie after fallback expires

Component: Local Traffic Manager

Symptoms:
You notice erratic persistence behavior when you set cookie persistence to "required" in your cookie persistence profile

Conditions:
Encrypted cookie persistence with fallback where the fallback persistence has a reasonable short timer such that a request containing a valid cookie is handled after the fallback entry has expired.

Impact:
Persistence fails after fallback expired.

Workaround:
Change cookie-encryption to preferred which allows persistence on either encrypted or decrypted cookie.

---

607166 : Hidden directories and files are not synchronized to secondary blades

Component: Local Traffic Manager

Symptoms:
Hidden directories and files (those whose filenames start with '.') that are created on primary blade are not synced to secondary blades.

Existing hidden files that are edited on the primary blade are not synced to secondaries.

Conditions:
Multi-bladed system.

Impact:
The most common uses of hidden files are per-user shell configuration and history.

Workaround:
Manually copy configuration files onto other blades.

---

606710 : Mozilla NSS vulnerability CVE-2016-2834

Solution Article: K15479471

---

605918 : tmsh list sys db non-default-properties, was listing db vars with default values.

Component: TMOS

Symptoms:
When running "tmsh list sys db non-default-properties", it lists results with default values when it should not.

Conditions:
This occurs when you run tmsh list sys db non-default-properties.

Impact:
All db variables are displayed, not just the ones with no-default properties.

Workaround:
None.

Fix:
The tmsh command "list sys db non-default-properties" now only returns results that are not equal to their default values.

---

605891-2 : Enable ASM option disappears from L7 policy actions

Component: TMOS

Symptoms:
ASM cannot be enabled if 'Application Security Manager' is used in the license string instead of 'ASM'.

Conditions:
'Application Security Manager' is used in the license string instead of 'ASM'.

Impact:
The ASM module cannot be enabled using the GUI under certain licenses where ASM is licensed.

Workaround:
Enable ASM using tmsh instead of the GUI.

Fix:
The issue was caused by the license string used to check the licensing being 'Application Security Manager' instead of 'ASM'. iControl REST does not provide licensing info directly and the license string had to be parsed manually, unlike provisioning. The fix now checks for the spelled out version of the module as well.

---

605792-9 : Installing a new version changes the ownership of administrative users' files★

Component: TMOS

Symptoms:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID.

Conditions:
A user is an administrative user who has advanced shell (bash) access and custom files in their home directory.

Impact:
Low in most cases, since the administrative user can still access most files. One exception is that SSH requires that the authorized_keys file be owned by the user ID in question. This is 0 when a user has an administrative role, so the authorized_keys file will be ignored and a password will still be required for login.

Workaround:
Run the following command, substituting a different filename as needed: chown 0 /home/theuser/.ssh/authorized_keys.

Fix:
Installing a new version changes the ownership of administrative users' files to a different, nonzero UID. This still happens by design, but no longer applies to the user's SSH configuration files, which stay at UID 0. Therefore, these users are no longer be prevented from using stored public keys in authorized_keys.

---

605491 : No confirmation prompt for tmsh 'load sys config base' in command line mode

Component: TMOS

Symptoms:
TMSH 'load /sys config' command does not produce a confirmation prompt when run in the command line mode.

Conditions:
Run the TMSH 'load /sys config' command in command line mode.

Impact:
The 'load /sys config base' command does not produce confirmation prompt in command line mode. As a result, the operation could result in destructive configuration changes.

Workaround:
None.

Fix:
TMSH 'load /sys config' command now produces the confirmation prompt in both the command line mode and interactive mode.

---

605270-4 : On some platforms the SYN-Cookie status report is not accurate

Component: TMOS

Symptoms:
On a vCMP guest, after a ePVA-enabled virtual server enters SYN Cookie mode, the FPGA will never leave SYN Cookie mode even though BIG-IP has returned to normal mode.

Conditions:
This occurs intermittently on virtual servers with ePVA enabled on a vCMP instance where SYN Protection is triggered.

Impact:
Since this occurs very intermittently, the entire impact is not known. Initially this is an incorrect SYN Cookie status reporting issue for LTM Virtual statistics, but it is possible that if SYN Cookie mode is triggered again, hardware SYN might not be enabled properly.

Workaround:
Upgrade with new fixes for this.

Fix:
BIG-IP FPGAs now correctly report hardware SYN Cookie mode.

---

604547 : Unix daemon configuration may lost or not be updated upon reboot

Component: TMOS

Symptoms:
The confpp script is invoked to pass TMOS configuration information to other non-TMOS daemons running on a BIG-IP system. When a BIG-IP system is rebooted, if TMOS configuration elements are parsed or configuration changes or other events occur early in the boot process, the corresponding changes may not be propagated to the confpp.dat file and processed by the confpp script. As a result, configuration information may not be propagated as expected to non-TMOS daemons.

A common symptom of this issue is that syslog-ng configuration is not updated to reflect the selection of the primary blade in a VIPRION chassis.

Conditions:
This issue may occur when booting an affected version of BIG-IP, such as:
- Rebooting blades in a VIPRION chassis.
- Rebooting a BIG-IP appliance or Virtual Edition instance.

Impact:
Expected configuration settings may not be applied to non-TMOS daemons upon a reboot.

For example, syslog-ng configuration may not be updated to include expected logging on the primary blade in a VIPRION chassis.

Workaround:
On a running BIG-IP system that shows symptoms of this issue, changing a db variable will trigger the confpp script to run and update the relevant non-TMOS daemons with appropriate settings from the current configuration. To implement this workaround, use the Traffic Management Shell (tmsh) to update a db variable.

For example:
tmsh modify sys db log.clusterd.level value "Informational"

This issue can be avoided by forcing the MCP configuration to be reloaded from configuration files instead of from the MCP binary database (mcpdb.bin).

For details, see:
K13030: Forcing the mcpd process to reload the BIG-IP configuration.

Fix:
Configuration data/changes that occur early in the BIG-IP boot process are propagated successfully to non-TMOS daemons by the confpp script.

---

604011 : Sync fails when iRule or policy is in use★

Component: Local Traffic Manager

Symptoms:
After upgrading and attempting to sync to devices in a sync group, sync fails with the following error:

Load failed from 119.big.ip 01070621:3: Rule priorities for virtual server (vs1) must be unique.

Load failed from /Common/big152 01070712:3: Caught configuration exception (0), Values (/Common/vs1) specified for virtual server policy (/Common/vs1 /Common/asm_auto_l7_policy__vs1): foreign key index (vs_FK) do not point at an item that exists in the database.

Conditions:
- A virtual address exists in the traffic-group-local-only group, meaning that it is not synced
- A CPM policy or iRule is applied to that virtual server
- Conduct a sync

This was seen on an upgrade from 12.0.0 to 12.1.0 HF1 or beyond, but could be triggered on an upgrade from any version from 11.4.0 and beyond to 12.1.0 HF1.

Impact:
Config sync fails.

Workaround:
Disassociate the iRule or policy from the virtual server, then attempt to sync.

---

603609 : Policy unable to match initial path segment when request-URI starts with "//"

Component: Local Traffic Manager

Symptoms:
HTTP URI path policy does not match when request-URI starts with "//".

Conditions:
Policy unable to catch request when HTTP URI path configured to match value anywhere in path or in initial path segment when the request-URI starts with "//".

Impact:
The policy does not match in this case.

Workaround:
The policy could be modified to scan the full URI instead of just the path element however care should be taken to correctly handle potential matches with absolute URIs or in the query string.

---

602074 : Management.KeyCertificate.get_certificate_validator() doesn't throw not-found exception when a given certificate doesn't exist.

Solution Article: K46583034

Component: TMOS

Symptoms:
The iControl SOAP call get_certificate_validator() is supposed to return the certificate-validators of the given certificates. The issue is that when an user inputs a non-existing certificate to the function, it just returns empty strings [[]] instead of presenting the exception for the non-existent certificate.

Conditions:
When the iControl SOAP function get_certificate_validator() is called to get the certificate-validators 's names of the given certificates.

Impact:
The impact should be limited. Since the function returns empty strings [[]] for a non-existing certificate, from the output the user is unable to distinguish whether the certificate is non-existing or the certificate has no certificate-validators configured.

Workaround:
None.

Fix:
The iControl SOAP call get_certificate_validator() now presents the exception for the non-existent certificate.

---

601978 : APM does not support Dell/Wyse ThinOS client for VMware View access

Component: Access Policy Manager

Symptoms:
APM does not support Dell/Wyse ThinOS client for VMware View access.

Conditions:
Dell/Wyse ThinOS client used to access VMware View through APM.

Impact:
Dell/Wyse ThinOS client does not work through APM for VMware View access.

Workaround:
Apply the following iRule:

when HTTP_REQUEST {
    if { [HTTP::uri] == "/broker/xml" && [HTTP::cookie JSESSIONID] == "JSESSIONID" } {
        HTTP::cookie remove JSESSIONID
    }
}

Fix:
Now APM supports Dell/Wyse ThinOS 8.0 client for VMware View access.

---

601957 : Message Routing SIP ALG with Address Translation doesn't support LSN iRule Commands

Component: Service Provider

Symptoms:
The following iRule commands will fail when used with a Message Routing Virtual with a SIP Application Protocol.

- LSN::disable
- LSN::pool
- LSN::address
- LSN::inbound
- LSN::persistence
- LSN::port

Conditions:
Trying to use certain LSN iRules with a Message Routing Virtual configured with a SIP Application Protocol will fail with an error.

Impact:
Some ALG LSN programability is not possible with a Message Routing Virtual configured with a SIP Application with Address Translation. The following commands are not supported:

- LSN::disable
- LSN::pool
- LSN::address
- LSN::inbound
- LSN::persistence
- LSN::port

---

601936 : VPN client session hangup cause reported as unknown_error

Component: Access Policy Manager

Symptoms:
When observing the APM logs for the reason a VPN client has initiated a session hangup (which then deletes the session), the session deletion cause is often reported as unknown_error, even though the error code looks like it should be decipherable:

 notice tmm[10740]: 01490567:5: /Common/AP_NA1:Common:18c98a2d: Session deleted (unknown_error, code - 24584).

Conditions:
-- VPN client initiates a session hangup (which subsequently deletes the session).
-- Viewing the log file for the reason.

Impact:
The session deletion logs for VPN clients are misleading. APM expects and logs only the cause domain, and not the specific domain reason. In cases in which the client returns a code that contains both the domain and the reason, APM treats the cause as unknown instead of properly extracting the cause domain from the value.

Workaround:
There is no true workaround. You can view the codes in the unknown_error logs, but it might take assistance from the F5 support organization to decode them.

Fix:
APM now properly extracts the session termination cause from the code passed by the client when the client initiates a session hangup.

---

600812 : IPv6 virtual address with icmp-echo is enabled on a IPv6 Host IP forwarding ignores the neighbor advertisement packet.

Component: Local Traffic Manager

Symptoms:
tmsh show net ndp shows an incomplete entry for the neighbor

Conditions:
icmp-echo is enabled for an IPv6 virtual address on a IPv6 Host IP forwarding virtual server.

Impact:
The neighbor advertisement reaches the LTM, but the ndp entry for that neighbor is left incomplete, leading to not being able to connect to that neighbor.

Workaround:
This issue can be resolved by disabling the icmp-echo on the virtual IPv6 address or configuring a static mac-address
for the neighbor

Fix:
The neighbor entry in the LTM displays the correct neighbor information.

---

600570 : VE License may enforce improper TMM count

Component: TMOS

Symptoms:
If a BIG-IP VE license enforces a number of TMM instances less than the system would otherwise run, and that license limit is not a power of two (e.g. 1, 2, 4, 8, 16), the BIG-IP system will incorrectly start with a non-power of two number of TMMs.

Conditions:
Certain license combinations can result in the BIG-IP VE system starting with a non power of two number of TMMs.

Impact:
This results in traffic disruption and connection failures where traffic leaves one TMM, but returns and is not processed by a different TMM.

Workaround:
Set the "provision.tmmcount" DB key to the next lower power of two (1, 2, 4, 8, 16) from the count listed in the license.

---

600205 : OpenSSL Vulnerability: CVE-2016-2178

Solution Article: K53084033

---

600189 : K53084033: OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033

---

600178 : Support for ProtocolBinding and ProviderName attributes in SAML 2.0 Authentication Requests

Component: Access Policy Manager

Symptoms:
This enhancement contains two parts:

1. BIG-IP as SAML IdP:
When BIG-IP is used as SAML identity provider, processing of authentication requests from external service providers may fail if request does not contain required AssertionConsumerServiceURL or AssertionConsumerServiceIndex attributes, but instead contains unsupported 'ProtocolBinding' attribute.

2. BIG-IP as SAML SP:
BIG-IP as service provider cannot be configured to send ProviderName element in authentication requests.

Conditions:
1. BIG-IP is used as SAML IdP. Received from external SP authentication requests does not contain required AssertionConsumerServiceURL/AssertionConsumerServiceIndex attributes.

2. BIG-IP is used as SAML SP. Attempt to configure 'ProviderName' attribute to be send out to external IdP's with authentication requests.

Impact:
1. IdP will fail to process authentication request, and subsequently user authentication will fail.

2. Authentication request generated by BIG-IP as SP will not contain 'ProviderName' attribute.

Workaround:
None.

Fix:
1. BIG-IP as IdP now supports processing of ProtocolBinding in authentication requests from external service providers.

ProtocolBinding is a URI reference that identifies a SAML protocol binding to be used when returning the <Response> message. Attribute ProtocolBinding is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the AssertionConsumerServiceURL attribute.

2. BIG-IP as SP now supports configurable ProviderName attribute in BIG-IP's SAML 2.0 service provider configuration. ProviderName is an attribute in authentication request that may optionally specify the human-readable name of the requester for use by the presenter's user agent or the identity provider.

---

599313 : Support IPv6 address in XFF header to encapsulated within square brackets

Component: Application Security Manager

Symptoms:
ASM cannot extract IPv6 addresses from XFF header when it is encapsulated within square brackets.

Conditions:
1. Trust XFF is on in ASM policy.
2. IP address in XFF header is IPv6 and encapsulated within square brackets.

Impact:
ASM treats the TCP connection IP address as the request IP address instead of the one present in the XFF header.

Workaround:
None.

Fix:
ASM parser now allows IPV6 to be encapsulated within square brackets.

---

599285 : PHP vulnerabilities CVE-2016-5094 and CVE-2016-5095

Solution Article: K51390683

---

599177 : Regression in Route Domain and Partition GUI load times due to high CPU utilization in merged.

Component: Local Traffic Manager

Symptoms:
With large configuration load, the time it takes to load the configuration might take minutes.

Conditions:
Loading Route Domain and Partition pages in the TMUI.

Impact:
Long loading times.

Merged uses a lot of CPU cycles. Using the tmctl command 'tmctl -f /var/tmstat/istats' shows .icomplete and .irequest tables have a large number of rows in them, resulting in merged spending a lot of time merging these rows.

Workaround:
Restart mcpd using the following command: bigstart restart mcpd.

Warning! Restarting mcpd causes the system to reinitialize all processes, which affects traffic. This workaround should be used with caution.

Fix:
mcpd and merged now provide improved handling of loading large pages so performance issues when loading Route Domain and Partition pages in the TMUI no longer occur.

---

599048 : BIG-IP connections to OCSP servers do not use the TCP TIMESTAMPS option

Component: Local Traffic Manager

Symptoms:
As part of the OCSP Stapling feature, the BIG-IP periodically connects to an OCSP server to certify to its clients that an SSL certificate has not been revoked. It was discovered that these side connections to OCSP servers incorrectly do not use the TCP TIMESTAMPS option.

Conditions:
Use of the OCSP Stapling feature.

Impact:
Usage of the TCP TIMESTAMPS option can help reduce the time a previously used tuple remains in TIME_WAIT on the OCSP server. Therefore, this can help ensure a new connection from the BIG-IP system to the OCSP server re-using a recent tuple is not rejected by the OCSP server. Note that there is little impact even if sporadically a single connection to the OCSP server fails. The BIG-IP will quickly try again, and clients that receive non-stapled SSL SERVER HELLO messages can perform their own validation of the returned SSL certificate.

Workaround:
None

---

598950-2 : Apache Xerces vulnerability CVE-2016-2099

Solution Article: K04253390

---

598748-1 : IPsec AES-GCM IVs are now based on a monotonically increasing counter

Component: TMOS

Symptoms:
IPsec was using random IVs.

With random IVs and shortest packets the complete integrity loss will happen before 8 Gb of data are exchanged over the security association in one direction (assuming probability of collision at 0.1%).

Conditions:
Use of AES-GCM or GMAC in IPsec.

Impact:
The use of random IVs limits the amount of traffic that can be sent with AES-GCM in IPsec.

Workaround:
The workaround is to limit the amount of traffic per above guidelines for long-lived security associations in IPsec.

A re-key before 10 Gbyte of data are exchanged is recommended. For 1 Gbps connection the rekey should happen in under 1 min (100 Mbps -- 15 min, 10 Gbps -- 10 sec).

Fix:
Changed IPsec AES-GCM IV scheme to use a counter-based IV.

This is an improvement that allows maximum amount of traffic to be sent on the same security association for AES-GCM in IPsec.

---

598724 : Abandoned indefinite lifetime SessionDB entries on STANDBY devices.

Component: TMOS

Symptoms:
Memory hold/leak in SessionDB due to poor HA connection. Active device cannot tell the Standby device that an entry has been deleted because of poor HA connection. These entries accumulate on the Standby device, consuming extra memory which is not released.

Conditions:
A poor HA or insufficient connection exists, one that is not capable of handling the required HA traffic between devices.

Impact:
Eventual out-of-memory errors on standby device.

Workaround:
The mitigation steps in ID 555465 apply to this as well:

You can mitigate by temporarily disabling HA:
- Disable session mirroring: tmsh modify sys db statemirror.mirrorsessions value disable
- Wait a minute for HA connections to stabilize
- Sync the config changes
- Reboot the standby
- Re-enable session mirroring: tmsh modify sys db statemirror.mirrorsessions value enable

Fix:
On the Next Active ("Standby") device, SessionDB will remove all Subkey entries that the Next Active did not receive HA (re)mirror messages for during the HA sync that occurs after an HA (re)connect; the Next Active not receiving a (re)mirror for an entry generally indicates that the entry no longer exists on the Active.

---

598707 : Path MTU does not work in self-IP flows

Component: Local Traffic Manager

Symptoms:
While performing an Update Check, the network connection fails. Path MTU is not working in self-IP initiated flows.

Conditions:
Network flows initiated by the Self IP address (in this case it was encountered while running Update Check)

Impact:
If the downstream router sends ICMP Path MTU messages back to the Self IP, the messages will be ignored and MTU will not be adjusted.

---

598650 : apache-ssl-cert objects do not support certificate bundles

Component: TMOS

Symptoms:
The Traffic Management Shell (tmsh) documents command options for apache-ssl-cert objects that suggest that Apache SSL Certificates (apache-ssl-cert objects) support certificate bundles.
References to certificate bundles in context of the 'bundle-certificates', 'subject' and 'is_bundle' fields are in error, and should refer to single certificates only.
Apache SSL Certificates (apache-ssl-cert objects) do not actually support certificate bundles.
On BIG-IP v11.5.0 and later, attempting to create Apache SSL Certificate objects from a certificate bundle will result an error like the following:
01070712:3: Values (/Common/certificate_name) specified for Certificate Bundle Entity (/Common/certificate_name.0 /Common/certificate_name): foreign key index (certificate_file_object_FK) do not point at an item that exists in the database.

Conditions:
Attempting to create Apache SSL Certificate objects from a certificate bundle.

Impact:
Unable to create Apache SSL Certificate objects from a certificate bundle.

---

598437 : SNMP process monitoring is incorrect for tmm and bigd

Component: TMOS

Symptoms:
The default configuration for SNMP process monitoring causes an error of "Too many bigd running", and "No tmm process running".

snmpwalk -c public -v 2c localhost prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING: Too many bigd running (# = 2)
...
UCD-SNMP-MIB::prErrMessage.6 = STRING: No tmm process running

Conditions:
Depending on system capacity and configuration, more than one "bigd" process may be running, resulting in the incorrect report of "Too many bigd running".

The system does not properly count instances of the "tmm" process. In older releases, the system always detected a single "tmm" process, even if more than one existed. In the affected releases, no "tmm" process is detected.

Impact:
SNMP monitoring of system health incorrectly reports error conditions.

Workaround:
For the 'bigd' problem, the administrator can change the the process-monitor max-processes to allow for more instances of "bigd". For example:

(tmos)# modify sys snmp process-monitors modify { bigd { max-processes infinity } }

max-processes should be set to the same value as the sys dbvar bigdb.numprocs or "infinity" if the dbvar is set to "0", allowing bigd to dynamically adjust the number of processes.

There is no viable workaround for the tmm process count problem.

Fix:
The system now correctly counts the number of TMM process instances, which is not the same as the number of TMM threads. but is based on the hardware capabilities.

Existing/upgraded configurations need to manually adjust the bigd 'max-processes' attribute as described in the Mitigation section. New configurations will be configured appropriately.

---

598387 : Limiting Node's Default Monitor updates to the Common partition

Component: Local Traffic Manager

Symptoms:
Updating Node's Default Monitors in a partition other than Common also affects other partitions.

Conditions:
Updating Node's Default Monitors in a partition other than Common.

Impact:
The status of the node may change in other partitions as well.

Workaround:
Make sure to perform Node's Default Monitor updates in the Common partition.

Fix:
Updates on Node's Default Monitor are now limited to the Common partition.

---

598289-5 : TMSH prevents adding pool members that have name in format <ipv4>:<number>:<service port>

Component: TMOS

Symptoms:
In TMSH, when trying to add a pool member that has name in the format of <ipv4>:<number>:<service port>, TMSH gives an error. It also corrupts bigip.conf.

Conditions:
-- Use TM Shell to load configuration.
-- ltm pools have members that have names in the format of <ipv4>:<number>:<service port>

Impact:
TMSH fails to load system configuration file

Workaround:
None.

Fix:
TMSH now allows pool members have names in the format of <ipv4>:<number>:<service port>, so the valid pool member could pass TMSH checks without error.

---

598024 : FastL4 profile with immediate idle timeout is not honored for ePVA offloaded flows

Component: TMOS

Symptoms:
On ePVA platforms, if fastL4 profile is configured with immediate idle timeout and the flow was offloaded at embryonic, the server still acts as the flow has not timeout, and continues to send packets to client.

Conditions:
Users have flows that passes through virtual IP with a "idle-timeout immediate" setting may not have the expected behaviors.

Impact:
Some flows that should have timed-out and should no longer exist is still alive.

Workaround:
Set "pva-acceleration" to "none" for the FastL4 profile.

Fix:
Now all flows goes through the virtual IP configured with a fastL4 profile and has idle-timeout to immediate will timeout immediate as expected.

---

598002-8 : OpenSSL vulnerability CVE-2016-2178

Solution Article: K53084033

---

597972 : Inconsistent treatment for sFlow configuration in CLI and GUI.

Solution Article: K49512487

Component: TMOS

Symptoms:
When using the GUI to configure sFlow settings on a VLAN, HTTP profile, or interface, specifying a poll interval or sample rate of '0' works as follows:

-- The GUI treats as "Default" an sFlow poll interval / sample rate of "0".

-- TMSH treats "0" as the 0 (zero) value.

What that means is that if you use tmsh to configure those values to "0", and then go into the GUI to reconfigure those objects, even if you don't change the poll interval / sample rate), the system resets those values to use the default (inherit from the global sFlow settings).

Conditions:
Using the tmsh to set sFlow poll interval / sample rate of "0", and then using the GUI to update anything in the configuration.

Impact:
The BIG-IP system sets sFlow settings of an object to the global sFlow configuration's values.

Workaround:
Use tmsh to view and modify sFlow configuration settings when you plan to set the poll-interval to 0.

Fix:
Ensure Polling Interval and Sample Rate State values are consistently persisted in the GUI.

---

596924 : Bot signatures are not reported in the PBD log when the PBD is turned off

Component: Advanced Firewall Manager

Symptoms:
Bot signatures are matched and not reported

Conditions:
Proactive bot defense (PBD) is turned off. Bot signatures is turned on.

Impact:
Missing logs on bot signatures.

Workaround:
N/A

Fix:
Matched bot signatures are now reported .

---

596429 : pgadmind process restarts continuously

Component: TMOS

Symptoms:
pgadmind process restarts continuously. The ltm log contains messages similar to the following:
 err postgres[23237]: [1-1] FATAL: bogus data in lock file "postmaster.pid": ""
 err pgadmind[23229]: 01890008:3: Postgres stopped with a non-zero status (1).
 notice pgadmind[23229]: 0189000b:5: Shutting down postgres.

Conditions:
This occurs when the pid file is corrupt (i.e., containing content that fails to parse, e.g., 0x116 bytes of null characters).

Impact:
pgadmind process restarts continuously.

Workaround:
None.

Fix:
pgadmind now handles corrupt pid files, so the restart loop no longer occurs.

---

595918 : Aggregation issues in 'last day' and 'last month' data in AVR-related charts

Component: Application Visibility and Reporting

Symptoms:
AVR aggregates data with the following resolutions:

1 Hour: every 5 minutes (12 data points).
4 Hours: every 1 hour (4 data points).
1 Day: every 4 hours (6 data points).
1 Week: every 1 day (7 data points).
1 Month: every 1 week (4 data points).
Older: every 1 month.

This can lead to situations in time-charts report a very limited number of data points, which results in data that is not useful.

Conditions:
Viewing 'last day' and 'last month' data in AVR-related charts.

Impact:
Data that is not useful.

Workaround:
No workaround.

Fix:
Historical statistics are now shown in a better time resolution.

Behavior Change:
The intervals of 'last day' and 'last month' in all AVR-related charts has changed.

-- 'last day' is represented by 24 points, each of which represents 1 hour (changed from 6 points that each represented 4 hours).
-- 'last month' is now represented by 30 points, each of which represents 1 day (changed from 4 points that each represented a week).

Immediately after upgrade, you might notice some data missing from the 'last day' and 'last month' reports. For example, you might see only the most recent 4 hours (represented by 4 points) in 'last day', but not the points that preceded those 4 hours, as you might expect when viewing data for the 'last day'. Similarly, you might see 7 points representing 1 week when selecting 'last month', but not the three weeks before that.

In both cases the data is not lost (assuming you did not change the default db variable avr.stats.aggregation which is set to medium). You can view the data by selecting a different interval. For example, you can select 'last week' to see the last day (specifically, the day = 1 point), and you can select 'last year' to see the last month's data.

After an interval (one week, or one month, depending on the type of chart), the time periods will sync up with the data, so the charts show a full representation of the data, as expected.

---

594775 : Include <AttributeConsumingService> in SP metadata

Component: Access Policy Manager

Symptoms:
Cannot include <AttributeConsumingService> in the Service Provider (SP) metadata to configure a BIG-IP system as an SP.

Conditions:
Configuring SAML federation as SP requires configuration of at least one <AttributeConsumingService>. This/these attribute/s along with the corresponding unique AttributeConsumingServiceIndex/s must be reported in the exported SP metadata.

Impact:
Cannot configure a BIG-IP system as an SP.

Workaround:
AttributeConsumingService is typically used together with AttributeConsumingServiceIndex in either of the following ways.

1. At configuration time, Service Providers export metadata and specify 'AttributeConsumingService' to describe the service and provide a list of requested attributes to be used by the service.

2. At run-time, Service Provider generates an authentication request to IdP and specifies 'AttributeConsumingServiceIndex', which is a reference to a particular AttributeConsumingService previously shared using metadata. This index is used by IdP to identify which AttributeConsumingService should be used to generate assertion with relevant attributes.


For #1, the workaround is to manually edit the exported-by-SP metadata to include the AttributeConsumingService element.

Note: In this case, exported metadata cannot be digitally signed.

There is no workaround for #2, so even if metadata is edited, BIG-IP as SP will not include AttributeConsumingServiceIndex in authentication requests.

Fix:
Support for configuring Attribute Consuming Service(s) for SAML SP was added. On exporting SP metadata, the configured Attribute Consuming Service(s) along with corresponding unique Attribute Consuming Service Index(es) are part of the metadata.

The metadata can be shared with an IdP, and the SP can generate an authentication request with an Attribute Consuming Service Index (reference to a particular Attribute Consuming Service). If the IdP supports Attribute Consuming Service, the index in the request is used by IdP to identify which AttributeConsumingService should be used to generate assertion with relevant attributes.

---

594260 : Pool members do not exit slow ramp when CARP persistence is enabled.

Solution Article: K85831051

Component: Local Traffic Manager

Symptoms:
Pool members do not exit slow ramp when CARP persistence is enabled and priority groups are configured.

Conditions:
Pool members using slow ramp with CARP persistence enabled and priority groups configured.

Impact:
Pool member selections shifts through decreasing priority, groups and the connection goes to an unexpected pool member, (that is, one not in the highest priority group), even though members in a higher priority group are active.

Workaround:
Disable the Slow Ramp Time setting on the pool.

---

593845 : VE interface limit

Solution Article: K24093205

Component: TMOS

Symptoms:
TMM fails to bootup successfully.

Conditions:
More than 10 interfaces assigned to Virtual Edition (VE).

Impact:
BIG-IP fails to pass traffic as TMM fails to load successfully.

Workaround:
Make sure VE is assigned 10 or fewer interfaces.

Fix:
Added support for 32 interfaces on VE.

---

593396 : Stateless virtual servers may not work correctly with route pools or ECMP routes

Component: Local Traffic Manager

Symptoms:
Stateless virtual servers might not work correctly if the configured poolmember is reachable via a route pool or via several ECMP routes learned via dynamic routing.

Conditions:
- Stateless virtual server.
- Pool reachable via route pool or via ECMP routes.

Impact:
Traffic might be dropped.

Workaround:
Use other virtual server types to process this traffic.

Fix:
The BIG-IP system now correctly handles traffic to a Stateless virtual server which makes use of route pools or ECMP routes to reach the poolmembers.

---

593139-10 : glibc vulnerability CVE-2014-9761

Solution Article: K31211252

---

592647 : Thales client install requires an SSH username, and always attempts to SSH into the RFS

Solution Article: K58112012

Component: Local Traffic Manager

Symptoms:
The Thales client installation operation always attempts to SSH into the RFS machine as part of the install script, and always requires an ssh-login.

Conditions:
-- A BIG-IP user installing Thales nethsm client software.
-- The BIG-IP user does not have an SSH login to the RFS server.

Impact:
The BIG-IP user must supply the script with an SSH login name, even if it is expected that the command will fail. Thales client installation fails otherwise.

Workaround:
As long as the RFS user can run the following command, the existing script will work, even if the user is non-root:

/opt/nfast/bin/rfs-setup --force -g --write-noauth <BIG-IP IP address>

If the BIG-IP system cannot log into the RFS at all, you must supply a dummy login for the RFS, because the unpatched script requires an SSH username, and will always attempt to log into the RFS.

With a dummy login, although this step fails, the script attempts to recover as follows:

-- Instructs the user to run the following command manually on the RFS:
/opt/nfast/bin/rfs-setup --force -g --write-noauth <BIG-IP IP address>

-- Asks whether the command completed successfully.

As long as someone runs that command on the RFS before attempting or continuing Thales installation, the operation should complete without issue.

Note: It is possible to run this command on the RFS before even attempting to run the Thales installation script on the BIG-IP system.

Fix:
Thales install now works with a non-root login to the RFS server or with no login at all.

---

592611 : Some Access Policy sessions may not be sent over High Speed Logging destinations.

Component: Access Policy Manager

Symptoms:
At high APM (Access Policy) load, some sessions may fail to be reported through High Speed Logging destinations while these session logs can be found in other destinations, i.e., local-db or local-syslog.

Conditions:
-- APM configured to send logs over High Speed Logging.
-- High APM load.

Impact:
Some Access session logs are not sent to High Speed Logging destinations.

Workaround:
There is no workaround for remote High Speed Logging destinations, however, to avoid losing logs, ensure that APM session logs are sent to local-db.

Fix:
Logs sent by the APM modules are delivered successfully over High Speed Logging.

---

591486 : Pipeline reject in HTTP filter is not enforced in certain cases.

Component: Local Traffic Manager

Symptoms:
Pipeline reject in HTTP filter is not enforced in certain cases.

Conditions:
A HTTP::respond or HTTP::redirect is currently sinking a request. The next request arrives within the same packet as part of the sunk request.

Impact:
Pipelined data incorrectly allowed as the next request.

Fix:
The passthrough_pipeline reject option will reject requests arriving within the same packet as a sunk request.

---

590840 : OpenSSH vulnerability CVE-2015-8325

Solution Article: K20911042

---

590091 : Single-line Via headers separated by single comma result in first character second header being stripped.

Solution Article: K79075081

Component: Service Provider

Symptoms:
Removing the first Via header strips the leading character from the second Via when headers are separated by a comma (',').

Conditions:
Multiple Via headers on single-line separated by a single comma (',').

Impact:
Leading character of 2nd Via header will be stripped e.g. 'SIP/2.0/TCP' becomes 'IP/2.0/TCP'.

Workaround:
None.

Fix:
Removing the first Via header no longer strips the leading character from the second Via when headers are separated by a comma (',').

---

589367 : Some Edge Client's German translations are incorrect

Component: Access Policy Manager

Symptoms:
Some Edge Client's German translations are incorrect.

Conditions:
APM end-user's system using German locale.

Impact:
Conversion results in confusing text.

Workaround:
None.

Fix:
Edge Client's German translations are now correct.

---

588929 : SCTP emits 'address conflict detected' log messages during failover

Component: TMOS

Symptoms:
The system may advertise, on the client-side, SCTP alternate addresses that are in a route-domain different from that of the virtual server.

Conditions:
Configuring an SCTP virtual server with alternate-addresses that are not in the correct route domain.

Impact:
No impact to traffic processing. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.

---

588794 : Misconfigured SCTP alternate addresses may emit incorrect ARP advertisements

Component: TMOS

Symptoms:
SCTP alternate addresses may be advertised on the server-side that are in a route-domain that is different from that of the virtual server.

Conditions:
Alternate-addresses are configured on an SCTP virtual server that aren't in the correct route domain.

Impact:
There is no impact to traffic processing. Alternate-addresses will be advertised even though they are not in the correct domain. Some addresses advertised may fail to respond to negotiation, but the SCTP association overall will be stable.

Workaround:
Ensure that all addresses for SCTP virtual servers are in the same route domain.

Fix:
The SCTP profile now screens alternate addresses for route domain membership before advertising them.

---

588771 : SCTP needs traffic-group validation for server-side client alternate addresses

Component: TMOS

Symptoms:
Addresses may be advertised in an SCTP INIT chunk even though they are not usable by the BIG-IP.

Conditions:
When an SCTP virtual server has server-side-multihoming enabled and the snatpool used by the virtual server contains addresses from other traffic groups, it will advertise all of the addresses from the snatpool in the INIT chunk.

Impact:
Some of the paths advertised in the SCTP association establishment creation process will be unusable. A conformant SCTP implementation on the server-side should test and disregard these paths, causing no impact to traffic.

Fix:
The SCTP filter in BIG-IP has been fixed so that all of the alternate addresses advertised during SCTP association establishment are in the same traffic group as the virtual server. Configured addresses are checked for the correct traffic group membership before being advertised.

---

588752 : APM Login Performance may be degraded

Component: Performance

Symptoms:
A high number of logins per second can cause increased latency. The actual login rate that can cause the increased latency depends on the Access Policy configuration and network characteristics. In a typical configuration and network setup, you should not observe noticeable latency if logins per second is less than a few hundred.

Conditions:
Very high rate of login requests. More noticeable if the login-per-second rate is more than several hundred.

Impact:
End users will experience slower login or login failure.

Workaround:
None.

---

587266 : Chassis Name and Type are blank in "tmsh show sys hardware"

Component: TMOS

Symptoms:
As of BIG-IP v12.1.0, the output of the "tmsh show sys hardware" command includes the "Chassis Name" and "Chassis Type" fields under the "Chassis Information" section.
On VIPRION blades, these fields report the Marketing Name and Platform ID of the VIPRION chassis in which the blade is installed.
On BIG-IP appliances, the "Chassis Name" and "Chassis Type" fields are not populated.

Conditions:
This affects the following BIG-IP appliances running BIG-IP v12.1.0 or later:
BIG-IP 1600, 3600, 3900, 6900, 8900, 8950, 11000, 11050
BIG-IP 2000-/4000-series, 5000-/7000-series, 10000-/12000-series

Impact:
Cosmetic. Non-applicable fields contain no information.

---

586938 : Standby device will respond to the ARP of the SCTP multihoming alternate address

Solution Article: K57360106

Component: TMOS

Symptoms:
When there is a SCTP connection established, the router will request the ARP for the client-side multi-homing alternate address, but the standby device will reply to the ARP request as well.

Conditions:
When an SCTP profile has at least one alternate-address configured, and is used in an high availability (HA) scenario, this issue will manifest.

Impact:
Traffic for the alternate-addresses may be directed to the wrong device in an HA group. The multi-homing function will fail as the alternate connection cannot established on the standby device.

Workaround:
Do not use a VLAN address as an alternate address. Use only routed addresses, and route those addresses to the floating Self-IP address of the BIG-IP system.

Fix:
SCTP multihoming has been fixed to work correctly when used in a high availability setup with VLAN addresses

---

586621-6 : SQL monitors 'count' config value does not work as expected.

Solution Article: K36008344

Component: Local Traffic Manager

Symptoms:
SQL monitors 'count' config value does not work as expected.

Conditions:
SQL monitor in use with the 'count' config value specified. The 'count' value is intended to record the number of times the connection to the back-end database is re-used before it is disconnected. However, the value is not correctly recording the number in this release.

Impact:
SQL monitor might use a 'count' value that is incorrect.

Workaround:
Add 101 to the desired value. For example, if the desired count is '5', use '106' instead.

---

586287 : No way to control how aborted iRules log messages are generated and sent to /var/log/ltm.

Component: Local Traffic Manager

Symptoms:
There is no way to control the rate at which aborted iRules log messages are generated and sent to /var/log/ltm rule-aborted log messages similar to the following:
info tmm[19392]: 01220009:6: Pending rule /Common/abort_rule <HTTP_REQUEST_SEND> aborted for <IP address>

Conditions:
Viewing ltm log messages.

Impact:
Many "pending rule aborted" messages in ltm log.

Workaround:
Syslog filter can be created to filter the unwanted log messages from /var/log/ltm.

modify syslog {
...

include "
        filter f_local0 {
            facility(local0)
            and not match (\"Pending rule /Common/_sys_APM_Exchange <HTTP_REQUEST> aborted for\");
        };
    "
...
}

Fix:
This release adds a bigdb variable to control how aborted iRules log messages are generated and sent to /var/log/ltm.

The new option can be configured either via a sys db or using tmsh:
sys db: tmm.tcl.rule.aborted.log.ratio
tmsh: ltm global-settings rule rule-aborted-log-ratio

The options are as follows:
- 0 Logging is disabled.
- 1 (default) every aborted iRule occurrence is logged.
- > 1 only one in N aborted execution is logged, in addition to a message indicating how many previous log messages were suppressed.

Behavior Change:
This release introduce a configuration option to control the rate at which aborted iRules log messages are generated and sent to /var/log/ltm.

The option can be configured as follows:
- 0 Logging is disabled
- 1 (default) every aborted iRule occurrence is logged
- > 1 only one in N aborted execution is logged, in addition to a message indicating how many previous log messages were suppressed.

The new option can be configured either via a sys db or using tmsh:
Sys db: tmm.tcl.rule.aborted.log.ratio
tmsh: ltm global-settings rule rule-aborted-log-ratio

---

586031 : Configuration with LTM policy may fail to load

Component: TMOS

Symptoms:
Load may fail with an error similar to the following:

01070726:3: Policy /Common/Drafts/[name] in partition Common cannot reference policy reference /Common/Drafts/[name] /Common/[virtual server name] in partition [partition].

Note: The named object is in partition Common, but the message will incorrectly specify a different partition.

Conditions:
* An LTM policy has been published.
* A draft has been created from this policy.
* The LTM policy has been associated with a virtual server.
* At least one partition other than Common has been created (the policy does not need to be in this partition).
* The system is loading the configuration from the text config files (without a binary config file), e.g., as a result of performing a software upgrade or following the directions in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).

Impact:
Configuration will fail to load.

Workaround:
Edit the configuration file to remove the draft policy (but not the published one).

Fix:
This defect has been resolved and the configuration will now load successfully.

---

585351 : ASM add_del_internal script does not sync across blades on the VIPRION platform.

Solution Article: K22971309

Component: Application Security Manager

Symptoms:
ASM add_del_internal script does not sync across blades on the VIPRION platform. The changes are not carried over to the secondary slots. The bd.log contains messages similar to the following:
----
BD_MISC|NOTICE|Apr 04 00:54:28.139|18395|temp_func.c:1899|CHANGED INTERNAL PARAM: [cookie_secure_attr][1]
----

Conditions:
This occurs when the following conditions are met:
- Add the following internal parameter:
1.# /usr/share/ts/bin/add_del_internal add cookie_secure_attr

2. Run the following command on the primary slot: bigstart restart asm.

Impact:
This results in an inconsistent config and state between the primary blade and the secondary blades, which can cause inconsistent responses to the same traffic across blades.

Workaround:
Use clsh to set the value using the following command:
# clsh /usr/share/ts/bin/add_del_internal add cookie_secure_attr 1.

Fix:
The VIPRION platform now syncs across blades the internal parameter 'add_del_internal add cookie_secure_attr' after running 'bigstart restart asm' on the primary blade, so inconsistent configurations and traffic handling no longer exist.

---

585043 : Question mark prevents TMSH from loading configuration file

Component: TMOS

Symptoms:
When loading system configuration for TMSH, if some properties have the value ? (question mark), TMSH fails to complete the loading.

Conditions:
-- Use TMSH to load configuration.
-- string, vector of string properties have ? as value.
-- ? is the stand-alone value. That is, ? has no characters before or after it and it is not part of a string.

Impact:
TMSH fails to load system configuration file

Workaround:
None.

Fix:
TMSH now considers escaped question mark as a literal character if the question mark is explicitly escaped (i.e., using quotes, backslash, etc.). Loading system configuration succeeds if all question marks are properly escaped.

Escaped question mark now stops displaying help messages in the TMSH, because a literal question mark should not have any special meaning attached to it.

This fix does not affect the ways question marks are stored in the TMSH configuration files. Loading existing system configuration files should work properly.

Behavior Change:
TMSH now considers escaped question mark as a literal character if the question mark is explicitly escaped (i.e., using quotes, backslash, etc.), and will successfully load that system configuration if all question marks are properly escaped.

---

584545 : Failure to stabilize internal HiGig link will not trigger failover event

Component: Local Traffic Manager

Symptoms:
The internal HiGig interface potentially and repeatedly report FCS errors or does not become stable in rare cases.

Conditions:
The internal HiGig interfaces experiences FCS or XLMAC link failures.

Impact:
Device is left in a state where it cannot receive or pass traffic or have frame checksum errors.

Workaround:
None.

Fix:
HA failover mechanism is now activated when internal HSB ports on critical data path are consistently unstable.

Behavior Change:
There is a condition in which failures happen on the internal HiGig interfaces on the critical packet path between the HSB and the Broadcom switch, causing traffic interruption. Such failures can be inferred by HSB XLMAC instability or by observing increasing FCS errors. When these HSB XLMAC failures happened in the past, TMOS initiated a recovery mechanism by resetting the HSB MAC interface. However, if the failure persisted even after repeated recovery attempts, TMOS triggered a high availability (HA) failover event to prevent prolonged traffic disruption. The failover triggering condition is set as either the consecutive recovery attempts or consecutive FCS failure events that reach a configurable preset limit. After the HA failover was triggered, the original active unit will still keep trying to recover, and will mark itself ready if the failure condition is no longer observed. The XLMAC reset was existing behavior. The new behavior also applies to FCS failure events.

---

583272 : "Corrupted Connect Error" when using IPv6 and On-Demand Cert Auth

Component: Access Policy Manager

Symptoms:
Browser shows a "corrupted connect error" when access policy runs On-Demand Cert Auth on an IPv6 virtual server.

The root cause is that in packet capture, the APM sends an HTTP 302 with invalid brackets around the hostname, like this:
Location: https://[login.example.com]/my.policy

Brackets around IPv6 addresses are for raw IPv6 addresses. They are illegal for DNS names that represent an IPv6 address.

Conditions:
IPv6 virtual server, and On-Demand Cert Auth in the access policy. Only applies if a DNS hostname is used. Raw IPv6 addresses are not affected.

Impact:
Client is unable to authenticate.

Workaround:
None.

Fix:
Clients connecting to an APM access policy with on-demand certificate authentication to an IPv6 virtual server now transmit the client certificate correctly when executing the access policy.

---

581857 : Rewrite option missing in TCP Window Scale Mode for FastL4 profiles

Solution Article: K13950312

Component: TMOS

Symptoms:
The Rewrite option is missing in TCP Window Scale Mode for FastL4 profiles.

Conditions:
This is visible when modifying the TCP Window Scale Mode in the GUI. In tmsh the options are preserve, rewrite, or strip. In the GUI the only options are rewrite or strip.

Impact:
Unable to set this mode using the GUI.

Workaround:
Use tmsh.

Fix:
The Rewrite option has been added to TCP Window Scale Mode for FastL4 profiles.

---

581746 : MPTCP or SSL traffic handling may cause a BIG-IP outage

Component: Local Traffic Manager

Symptoms:
Occasional BIG-IP outages may occur when MPTCP or SSL traffic is being handled by a virtual server.

Conditions:
MPTCP has been enabled on a TCP profile on a virtual server, or SSL is in use.

Impact:
A system outage may occur.

Workaround:
None.

Fix:
An issue with handling of MPTCP and SSL traffic has been corrected.

---

580472-1 : /var/log partition is full, sadf may crash

Component: TMOS

Symptoms:
the system activity report utility sadf may crash when /var/log partition is full

Conditions:
/var/log partition is full

Impact:
A core will be generated, but system activity report utility will continue to function.

Fix:
Update to latest version of software to address core

---

580149 : AVR widgets are not synchronized in a HA configuration

Component: Application Visibility and Reporting

Symptoms:
AVR widgets are not being synced between devices in a Sync-Failover Device Group.

Conditions:
Using a Sync-Failover Device Group and creating AVR widget.

Impact:
GUI widgets will not be available on all devices.

Workaround:
None.

Fix:
MCP object for AVR-widgets is now set to be synced between devices.

---

579932 : [Portal Access] Web-applications can't set cookies with expiration date after 07 Feb 2106

Component: Access Policy Manager

Symptoms:
Portal Access silently discards cookies with expiration time after 07 Feb 2106

Impact:
Application is not able to set cookies. This could make it impossible to login or break other functionality of application when accessing it through Portal Access

Workaround:
when HTTP_RESPONSE {
# Cookies from backend application may have expiration time after 07 Feb 2106.
# This overflows 32-bit variable with timestamp ("Year 2038 problem"), therefore
# such cookies are treated as expired and Portal Access code discards them.
# The solution is to limit internal expiration time with some reasonable value: one month.
    foreach {cname} {affected_cookie_name} {
        if { [HTTP::cookie exists $cname]} {
# log local0. "$cname=[HTTP::cookie $cname];expires=[HTTP::cookie expires $cname]"
            HTTP::cookie expires $cname 2592000 relative
        }
    }
}

Fix:
Portal Access now correctly handles cookies from backend application with expiration date after 07 Feb 2106

---

579760-2 : HSL::send may fail to resume after log server pool member goes down/up

Solution Article: K55703840

Component: TMOS

Symptoms:
High speed logging (HSL): asymmetric bandwidth loss might result in no bandwidth tracking.

Conditions:
This will occur if the log server pool only has a single member in it, and that member goes down and up while HSL::send is occurring during traffic processing.

Impact:
For a period of time after the logging node comes back up, HSL::send events will not be sent to the log server. Sometimes it never recovers and tmm needs to be restarted.

Workaround:
If possible, configure log server pools with multiple members to avoid this condition.

---

579210 : VIPRION B4400N blades might fail to go Active under rare conditions.

Solution Article: K11418051

Component: TMOS

Symptoms:
Over extended periods of booting and rebooting a VIPRION system containing B4400N blades, a switch port connected to the HSB might fail to initialize properly. In some cases, logs indicate an occurrence of the problem in the following form: hgm_fcs_errs[higig mac #] exceeds 1000.

Conditions:
This happens under very rare conditions on B4400N blades; for example, after approximately 8-12 hours of continuous rebooting.

Impact:
When the problem is manifest, the HSB receives FCS errors at a high-frequency and does not receive any valid traffic from the port switch. The B4400N blade might be unable to go active and join the cluster.

Workaround:
To recover, reboot the system once.

---

579035 : Config sync error when a key with passphrase is converted into FIPS.

Solution Article: K46145454

Component: TMOS

Symptoms:
When a key with passphrase is converted to a FIPS key (that is, imported into the FIPS card) and a config sync is done, sync fails with an error saying that passphrase is specified but the key is not passphrase protected.

Conditions:
Converting a private key with a passphrase to FIPS key and then performing a config-sync.

Impact:
Config sync will fail.

Workaround:
Ensure that you only import FIPS keys that are not encrypted with a passphrase. For more information, see K15720: Certain tasks related to the management of SSL certificates do not support encrypted private keys (11.x) at https://support.f5.com/csp/#/article/K15720

---

578983-2 : glibc: Integer overflow in hcreate and hcreate_r

Solution Article: K51079478

---

577846 : NPN configuration options are obsolete

Component: Local Traffic Manager

Symptoms:
Next Protocol Negotiation (NPN) support is obsolete and will be removed from a future software version.

Conditions:
HTTP/2 configuration currently allows selection of NPN, ALPN or both.

Impact:
HTTP/2 will only use ALPN, irrespective of the configuration referencing NPN.

Workaround:
Configure applicable profiles to use ALPN.

---

575818 : Apply Security Policies Only During Specified Times

Component: Application Security Manager

Symptoms:
When in Automatic mode Policy Builder might apply policy changes at any time. There is no way to constrain changes to a specific time or schedule.

Conditions:
Policy Builder is used in automatic mode, and ramcache is being used.

Impact:
When changes to policy are applied the ramcache is flushed.

Workaround:
None.

Fix:
A schedule can now be set for when to apply policy changes. This feature allows the option to apply changes to policies built by Policy Builder on scheduled interval/dates. This allows scheduling it during low traffic time, at night.

---

575733 : Support launching native RDP client from APM Webtop on iOS

Component: Access Policy Manager

Symptoms:
Cannot launch native RDP client from APM Webtop on iOS.

Conditions:
Attempting to launch native RDP client from APM Webtop on iOS.

Impact:
Does not launch.

Workaround:
None.

Fix:
Native RDP resources can now be launched from APM Webtop on iOS regardless of the state of the broker role on the target server.

---

575368 : Error is not posted when a UCS file with FIPS keys is loaded after re-initializing the FIPS card

Component: TMOS

Symptoms:
When a UCS with FIPS keys is loaded after re-initializing the FIPS card, errors should be posted that the FIPS keys in the configuration that are now invalid. Instead, the configuration loads without any errors, and SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Conditions:
UCS file with FIPS keys is loaded after re-initializing the FIPS card.

Impact:
SSL handshake failures are seen when a clientSSL profile uses the FIPS key.

Workaround:
You can delete the FIPS keys, re-initialize the FIPS card, then install the needed keys.

---

574811 : SSL Orchestrator: Add the ability to dynamically update the CA bundles on the BIG-IP

Component: Local Traffic Manager

Symptoms:
Maintaining CA bundle files on the BIG-IP system is a manual process, which can result in repeated overhead and potential mistakes.

Conditions:
Adding, deleting, merging, updating CA bundle files on the BIG-IP system.

Impact:
Incur administrative overhead for CA bundle file maintenance.

Workaround:
Manual process for adding, deleting and updating CA bundle files and configuration objects.

Fix:
BIG-IP users can now automate some of the CA bundle management processes, such as adding, deleting, or updating a CA bundle from local file systems or online sources, and merging, subtracting certificates from multiple CA bundle files.

---

574160-6 : Publishing DNS statistics if only Global Traffic and AVR are provisioned

Component: Application Visibility and Reporting

Symptoms:
AVR does not publish DNS statistics if LTM is not provisioned.

Conditions:
LTM is not provisioned.

Impact:
The DNS chart does not show statistics.

Fix:
We changed the condition when we published DNS statistic in this configuration.

---

574088 : Add AES-GCM support for ssldump

Component: Local Traffic Manager

Symptoms:
ssldump is unable to decrypt AES-GCM ciphers.

Conditions:
This applies only when the following SSL cipher suites are negotiated:

AES128-GCM-SHA256
AES256-GCM-SHA384

Impact:
This makes it more difficult to analyze SSL related issue.

Workaround:
None.

Fix:
Add AES-GCM cipher support.

---

572567 : Portal Access: JavaScript errors accessing MS SharePoint 2010 / 2013 / 2016 in Internet Explorer 11

Component: Access Policy Manager

Symptoms:
Microsoft Internet Explorer version 11 (IE11) shows numerous JavaScript errors in debug console opening SharePoint pages with document lists via Portal Access. As a result, part of SharePoint functionality is unavailable (document submenus, for instance). System posts the following message:
 Export to database failed. To export a list, you must have a Microsoft SharePoint Foundation-compatible application.

Conditions:
- Using Portal Access in IE11.
- Accessing SharePoint 2010 / 2013 / 2016.
- Opening document library page in SharePoint.

Impact:
SharePoint application may not work correctly.

Workaround:
None, although you can successfully access the library directly using IE11.

Fix:
Now SharePoint pages with shared document lists can be opened correctly via Portal Access.

---

572519 : More than one header name/value pair not accepted by ACCESS::respond

Component: Access Policy Manager

Symptoms:
An error is seen when ACCESS::respond command is used, for example, in an iRule with multiple header name/value pairs.

Conditions:
When ACCESS::respond command is used with multiple header name/value pairs.

Impact:
An error is generated when the command is used.

Workaround:
Let the command take only one name/value pair.

Fix:
The ACCESS::respond iRule event has been corrected to accept multiple HTTP header name/value pairs in a similar way to HTTP::respond. For example:

ACCESS::respond 200 content "http body" header1 value1 header2 value2

---

572234 : When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10.

Component: Local Traffic Manager

Symptoms:
When using a pool route, it is possible for TCP connections to emit packets onto the network that have a source MAC address of 00:98:76:54:32:10. This is the MAC address of Linux's tmm0 or tmm interface.

Conditions:
The traffic destination is the BIG-IP Linux host, e.g. big3d iQuery server.

The traffic is proxied via fastL4, e.g. ConfigSync "Local Address" is set to None.

The return route is a pool route.

The traffic is interrupted, e.g. a router between the iQuery server and the client is switched off for several seconds.

Impact:
The traffic is sourced from invalid ethernet MAC 00:98:76:54:32:10.
The iQuery connection cannot continue.

Workaround:
Increase the lasthop module's TCP idle timeout.

echo 121 > /proc/sys/net/lasthop/idle_timeout/tcp

Fix:
TCP connections no longer emit packets that have a source MAC address of 00:98:76:54:32:10.

---

572111 : Rate shaper drop policy sometimes show value is zero which is equivalent of default value

Component: Local Traffic Manager

Symptoms:
The default values for a drop policy's elements max-threshold and min-threshold may show as '0' under certain circumstances, and their actual values under other circumstances. This can actually lead to the values being displayed differently between configsync devices despite the traffic group showing in-sync (internally, the actual non-zero default value is always used, and so no config mismatch is detected). This leads to confusion.

Conditions:
This occurs when using rate-shaping drop policies.

Impact:
Confusion when you see the change in value from zero to something else when you change one value and see other value automatically changed.

Workaround:
No work around is needed.

Fix:
Ignore the parameter values when rate shaper drop policy changes automatically to the default value.

---

571634 : tmstat CPU values can be incorrect

Component: TMOS

Symptoms:
The CPU values returned by blades in a chassis may not be sorted correctly and so the returned values might appear confusing or invalid.

Conditions:
Retrieving values for a chassis using the following command: tmstat cpu.

Impact:
Incorrect reporting of TMM CPU utilization using tmstat command.

Workaround:
No workaround.

Fix:
Values are now properly sorted and maintained.

---

571017 : Extra log messages seen on optics removal.

Component: TMOS

Symptoms:
Following message may appear in /var/log/ltm when optics are removed:
soc_phy_i2c_read_devtype - eeprom soc_phy_i2c_read_bytes failed port(28)

Conditions:
Optics removal.

Impact:
This is a cosmetic message and does not indicate a problem with the system.

Workaround:
None needed.

Fix:
This release eliminates the benign log messages that occurred when optics were removed.

---

570855 : DB variable log.csyncd.level cannot be set to certain values

Component: Local Traffic Manager

Symptoms:
The DB variable log.csyncd.level lists some values for tab completion, but validation prevents you from setting them. The error message looks like this:

01070911:3: The requested enumerated (alert) is invalid (critical, error, warning, notice, informational, debug) for loglevel in daemon_csyncd (/Common/daemon_csyncd)

Conditions:
You are trying to use the DB variable log.csyncd.level to increase the amount of information logged by csyncd. csyncd is a system service that on chassis mirrors certain portions of the filesystem between blades, and on all BIG-IP devices runs certain commands after detecting filesystem changes.

Impact:
You cannot set the log level to certain values.

Workaround:
If you want more debugging information, set the log level to 'debug', which is still accepted.

Fix:
The DB variable log.csyncd.level lists some values for tab completion, but validation formerly prevented you from setting them. This has now been resolved; all advertised values will now be accepted.

---

570841 : Cannot create or edit a new document from SharePoint 2013 ribbon buttons via Portal Access

Component: Access Policy Manager

Symptoms:
Cannot create or modify a new document from SharePoint 2013 ribbon buttons via Portal Access.

Conditions:
-- Attempting to create or edit a new document.
-- Using SharePoint 2013 ribbon buttons via Portal Access.

Impact:
Cannot create or modify SharePoint 2013 documents via Portal Access. Document cannot be opened, edited, or saved to the server.

Workaround:
None.

Fix:
Can now create and modify a new document from SharePoint 2013 ribbon buttons via Portal Access from Mac.

---

570783 : Improved debug log for IKEv2 proposal transforms and payloads.

Component: TMOS

Symptoms:
IKEv2 logs insufficiently for debugging, for proposal transforms, especially when compared to IKEv1 logging of transforms during negotiation. Insufficient info is shown to explain why an IKEv2 negotiation fails.

Conditions:
If an IKEv2 negotiation fails due to proposal transform disagreement, examining /var/log/ipsec.log shows too few clues about what was wrong.

When log-level is at least DEBUG, the log should give more debug info:

tmsh modify net ipsec ike-daemon ikedaemon log-level debug.
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2.

Impact:
Diagnosing IKEv2 disagreement in transforms is hard without the new debug log info.

Workaround:
None.

Fix:
Now /var/log/ipsec.log reveals clear detail about proposal transforms and payloads in /var/log/ipsec.log (and in tmm logs) when log level is at least DEBUG. Changing log level to debug works like this:

tmsh modify net ipsec ike-daemon ikedaemon log-level debug.
or
tmsh modify net ipsec ike-daemon ikedaemon log-level debug2.

---

569814-1 : iRule "nexthop IP_ADDR" rejected by validator

Component: Local Traffic Manager

Symptoms:
The nexthop command allows an administrator the ability to specify a forwarding address in an iRule. The form which takes an IP address may be rejected by the validator with an error message of the form:

01070151:3: Rule [/Common/irule_example] error: Unable to find vlan, vlangroup or tunnel (10.0.0.1) referenced at line 2: [nexthop 10.0.0.1]

Conditions:
This occurs when the nexthop command contains only the IP address, for example:

when HTTP_REQUEST {
  nexthop 10.0.0.1
}

Impact:
The iRule containing the 'nexthop IP_ADDR' command cannot be associated with a virtual server.

Workaround:
The 'nexthop VLAN IP_ADDR' form of the command does pass the validator. Choose the named vlan on which IP_ADDR can be reached. For example:

    when HTTP_REQUEST {
nexthop internal 10.0.0.1
    }

Fix:
Validator now allows 'nexthop IP_ADDR' in iRules.

---

569441 : Added --num_threads option to nethsm-thales-install.sh and nethsm-safenet-install.sh

Component: Local Traffic Manager

Symptoms:
As part of the netHSM install, it is not possible to specify the number of threads for pkcs11d to use.

Conditions:
Using BIG-IP versions 11.x, 12.x, or 13.0.0.

Impact:
Cannot specify the number of threads for pkcs11d to use.

Workaround:
To set the number of threads, after install, run a separate tmsh command to set the number of threads and then restart pkcs11d.

Fix:
nethsm-thales-install.sh and nethsm-safenet-install.sh now have a --num_threads option to specify the number of threads pkcs11d will use. This simplifies the initial setup process for users that want to use a non-default number of threads.

Behavior Change:
nethsm-thales-install.sh and nethsm-safenet-install.sh now have a --num_threads option to specify the number of threads pkcs11d will use. This simplifies the initial setup process for users that want to use a non-default number of threads.

---

567330 : tmsh show sys memory on secondaries will generate innocuous error

Component: Local Traffic Manager

Symptoms:
The ltm log file contains these errors: err mcpd[9011]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

Conditions:
This occurs when logged into secondary member of a cluster (VIPRION blade or vCMP guest) and running the command: tmsh show sys memory.

Impact:
The error indicates that the secondary member cannot display information that is only presented on a primary. This is a spurious error, and you can safely ignore it.

Workaround:
Ignore the specific error with this signature:

0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (5130).

Fix:
no longer displays 'Data publisher not found or not implemented' messages when running the command: tmsh show sys memory on secondary member of a cluster (VIPRION blade or vCMP guest).

---

567177 : Log all attempts of key export in ltm log

Component: TMOS

Symptoms:
Attempts to export keys are not logged.

Conditions:
-- Exporting keys.
-- Viewing ltm log.

Impact:
No messages logged to indicate the export attempts.

Workaround:
None.

Fix:
iControl:
======================
When any of the following iControl functions is called (either by the GUI or directly by a system user), the system logs it in ltm log. The log will include the iControl function name, key names, and BIG-IP user name.
key_export_to_file
key_export_to_pem
export_all_to_archive_stream
export_to_archive_stream
export_all_to_archive_file
export_to_archive_file

ltm logs example:
======================
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_file()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key, /Common/kc.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::key_export_to_pem()
-- info iControlPortal.cgi[26687]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_stream()
-- info iControlPortal.cgi[26687]: Management: private key export: keys (/Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: All keys in Default mode are being exported by user "admin" via KeyCertificate_impl::export_all_to_archive_file()
-- info iControlPortal.cgi[4868]: Management: private key export: keys (/Common/kc.key, /Common/default.key) in Default mode are being exported by user "admin" via KeyCertificate_impl::export_to_archive_file()

tmsh:
======================
The only possibility for using tmsh to export a key is saving a UCS file, so that will be logged.

ltm logs example:
======================
notice tmsh[21886]: 01420012:5: private key export: All keys are being exported by user "admin" via UCS saving.


GUI:
======================
There are 3 ways that a user can get key export from GUI:
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: default : Key Export
-- System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: Archive...
-- System :: Archives :: New Archive...

These are internally implemented by using iControl and tmsh calls, so they will be automatically be logged in ltm log as iControl or tmsh users.

Behavior Change:
With this change, any attempt to export key will be logged in ltm log. Logged attempts include: save a UCS file, archive key files, or export key files, using tmsh/iControl/GUI.

---

566565 : ADAPT could time out during sending to IVS with no preview

Component: Service Provider

Symptoms:
If ADAPT is sending a very long HTTP request or response to an internal virtual server (IVS), its timeout might expire before sending is complete, not giving a chance for the IVS to respond. This might occur in this following case: the IVS has an ICAP profile and the ICAP server waits for the entire ICAP request before responding, by which time the ADAPT timeout has fired.

Conditions:
A request-adapt or response-adapt profile has preview-size 0 and a timeout short enough to expire before the IVS has a chance to respond.

Impact:
The IVS transaction fails and ADAPT performs its service-down action. In this no-preview case, an 'ignore' (bypass) action is not possible, so the HTTP transaction fails.

Workaround:
Increase the timeout in the requestadapt or responseadapt profile, to cover the longest HTTP payload expected to be sent to the IVS.

Fix:
The ADAPT timeout begins after the entire payload has been sent to the IVS, so IVS has the full allowed time to respond.

---

566553 : Support two factor authentication for Citrix Receiver for Windows

Component: Access Policy Manager

Symptoms:
Two-factor authentication cannot be used with Citrix Receiver for Microsoft Windows.

Conditions:
-- BIG-IP APM is configured in Citrix replacement mode configuration.
-- Two-factor authentication is used in Access policy.

Impact:
Two-factor authentication does not work

Workaround:
None.

Fix:
The system now supports two-factor authentication for Citrix Receiver for Windows.

---

564524 : Cron logs hourly email failure messages.

Component: Application Visibility and Reporting

Symptoms:
Cron logs hourly email failure messages.

When mailhub is configured, sends hourly email notifications containing the following message: Reports scheduling should not run on a machine with a failover state of inactive or standby at /usr/share/avr/bin/run_scheduled_reports.pl line 23.

Conditions:
Device is in standby or disabled.

Impact:
Log/email spam.

Workaround:
To avoid mail delivery attempts, change the third line of '/etc/cron.d/0hourly' to MAILTO="" .

Fix:
System no longer sends hourly reports when device is in standby or disabled.

---

564105 : ArcSight gives error on specific transactions

Component: Application Security Manager

Symptoms:
The Arcsight remote logger shows error messages when trying to parse messages from ASM.

Conditions:
An arcsight remote logger is configured. Specific transaction is coming out.

Impact:
Remote logging is not coming out.

Workaround:
N/A

---

563905-4 : vCMP guest fails to go Active after the host system is rebooted

Solution Article: K62975642

Component: TMOS

Symptoms:
A vCMP guest fails to go Active after the host system is rebooted. When this occurs, the system posts the following message: confpp[9184]: rollback FAILED for 'unix_config_syslog'

Conditions:
The host of a vCMP guest is rebooted.

Impact:
The guest will not become active.

Workaround:
None.

Fix:
vCMP guest now correctly goes Active after the host system is rebooted

---

563689 : ZebOS configuration cannot be loaded via imish when service password-encryption is set

Component: Local Traffic Manager

Symptoms:
When "service password-encryption" is configured in ZebOS, encrypted passwords cannot be loaded through imish. imish will print "% Invalid input detected at '^' marker." and the password will not be loaded.

Conditions:
Dynamic routing is configured with "service password-encryption" in ZebOS config file or running config, run "imish -f <file>" or paste encrypted password into imish.

Impact:
ZebOS configuration will be incompletely loaded.

Workaround:
The config will be properly read if tmrouted is restarted. Restarting tmrouted will interrupt all dynamic routing.

The config can also be loaded without restarting tmrouted by configuring the cleartext passwords manually. They will be encrypted when the configuration is saved.

Fix:
imish now correctly loads the ZebOS configuration when "service password-encryption" is set.

---

563444 : vCMP guest cluster may have two primaries due to partial partitioning of the management backplane network on one cluster member

Component: Local Traffic Manager

Symptoms:
The management backplane network on one cluster member of a vCMP guest may partially malfunction in that multicast packets are able to be sent out of the cluster member but incoming multicast packets from the peer members are dropped. This results in the cluster becoming "split-brained" and having two primary members; the original primary remains so while the isolated member also elects itself as a primary.

Conditions:
This issue only occurs on vCMP guest clusters and has been found to only happen in extremely rare cases.

Impact:
Dataplane traffic remains unaffected. However, configuration changes will not propagated to the isolated cluster member, and stats will not be synced from the isolated cluster member. Furthermore, if the cluster is the active unit in an HA pair, this may result in a failover not occurring as expected due to the technical nature of the malfunction.

Workaround:
To resolve the issue, reboot the cluster member whose management backplane has malfunctioned.

---

562087 : Supported platforms for Event Correlation

Component: Application Security Manager

Symptoms:
Event correlation is not supported on:
1. Any kind of multi slot/blade platform, physical or virtual, with multiple available slots/blades. But if cluster has only 1 active slot (green blade) - event correlation will run on it. This is relevant since version 11.3
2. A vCMP guest, that is hosted by a hypervisor, that runs on a platform which does not have an SSD drive. But if the disk is SSD on vCMP guest - event correlation will run on it. This is relevant since version 11.6

Conditions:
Clustered environment.

Impact:
Event Correlation daemon and GUI.

Fix:
Just documented exact platforms.

---

560291 : vCMP guest cluster may have two primaries due to partial partitioning of the management backplane network on one cluster member

Component: Local Traffic Manager

Symptoms:
The management backplane network on one cluster member of a vCMP guest may partially malfunction in that multicast packets are able to be sent out of the cluster member but incoming multicast packets from the peer members are dropped. This results in the cluster becoming "split-brained" and having two primary members; the original primary remains so while the isolated member also elects itself as a primary.

Conditions:
This issue only occurs on vCMP guest clusters and has been found to only happen in extremely rare cases.

Impact:
Dataplane traffic remains unaffected. However, configuration changes will not propagated to the isolated cluster member, and stats will not be synced from the isolated cluster member. Furthermore, if the cluster is the active unit in an HA pair, this may result in a failover not occurring as expected due to the technical nature of the malfunction.

Workaround:
To resolve the issue, reboot the cluster member whose management backplane has malfunctioned.

---

558865 : Overlapping of address are not allowed on firewall NAT policy match side

Solution Article: K45262411

Component: Advanced Firewall Manager

Symptoms:
Overlapping IP addresses (addresses and address-list) are not allowed in NAT policy rules.

Conditions:
Trying to configure overlapping IP addresses in NAT policy rules.

Impact:
Cannot configure overlapping IP addresses in NAT policy rules.

Workaround:
None.

Fix:
The system now allows overlapping IP addresses (addresses and address-list) in a NAT policy rule. It logs a notice message in /var/log/ltm when there are overlapping IP addresses and includes detail address information.

---

557155-7 : BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Solution Article: K33044393

Component: TMOS

Symptoms:
BIG-IP Virtual Edition becomes completely unresponsive under very heavy load.

Conditions:
Sustained high packet rate with a very small payload.

Impact:
Traffic through the guest stops until the guest/BIG-IP system is reset. However, this issue is reproduced during a test that over provision a 2-vCPU guest and is unlikely to happen in normal operation.

Workaround:
Try ones of the following workarounds (first on is the most preferred and so ):
1. Increase guest memory.
2. Significantly reduce the value of the content in '/sys/module/unic/rx_queue_size'. For example running the following command substantially decreases throughput: echo 1048576 > /sys/module/unic/rx_queue_size.
3. Set panic on OOM. Try this as the last option.
   sysctl vm.panic_on_oom=1

Fix:
BIG-IP Virtual Edition becomes unresponsive under extreme load test due to kernel memory exhaustion from over-provisioning.

---

556780 : Portal Access should ignore incorrect IE-specific cookies with empty name and value

Component: Access Policy Manager

Symptoms:
IE-specific cookies with empty name and value are being sent to backend.
Request header in a traffic dump between APM and backend could look like "Cookie: =;<other cookies>" for example.

Conditions:
This can occur with cookies being sent via Internet Explorer through Portal Access.

Impact:
Errors from backend applications which are unable to handle such cookies.

Fix:
Cookies with empty name and value will no longer be sent to backend application via Portal Access

---

554393 : Multiple log messages stating 'AdminIp fixed up with dhcp_enabled = false' are printed in /var/log/ltm after upgrade.

Component: TMOS

Symptoms:
/var/log/ltm shows multiple entries with this message:
'AdminIp fixed up with dhcp_enabled = false'.

Conditions:
Upgrading running BIG-IP with a newer version.

Impact:
This is a benign informational message about internal DHCP variable handling. The /var/log/ltm might contain repeated messages, but there is no functional impact.

Workaround:
None.

Fix:
Multiple log messages stating 'AdminIp fixed up with dhcp_enabled = false' are no longer printed in /var/log/ltm after upgrade.

---

552988 : Cannot enable MPTCP on some profiles in GUI.

Component: Local Traffic Manager

Symptoms:
Version 12.1 Cannot enable MPTCP on some profiles in GUI. Get error message: 01070734:3: Configuration error: In profile /Common/proxy-client to enable MPTCP, Hardware SYN Cookie must be disabled.

Conditions:
Version 12.1 Enabling MPTCP on some profiles in GUI.

Impact:
Version 12.1 Cannot enable MPTCP.

Workaround:
Use tmsh to enable MPTCP on some profiles.

Fix:
Eliminate validation: it is reasonable to have MPTCP function until entering syncookie mode.

---

550547 : URL including a "token" query fails results in a connection reset

Component: Access Policy Manager

Symptoms:
Per Request Policy access to URL containing a "token" query parameter fails and results in a connection reset with the following error:

"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Conditions:
Configure an Explicit SWG with a PRP that includes [protocol lookup (https) + category-lookup]
It does not matter ntlm or basic auth.
This is triggered on sites that have "token" in the query parameters.

Impact:
Clients receive this response:
"ERR_NOT_FOUND: access2 token not found; subsession might be inactive"

Workaround:
Workaround iRule:

when HTTP_REQUEST {
    if { [HTTP::query] contains "token" } {
      set fix 1
      HTTP::query [string map "token aabbcc" [HTTP::query]]
    }
}

when HTTP_REQUEST_SEND {
    if { [info exists fix] && $fix equals 1 } {
      clientside {
        HTTP::query [string map "aabbcc token" [HTTP::query]]
        unset fix
      }
    }
}

Fix:
Customization namespace for subsession state prefix with default value as "000fffff" has been added controlled via db variable "tmm.access.subsessionstateprefix" before state/token query param and validation is ensured to check for the prefix value before triggering serialize/deserialize code to avoid RST.

In case if a UCS is being restored and used for a Hotfix, the newly added DB variable may not be present in /config/Bigdb.dat file. The following information needs to be added in /config/Bigdb.dat file followed by a "bigstart restart" to ensure proper working.

#
# This string is used as the prefix for the subsession state value that is sent as
# part of the redirect URI being sent to the client.
#
[Tmm.Access.SubsessionStatePrefix]
default=000fffff
type=string
realm=local
display_name=Tmm.Access.SubsessionStatePrefix
scf_config=true
max=32

---

549927 : iRule validation does not check RULE_INIT/virtual are disallowed in proc calling

Component: Local Traffic Manager

Symptoms:
iRule validation does not check RULE_INIT/virtual are disallowed in proc calling

Conditions:
Under RULE_INIT event call a proc which has virtual command.

Impact:
Pass validation while it should not.

Workaround:
Do not call virtual command inside proc.

Fix:
Use the workaround.

---

549622 : Cannot launch Horizon RDS applications with the HTML5 client

Component: Access Policy Manager

Symptoms:
APM does not support launching Horizon RDS applications with the HTML5 client.

Conditions:
Accessing APM webtop with Horizon resources expanded into some RDS applications.

Impact:
Cannot launch Horizon RDS applications with the HTML5 client.

Workaround:
None.

Fix:
Support for HTML5 client with Horizon RDS applications has been implemented.

---

548321 : External link status not displayed for VLAN/interfaces

Component: TMOS

Symptoms:
When you run tmsh show net interface on a Virtual Edition/Z100 BIG-Ip device, you see "Media None".

Conditions:
This occurs on devices that are not using SR-IOV

Impact:
External Link status cannot readily be determined from within the VE using usual interface status commands

Workaround:
check the link state on the hypervisor or connected devices

check the results of higher layer protocols (ARP, ping, etc.)

---

548003 : GUI Network Map page runs out of memory and the GUI hangs indefinitely.

Solution Article: K03416530

Component: TMOS

Symptoms:
GUI Network Map page runs out of memory and the GUI hangs indefinitely.

Conditions:
When a BIG-IP system is configured with a large number of Virtual Servers (3000+) and accompanying components (iRules, Pools, Pool Members, and Node Addresses), multiple users retrieving the Network Map might result in an Out of Memory Exception.

Impact:
GUI server becomes unresponsive and unable to process new requests. The GUI becomes unusable and requires a restart.

Workaround:
Use items in the filter bar (along the top of the screen) to reduce the result size to avoid an Out of Memory Exception. Also, increase the memory of the container server.

Fix:
Change how we retrieve data from the backend and move more logic to the client from the backend.

---

544906 : Issues when using remote authentication when users have different partition access on different devices

Solution Article: K07388310

Component: TMOS

Symptoms:
User validation failing when adding a partition when the [All] partition already exists, or when adding [All] partition if a specific (non-All) partition is already configured for that user.

For example, on config sync, the system might post an error similar to the following: error 01070821:3: User Restriction Error: Once configured for specific partition(s), user cannot have [all].

Conditions:
Devices configured for remote authentication.

User A on device 1 with role on all-partitions.

User A on device 2 with role restricted to a single partition.

Perform operation that involves accessing partitions on each device. For example, a config sync operation. The config sync issue occurs because one device is trying to sync an [All] partition to a peer that has a non-All partition already configured for a user.

Impact:
The system posts User Restriction Errors and operations (such as config sync) fail.

Workaround:
Switch to local authentication on device 1 to perform operations on multiple devices on which a single user has different partition access configured. After completing the operations, switch back to remote authentication on device 1.

Fix:
User authentication completes successfully for operations on multiple devices on which a single user has different partition access configured.

---

544171 : bigd loses connection to mcpd on debug data dump

Component: Local Traffic Manager

Symptoms:
The 'bigd' connection to 'mcpd' may be lost on large configurations (more than 1 KB pool members) when a debug data dump is triggered through a manual 'kill -USR1 <bigd-pid>', possibly resulting in only a partial diagnostic data dump.

When the 'bigd' process is manually killed to trigger a diagnostic data dump, large configurations (with more than a thousand pool members) may cause the 'bigd' process to appear 'stuck' as those instances are logged, causing the process to be killed and restarted by the 'sod' daemon. In this case, it is possible that only a partial diagnostic dump is performed before the 'bigd' process is restarted.

Conditions:
-- 'bigd' is running with a large configuration (more than a thousand pool members).
-- The 'bigd' process is manually killed to trigger a diagnostic dump (such as through 'kill -USR1 <bigd-pid>').
-- The 'sod' daemon finds the 'bigd' process unresponsive (causing it to terminate and restart 'bigd').

Impact:
The 'bigd' diagnostic dump may be incomplete, as the process was terminated before all logging information is written.

Workaround:
Turn off the 'bigd' heartbeat monitoring before manually initiating a 'bigd' diagnostic dump; or run a smaller representative configuration before triggering the diagnostic dump.

Note: Make sure to turn back on the 'bigd' heartbeat monitoring afterward.

Fix:
The 'bigd' connection to 'mcpd' remains intact on large configurations (more than 1 KB pool members) when a debug data dump is triggered through a manual 'kill -USR1 <bigd-pid>', such that the diagnostic data dump is always complete.

---

543208-3 : Upgrading v11.6.0 to v12.x in a sync-failover group might cause mcpd to become unresponsive.★

Solution Article: K40670213

Component: TMOS

Symptoms:
Failover event on traffic-group-1 causes mcpd to generate messages like this:

01070711:3: Caught runtime exception, Failed to collect files (Invalid IP Address: )..
01070712:3: Caught configuration exception (0), Failed to sync files..
...
0107134b:3: (Child rsync being terminated due to timeout. Total size in Kb: 0 timeout in secs: 10 start-time: Mon Aug 24 11:35:42 2015 max-end-time: Mon Aug 24 11:35:42 2015 time now: Mon Aug 24 11:35:42 2015 ) errno(0) errstr().
01070712:3: Caught configuration exception (0), Failed to sync files..

Conditions:
-- Some systems in the trust are running a pre-12.x version of TMOS.
-- Some systems in a device group have been upgraded to 12.x.
-- A failover event occurs on traffic-group-1.
-- This appears to be most evident in APM configurations.

Impact:
mcpd on the devices running pre-12.x version may become unresponsive. Upgrade fails.

Workaround:
None.

Fix:
This release corrects an issue in which a group of devices in a trust domain could potentially cause mcpd to become unresponsive and log failure messages.

---

542347 : Denied message in audit log on first time boot

Component: TMOS

Symptoms:
After booting BIG-IP for the first time, you may see a 'denied' message for the lastlog file in /var/log/audit.log:

type=AVC msg=audit(1440786377.593:32): avc: denied { read write } for pid=5922 comm="login" name="lastlog" dev=md2 ino=18 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file.

Conditions:
This can occur on first time boot of devices that contain version 11.x software in one of the image slots.

Impact:
This error message is benign and can be ignored.

Workaround:
None needed. This is cosmetic and does not indicate an issue with the system.

Fix:
Fixed an erroneous error message in the audit log related to lastlog during manufacturing install.

---

541550 : Defining more than 10 remote-role groups can result in authentication failure

Component: TMOS

Symptoms:
Authentication fails, indicating the affected user is associated with an "unknown" role:

notice httpd[2112]: pam_bigip_authz: authenticated user bob with role 12345678 ([unknown]) in partition /bin/false

Conditions:
Define more than 10 remote-role groups and authenticate with a user having more than 10 roles.

Impact:
User cannot authenticate.

Workaround:
None.

---

539075 : Client side checks on CentOS 7 don't work.

Component: Access Policy Manager

Symptoms:
Client side checks such as antivirus, firewall, process, file, and so on, on CentOS 7 do not work. Server logs show "Access encountered error: ERR_ARG" for these clients.

Conditions:
This happens when client-side checks are configured on the BIG-IP system and CentOS 7 and Firefox client connecting to this BIG-IP shows symptoms

Impact:
Clients from CentOS 7 are not able to connect to BIG-IP APM.

Workaround:
There is no workaround at this time.

---

538014 : EVAL shown in CLI Mode even after purchasing subscription license for SWG.

Solution Article: K40533060

Component: TMOS

Symptoms:
EVAL shown in CLI Mode even after purchasing subscription license for SWG.

Conditions:
Users have a subscription license for SWG.

Impact:
The user will see EVAL in the CLI.

Workaround:
Ignore EVAL as seen in the CLI. The feature operates as expected.

Fix:
EVAL is no longer shown in CLI Mode after purchasing subscription license for SWG.

---

535340 : Confusing message in edge client logs

Component: Access Policy Manager

Symptoms:
Edge client logs contain several instances of log messages similar to the following: GetCookie, Cookie F5_ST not set.

Conditions:
Use of Edge client on Microsoft Windows in typical operations.

Impact:
Log cluttering make it difficult to troubleshoot genuine issues.

Workaround:
No workaround at this time.

Fix:
Readability of Windows Edge Client have been improved by reducing background messages about browser object cookies.

---

534996 : Allow swapping of vlan names in config for switch based platforms

Component: TMOS

Symptoms:
Reloading of config with prior vlan names swapped, was not allowed by bcm56xxd and resulted in an error message being logged.

Conditions:
Reload a config file where the names of existing vlans are being swapped.

Impact:
Swapping of preexisting vlan names were not handled correctly on switch based platforms.

Workaround:
Modify the tag for one of the pair of configured vlans, whose names are being swapped, to a different tag and save the config. Modify the config with just the names swapped and original vlan tags and reload the config.

Fix:
Allow the switch daemon to handle the swapping of vlan names for a pair of configured vlans.

---

534008 : [Portal Access] Server-side URL parser does not recognize URLs with HTML entities in scheme part

Component: Access Policy Manager

Symptoms:
Not rewritten URLs in HTML.

Conditions:
HTML with URLs which contains HTML entities in scheme part

Impact:
Web-application misfunction.

Workaround:
There is no workaround at this time.

Fix:
The APM Portal Access Rewrite URL parser has been improved to handle conditions where HTML entities are present in the scheme part of a URL.

---

532904 : Some HTTP commands fail validation when it is in a proc and the proc is called from another proc

Solution Article: K24219334

Component: Local Traffic Manager

Symptoms:
The following HTTP commands fail validation:

HTTP::uri
HTTP:version
HTTP::header
HTTP::method

Validation fails with the following error:
HTTP::uri command in a proc in rule (<the rule>) under event at virtual-server (<the virtual>) does not satisfy cmd/event/profile requirement.

Conditions:
Command is in a proc and the proc is called from another proc.

Impact:
Config load fails.

Workaround:
Directly call the proc from an iRule, instead of from the proc.

Fix:
The HTTP::uri, HTTP:version, HTTP::header, HTTP::method HTTP commands now pass validation when they are in a proc and the proc is called from another proc.

---

530927 : Adding interfaces to trunk fails if trunk and interfaces are forced to lower speed

Solution Article: K01481294

Component: TMOS

Symptoms:
If a trunk is created from interfaces that have lower than max speed (e.g., 100full-duplex on 1GbE links) adding a new interface fails.
When this occurs, the system posts an error similar to the following:
01070619:3: Interface 1.4 media type is incompatible with other trunk members.

Conditions:
Interfaces use a lower speed then their capacity.
Trunk is created where the highest speed of any of the members is this reduced speed.
Interface, also lowered, is added to the trunk.

Impact:
Interface cannot be added to the trunk.

Workaround:
Remove all interfaces, readd them all at the same time.

Fix:
The BIG-IP system now correctly adds interfaces to a trunk formed from interfaces running at a lowered speed.

---

530530 : tmsh sys log filter is displays in UTC time

Solution Article: K07298903

Component: TMOS

Symptoms:
When using the time-based log filters hour, minute, and second, tmsh returns results based on UTC time.

Conditions:
Use range filter for 'tmsh show sys log' in either of the following ways:

Filter logs by hour.
Filter logs for less than 8 hours.

Impact:
tmsh does not filter the log correctly with 'range' filter.

Workaround:
Calculate the difference between the local BIG-IP system time and UTC, or change the system time to UTC.

---

530300 : Added SSL certificate expiration date as an OID into F5 MIBs

Component: TMOS

Symptoms:
SSL certificate expiration date is not viewable in viewable as an SNMP OID.

Conditions:
Attempt to view an SSL certificate expiration date in SNMP information.

Impact:
The impact is that SSL certificate expiration date is not viewable in viewable as an SNMP OID.

Workaround:
No workaround.

Fix:
SSL Certificate Expiration Date is now viewable as an SNMP OID. These are viewable under the sysCertificateFileObject as either a text format at sysCertificateFileObjectExpirationString in textual form such as "Aug 13 21:21:29 2031 GMT" or as the internal date format at sysCertificateFileObjectExpirationDate in unix time form such as "1944422489".

Behavior Change:
This release adds an SSL certificate expiration date as an OID into F5 MIBs. SSL Certificate Expiration Date is now viewable as an SNMP OID. These are viewable under the sysCertificateFileObject as either a text format at sysCertificateFileObjectExpirationString in textual form such as "Aug 13 21:21:29 2031 GMT" or as the internal date format at sysCertificateFileObjectExpirationDate in unix time form such as "1944422489".

---

528984-1 : Support limited to 1000 BIG-IP system users.

Component: TMOS

Symptoms:
Attempting to load sys config default fails with an error similar to the following error:

010719a2:3: PostgreSQL database error: ERROR: out of shared memory
...
PL/pgSQL function rbac_drop_user(name) line 3 at EXECUTE statement

Unexpected Error: Loading configuration process failed.

Conditions:
Configuring more than 1000 BIG-IP system users.

Impact:
Cannot log in. In this version of BIG-IP, no more than 1000 BIG-IP system users are supported. This limit is applied to the sum of all local BIG-IP system users and any remote BIG-IP system users who will log in to the system.

Workaround:
None.

Fix:
Support is no longer limited to 1000 BIG-IP system users.

---

527720 : Rare 'No LopCmd reply match found' error in getLopReg

Component: TMOS

Symptoms:
An error message similar to the following might be logged at rare intervals while the BIG-IP system is operating normally:
warning chmand[7018]: 012a0004:4: getLopReg exception: No LopCmd reply match found for action=0x1 obj_id=0x67 subobj=0x0 slot=0xff.

This message might be followed by a log message similar to one of the following:
err chmand[7018]: 012a0003:3: GET_MEDIA failure (status=0xffffffff) page=0x%1 reg=0x0.
err chmand[32142]: 012a0003:3: GET_STAT failure (status=0xffffffff) page=0x%20 reg=0x50.

This message might be followed by a log message similar to the following:
warning chmand[5847]: 012a0004:4: getLopReg: lop data size does not match, u16DataLen=0x5 expected=0x7.

Conditions:
This problem might occur rarely on the BIG-IP 2000-/4000-series, 5000-/7000-series, and 10000-/12000-series appliances, and on VIPRION 2100, 2150, and 2250 blades.

Impact:
This problem might occur if the response to a request to read the status of the hardware registers for the management interface is delayed beyond the normally-expected timeout value. When this problem occurs, status of the management interface might be reported incorrectly, which might cause the management interface to flap momentarily. In this scenario, subsequent requests typically complete successfully, at which point status of the management interface is again reported normally, and expected functionality restored.

Workaround:
None.

---

523814 : When iRule or Web-Acceleration profile demotes HTTP request from HTTP/1.1 to HTTP/1.0, OneConnect may not pool serverside connections

Component: Local Traffic Manager

Symptoms:
An HTTP virtual server with OneConnect and RAM Cache will not consistently keep server-side connections alive and idle (for reuse), depending on the HTTP version that the client uses.

Clients that use HTTP/1.1 will result in fewer serverside connections being reused.

Conditions:
HTTP virtual server with HTTP cache enabled (in RAM cache mode, not AAM mode) and OneConnect profile.

Alternately, an iRule that down-steps the HTTP request version to HTTP/1.0

Impact:
Increased server utilization and number of ports in use / timewait / finwait as a result of OneConnect and RAM Cache closing serverside connections more frequently than expected.

Inconsistent behavior as a result of client HTTP version.

Workaround:
An iRule can work around this issue by inserting a Connection: Keep-Alive header.

---

523797 : Upgrade: file path failure for process name attribute in snmp.★

Component: TMOS

Symptoms:
The upgrade operation might fail to update the file path name for snmp.process_name, causing a validation error.

Conditions:
Upgrade from 10.x. to 11.5.1 or later.

Impact:
The upgrade operation does not remove the parent path name from process-monitors, which might cause a validation error.

Workaround:
Edit the process name path in /config/BIG-IP_sys.conf to reflect the location. For more information, see K13540: The BIG-IP system may return inaccurate results for the prTable SNMP object at https://support.f5.com/csp/article/K13540.

---

523126 : Change in route domain in NAT configuration does not take effect until restart

Solution Article: K40362020

Component: Local Traffic Manager

Symptoms:
When the route domain of the originating address of a NAT configuration is changed without the address itself being changed, the change does not take effect. Viewing the configuration through tmsh and the GUI indicates that the change has worked, when it is not yet in use.

Conditions:
This occurs when editing an existing NAT configuration and changing the route domain without changing the address.

Impact:
The intended NAT change is not in effect.

Workaround:
In order to make the change take effect, delete and recreate the NAT or restart tmm.

---

522304 : Some password policy changes are not reflected in /etc/shadow when synced in a CMI device group

Component: TMOS

Symptoms:
Some password policy settings (maximum and minimum durations, expiration warning) are reflected in /etc/shadow when a user's password is changed. In a CMI device group, changes to password policy are correctly synced, but the settings reflected in /etc/shadow are not.

Conditions:
CMI device group configured; maximum or minimum duration, or expiration warning, settings of password policy are used; user password is changed.

Impact:
Password policy may not be enforced consistently across all devices.

Workaround:
None.

---

520877 : Alerts sent by the lcdwarn utility are not shown in tmsh

Component: TMOS

Symptoms:
Beginning in BIG-IP version 12.1.0, the 'tmsh show sys alert lcd' command displays the list of alerts sent to the LCD front panel display.

The command-line utility lcdwarn can be used to send alert messages to the LCD front panel display.

Alert messages sent to the LCD front panel display by the lcdwarn utility are not included in the list of alerts shown by the 'tmsh show sys alert lcd' command.

Conditions:
This occurs when using the lcdwarn utility to send alert messages to the LCD front panel display. Such messages are typically sent for testing purposes.

This problem occurs on affected BIG-IP software versions running on all BIG-IP and VIPRION hardware platforms.

Impact:
The 'tmsh show sys alert lcd' command may not include all alert messages sent to the LCD front panel display. Messages sent by the lcdwarn utility are not shown.

Workaround:
None. This is a cosmetic issue.

---

519612 : JavaScript challenge fails when coming within iframe with different domain than main page

Component: Advanced Firewall Manager

Symptoms:
The JavaScript Challenge fails when coming within an iframe that is on a different domain than the main page.

Conditions:
1. The web application uses an iframe coming from a different domain than the main page, AND
2. Any of the following options are enabled on an ASM Policy or Application DoS Profile attached to the Virtual Server which is handling the iframe:
  a. DoS Client-Side Integrity Defense Mitigation (affecting only during attack mitigation)
  b. DoS CAPTCHA Mitigation (affecting only during attack mitigation)
  c. Device-ID (fingerprint)
  d. Web Scraping Bot Detection Challenge
  e. Proactive Bot Defense (with/without "Block Suspicious Browsers")

Impact:
On the browser, the iframe will fail to load, leaving a white box, or the following message:
"Please enable browser cookies to view the page content."
There may be error messages in the browser's console.

Workaround:
It is possible to workaround the problem using Proactive Bot Defense (DoS Profile) and iRules.
This works even if the problem is in Web Scraping and DoS profile was not previously used.

The following steps must be done for the Virtual Server handling the iframe, as well as the one handling the main page.

1. Attach a DoS profile to the Virtual Server (if not already attached).
2. Disable TPS-based detection (unless already enabled, or it is desired).
3. Enable Proactive Bot Defense on the DoS profile (if not already enabled).
   a. Disable "Block Suspicious Browsers" (unless already enabled, or it is desired).
   b. Configure Cross-Domain Requests to "Allow configured domains; validate upon request".
   c. Add the domain of the main page to the Related Site Domains.
4. Attach the following iRule to the virtual server:
ltm rule rule_fix_cross_domain_challenges {
    when HTTP_REQUEST {
        set refdom ""
        regexp -nocase {^https?://([^/]*).*$} [HTTP::header referer] -> refdom
        log local0. "uri [HTTP::uri] host [HTTP::host] referer [HTTP::header referer] refdom $refdom"
        if { $refdom ne "" && $refdom ne [HTTP::host] } {
            BOTDEFENSE::cs_allowed false
        }
    }
}
NOTES:
1. The challenges must run on the main page. The following rule block could be used to force the challenges to run on a specified URL or URLs.
    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/" } {
            BOTDEFENSE::cs_allowed true
        }
    }
2. If additional URLs are getting blocked or challenged as a result of Proactive Bot Defense and it is unwanted, it is possible to control them in the iRule by checking for URLs and using the "BOTDEFENSE::action allow" command.

Fix:
JavaScript challenges no longer fail when coming within an iframe on a different domain than the main page.

---

517756 : Existing connections can choose incorrect route when crossing non-strict route-domains

Component: Local Traffic Manager

Symptoms:
After modifying the BIG-IP system's routing table, traffic for some existing connections might be interrupted because an incorrect route starts being used.

Conditions:
After a routing table modification, routes might be reselected for a portion of connections through the BIG-IP system. When a connection crosses non-strict route-domains, the routing table from a route-domain that is different from the route-domain used during connection start-up may be used.

Impact:
This might lead to traffic following a different path to the destination and traffic interruption. New connections will work properly, this only affects existing connections.

Workaround:
None.

Fix:
Existing connections now choose the correct route when crossing non-strict route-domains.

---

517347 : DNS::return iRule can lead to infinite packet processing loop

Component: Local Traffic Manager

Symptoms:
An improperly coded iRule can lead to an infinite loop. This generally occurs when the DNS::return command is used in the DNS_RESPONSE event.

The simplest example is:

when DNS_RESPONSE {
   DNS::return
}

Every time a request is finished, this event will push the request back into the DNS filter to be processed again, endlessly.

Conditions:
DNS::return command in a DNS_RESPONSE event with no path to skip the DNS::return command.

Impact:
If enough requests trigger this path, system resources will eventually be fully consumed processing

Workaround:
If DNS::request is being used in a DNS_RESPONSE event, be very certain that it is being properly used.

Fix:
A TCL error is now thrown if a loop is detected, if this re-process path is triggered 10 times. The error takes the form:

01220001:3: TCL error: /Common/irule_infinite_loop <DNS_RESPONSE> - DNS::return loop detected. invoked from within "DNS::return"

---

516307 : Multiple Relay in DHCP relay is not working.

Component: Local Traffic Manager

Symptoms:
If the BIG-IP is behind another DHCP relay, then the packets are not sent to the server, instead they are dropped.

Conditions:
This occurs when a DHCP virtual server is configured with a profile based on dhcpv4_fwd.

Impact:
This used to work on 11.4.x so if you are running on version 11.4.x and upgrade to 11.6.x, the virtual server may not function correctly.

Workaround:
To work around this, do the following:
1. Configure a unicast IP address for the BIG-IP DHCPv4 listener destination address field.
2. Configure the same IP address as the DHCP server IP address on DHCP relay agent.

This way the BIG-IP system can load balance DHCP load on to a pool of DHCP servers.

Fix:
Multiple Relay in DHCP relay is now working.

---

516167 : TMSH listing with wildcards prevents the child object from being displayed

Solution Article: K21382264

Component: TMOS

Symptoms:
The tmsh list command is attempted with an identifier that specifies use of wildcard match character (*) , the results returned may not print the nested objects contained within the parent object.

For example, the list ltm pool* command will print all pools that begin with the word pool, but will fail to list the profiles that are within the pool.

Conditions:
tmsh list with a wildcard character specified for parent object.

Impact:
Missing details of nested objects when tmsh list is invoked with wildcard character (*) specified in the object identifier

Workaround:
None.

Fix:
The tmsh list with a wildcard character specified in the object identifier result contains all the nested objects.

For the example specified, the results would now be as follows:

(tmos)# list ltm pool pool*
ltm pool pool-http-1 {
    members {
        10.1.3.1:http {
            address 10.1.3.1
            inherit-profile disabled
            profiles {
                nvgre { }
            }
        }
    }
}

The missing profile objects are now listed correctly, as expected.

---

514871-1 : Unnecessary ssh key pair exist for root user in AWS and Azure.

Component: TMOS

Symptoms:
Unnecessary ssh key pair exist for root user in AWS and Azure.
 - root account is by default disabled in VE cloud platforms like AWS and Azure. However, an ssh public-private keypair is created by BIG-IP startup for root user that lives under /root/.ssh/ directory.

Conditions:
BIG-IP VE deployment in cloud platforms like AWS and Azure.

Impact:
Mostly cosmetic impact as root ssh keypair is unused and unnecessary on BIG-IP VE cloud platforms as root account is by default disabled and only way to access the deployed instance is through the admin account.

Workaround:
You can manually delete /var/ssh/root/identity* files to remove unnecessary ssh keypair for the root account created as part of BIG-IP VE startup.

Fix:
Not applicable.

---

513968 : CGNAT hairpin connections using multiple route-domains are not supported

Component: Carrier-Grade NAT

Symptoms:
When subscribers are in a different route-domain from the route-domain used for the prefix in the LSN pool, hairpin connections cannot be established.

Conditions:
The route-domain used on the Virtual Server is different from the route-domain used on the prefix in the LSN pool.

Impact:
Subscribers cannot make connections to each other using public (translated) addresses.

Workaround:
The routes can be configured so the hairpinning takes place on an external router.

---

511664 : The fipskey.nethsm utility does not support or enforce RFC 3280 with regards to field length Upper/Lower Bounds.

Component: Local Traffic Manager

Symptoms:
The fipskey.nethsm utility does not support or enforce RFC 3280 with regards to field length Upper Bounds.

Conditions:
This occurs when user uses fipskey.nethsm utility to create the X509 certificate with the paramerers country,
province, locality, org,orgunit, dnscommon, email whose length exceeds than the RFC specified upper bound limit.

Impact:
Noncompliance to the RFC.

Workaround:
Limit the various field input length to be less than RFC upper bound

---

510395-4 : Disabling some events while in the event, then running some commands can cause tmm to core.

Solution Article: K17485

Component: Local Traffic Manager

Symptoms:
If an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed, TMM can core.

Conditions:
An event is disabled from inside the event, and then a parking command is issued.
Example:
when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
   }
   after 100
   log local0. "foo"
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable events as the last command before exiting the event. For example:

when HTTP_REQUEST {
   if { $a == $b } {
       event disable HTTP_REQUEST
       return
    }

}

Fix:
TMM can cores if an event is disabled inside the event itself, and then a Tcl command that executes asynchronously is executed.

---

508113 : tmsh load sys config base merge file <filename> fails

Component: TMOS

Symptoms:
Save sys config file.

(tmos)# save sys config file demo.scf no-passphrase
Saving running configuration...
  /var/local/scf/demo.scf
  /var/local/scf/demo.scf.tar

Try to load the base configuration within this file.

(tmos)# load sys config base merge file demo.scf
Loading configuration...
  /var/local/scf/demo.scf
Syntax Error:(/var/local/scf/demo.scf at line: 6) "apm" unexpected argument

The error is from a system configuration, not user created.

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}

Basically the configuration fails to load all components for unprovisioned modules and features.

Conditions:
Running the command: load sys config base merge file <filename> when the system contains unprovisioned modules and features.

Impact:
tmsh load sys config base merge file <filename> fails.

Workaround:
None.

Fix:
The provisioning checks were modified to let this command succeed.

---

507206 : Multicast Out stats always zero for management interface.

Component: TMOS

Symptoms:
Multicast Out stats are always zero for the management interface.

Conditions:
Statistics information on the management interface.

Impact:
The Multicast Out stats can help determine whether multicast network failover is working (from looking at a qkview). The missing stat might also delay or confuse other troubleshooting activities unrelated to network failover.

Workaround:
Run the following command: clsh 'ethtool -S eth0 | grep tx_mcast_packets'.

---

507140 : Sod daemon stalls while writing to syslog, and is halted repeatedly on startup.

Solution Article: K63390807

Component: TMOS

Symptoms:
Sod daemon stalls while writing to syslog, and is halted repeatedly on startup.

Conditions:
DNS failure while multiple syslog connections are being established.

Impact:
Sod daemon does not start successfully.

Workaround:
There are two workarounds: -- Remove duplicate remote servers in syslog configuration. -- Add 120 seconds delay in sod startup script.

Fix:
Sod daemon now gets restarted periodically when duplicate remote servers are configured in syslog.

---

500684 : Use of cookie hash persist, local cache entry may not removed upon connection close.

Solution Article: K62862317

Component: Local Traffic Manager

Symptoms:
Orphaned persistence record.

Conditions:
Cookie hash persistence is configured.
No persistence record exists.
The connection is assigned to a tmm thread that doesn't own the record.

Impact:
Possible persistence records discrepancy between tmm threads.

Workaround:
NA

Fix:
Dereferenced local cache entry is now always removed on connection close.

---

498524 : [Portal Access] Server-side URL parser interprets &# in URL as HTML entity in any case

Component: Access Policy Manager

Symptoms:
URL may contain a character sequence, &# (ampersand, pound) that is not a part of HTML entity, for instance:

http://example.com/some/path?query&#fragment

In this example, &# is not a beginning of a valid HTML entity and should be left untouched at rewriting.

Conditions:
URL containing a &# character sequence that is not a part of HTML entity.

Impact:
URL with &# inside may not be rewritten.

Workaround:
Use an iRule with two steps:
- Modifies the original URL to let it be rewritten.
- Modifies the rewritten URL to revert changes made by 1st step, as shown in the following example:

  a) Original URL:
     http://example.com/path?aa=bb&#fragment.
  b) URL after 1st step of iRule:
     http://example.com/path?aa=bb&@F5_@#fragment.
  c) Rewritten URL before 2nd step of iRule:
     https://bigip.system.name.com/f5-w-687474703a2f2f6578616d706c652e636f6d$$/path?aa=bb&F5CH=I@F5_@#fragment.
  d) URI corrected by 2nd step of iRule:
     https://bigip.system.name.com/f5-w-687474703a2f2f6578616d706c652e636f6d$$/path?aa=bb&F5CH=I#fragment.

In other words, the second step removes insertions made by the first step.

Fix:
Now, a URL containing &# character sequences are rewritten correctly, even if the &# fragment does not belong to a valid HTML entity.

---

497559 : Chrome developer console shows error with iRules LX Workspace Editor

Component: Local Traffic Manager

Symptoms:
While using the iRules LX Workspace editor, it's possible to see an error if the developer console or other JavaScript console is being used. The error takes the form of: Refused to load the image 'data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==' because it violates the following Content Security Policy directive: "default-src 'self' 'unsafe-inline' 'unsafe-eval'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

Conditions:
Opening files in the iRules LX Workspace editor

Impact:
There is no impact. The image trying to be loaded isn't necessary.

Workaround:
The workaround is to upgrade to TMOS v13 or later or upgrade the Chrome version being used.

Fix:
Prevent browser console error when using iRules LX Workspace Editor

---

480209 : Stats and Logging for ADAPT dynamic contexts, and IVS Transaction Logging

Component: Service Provider

Symptoms:
The stats for request-adapt and response-adapt profile aggregate all dynamic contexts into a single row, which can hinder debug or analysis of the use of dynamic adaptation contexts. The interface between the parent virtual server with those profiles, and the internal virtual server, cannot be packet-captured, which can increase the difficulty with debugging.

Conditions:
Adaption profile request-adapt or response-adapt, and an internal virtual server.

Impact:
Difficult to debug and analyze dynamic context behavior.
Difficult to diagnose IVS related issues due to lack of visibility of the internal non-TCP interface.

Workaround:
None.

Fix:
Statistics for request-adapt and response-adapt profiles now use separate rows for dynamic contexts, allowing greater visibility into usage of each dynamic context by name.

Log messages for request-adapt and response-adapt provide key flow information. Additional messages provide information regarding dynamic contexts.

Log messages for an internal virtual server provide transaction information to increase visibility on the software interface between the ADAPT filter and an internal virtual server.

Behavior Change:
Statistics for request-adapt and response-adapt profiles use separate rows for dynamic contexts by name (previously they were all aggregated into the single stats row for the profile).

Log messages for request-adapt and response-adapt provide key flow information, and additional messages provide more information regarding dynamic contexts. The log level is set by the existing DB variable log.adapt.level.

More log messages for an internal virtual server provide transaction information to increase visibility on the internal IVS interface between the ADAPT filter and an IVS. The log level is set by the existing DB variable log.ivs.level.

---

479537 : Force to Standby does not work with HA Groups configured.

Component: TMOS

Symptoms:
Using Force to Standby does not work if HA Groups are configured. In older releases, the operation is allowed, but has no effect, or is unreliable. In newer releases, the operation is disallowed.

Conditions:
Configure HA Group scoring for a traffic-group.

Impact:
Administrator must make configuration changes (disable HA Groups) in order to force a particular device to become Active.

Workaround:
Workaround is to disable the HA Group on the Active device, perform the failover, and then re-enable the HA Group. For more information, see K14515: The Force to Standby feature should not be used when the HA group feature is enabled, available at https://support.f5.com/csp/article/K14515.

Fix:
Force to Standby is allowed for traffic-groups configured with HA Group scoring.

Behavior Change:
Previously, traffic-group Force to Standby was disallowed if HA Groups are configured, it is now allowed.

---

479471 : CPU statistics reported by the tmstat command may spike or go negative

Solution Article: K00342205

Component: TMOS

Symptoms:
On bladed systems, the results from the 'tmstat' and 'tmstat cpu' commands may spike high or go negative due to a issue with how per-blade statistics are collected.

Conditions:
Error in the timing of statistics collection such that display is incorrect.

Impact:
Incorrect display of CPU statistics.

Workaround:
There is no workaround.

Fix:
The CPU statistics display has been fixed.

---

474901 : Profiles with a large number of regexps can cause excessive memory usage.

Component: Local Traffic Manager

Symptoms:
tmm crashes on out of memory.

Conditions:
This can occur if you are using a lot of profiles that rely on regular expressions, such as compression or deflate.

Impact:
Traffic disrupted while tmm restarts.

---

473755 : It's possible to exhaust monpd's Thrift server connections by simply not closing the connection on the client side

Component: Application Visibility and Reporting

Symptoms:
It's possible to open a connection to monpd's Thrift server and if the client does not actively close it, the connection will persist indefinitely (even if it's idle). As a result of this issue, you might experience the following symptoms: -- Cannot access event logs or reports.
-- Cannot run tmsh analytics commands.

Conditions:
Client system opens a connection to monpd's Thrift server (port 9090 or 9091), and does not close it.

Impact:
If the number of allowed connections to monpd's Thrift server is reached, monpd will not receive new connections. Since the idle connections can persist indefinitely this will deny service from monpd.

Workaround:
No workaround (except for manually killing open idle connections).

Fix:
Idle connections are closed after one minute.

---

472581 : Cannot use 'default' as the FIPS security officer password.

Component: TMOS

Symptoms:
Trying to use 'default' as the FIPS security officer password results in an invalid encryption error from the fips-util.

Conditions:
Trying to use 'default' as the FIPS security officer password.

Impact:
You cannot use the word 'default' as the security officer password. Although this is expected behavior, the error message posted does not provide a relevant explanation. The system posts errors similar to the following: -- Invalid encrypted password. -- Failed to set security officer's password: 1073742342. -- Failed to create security domain. -- INITIALIZATION FAILED! -- The FIPS device is NOT operational. In version 11.1.0 and earlier, the error was similar to the following: -- Creating crypto user and crypto officer identities. -- password should not be default. -- Failed to set security officer's password.

Workaround:
Use a password other than the word 'default'.

Fix:
Disallow 'default' to be used as the Security Officer password.

---

462524 : HTTP compression browser workarounds incorrectly match modern browsers.

Solution Article: K16131

Component: Local Traffic Manager

Symptoms:
When a User-Agent identifies a browser which has known compression limitations, the 'browser workarounds' disable compression. Browsers requiring these workarounds include:

- Microsoft Internet Explorer 6.0
- Netscape Navigator 4.1
- Netscape Navigator 5.0

Unfortunately, the functionality will falsely identify many modern browsers as needing compression workarounds, disabling compression.

Conditions:
Enable HTTP compression browser workarounds.

Impact:
HTTP compression will not compress responses for modern browsers.

Workaround:
Disable browser workarounds. If legacy clients require compression workarounds, use an iRule that selectively disables compression depending on the User-Agent.

Behavior Change:
Starting Evergreen release we will be deprecating the browser-workarounds option in HTTP compression profile. All related code handling the option in the deflate filter is being removed. The option will no longer be seen in GUI, and will show up as deprecated in tmsh and SNMP.

---

462507 : CGNAT PBA mode when setting block lifetime timeouts, may not be able to terminate SIP-ALG media flows

Component: Carrier-Grade NAT

Symptoms:
If CGNAT Port block allocation (PBA) is configured for block lifetimes, when the lifetime expires, the system terminates any flows still associated with that port block. However, SIP media flows cannot be terminated, so the block cannot be released until the media flows terminate.

Conditions:
This occurs when the following conditions are met:
-- Using CGNAT PBA mode.
-- block lifetime set.
-- Using SIP-ALG.
-- Media flows outlive block lifetime.

Impact:
Blocks cannot be released as expected until media flows terminate.

Workaround:
None.

---

462043 : DB variable 'qinq.cos' does not work in all cases on 5000 and C2400 platforms

Component: Local Traffic Manager

Symptoms:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner'; a packets inner priority bits do not determine the CoS mapping when the incoming packet is customer-tagged and the outgoing interface is service-tagged.

Conditions:
On 5000 and C2400 platforms.

Impact:
Incorrect egress CoS queue mapping. In this case, all packets are mapped to CoS queue 0.

Workaround:
None.

Fix:
On the 5000 and C2400 platforms, when the DB variable 'qinq.cos' is set to 'inner', the packets are now handled as expected.

---

456376 : BigIP does not support IPv4-mapped-IPv6 notation in the configuration with prefix length greater than 32

Component: Advanced Firewall Manager

Symptoms:
BigIP does not allow IPv4-mapped-IPv6 notation (with prefix length greater than 32) in tmsh or GUI.

Conditions:
Usage of IPv4-mapped-IPv6 addresses.

Impact:
This issue prevents you from specifying an IPv4-mapped-IPv6 blocked to be configured in AFM firewall rule (and possibly other AFM configurations as well)

Workaround:
A partial workaround exists for customers wishing to drop the v4-mapped-v6 block. While it is not possible to do so in an AFM rule by specifying :ffff:0.0.0.0/96 there is DoS db variable to do so - dos.dropv4mapped

---

452482-9 : HTTP virtual servers with cookie persistence might reset incoming connections

Solution Article: K16014

Component: Local Traffic Manager

Symptoms:
Incoming TCP connection to HTTP virtual server receives RST during 3-way handshake

Conditions:
Incoming connection matches existing cookie persistence record and would be persisted to a pool member whose connection limit has been reached.

Impact:
TCP connection fails.

Fix:
Cookie persistence records are ignored when the connection limit of the persisted pool member has been reached. This results in incoming connections to be offloaded to another pool member (if available).

---

452321 : APM does not support more than one traffic group with different HA order

Component: Access Policy Manager

Symptoms:
APM does not support more than one traffic group with different HA order. Here is an example configuration:

cm traffic-group /Common/traffic-group-1 {
    ha-order {
        /Common/RM-F5-SKY.IT-01.sky.local
    }
    unit-id 1
}
cm traffic-group /Common/traffic-group-2 {
    ha-order {
        /Common/RM-F5-SKY.IT-02.sky.local
    }
    unit-id 2
}

This configuration causes the creation of an Active/Active HA pair and APM does not support this configuration. APM supports Active/Standby HA pair only.

Conditions:
Configure two or more traffic groups with different HA order.

Impact:
APM does not support this configuration.

Fix:
BIG-IP no longer allows an invalid configuration where APM services exist in more than one traffic group simultaneously

---

449427 : BIG-IP as IdP does not support Attribute Name Format Identifiers

Component: Access Policy Manager

Symptoms:
BIG-IP as identity provider (IdP) does not support "Attribute Name Format Identifiers". It always uses "Unspecified" format for each attribute as part of the created SAML assertion.

Conditions:
BIG-IP is used as IdP

Impact:
Attribute Name Format Identifiers is reported as "Unspecified" format for each attribute as part of the created SAML assertion.

Workaround:
None.

Fix:
APM as IdP SAML support has been improved to allow GUI changes to configure Name Format for assertion attributes on SAML IdP page:
     - Allow enum selection of name format with default value 'unspecified'
     - Allow editing of name format for all attributes.

---

448409 : 'load sys config verify' commands cause loss of sync configuration and initiates a provisioning cycle

Component: TMOS

Symptoms:
The commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' causes loss of sync configuration and initiates a provisioning cycle. The 'verify' option on the 'load sys config' command is designed to ensure that a configuration (either from a file or pasted to the terminal) is valid, but not have it take effect.

Conditions:
This affects the ConfigSync communication channel if configured.

Impact:
The ConfigSync connection, including the connections to other devices, might be lost. In addition, provisioning might be impacted.

Workaround:
You can avoid this issue by using the 'load sys config from-terminal verify' and 'load sys config file <filename> verify' commands 'merge' option, which keeps the current configuration during the validation step. Once affected by this issue, the workaround is to re-load the full configuration using the following command: tmsh load sys config partitions all.

Fix:
Previously, the commands 'load sys config from-terminal verify' and 'load sys config file <filename> verify' did some operations related to sync and provisioning, though they are supposed to check only the validity of the configuration (without changing it). This has been resolved.

---

447417 : GUI Node Address List does not display by hostname.

Component: TMOS

Symptoms:
The GUI does not display hostname in node list despite having a host entry in /etc/hosts and the 'Display Host Names When Possible' setting enabled in system

Conditions:
Having a host entry in /etc/hosts, and the 'Display Host Names When Possible' setting enabled in system.

Impact:
It is not possible to find a node by name.

Workaround:
Use the Pool member list to find a note by hostname.

---

445501 : Only one delegation account supported for Kerberos SSO for a same domain

Component: Access Policy Manager

Symptoms:
There is no way to configure more than one delegation account to be used in Kerberos SSO for the same realm.
Single sign-on fails in case there is more than one delegation account for a same realm.

Conditions:
There is a need to configure two or more delegation accounts for Kerberos SSO to provide single-sign-on to resources in the same domain

Impact:
Impossible to separate SSO objects to different resources by defining separate delegation accounts.

Workaround:
Use the same delegation account for all the resources across one particular domain.

Fix:
It is now possible to use multiple kerberos S4U constrained delegation accounts for the same realm by configuring separate kerberos SSO objects and switching between them using iRules, Portal Access ACLs, multidomain mode SSO, or a Per-Request Access Policy switch.

---

439594 : Order of members in AAA server pools now show in reverse order of Priority Group

Component: Access Policy Manager

Symptoms:
Members of AAA server pools are listed in increasing order of priority group. This shows the node most likely to be serving current requests at the bottom of the list.

Conditions:
Viewing pool members in the list.

Impact:
Potential confusion when viewing of pool members, potentially counter-intuitive.

Workaround:
None.

Fix:
Now, the nodes of a AAA pool are shown in decreasing order of priority group, which places the node currently serving requests at the top of the list.

Behavior Change:
Order of members in AAA server pools now show in reverse order of Priority Group.

---

438574 : Web UI: iSession Profile properties page displays incorrect parent profile name.

Component: TMOS

Symptoms:
Local Traffic :: Profiles :: iSession Profile properties page displays incorrect parent profile name.

Conditions:
-- Viewing parent profile for an iSession profile.
-- 'iSession' is set as parent profile .
-- Another profile exists with name beginning from 'a' to 'h'.

Impact:
Incorrect information is displayed on the GUI even though the database has the correct information.

Workaround:
View the properties of iSession profile from tmsh.

Fix:
In the iSession properties page, GUI now sets the 'iSession' profile in Parent Profile dropdown list when 'iSession' is the parent profile. This matches the behavior of profiles other than 'iSession'.

---

438572-1 : Support Email-Based Account Discovery through BIG-IP APM

Component: Access Policy Manager

Symptoms:
Citrix Email-Based Account discovery does not work when BIG-IP APM is used to proxy Citrix VDI.

Conditions:
BIG-IP APM is configured in StoreFront integration mode.

Impact:
Email-Based Account discovery does not work

Workaround:
No workaround at this time.

Fix:
Now APM supports Email discovery for Citrix Receiver when configured as StoreFront proxy.

---

435458 : The HTTP Explicit Proxy and the SOCKS Proxy do not support AAAA address lookups

Solution Article: K47553552

Component: Local Traffic Manager

Symptoms:
The HTTP Explicit Proxy and the SOCKS Proxy do not support IPv6 AAAA DNS lookups. They ar limited to IPv4 DNS records.

This will prevent IPv6-only addresses from being resolved.

Conditions:
The destination URI resolves to an IPv6-only address.

Impact:
The destination will be unreachable.

Workaround:
None.

Fix:
The HTTP Explicit Proxy and the SOCKS proxy are now IPv6 address aware. The default is to attempt to resolve the IPv4 A record first, before trying the AAAA record.

Behavior Change:
The HTTP Explicit Proxy and the SOCKS proxy are now IPv6 address aware. The default is to attempt to resolve the IPv4 A record first, before trying the AAAA record.

---

435419-1 : Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Solution Article: K10402225

Component: Access Policy Manager

Symptoms:
Install of partial EPSEC file causes mcpd to crash, followed by multiple cores.

Conditions:
-- Attempt to upload a current EPSEC file.
-- Upload stalls and appears hung.
-- Close the web browser used for uploading epsec.
-- Attempt to install the partially uploaded file.

Impact:
mcpd crashes, followed by multiple cores.

Workaround:
Upload the EPSEC file completely, and try the installation again.

Fix:
BIG-IP now correctly handles incomplete or failed uploads of EPSEC software updates via the web admin GUI.

---

429013-3 : Log file permissions lock down

Component: TMOS

Symptoms:
Log file permissions for one specific log file were incorrectly set. This has been fixed to address an issue with CCE-26812-8, CCE-26821-9 and CCE-27190-8 syslog-ng configuration/permissions.

Conditions:
Since only Administrators can have advanced shell access, they are on the only ones who could be able to see the log files. This just sets the file permissions the same as the rest.

Impact:
Very little impact.

Workaround:
none

Fix:
/var/log/catalina.out permissions changed to be more secure.

---

427028 : Support Citrix or VMware view resources launch client selection prompt

Component: Access Policy Manager

Symptoms:
Automatic client detection does not work for Citrix receiver or VMware Horizon View client if it is already installed.

Conditions:
Citrix or View resource is launched from APM webtop and automatic client does not work.

Impact:
End user is shown a Citrix prompt even though Citrix receiver is already installed.

Workaround:
None.

Fix:
Citrix or VMware Horizon View resources published on APM Webtop can be launched either using their native clients or HTML5 client.

Automatic client detection does not work in recent browsers. Due to that, whenever a resource could be launched using either of the two (Native client or HTML5), a prompt is shown to the APM end user to select the appropriate client for resource launch. The preference is saved, so the system uses it for subsequent resource launch. If the APM end user wants to see the current settings and to change their preference, they can use 'VDI Settings' menu item shown in the webtop toolbar.

There is admin preferred settings can be used from access policy of VPE agent. Possible values are "native", "html5" or "". Default value of this variable is empty string (""). It is shown as 'Prompt User' in VMware View Policy VPE agent.

New Behavior for Citrix:
  Name of Admin preferred VPE session variable is 'session.citrix.preferred_client'. If admin-preferred value is not provided or given value of empty string, APM end user is shown the prompt to select the client type for launching first time they click on the application/desktop. After that, their chosen value is saved in the browser. The HTML5 option is shown only when the html5 package is installed on Citrix client bundle. If the html5 package is not available, the native client URL is shown for native client download for the first time.

   If admin preferred value is "native", the native client URL is shown to download either the Citrix receiver client.

New Behavior for View:
       Name of admin-preferred VPE session variable is 'session.vmware_view.preferred_client'. There is already the 'VMware View Policy' VPE agent to select this variable value.
    For View, only RDS desktop is supported for HTML5 launch. If the admin-preferred value is 'Prompt User', the APM end user is prompted for the client type selection. And the native client download link is shown for VMware Horizon client download. For apps, native client is directly launched.

---

426844 : In Admin UI, import of CSV file with users very slow to process complete CSV.

Solution Article: K10354385

Component: Access Policy Manager

Symptoms:
Importing users from a file into a local user database takes a long time. The admin must wait until all users get created. The wait time depends of number of users.

Conditions:
This happens when importing a long list of users from a CSV file to a local user database.

Impact:
Because loading users takes a long time, an administrator user might not know what to do and retry multiple times.

Workaround:
An administrator must wait until the users load to the database without making additional attempts.

Fix:
The performance of a bulk user import operation from a CSV file into APM local user database via the Admin GUI is improved dramatically.

---

424689 : Rename 'IP Address Intelligence' to 'IP Intelligence'

Component: Application Security Manager

Symptoms:
Some fields in sub-menus, tooltips, etc., of the application still 'IP Address Intelligence' instead og 'IP Intelligence'.

Conditions:
'IP Address Intelligence' occurs in some places, such as in Event Logs, Requests, Charts, etc. For example, the older phrase occurs in Security :: Application Security : Policy : Audit : Log , Security :: Reporting : Scheduled Reports :: New Reporting Schedule, and other locations.

Impact:
This has no functional impact. Simply, the phrase 'IP Address Intelligence' was replaced with 'IP Intelligence', but not all visible occurrences have been changed.

Workaround:
No workaround needed, this is a cosmetic issue only.

Fix:
All visible occurrences have now been changed from 'IP Address Intelligence' to 'IP Intelligence'.

---

422525 : Portal Acccess resources with proxy require hostnames to be resolvable to BIG-IP

Component: Access Policy Manager

Symptoms:
Portal Access resources with proxy host configured and no DNS record available to BIG-IP will be blocked by APM ACL. All requests to these resources will result in APM DNS error page.

Impact:
Some resources accessible only via proxy cannot be configured to work through APM Portal Access.

Workaround:
Use intranet DNS server for BIG-IP, or add resources behind proxy server to a DNS server configuration.

Fix:
Portal Access resources with proxy host configured and no DNS record available to BIG-IP are no longer blocked by APM ACL.

---

421851 : Config load does not skip leading whitespaces if iRule starts with #

Component: TMOS

Symptoms:
When iRules are saved into bigip.conf, the first line is automatically indented with four whitespaces. Usually these whitespaces are removed when the config is loaded, but when an iRule starts with commented lines, the whitespace is not removed. Every subsequent save/load operation adds another four whitespaces. When users adds checksum to the iRule, loading fails at checksum verification error

Conditions:
This occurs when both conditions are true: 1. Line 1 begins with a # character and white spaces. 2. The checksum operation is performed on the iRule.

Impact:
Load failure.

Workaround:
Remove the whitespace at the beginning of the iRule

---

421797 : ePVA continues to accelerate IP Forwarding VS traffic even in Standby

Component: TMOS

Symptoms:
When the active BIG-IP unit in a redundant configuration becomes the standby unit after a failover event, the traffic sent to the virtual servers with hardware acceleration enabled will continue to be accelerated by the ePVA hardware on the original active unit (current standby unit). These offloaded flows will eventually be evicted after the failover switch period (16 second by default) though, and it does not affect the new active unit (original standby unit) to offload the flows to hardware for acceleration. As a result, accelerated traffic can still be observed on the standby unit.

Conditions:
When a failover event happens in a redundant configuration with virtual servers that have hardware acceleration enabled.

Impact:
No performance impact or traffic interruption. You might observe unexpected traffic on standby unit.

Workaround:
None. This is a cosmetic issue.

Fix:
The standby unit now evicts the accelerated flows from the ePVA hardware after the failover event. This is correct behavior.

---

419741 : Rare crash with vip-targeting-vip and stale connections on VIPRION platforms

Component: TMOS

Symptoms:
Rare TMM crash bug with vip-targeting-vip. Core analysis is typically necessary to determine whether this bug is the cause.

Conditions:
Triggering this bug is difficult and seems to require vip-targeting-vip (e.g., use of the 'virtual' command in an iRule) and more than one blade.

Impact:
In rare situations, the TMM crashes.

Workaround:
None. This occurs rarely, and the system recovers automatically. Although this workaround has not be verified, in situations where virtual A targets virtual B via the 'virtual' command, it should be sufficient for virtual A to have shorter timeouts than virtual B.

---

418349 : Update/overwrite of FIPS keys error

Component: TMOS

Symptoms:
After deleting and re-creating a FIPS key, sync to other devices fails and /var/log/ltm gives the following error:

crit tmm[10817]: 01260010:2: FIPS acceleration device failure: fips_poll_completed_reqs: req: 78 status: 0x40000116 : ERR_HSM_ERROR

Note that this error is logged on any FIPS-related error, it might be this issue if you were attempting to replace FIPS keys with an identical name on devices in a device group.

Conditions:
This can occur on FIPS-enabled devices in a device group when a FIPS key is deleted and an identically-named FIPS key is added.

Impact:
Sync of the FIPS key fails.

Workaround:
If you are encountering this, you can do the following workaround.

Impact of workaround: this should have no negative impact to the system since your objective is to replace the FIPS keys.

- Detach all keys/certs from all SSL Profiles and delete all keys via script on the standby System
- Run “tmsh show sys crypto fips” and verify all keys have been deleted
- Run a configsync with override and verify the sync has been carried out successfully.

---

417819 : APM - when Edge Clients, some JS contents are different causing warning

Solution Article: K69046914

Component: Access Policy Manager

Symptoms:
Intermittent JS Error in sesstimeout.js during access to full webtop by Edge Clients.

Conditions:
-- At least two different Edge Clients with User Agent strings based on Internet Explorer version 11 (IE11).
-- A version of IE earlier that IE11 is used to access full webtop resource.

Impact:
If 'Display notification about all script errors' is enabled in IE (Internet Options :: Advanced tab) IE displays JS error messages. One client might encounter a JS Syntax error, depending on TMM count and APM RAMCACHE content.

Note: There is no impact on product functionality, because Edge Clients do not call JS code from sesstimeout.js. The error is cosmetic only and can be ignored.

Workaround:
Special APM resource assignment branch for standalone Edge Clients can be configured in VPE to access 'webtop-type network', (NA_only_webtop resource does not include /vdesk/sesstimeout.js and /vdesk/hometab.js).

Fix:
A javascript error no longer is intermittently displayed during a Network Access VPN session from the APM Full Webtop.

---

409059 : CGNAT hairpinning is not supported for NAT64

Solution Article: K17061922

Component: Carrier-Grade NAT

Symptoms:
Hairpin connections are not supported for NAT64.

Conditions:
-- lsnpool with NAT64.
-- Hairpinning enabled.

Impact:
Hairpinned connections do not work

Workaround:
Hairpin via upstream router.

Fix:
Hairpin connections are now supported for NAT64.

Behavior Change:
Hairpin connections are now supported for NAT64.

---

403866 : PEM Data plane listeners when created with cmp-hash not equal to src-ip may break PEM functionality

Component: Policy Enforcement Manager

Symptoms:
Subscriber lookup failures.

Conditions:
PEM Data plane listeners configured with cmp-hash not set to src-ip.

Impact:
Potential breakage in PEM functionality.

Workaround:
Change the VLAN cmp-hash to src-ip.

Fix:
At the PEM data plane listener page, only VLANs with src-ip or dst-ip hash can be chosen.

---

401815 : IP ToS not passing through with SIP LB

Component: Service Provider

Symptoms:
Egress flow doesn't show the ToS bit even though ingress flow has ToS bit set.

Conditions:
Non zero ToS value in the ingress flow

Impact:
Ingress flow ToS value is not propagated to egress flow

Workaround:
when CLIENT_ACCEPTED {
   set client_tos [IP::tos]
}
when SERVER_CONNECTED {
  IP::tos $client_tos
}

Fix:
Propagate the ToS bit from ingress flow to the egress flow.

---

398416 : Volume threshold and time threshold support in Gx reporting

Component: Policy Enforcement Manager

Symptoms:
In this release, volume threshold is supported. However, time threshold does not qualify for Gx reporting, even though it is present in GUI and TMSH

Conditions:
Configuring volume threshold and time threshold in Gx reporting.

Impact:
Configuring volume threshold does not work as expected. Configuring time threshold has no effect because it is not supported.

Workaround:
None.

Fix:
Volume threshold and time threshold have been removed from the GUI and TMSH for Gx reporting.

---

394734 : Added the transparent option for DNS monitor

Component: TMOS

Symptoms:
There is no way to create transparent DNS monitor in the GUI.

Conditions:
Trying to configure a DNS monitor as transparent.

Impact:
Cannot use the GUI to create a transparent DNS monitor.

Workaround:
Use TMSH to configure the transparent option for DNS monitors.

Fix:
The DNS monitor now has the transparent option available from the GUI.

---

390197 : Allow the HTTP::payload command to be used in the HTTP_REJECT iRule event

Component: Local Traffic Manager

Symptoms:
It is difficult to obtain the contents of an HTTP request or response that the BIG-IP system rejects. (This requires using a complex iRule involving TCP::collect, with some performance cost.)

Conditions:
An HTTP request or response fails a test at the parsing stage. It may be too large, have too many headers, have invalid structure, or some other issue.

Impact:
Difficult to obtain the contents of an HTTP request or response that the BIG-IP system rejects.

Workaround:
Use an iRule with TCP::collect to obtain this information.

Note: This might result in a performance cost.

Fix:
The contents of a rejected HTTP request or response is now available in the HTTP_REJECT iRule event from the HTTP::payload command. This allows rejected requests and responses to be logged via an iRule script, and later inspected.

---

386996 : Client detection does not work for new browsers and always Download client prompt is shown

Component: Access Policy Manager

Symptoms:
When APM end-users connect to APM, they are prompted to down the Citrix client even if their browser does not support it.

Conditions:
Webtop is used with the latest browsers (who have disabled NPAPI support) to access the Citrix published resources.

Impact:
Users are prompted to Download the client every time they access the webtop.

Workaround:
None.

Fix:
Automatic client detection functionality for Receiver Clients has been disabled from the APM webtop and is now a manual setting. See the note for ID427028 for more information.

---

382577 : imish 'terminal monitor' command does not have any effect in TMOS

Solution Article: K40515053

Component: TMOS

Symptoms:
When you run the imish 'terminal monitor' command, you do not receive the expected results. The imish command has no effect in TMOS.

Conditions:
This occurs when running imish command.

Impact:
There is no display of debug logs in the imish session.

Workaround:
The workaround is to configure the log file (under /var/log) and use the tail command to monitor it in real-time. Note: For this workaround, users must have access to bash.

---

382109 : No message when removing PSU from chassis.

Component: TMOS

Symptoms:
When a power supply is removed from a chassis, there is no warning or alert message on the console.

Conditions:
This occurs when removing a PSU from a chassis, and there is insufficient power from the plugged in PSUs.

Impact:
NOTICE-level log messages are posted in /var/log/ltm.

Workaround:
PSU changes can be detected using the command 'tmsh show sys hardware'.

---

374441-1 : IPv6.port format in iRule pool command is not errored out

Component: Local Traffic Manager

Symptoms:
iRule pool command does not allow IPv6.port format, but it is taken and there is no error message.

Conditions:
The IPv6 address and port are in one argument in the format of Ipv6.port.

Impact:
The connection gets reset.

Workaround:
Use twp argument, e.g.:
 Ipv6 port

Fix:
In this release, the iRule pool command supports the IPv6.port format.

---

368690 : Disabling iRule events that are executing or pending execution will work correctly

Solution Article: K33313540

Component: Local Traffic Manager

Symptoms:
If an iRule event is executing or about to execute, disabling that event will not work correctly.

The TMM will fail to complete the execution of the iRule, perhaps causing connection stalls.

You may see the following signature in the LTM log:
tmm info tmm[30823]: 01220009:6: Pending rule event CLIENT_ACCEPTED aborted on flow 10.10.0.1:59609->10.10.0.51:80 (listener: /Common/vs1)

Conditions:
An iRule event is disabled while it is executing (parked), or pending execution.

Disabling an event from within its own rule will only work if no parking command executes afterwards.

Impact:
Connection stalls

Workaround:
If an iRule wants to disable itself, move that disabling to the end of the rule. This may make this issue less likely to occur.

Fix:
iRule events can be disabled at any time. If an iRule is disabled while it is executing, or pending execution, it will still run to completion. The next invocation of the iRule event will be disabled.

---

367226 : Outgoing RIP advertisements may have incorrect source port

Component: Local Traffic Manager

Symptoms:
TMM may change the source port of RIP packets send by ripd to something other than 520. Neighbor routers will not accept these packets and RIP routing will not work.

If the TMM instance handling the outgoing packet would not be selected to handle return traffic by the hashing algorithm in use, the source port of the traffic will be modified so the hashing algorithm returns the same TMM instance.

Conditions:
Multiple TMM instances, RIP routing configured.

Impact:
Dynamic routing using RIP will not work if the traffic hash of the packets does not match the TMM handling the outgoing traffic.

Fix:
TMM no longer modifies the source port of RIP traffic.

---

366695 : Remove managers create/modify/delete ability from TMSH on GTM datacenters, links, servers, prober-pools, and topology errors incorrectly, and receive a database error when performed

Component: Global Traffic Manager (DNS)

Symptoms:
A "Manager" role has the ability to create/modify/delete GTM data centers, links, servers, prober pools, and topology objects from TMSH, but they do not have this permission in the database, so they get an error.

Conditions:
Someone of "Manager" roll attempts to create/modify/delete a GTM datacenter, link, server, prober-pools, or topology objects.

Impact:
Error message thrown

Workaround:
Error thrown is correct, but user's shouldn't be able to even get this far in tmsh.

Fix:
Removed Manager's ability to create/modify/delete GTM data centers, links, servers, prober-pools, and topology objects. This was already prevented through validation code, but now TMSH users only have access to view these objects.

---

353229 : Buffer overflows in DIAMETER code

Solution Article: K54130510

Component: Service Provider

Symptoms:
There were instances in the DIAMETER code where fixed-sized buffers could overflow.

Conditions:
DIAMETER attribute-value pairs that are larger than 1024 bytes in size.

Impact:
Memory corruption, which can cause unpredictable behavior (often coring TMM).

Workaround:
None.

Fix:
Prevented buffer overflows in the DIAMETER code.

---

352957 : Route lookup after change in route table on established flow ignores pool members

Component: Local Traffic Manager

Symptoms:
Established flows via Virtual Servers with iRules using the 'nexthop vlan addr' command to set the nexthop to a different address than the gateway returned in route lookup, or transparent flows to a pool member, might fail after a route table change, even if the change does not affect any of the addresses used in the flow.

Conditions:
An iRule with 'nexthop vlan addr' on the CLIENT_ACCEPTED state is added to a virtual server with pool members and the address in the nexthop command is different from the gateway.

Impact:
A flow established before a route table change may fail if the destination was set in an iRule using 'nexthop'. New flows established after the route table change work as expected.

Workaround:
Modify iRule to fire 'nexthop' on every client packet. If the flow has been modified due to a route change, then the next client packet that fires 'nexthop' will correct it.

Fix:
The nexthop for established flows, set using "nexthop vlan addr" in an iRule for CLIENT_ACCEPTED state, does not change when there are changes in the route table. This is correct behavior.

---

346852 : Only three signatures are reported in the remote logger

Component: Application Security Manager

Symptoms:
The sig_names storage format field in the Remote and Reporting Server remote storage type displays the names of signatures detected in requests. However, there is a limitation for this field: it only displays three values. Therefore, if a request matches more than three signatures, the log displays the first three matched signatures, and then displays "..." instead of the remaining matched signatures.

Conditions:
-- More than three signatures were matched on a transaction.
-- A remote logger is configured to display the signatures names.

Impact:
Not all signatures are displayed.

Workaround:
None.

Fix:
A remote logger that is configured to display the signatures names now reports all matched signatures.

---

273014 : LTM Monitor Test Feature

Component: Local Traffic Manager

Symptoms:
On BIG-IP versions prior to v13.1.0, if you want to add a monitor but you're not sure it's configured correctly, you need to add it to a node, pool, or pool member and observe the resulting state of the node or pool member(s).
Starting with BIG-IP version 13.1.0, you can test a configured LTM monitor before adding it to a node, pool, or pool member configuration.

Conditions:
LTM monitor types that can be tested using the new Monitor Test feature include:
dns, external, firepass, ftp, gateway-icmp, http, https, icmp, imap, ldap, mssql, mysql, nntp, oracle, pop3, postgresql, radius, rpc, scripted, sip, smb, smtp, soap, tcp-echo, tcp-half-open, tcp, udp, and wap.

LTM monitor types that cannot be tested using the new Monitor Test feature include:
inband, module-score, radius-accounting, real-server, sasp, snmp-dca-base, snmp-dca, virtual-location, and wmi.

Impact:
It is not possible to test an LTM monitor configuration to verify its correctness without assigning it to an LTM node, pool, or pool member. Such action may affect the availability of one or more configured LTM virtual servers. This action will also generate LTM logs indicating the UP or DOWN status of the configured node, pool, or pool member, which may generate undesired alerts.

Workaround:
To test an LTM monitor configuration without applying it to an actively-used LTM node, pool, or pool member (and thus potentially affecting the availability of a configured LTM virtual server):
1. Create a new LTM node or pool and pool member which is not associated with any active LTM virtual server.
2. Assign the configured LTM monitor to the new, unused node, pool, or pool member.
3. Observe the health status of the configured node or pool member.

This workaround will generate LTM logs indicating the UP or DOWN status of the configured node, pool or pool member, which may generate undesired alerts.

Fix:
Starting with BIG-IP version 13.1.0, you can test a configured LTM monitor before adding it to a node, pool, or pool member configuration.
The LTM monitor types that can be tested using this new Monitor Test feature include dns, external, firepass, ftp, gateway-icmp, http, https, icmp, imap, ldap, mssql, mysql, nntp, oracle, pop3, postgresql, radius, rpc, scripted, sip, smb, smtp, soap, tcp-echo, tcp-half-open, tcp, udp, and wap.

Behavior Change:
You can now test a configured LTM monitor before adding it to a node, pool, or pool member configuration. LTM monitor types that can be tested using the new Monitor Test feature include:
dns, external, firepass, ftp, gateway-icmp, http, https, icmp, imap, ldap, mssql, mysql, nntp, oracle, pop3, postgresql, radius, rpc, scripted, sip, smb, smtp, soap, tcp-echo, tcp-half-open, tcp, udp, and wap.

LTM monitor types that cannot be tested using the new Monitor Test feature include:
inband, module-score, radius-accounting, real-server, sasp, snmp-dca-base, snmp-dca, virtual-location, and wmi.

---

248914 : ARP replies from BIG-IP on a translucent vlangroup use the wrong source MAC address

Solution Article: K00612197

Component: Local Traffic Manager

Symptoms:
When self IP or virtual addresses are configured on a vlangroup, ARP replies for that address will have the locally administered bit set in the ARP payload, but the source MAC of the frame will have this bit clear.

Conditions:
vlangroup in translucent mode with self IP and/or virtual addresses configured.

Impact:
This may cause destination lookup failures on the layer 2 network.

Workaround:
Use transparent mode instead of translucent mode on the vlangroup.

Fix:
ARP and NDP replies sent from the BIG-IP to a vlangroup use the vlangroup MAC address as the layer 2 source address.

---

224988 : LTM does not log anything when node/pool member connection limit is reached

Component: Local Traffic Manager

Symptoms:
There is no information logged when a connection limit is reached for a node or a pool member.

Conditions:
A connection limit is reached for a node or a pool member.

Impact:
Lack of proper information about the connection limits being reached.

Behavior Change:
TMM will now log information about connection limits being reached for nodes and pool members.

---

222409 : The HTTP::path iRule command may return more information than expected

Component: Local Traffic Manager

Symptoms:
The HTTP::path iRule command is intended to return only the path of the HTTP request. However, if the HTTP request specifies an absolute URI for the request URI, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value.

The first line of an HTTP request from a client to a server is referred to as the request line. The request line begins with a method token, followed by the request URI and the protocol version. A typical HTTP request line appears similar to the following example:

GET /dir1/dir2/file.ext HTTP/1.1

In this example, the method token is GET, the resource URI is /dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Conditions:
However, some clients (most notably proxies) may send an HTTP request for the same resource by specifying the absolute URI in the request, which appears similar to the following example:

GET http://www.example.org:80/dir1/dir2/file.ext

In this example, the method token is GET, the resource URI is http://www.example.org/dir2/dir2/file.ext, and the protocol version is HTTP/1.1.

Impact:
The HTTP::path iRule command should return the following path value for both requests:

/dir1/dir2/file.ext

However, since the HTTP::path command actually returns the value of the request URI, the entire absolute URI is returned for the request in the second example, which specifies the following absolute URI in the request URI:

www.example.org:80/dir1/duir2/file.ext

Note: Both requests in the example above conform to the HTTP request specification as defined in Section 5 of RFC2616: HyperText Transfer Protocol.

Note: For more information about the HTTP::path iRule command, refer to HTTP:path on the F5 Networks DevCentral website. A separate DevCentral login is required to access this content; you will be redirected to authenticate or register if necessary.

Workaround:
You can work around this issue by parsing the path element from the return value for the HTTP::path command. To do so, use the following iRule wherever HTTP::path is called:

when HTTP_REQUEST {
log local0. "Path: [URI::path [HTTP::uri]][URI::basename [HTTP::uri]]"
}

Fix:
The HTTP::path iRule command now returns only the information expected.

If the extra information is required, you can use the HTTP::uri iRule command to obtain it.

Behavior Change:
In previous releases, the HTTP::path command returns the entire URI, which includes not only the path, but also any protocol scheme, host name, and port included in the request URI value. Beginning in this release, the HTTP::path iRule command no longer returns the extra data. That means that if you have iRules that expect the extra data, you can use HTTP::uri instead.

It also means that you no longer need to use any workaround, so you can eliminate that iRule.

---

Known Issues in BIG-IP v13.1.x


TMOS Issues

ID Number	Severity	Solution Article(s)	Description
667148-3	1-Blocking	K02500042	Config load or upgrade can fail when loading GTM objects from a non-/Common partition
693996-5	2-Critical		MCPD sync errors and restart after multiple modifications to file object in chassis
693206	2-Critical		iSeries LCD screen is frozen on a red spinning 'please wait' indicator
692158-1	2-Critical		iCall and CLI script memory leak when saving configuration
689577-3	2-Critical	K45800333	ospf6d may crash when processing specific LSAs
689437-1	2-Critical		icrd_child cores due to infinite recursion caused by incorrect group name handling
689002-3	2-Critical		Stackoverflow when JSON is deeply nested
686190-1	2-Critical		LRO performance impact with BWC and FastL4 virtual server
677937-3	2-Critical	K41517253	APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
667173-1	2-Critical		13.1.0 cannot join a device group with 13.1.0.1
665362-2	2-Critical		MCPD might crash if the AOM restarts
665354-1	2-Critical	K31190471	Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
624635	2-Critical		BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012
581851-6	2-Critical	K16234725	mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade
563661-1	2-Critical		Datastor may crash
694740-3	3-Major		BIG-IP reboot during a TMM core results in an incomplete core dump
693884-1	3-Major		ospfd core on secondary blade during network unstability
693563-1	3-Major		No warning when LDAP is configured with SSL but with a client certificate with no matching key
692371	3-Major		Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log
692189-1	3-Major		errdefsd fails to generate a core file on request.
692179-1	3-Major		Potential high memory usage from errdefsd.
691749-1	3-Major		reset-stats operations cannot be part of TMSH transactions
691497-2	3-Major		tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
690928	3-Major		System posts error message: 01010054:3: tmrouted connection closed
690890-1	3-Major		Running sod manually can cause issues/failover
690259	3-Major		Benign message 'keymgmtd started' is reported at log-level alert.
689567-1	3-Major		Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
689375-1	3-Major		Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
688406-1	3-Major	K14513346	HA-Group Score showing 0
688231	3-Major		Unable to set VET, AZOT, and AZOST timezones
687658	3-Major		Monitor operations in transaction will cause it to stay unchecked
687617-1	3-Major		DHCP request-options when set to "none" are reset to defaults when loading the config.
687534-1	3-Major		If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
687353-1	3-Major	K35595105	Qkview truncates tmstat snapshot files
686926-2	3-Major		IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686816-1	3-Major		Link from iApps Components page to Policy Rules invalid
686124-1	3-Major		IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
684391-3	3-Major		Existing IPsec tunnels reload. tmipsecd creates a core file.
684218-1	3-Major		vADC 'live-install' Downgrade from v13.1.0 is not possible
683767-1	3-Major		Users are not able to complete the sync using GUI
683131-1	3-Major		Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★
682213-1	3-Major	K31623549	TLS v1.2 support in IP reputation daemon
682174	3-Major		Live install from version 11.6.x to version 13.1.0 requires a manual step★
681782-6	3-Major	K30665653	Unicast IP address can be configured in a failover multicast configuration
680838-2	3-Major		IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
679347-2	3-Major		ECP does not work for PFS in IKEv2 child SAs
678925-1	3-Major		Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678488-1	3-Major		BGP default-originate not announced to peers if several are peering over different VLANs
678380-2	3-Major		Deleting an IKEv1 peer in current use could SEGV on race conditions.
676897-3	3-Major		IPsec keeps failing to reconnect
676092-3	3-Major		IPsec keeps failing to reconnect
671518	3-Major		F5 does not currently support i18n across its product lines.
670197-1	3-Major		IPsec: ASSERT 'BIG-IP_conn tag' failed
664304	3-Major		Waagent data isn't rolled forward to the new slot after upgrading from pre-v13.1.x Azure VE★
636818	3-Major		IKEv1 DELETE payload can use wrong source IP address for floating IPs
633824	3-Major	K39319200	Cannot add pool members containing a colon in the node name
631316-2	3-Major		Unable to load config with client-SSL profile error★
629915-1	3-Major		Cannot login with Firefox and IE after toggling between wireless and wired networks.
628703	3-Major		Multiple audit_forwarder processes cause the mcpd process to use a lot of CPU cycles
627760-5	3-Major		gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card
623371	3-Major		After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed
623367	3-Major	K57879554	When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.
620954-5	3-Major		Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
567490	3-Major		db.proxy.__iter__ value is overwritten if it's manually set
550739	3-Major		TMSH mv virtual command will cause iRules on the virtual to be dis-associated
542327	3-Major		Portal rewrite does not properly transform responses generated by BIG-IP as SAML IdP
536509	3-Major		Device groups sharing common folders can cause conflicting folder settings
535717-1	3-Major		Password history is not enforced when root, Administrator, or User Manager changes another user's password
534637	3-Major		Disabling a renamed pool member removes member from pool.
521792	3-Major		Missing health monitor information for FQDN members
517829-1	3-Major	K16803	BIG-IP system resets client without sending error report when certificate is revoked
471237-4	3-Major	K12155235	BIG-IP VE instances do not work with an encrypted disk in AWS.
469035	3-Major	K16559	A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault
464650-6	3-Major		Failure of mcpd with invalid authentication context.
464048	3-Major		Google Docs does not work through Portal Access
402691-1	3-Major		The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP
384208	3-Major		Crond does not apply timezone changes
692172-1	4-Minor		rewrite profile causes "No available pool member" failures when connection limit reached
692165-1	4-Minor		A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
691571	4-Minor		tmsh show sys software doesn't show the correct HF version
691491-5	4-Minor		2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
689147	4-Minor		Confusing log messages on certain user/role/partition misconfigurations when using remote role groups
687368-1	4-Minor	K64414880	The Configuration utility may calculate and display an incorrect HA Group Score
686111-1	4-Minor		Searching and Reseting Audit Logs not working as expected
685582-7	4-Minor		Incorrect output of b64 unit key hash by command f5mku -f
685475-1	4-Minor		Unexpected error when applying hotfix
685233-1	4-Minor	K13125441	tmctl -d blade command does not work in an SNMP custom MIB
683029-1	4-Minor		Sync of virtual address and self IP traffic groups only happens in one direction
680856-2	4-Minor		IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
678388-1	4-Minor	K00050055	IKEv1 racoon daemon is not restarted when killed multiple times
677428	4-Minor		While upgrading a BIG-IP HA pair to version 13.1.0, mirroring may not work while the units are running different software versions
674145-1	4-Minor		chmand error log message missing data
669433	4-Minor		Use of more than 10 interfaces within AWS instances
657459-1	4-Minor	K51358480	Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.
653418	4-Minor		Host Processor Superuser keys in /root/.ssh/authorized_keys no longer necessary
651427	4-Minor		VCMP statistic for tmctl vcmp_stat n3_core_mask may be incorrect
625291-1	4-Minor		dhclient doesn't honor 'interface-mtu' request-options
572554	4-Minor		iRule object with '{' ,'#', '}' in the same line not properly handled
562406	4-Minor		Total pva assisted connection counters are per acceleration.
557642	4-Minor		Manually created backend nodes should not be added to a pool that is managed by AWS Auto Scaling Group.
492369	4-Minor	K33135278	vCMP guests fail the image verification check
479262	4-Minor		'readPowerSupplyRegister error' in LTM log
679431-1	5-Cosmetic		In routing module the 'sh ipv6 interface <interface> brief' command may not show header
614593	5-Cosmetic		Raw markup in IPsec docs for ike-phase2-encrypt-algorithm on tmsh command line
603092	5-Cosmetic		"displayservicenames" does not apply to show ltm pool members
475486	5-Cosmetic		Stats for legacy PVA connection flows are not relevant on ePVA platforms.

Local Traffic Manager Issues

ID Number	Severity	Solution Article(s)	Description
694656-1	2-Critical		Routing changes may cause TMM to restart
692970-2	2-Critical		Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691706-5	2-Critical		HTTP2/SPDY profile can cause orphaned connections
690756-1	2-Critical		APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
687635-1	2-Critical		Tmm becomes unresponsive and experiences restart
686228-1	2-Critical	K23243525	TMM may crash in some circumstances with VLAN failsafe
681175-3	2-Critical	K32153360	TMM may crash during routing updates
651476-2	2-Critical		bigd may core on non-primary bigd when FQDN in use
452283-5	2-Critical		An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
695925-1	3-Major		tmm crash when showing connections for a CMP disabled virtual server
695109-1	3-Major		Changes to fallback persistence profiles attached to a Virtual server are not effective
694697-1	3-Major		clusterd logs heartbeat check messages at log level info
693910-4	3-Major		Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
691806-1	3-Major		RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
691785-1	3-Major		The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
690778-1	3-Major		Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
690042-1	3-Major		Potential Tcl leak during iRule suspend operation
689449-1	3-Major		Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
689361-1	3-Major		Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
689089-1	3-Major		VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744-1	3-Major		LTM Policy does not correctly handle multiple datagroups
688629-1	3-Major		Deleting data-group in use by iRule does not trigger validation error
688571-2	3-Major		Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
687807-1	3-Major		The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception
687044-3	3-Major		tcp-half-open monitors might mark a node up in error
686563-1	3-Major		WMI monitor on invalid node never transitions to DOWN
686547-1	3-Major		WMI monitor sends logging data for credentials when no credentials specified
686307-3	3-Major		Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686305-1	3-Major		Memory leak when SSL forward proxy forged certificate.
686101-1	3-Major		Creating a pool with a new node always assigns the partition of the pool to that node.
686065-2	3-Major		RESOLV::lookup iRule command can trigger crash with slow resolver
685615-4	3-Major	K24447043	Incorrect source mac for TCP Reset with vlangroup for host traffic
685519-1	3-Major		Mirrored connections ignore the handshake timeout
685344-1	3-Major		Monitor 'min 1 of' not working as expected with FQDN nodes/members
685110-1	3-Major	K05430133	With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683706-3	3-Major		Pool member status remains 'checking' when manually forced down at creation
683697-1	3-Major	K00647240	SASP monitor may use the same UID for multiple HA device group members
683061-1	3-Major		Rapid creation/update/deletion of the same external datagroup may cause core
681757-3	3-Major	K32521651	Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673-4	3-Major		tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
679613-1	3-Major	K23531420	i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
678872-3	3-Major		Inconsistent behavior for virtual-address and selfip on the same ip-address
678524-1	3-Major		Join FF02::2 multicast group when router-advertisement is configured
677666-2	3-Major	K60909141	/var/tmstat/blades/scripts segment grows in size.
677525-2	3-Major	K06831814	Translucent VLAN group may use unexpected source MAC address
663821-1	3-Major	K41344010	SNAT Stats may not include port FTP traffic
659519-6	3-Major	K42400554	Non-default header-table-size setting on HTTP2 profiles may cause issues
651106-2	3-Major		memory leak on non-primary bigd with changing node IPs
640395	3-Major		When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly
630257	3-Major		Monitor send/receive strings cannot end with trailing single-backslash★
623084	3-Major		mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★
570281-1	3-Major		Cannot modify 'ip-address' attribute of static ARP / NDP entries
542104-3	3-Major	K33458192	In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.
495443-9	3-Major		ECDH negotiation failures logged as critical errors.
462678	3-Major		DF flag is not set on the egress fragmented packets
251162-1	3-Major		The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
222690-2	3-Major	K10281	The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.
692095-1	4-Minor		bigd logs monitor status unknown for FQDN Node/Pool Member
688557-1	4-Minor		Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
685467-1	4-Minor		Certain header manipulations in HTTP profile may result in losing connection.
680680-1	4-Minor		The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
603380	4-Minor		Very large number of log messages in /var/log/ltm with ICMP unreachable packets.
594794	4-Minor		Ability to present a SHA1 certificate to clients that don't support SHA2
592503-1	4-Minor		TMM 'timer' device does not report 'busy' for non-priority timers.
582117	4-Minor		Configuring TCP/HTTP type iRules together has insufficient validation.
558893	4-Minor		TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT
550706	4-Minor		Renaming a virtual server will emit unnecessary '01010007:3: Config error: virtual_server_profile bad virtual' error messages in the ltm log.
363523	4-Minor		iRule errors may result in TMM crash.
490139	5-Cosmetic		Loading iRules from file deletes last few comment lines

Performance Issues

ID Number	Severity	Solution Article(s)	Description
685628-1	1-Blocking		Performance regression on B4450 blade★
681256-1	1-Blocking		Virtual Edition GTM DNS Query Performance Degradation
673832-1	1-Blocking		Performance impact for certain platforms after upgrading to 13.1.0.
696525-1	2-Critical		B2250 blades experience lower fastL4 performance.
682209	2-Critical		Per Request Access Policy subroutine performance down by about 7%
681352	2-Critical		Performance of a client certificate validation with OCSP agent is degraded

Global Traffic Manager Issues

ID Number	Severity	Solution Article(s)	Description
682335-1	2-Critical		TMM can establish multiple connections to the same gtmd
562921-5	2-Critical		Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
690166-1	3-Major		ZoneRunner create new stub zone when creating a SRV WIP with more subdomains
689583-1	3-Major		Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.
688335-5	3-Major		big3d may restart in a loop on secondary blades of a chassis system
580537-3	3-Major		The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
413902-1	3-Major		Pre-v11.x and 11.x GTM devices should not share the same sync group★
693007-1	4-Minor		Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
688266-5	4-Minor		big3d and big3d_install use different logics to determine which version of big3d is newer

Application Security Manager Issues

ID Number	Severity	Solution Article(s)	Description
691670-5	2-Critical	K02515009	Rare BD crash in a specific scenario
684312-1	2-Critical		During Apply Policy action, bd agent crashes, causing the machine to go Offline
697303-1	3-Major		BD crash
696265-5	3-Major		BD crash
694934-1	3-Major		bd crashes on a very specific and rare scenario
694922-5	3-Major		ASM Auto-Sync Device Group Does Not Sync
690883-1	3-Major		BIG-IQ: Changing learning mode for elements does not always take effect
689982-3	3-Major		FTP Protocol Security breaks FTP connection
686517-2	3-Major		Changes to a parent policy, which has no active children, are not synced to the secondary chassis slots
686470-1	3-Major		Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.
686452-1	3-Major		File Content Detection Formats are not exported in Policy XML
685964-1	3-Major		cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771-1	3-Major		Policies cannot be created with SAP, OWA, or SharePoint templates
685164-1	3-Major		In partitions with default route domain != 0 request log is not showing requests
683508-1	3-Major		WebSockets: umu memory leak of binary frames when remote logger is configured
679384-3	3-Major	K85153939	The policy builder is not getting updates about the newly added signatures.
676223-4	3-Major		Internal parameter in order not to sign allowed cookies
670516	3-Major		Illegal metachar in headers violation may happen on legitimate traffic
668184-2	3-Major		Huge values are shown in the AVR statistics for ASM violations
667414-1	3-Major		JSON learning of parameters in WebSocket context is not working
605649-2	3-Major	K28782793	The cbrd daemon runs at 100% CPU utilization
694073-3	4-Minor		All signature update details are shown in 'View update history from previous BIG-IP versions' popup
688833-3	4-Minor		Inconsistent XFF field in ASM log depending violation category
685743-5	4-Minor		When changing internal parameter 'request_buffer_size' in large request violations might not be reported
685193-1	4-Minor		If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies
675232-6	4-Minor		Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
665470-3	4-Minor		Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised
654451	4-Minor		Compatibility in bot defense iRules reasons from version 12.1.0 to version 13.0.0 or later★
646511	4-Minor		BD crashes repeatedly after interrupted roll-forward upgrade★
637686	4-Minor		relax_unicode_in_xml should become the default behavior
612691	4-Minor		It takes 5 mins to complete a iControl REST GET for the policy parameters

Application Visibility and Reporting Issues

ID Number	Severity	Solution Article(s)	Description
688813-2	3-Major	K23345645	Some ASM tables can massively grow in size.
683474	3-Major		The case-sensitive problem during comparison of 2 Virtual Servers
679088-1	3-Major		Avr reporting and analytics does not display statistics of many source regions

Access Policy Manager Issues

ID Number	Severity	Solution Article(s)	Description
692557-1	2-Critical		When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
695953-1	3-Major		Custom URL Filter object is missing after load sys config TMSH command
694624-1	3-Major		SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
693844-1	3-Major		APMD may restart continuously and cannot come up
688046-2	3-Major		Change condition and expression for Protocol Lookup agent expression builder
687937-1	3-Major		RDP URIs generated by APM Webtop are not properly encoded
687213-3	3-Major		When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED
686389-1	3-Major		APM does not honor per-farm HTML5 client disabling at the View Connection Server
684399-4	3-Major		Connectivity profiles UI shows (Not Licensed) when LTM base is presented
684325-1	3-Major		APMD Memory leak when applying a specific access profile
683389-3	3-Major		Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297-2	3-Major		Portal Access may use incorrect back-end for resources referenced by CSS
682751-7	3-Major		Kerberos keytab file content may be visible.
682500-2	3-Major		VDI Profile and Storefront Portal Access resource do not work together
680855	3-Major		Safari 11 sometimes start more than one session
671138	3-Major		FireFox and Chrome users are asked to re-install windows "Endpoint Inspector Application" after upgrade from 13.0.0
668247-2	3-Major		Machine Certificate Checker service may not be used when UAC is disable on windows machine
658278-1	3-Major		Network Access configuration with Layered-VS does not work with Edge Client
655576	3-Major		On Linux, application launch parameter string may be truncated in some cases
652820	3-Major		xdg-open fails to open custom protocol link (at first attempt) causing Google Chrome not to open F5 apps (f5vpn, f5epi) on Fedora 25
632964	3-Major		EAM warning message "failed to get host identifier"
621158-3	3-Major		f5vpn does not close upon closing session
612118-2	3-Major		Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
527668	3-Major		"Minimize to tray" option doesn't work in IE with latest updates if APM is not in Trusted Sites list
527119	3-Major		Iframe document body could be null after iframe creation in rewritten document.
468238	3-Major		Connection reset with client value of "/" in rewrite profile
447565-9	3-Major		Renewing machine-account password does not update the serviceId for associated ntlm-auth.
416412	3-Major		Network Access session closed without warning
405352	3-Major		NTLM Auth does not work if FQDN to domain controller is set to a invalid domain controller
404890	3-Major		Java app-tunnel freezes in the Initializing state after clicking Allow Once using IE
381258	3-Major		'with' statement in web applications works wrong in some cases
686718-3	4-Minor		VPN tunnel adapter stays up in some cases
649531	4-Minor		MS RDP may not work thru native Application Tunnels on MacOS and Linux if user didn't specify credentials prior establishing the connection
638989	4-Minor		Webtop is displayed in English when viewed from a German Locale on Firefox Enterprise service release
633587	4-Minor		UI mode required if session created before HTTP
610436-1	4-Minor		DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.
600676	4-Minor		Log viewer cannot be launched from web client UI on Debian 8 + Gnome
522590	4-Minor		DNS Relay proxy service doesn't resolve static hosts in certain conditions

WebAccelerator Issues

ID Number	Severity	Solution Article(s)	Description
440572	4-Minor		Empty X-WA-Surrogate header in WAM symmetric deployment

Wan Optimization Manager Issues

ID Number	Severity	Solution Article(s)	Description
650164	3-Major		iSession APM virtual server changes port if connection has forwarding virtual server with defined IP and wild card port

Service Provider Issues

ID Number	Severity	Solution Article(s)	Description
689343-2	2-Critical		Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-4	2-Critical		Routing via iRule to a host without providing a transport from a transport-config created connection cores
684068-1	2-Critical		FIX with PVA offload and late binding without flow release may not execute iRules on subsequent messages
696049-1	3-Major		High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
692310-2	3-Major		ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
691048-1	3-Major	K34553736	Support DIAMETER Experimental-Result AVP response
688942-5	3-Major	K82601533	ICAP: Chunk parser performs poorly with very large chunk
679114-4	3-Major	K92585400	Persistence record expires early if an error is returned for a BYE command
674747-4	3-Major	K30837366	sipdb cannot delete custom bidirectional persistence entries.
656811	3-Major		Memory usage with MBLB SIP ingress buffer on standby
545737	4-Minor		Incoming INVITE SIP message to Subscriber is dropped when working with Asterix Proxy
437260	4-Minor		Data groups can be deleted even when in use by FIX profile

Advanced Firewall Manager Issues

ID Number	Severity	Solution Article(s)	Description
685820-3	2-Critical		Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not
644822	2-Critical	K19245372	FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
684369-2	3-Major	K35423171	AFM ACL Rule Policy applied on Standby device
651169-1	3-Major		The Dashboard does not show an alert when a power supply is unplugged
624572	3-Major		AFM rules do not support the syntax ip_addr%vlan_tag in the address specification.
565598	3-Major		Policies on channel types "Other" and "Shell" may have implications on the remaining channel types as well
684696	4-Minor		Signatures page includes columns supporting future enhancements
664618	4-Minor		Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'
626068	4-Minor		Memory Requirement for deploying Bot Signatures in DoS profiles
543022	4-Minor		Logging profile with trailing whitespace cannot be associated with VS in GUI

Policy Enforcement Manager Issues

ID Number	Severity	Solution Article(s)	Description
694717-1	2-Critical		Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008-1	2-Critical	K23164003	TMM core may be seen when using an HSL format script for HSL reporting in PEM
684333-1	3-Major		PEM session created by Gx may get deleted across HA multiple switchover with CLI command
667700-1	3-Major		Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed
642068-4	3-Major		PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231-4	3-Major		No flow control when using content-insertion with compression
566767	3-Major		TMSH allows RAN congestion and BWC to be enabled in the same policy rule.
561805	3-Major		HA: Failover during Radius Accounting On/Off bulk deletion not supported
680729-1	4-Minor	K64307999	DHCP Trace log incorrectly marked as an Error log.
674341	4-Minor		PEM subscriber sessions are shown as '0' for blades that are not operationally UP.
575746	4-Minor		Custom subscriber attributes in upper case cannot be searched via the TMSH.
527288	5-Cosmetic		Correct parsing of the "PSC::ip_address" iRule command needs a comma at the end of an IP address list.
527275	5-Cosmetic		For correct parsing, a comma is required after the policy name in the 'PSC::policy remove <policy>' iRule command.

Carrier-Grade NAT Issues

ID Number	Severity	Solution Article(s)	Description
630430	3-Major	K93873214	IPsec ALG: Traffic may not go through IPsec tunnel if ipsec.lookupspi is disabled and default DAG is used★
601916	3-Major		IPsecALG resources remain in use after IPsec clients switch to NAT-T
665972	4-Minor		TFTP_DATA_SETUP/TFTP_DATA_TEARDOWN messages may not be logged if client and server reuse the ports

Fraud Protection Services Issues

ID Number	Severity	Solution Article(s)	Description
684852-1	2-Critical		Obfuscator not producing deterministic output
674292	2-Critical		Upgrade to 13.1+ may fail for low resources platforms
661718-1	2-Critical		Web Acceleration profile causes FPS failure
692123	3-Major		GET parameter is grayed out if MobileSafe is not licensed
674297-3	3-Major		Custom headers are removed on cross-origin requests
667452	3-Major		FPS: Upgrade from 11.6.* failure
630269-1	3-Major		Support Substitute value in ajax with application/x-www-form-urlencoded content-Type
671212-1	4-Minor		P+NAB-12.1.1-IE9 truncating request if path do not end with"/"
651980	4-Minor		In Internet Explorer 6, encrypting ajax may cause significant slowdown for single page applications

Global Traffic Manager (DNS) Issues

ID Number	Severity	Solution Article(s)	Description
692941-1	2-Critical		GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691287-1	2-Critical		tmm crashes on iRule with pool command after string command
678861-1	2-Critical	K00426059	DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★
672504-2	2-Critical	K52325625	Deleting zones from large databases can take excessive amounts of time.
667542-6	2-Critical		DNS Express does not correctly process multi-message DNS IXFR updates.
696808-1	3-Major		Disabling a single pool member removes all GTM persistence records
691498-3	3-Major		Connection failure during iRule DNS lookup can crash TMM
680069-1	3-Major		zxfrd core during transfer while network failure and DNS server removed from DNS zone config
679149-1	3-Major		TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
667469-3	3-Major	K35324588	Higher than expected CPU usage when using DNS Cache
646491	3-Major		GTM autodiscovery shows same status for tcp+udp virtuals using the same dest:port

Anomaly Detection Services Issues

ID Number	Severity	Solution Article(s)	Description
691462-1	3-Major		Bad actors detection might not work when signature mitigation blocks bad traffic
687986	3-Major		High CPU consumption during signature generation, not limited number of signatures per virtual server
687984	3-Major		Attacks with randomization of HTTP headers parameters generates too many signatures

iApp Technology Issues

ID Number	Severity	Solution Article(s)	Description
653726	3-Major		On VIPRION, iApps LX packages can take 10 minutes to synchronize

 

Known Issue details for BIG-IP v13.1.x

697303-1 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

---

696808-1 : Disabling a single pool member removes all GTM persistence records

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidently cleared.

Workaround:
Set drain-persistent-requests yes.

---

696525-1 : B2250 blades experience lower fastL4 performance.

Component: Performance

Symptoms:
B2250 blades have lower performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.

Conditions:
The fastL4 profile is configured to offload to hardware and the service provider DAG needs to be configured on B2250 blades. Configuring PEM also configures this DAG.

Impact:
Performance will be lower due to more connections being handled in software.

---

696265-5 : BD crash

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

---

696049-1 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

---

695953-1 : Custom URL Filter object is missing after load sys config TMSH command

Component: Access Policy Manager

Symptoms:
The user will not be able to see the custom URL Filter object that is created either through TMSH/GUI.
If the filter object is referred in Access Policy, the policy will fail to load during "load sys config" command.
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
The custom URL Filter object is missing after the user does "load sys config" command in TMSH. Please note that SWG is not provisioned in this case.

Impact:
(1) The access policy will fail to load if it refers the URL Filter object. The user will not be able to use the URL Filter object in the policy.

Workaround:
(1) Provision SWG, and recreate the URL Filter
or
(2) Change bigip.conf to include the URL Filter object

---

695925-1 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using tmsh show sys connection

---

695109-1 : Changes to fallback persistence profiles attached to a Virtual server are not effective

Component: Local Traffic Manager

Symptoms:
Changes to fallback persistence profiles attached to a Virtual server may not be effective.

Conditions:
-- Virtual server configured with persistence and a fallback persistence profile.
-- Changes made to the fallback persistence profile.

Impact:
Changes to the fallback persistence profile are not effective with new connections until a change is made to the virtual server or TMM is restarted.

Workaround:
Make a simple change, for instance to the description field, to the virtual servers that have the changed fallback persistence profile configured.

---

694934-1 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.

---

694922-5 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

---

694740-3 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

---

694717-1 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
PEM iRule command that would result in an inter-TMM lookup on a long lived flow that would result in the PEM iRule command being hit several times. For example, a long lived flow with multiple HTTP transactions.

Impact:
Traffic disrupted while tmm restarts.

---

694697-1 : clusterd logs heartbeat check messages at log level info

Component: Local Traffic Manager

Symptoms:
The system reports clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages will be logged at info to the /var/log/ltm.

Workaround:
Set log.clusterd.level to notice (or debug).

---

694656-1 : Routing changes may cause TMM to restart

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

---

694624-1 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor

Component: Access Policy Manager

Symptoms:
APM Webtop's SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac

Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.

Impact:
RDP client can't launch requested resource (desktop/application).

Workaround:
Disable crypto HW acceleration with following command:
tmsh modify sys db crypto.hwacceleration value disable

---

694073-3 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.

---

693996-5 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.

---

693910-4 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transition to a STP blocked state. This is because the FDB entries are not being flushed on these interfaces after they change to a block state. Traffic destined to these MAC addresses gets dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on a STP forwarding interface that transitions to a blocked interface following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

---

693884-1 : ospfd core on secondary blade during network unstability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
Dynamic routing process ospfd core on secondary blade.

Workaround:
None.

---

693844-1 : APMD may restart continuously and cannot come up

Component: Access Policy Manager

Symptoms:
apmd process cannot start correctly and restarts in an infinite loop. When apmd initializes the Allow Ending agent, the process tries to load all resources (including ACLs, the webtop, and all resources for every webtop, app tunnels, rdp, etc.). The most likely configuration to encounter this issue is with ACLs. For example, if you have thousands of ACL records, the Allow agent pulls them all at once. If the mcpd process is consumed with other operations, it might be that apmd cannot initialize the Allow agent in 30 secs, so it restarts, at which point the process tries to load all resources, cannot complete within the 30 seconds, and restarts in a loop.

Conditions:
Too many resources assigned in an Access Policy profile
for example thousands of ACLs configured.

apmd cannot initialize the Allow Ending agent in 30 seconds and decides it has stopped responding. Then it restarts by it's own, but problem is not solved, so it restarts in a loop

Impact:
APM end users cannot authenticate.

Workaround:
Reduce amount of resources so every agent can initialize within the 30-second timeframe.

---

693563-1 : No warning when LDAP is configured with SSL but with a client certificate with no matching key

Component: TMOS

Symptoms:
When LDAP auth is configured with SSL:

- Authentication attempts fail
- Packet captures between the BIG-IP system and the LDAP server show the BIG-IP system sending FIN after TCP handshake.

Conditions:
LDAP auth is configured with SSL with client cert set but no matching key.

Impact:
LDAP auth fails. There is no warning that the auth failed.

Workaround:
Configure a key that matches the specified client certificate.

---

693206 : iSeries LCD screen is frozen on a red spinning 'please wait' indicator

Component: TMOS

Symptoms:
There are conditions where the LCD looks frozen on a red spinning 'please wait' indicator. Known conditions include: power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Conditions:
This occurs during power supply swaps, AC power cycles, or LCD connection issues to the host or AOM.

Impact:
iSeries LCD screen is frozen on a red spinning 'please wait' indicator. At this point the LCD screen is not usable until it is reset.

Workaround:
Using a command line prompt, from either the front panel management port or serial port, issue the following IPMI commands to reset the LCD module:

ipmiutil cmd 00 20 e8 29 5 1
ipmiutil cmd 00 20 e8 29 5 0

---

693007-1 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

---

692970-2 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
A UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

---

692941-1 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

---

692557-1 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.

Component: Access Policy Manager

Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.

Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.

---

692371 : Unexpected Octeon, Nitrox, and/or Super IO recovery warnings in LTM log

Component: TMOS

Symptoms:
Unexpected warnings in the LTM log indicating Octeon, Nitrox, and/or Super IO recovery happening in BIOS.

Messages appear similar to the following:
-- warning chmand[5972]: 012a0004:4: Nitrox recoveries: 1
-- warning chmand[5972]: 012a0004:4: Octeon recoveries: 1
-- warning chmand[6018]: 012a0004:4: Host CPU subsystem power-off event caused by Super IO

Conditions:
-- Currently released BIOS with error recovery enabled.
-- VIPRION B2150 and B2250 blades.

Impact:
There is no functional impact to the system. The BIOS shipping with the VIPRION B2150 and B2250 blades configures the PCIe interfaces in such an order that BIOS recovery may have to take over. These messages are generated as BIOS error recovery is implemented to correct the PCIe interfaces configuration issues after which the system will boot normally. These messages are then benign.

Workaround:
These are benign messages in the LTM and shows that BIOS error recovery is working. The messages may be ignored.

---

692310-2 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body

Component: Service Provider

Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.

Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).

Impact:
The HTTP server or client to which the modified request or response is destined, receives invalid HTTP and might behave in an unexpected manner.

Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.

For example with modified request:

when ADAPT_REQUEST_HEADERS {
    if {([HTTP::method] eq "GET") and (not [HTTP::header exists 'Content-Length'])} {
        HTTP::header insert Content-Length 0
    }
}

Similarly when ADAPT_RESPONSE_HEADERS {} for a response.

---

692189-1 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

---

692179-1 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

---

692172-1 : rewrite profile causes "No available pool member" failures when connection limit reached

Component: TMOS

Symptoms:
ltm rewrite profile (with mode uri-translation) can cause connections on ltm forwarding virtual server to be terminated with reason "No available pool member".

Conditions:
Virtual server configured with ltm rewrite profile. Default pool has request queuing enabled and connection limits configured for all its nodes.

Impact:
When the connection limit is reached, further connections are terminated with "No available pool member" cause instead of being queued.

Workaround:
An iRule which selects default pool on HTTP_REQUEST:

when HTTP_REQUEST priority 1000 {
    pool [LB::server pool]
}

---

692165-1 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, and so if those are also being logged it may be possible to deduce the pool name from that information.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.

---

692158-1 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device will leak memory.

Conditions:
Use of iCall or CLI scripts for saving config.

Impact:
Repeated invocation may cause the system to run out of memory causing tmm to restart disrupting traffic.

Workaround:
Do not save the configuration from iCall or CLI scripts.

---

692123 : GET parameter is grayed out if MobileSafe is not licensed

Component: Fraud Protection Services

Symptoms:
GET parameter is grayed out if MobileSafe is not licensed.

Conditions:
-- Provision FPS on a system whose license has at least one active feature.
-- Do not license MobileSafe.

Impact:
In FPS Parameter's list, the GET method is always grayed out.

Workaround:
Use either of the following workarounds:
-- License MobileSafe.
-- Use TMSH or REST.

---

692095-1 : bigd logs monitor status unknown for FQDN Node/Pool Member

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur of the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

---

691806-1 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

---

691785-1 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

---

691749-1 : reset-stats operations cannot be part of TMSH transactions

Component: TMOS

Symptoms:
Operations that reset statistics are currently cannot be part of transactions. A know exception to this is the "delete sys connection ..." command. Once the TMSH transaction is submitted, TMSH actually freezes up if a "delete sys connection ..." command was included.

Conditions:
include reset-stats operations in the TMSH transactions

Impact:
reset-stats operations cannot be part of TMSH transactions

Workaround:
using tmsh reset-stats operations outside the TMSH transactions

---

691706-5 : HTTP2/SPDY profile can cause orphaned connections

Component: Local Traffic Manager

Symptoms:
When tearing down a HTTP2 connection, which is composed of a clientside HTTP2 connection and 'n' serverside HTTP1.1 connections, the system might leave a subset of the 'n' serverside HTTP1.1 connection behind. Those left behind connections are still referencing the clientside PCB, which might result in a crash should they ever be expired, e.g., due to an AFM firewall policy change triggering the sweeper.

Conditions:
-- HTTP2 leaves serverside connections behind.
-- AFM firewall policy change occurs that triggers the sweeper.

Impact:
Orphaned connections might result in various behaviors, from a small memory leak to a tmm restart, which has the possibility of disrupting traffic.

Workaround:
None.

---

691670-5 : Rare BD crash in a specific scenario

Solution Article: K02515009

Component: Application Security Manager

Symptoms:
BD crash or False reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

---

691571 : tmsh show sys software doesn't show the correct HF version

Component: TMOS

Symptoms:
tmsh show sys software does not show the correct hotfix version. Instead, it shows the base 12.1.2 release, not the 12.1.2 HF1 hotfix version. However, selecting it boots the correct version. At the login prompt, in /VERSION and in tmsh show sys version the correct hotfix version is shown.

Conditions:
Using tmsh command: tmsh show sys software

Impact:
Hotfix version is not correct.

Workaround:
At the login prompt, using /VERSION or using tmsh show sys version, the correct hotfix version will be shown.

---

691498-3 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts, leading to a temporary loss of service.

Workaround:
No known workaround.

---

691497-2 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions

Component: TMOS

Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.

Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' gets run at the same time, causing a patch file to be deleted that the ucs-save feature now expected to exist.

Impact:
The ucs-save feature complains about the missing patch file and exits.

Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.

---

691491-5 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.

---

691462-1 : Bad actors detection might not work when signature mitigation blocks bad traffic

Component: Anomaly Detection Services

Symptoms:
When signature detected and mitigating no bad actors detection

Conditions:
1. Signatures detected and mitigating
2. Attack traffic is not significantly higher than the good traffic

Impact:
No bad actors detected.
Only signatures provides DoS protection.
BIG-IP CPU utilization is higher than necessary

Workaround:
No workaround at this time.

---

691287-1 : tmm crashes on iRule with pool command after string command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes when a pool command immediately follows a string command in an iRule, for example:
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

Conditions:
Similar GTM iRule with pool command after string command.
when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use a pool command immediately after a string command in an iRule.

---

691048-1 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message with an Experimental-Result AVP, but doesn't have Result-Code AVP inside, then the server side flow is aborted.

Conditions:
Diameter answer message doesn't have Result-Code AVP available, but with Experimental-Result AVP.

Impact:
The server side flow is aborted.

Workaround:
Use iRule to insert Result-Code AVP in all Diameter answer messages.

---

690928 : System posts error message: 01010054:3: tmrouted connection closed

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.

---

690890-1 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly, it is managed by 'bigstart'.

---

690883-1 : BIG-IQ: Changing learning mode for elements does not always take effect

Component: Application Security Manager

Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.

Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.

Impact:
Suggestions are not created correctly.

Workaround:
Modify the '*' entity as well (change description).

---

690778-1 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.

---

690756-1 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated

Component: Local Traffic Manager

Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.

Conditions:
ACCESS::restrict_irule_events disable
HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.

Impact:
iRule execution is aborted.

Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.

Note: This might not be acceptable in many cases either by some functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.

---

690259 : Benign message 'keymgmtd started' is reported at log-level alert.

Component: TMOS

Symptoms:
Whenever keymgmtd starts, a benign message reporting that keymgmtd has started is reported in ltm logs at log-level alert: alert keymgmtd[7853]: 01a40000:1: keymgmtd started.

Note: The keymgmtd daemon provides CA-bundle management functionality.

Conditions:
Whenever keymgmtd starts.

Impact:
No functional impact. This is a benign message that you can safely ignore.

Workaround:
None.

---

690166-1 : ZoneRunner create new stub zone when creating a SRV WIP with more subdomains

Component: Global Traffic Manager

Symptoms:
Creating SRV wideip will result in stub zone creation even there are already matching zones.

Conditions:
Creating SRV wideip with three more layers than existing zone.

Impact:
Unnecessary stub zones created.

---

690042-1 : Potential Tcl leak during iRule suspend operation

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

---

689982-3 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.

---

689583-1 : Running big3d from the command line with arguments other than '-v' or '-version' may cause a GTM disruption.

Component: Global Traffic Manager

Symptoms:
Running big3d from the command line with arguments other than '-v' or '-version' might cause a GTM disruption. When viewing /var/log/gtm, you might see messages similar to the following:
 notice big3d[4131]: 012b0020:5: Executable /shared/bin/big3d timestamp is newer than (or the same as) /usr/sbin/big3d.
 notice big3d[4137]: 012b0018:5: Respawning to run /shared/bin/big3d.
 err big3d[4026]: 012b1015:3: Error 'Address already in use' attempting to bind to socket.

Conditions:
This occurs when attempting to get the big3d version and accidentally typing an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit. Here are some examples (note the double-dash in the first example):
 big3d --version
 big3d
 big3d -xyz
 big3d -d

Impact:
GTM server goes red momentarily.

Workaround:
There is no workaround other than not specifying an invalid or nonsense argument or a valid argument that does not immediately cause big3d to exit.

---

689577-3 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

---

689567-1 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.

---

689449-1 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
As a result of a known issue, in some circumstances the system may experience an unconstrained TMM memory growth when a virtual server is configured for spdy/http2 and http with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode where this memory will be released. In the process it is possible that some legitimate connections will killed.

Workaround:
No workaround at this time.

---

689437-1 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

---

689375-1 : Unable configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled

Component: TMOS

Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.

Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.

Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.

Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:

tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled

tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled

---

689361-1 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.

---

689343-2 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have timeout value less than 10 seconds, although the configured persistence timeout is 120 seconds

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, thus subsequent requests will be dispatched to other pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.

---

689147 : Confusing log messages on certain user/role/partition misconfigurations when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors appear in /var/log/ltm, one of:

User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.

or

Input error: invalid remote user credentials, partition does not exist, broken-partition

Conditions:
Using remote role groups to set user/role/partition information for remote users. A remote user is configured so that they will receive a role of administrator, resource administrator, auditor, or web application security administrator and access to a particular partition, rather than all. (These roles require access to all partitions.) Or a remote user is configured so that their partition access will be set to a partition that does not exist on the bigip.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error message

---

689089-1 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

---

689002-3 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.

---

688942-5 : ICAP: Chunk parser performs poorly with very large chunk

Solution Article: K82601533

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload in mulitple normal sized chunks (up to a few tens of KB).

---

688833-3 : Inconsistent XFF field in ASM log depending violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Put in the rules that the client is using both 'xff ip' and 'xff_ip'.

---

688813-2 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
While other dimensions are being collapsed correctly, the Device ID field is not being collapsed causing the growth in size.
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.

---

688744-1 : LTM Policy does not correctly handle multiple datagroups

Component: Local Traffic Manager

Symptoms:
Policy in use where the conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.

Conditions:
LTM Policy where the conditions reference two or more datagroups.

Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.

Workaround:
Only mitigation is to refactor the policy so that it does not refer to more than one datagroup-based condition.

---

688629-1 : Deleting data-group in use by iRule does not trigger validation error

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
In use data-group can be deleted without error. iRule aborts leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.

---

688571-2 : Untrusted cert might be accepted by the server-ssl even though when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Component: Local Traffic Manager

Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives the certificate from the backend server which is not trusted by current BIG-IP system, the expected behavior is that the system should end the connection.

But the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with backend server.

Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.

-- Configure the 'untrusted-cert-response-control drop' in the server-ssl profile.

-- The corresponding server-ssl is configured at the virtual server.

Impact:
Virtual server might communicate with the backend server that sends the untrusted certificate to the BIG-IP system. Untrusted cert could still be accepted by the server-ssl virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Workaround:
None.

---

688557-1 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).

---

688406-1 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.

---

688335-5 : big3d may restart in a loop on secondary blades of a chassis system

Component: Global Traffic Manager

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>

---

688266-5 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.

---

688231 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.

---

688046-2 : Change condition and expression for Protocol Lookup agent expression builder

Component: Access Policy Manager

Symptoms:
Protocol lookup agent shows the incorrect condition and expression in the expression builder when included in the per-request policy.

Conditions:
This occurs when the protocol lookup agent is used in the expression builder for branching.

Impact:
Cannot follow successful branch in per-request policy.

Workaround:
To work around this issue:
1. Include Protocol lookup agent in the expression builder.
2. Click the 'change' link right next to the existing expression.
3. Go to the Advanced tab and change the expression to one of the following (depending on whether you are using HTTPS or HTTP):
-- "expr { [mcget {perflow.protocol_lookup.result}] == "https" }"
-- "expr { [mcget {perflow.protocol_lookup.result}] == "http" }"
4. Click Finished.

---

687986 : High CPU consumption during signature generation, not limited number of signatures per virtual server

Component: Anomaly Detection Services

Symptoms:
The number of the signatures per virtual server is not limited. This can result in a very large number of generated signatures during sophisticated attacks that use changing patterns. After a time, when a system experiences a number of attacks, the list of generated signatures can be too long.

Conditions:
-- Sophisticated attacks that use changing patterns.
-- System experiences a large number of attacks.

Impact:
High CPU utilization when mitigating. Overloaded GUI signatures screen.

Workaround:
Manually remove old / not-often-used signatures.

---

687984 : Attacks with randomization of HTTP headers parameters generates too many signatures

Component: Anomaly Detection Services

Symptoms:
When attackers randomize HTTP headers parameters, Behavioral DoS (BADoS) might generate too many signatures.

Conditions:
Attacks with randomization of HTTP headers parameters.

Impact:
The list of generated signatures is too long. It produces unnecessary CPU utilization for attack mitigation.

Workaround:
None.

---

687937-1 : RDP URIs generated by APM Webtop are not properly encoded

Component: Access Policy Manager

Symptoms:
RDP URIs used to launch Native RDP resources form APM Webtop on Android/iOS/Mac are not properly encoded. As a result, RDP client might misinterpret the URI, in cases in which some RDP parameter contains the ampersand ( & ) symbol.

Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.

One of RDP parameters contains symbol that should be URI encoded, e.g., '&'.

Impact:
RDP client misinterprets URI, which may result in failure to open RDP resource.

Workaround:
None.

---

687807-1 : The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/ causes a GUI exception

Component: Local Traffic Manager

Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the webgui will get an exception on page: System ›› Device Certificates : Device Certificate ›› Device Certificate

A message, "An error has occurred while trying to process your request." appears.

Conditions:
The presence of a file with the suffix ".crt.csr" in folder /config/ssl/ssl.csr/

Impact:
the webgui will get an exception on page: System ›› Device Certificates : Device Certificate ›› Device Certificate

A message, "An error has occurred while trying to process your request." appears.

Workaround:
rename the csr file suffix from ".crt.csr" to ".csr"

---

687658 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.

---

687635-1 : Tmm becomes unresponsive and experiences restart

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.

Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.

Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

---

687617-1 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets the request-option in "tmsh sys management-dhcp" to its default value when they are set to "none" in configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specify the minimal set of configuration that DHCP server must provide as part of the lease. Setting it to "none" defeats the whole purpose of DHCP. It's better to set it to a minimal value like "routers, subnet-mask" in order to have management connectivity.

---

687534-1 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains .. in the name.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }

---

687368-1 : The Configuration utility may calculate and display an incorrect HA Group Score

Solution Article: K64414880

Component: TMOS

Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.

Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).

Impact:
This issue is cosmetic as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be mislead by this issue and take a wrong or unnecessary corrective action because of it.

Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.

---

687353-1 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0

---

687213-3 : When access to APM is denied, system changes connection mode to ALWAYS_DISCONNECTED

Component: Access Policy Manager

Symptoms:
When access to APM is denied, Edge Client goes into ALWAYS_DISCONNECTED mode. Hence, it does not retry to establish VPN tunnel.

Conditions:
-- Edge Client installed in ALWAYS_CONNECTED mode (locked client).
-- Access to APM is denied.

Impact:
No VPN tunnel is established, even if APM becomes accessible momentarily.

Workaround:
None.

---

687044-3 : tcp-half-open monitors might mark a node up in error

Component: Local Traffic Manager

Symptoms:
The tcp-half-open monitor might mark a node or pool member up when it is actually down, when multiple transparent monitors within multiple 'bigd' processes probe the same IP-address/port.

Conditions:
All of the following are true:
-- There are multiple bigd processes running on the BIG-IP system.
-- There are multiple tcp-half-open monitors configured to monitor the same IP address.
-- One or more of the monitored objects are up and one or more of the monitored objects are down.

Impact:
The BIG-IP system might occasionally have an incorrect node or pool-member status, where future probes may fix an incorrect status.

Workaround:
You can use any of the following workarounds:

-- Configure bigd to run in single process mode by running the following command:
   tmsh set sys db bigd.numprocs value 1

-- Use a tcp monitor in place of the tcp-half-open monitor.

-- Configure each transparent monitor for different polling cycles to reduce the probability that an 'up' response from the IP address/port is mistakenly viewed as a response to another monitor that is currently 'down'.

---

686926-2 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in a SA_INIT response, because a second response appears to have an out-of-order message ID when BIG-IP believe the first message_id of zero was already handled earlier.

Workaround:
None.

---

686816-1 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.

---

686718-3 : VPN tunnel adapter stays up in some cases

Component: Access Policy Manager

Symptoms:
In some cases, VPN tunnel adapter created by VPN client stays up even when tunnel is disconnected.

Conditions:
Application launch on VPN establishment is configured on APM and launched application is not closed

Impact:
Cosmetic. No functionality impact. Subsequent launch of VPN will create a new tunnel adapter

Workaround:
Close the launched application

---

686563-1 : WMI monitor on invalid node never transitions to DOWN

Component: Local Traffic Manager

Symptoms:
A WMI monitor configured for an invalid node defaults to 'UP', and never transitions to 'DOWN'. Upon loading a configuration, a node defaults to 'UP' as an initial probe is sent based on the monitor configuration, and the node is then marked 'DOWN' as probes timeout or monitor responses indicate an error. However, an WMI monitor probe sent to a non-existent node is not detected as an error, and that node may persist in an 'UP' state (not transitioning to 'DOWN' as expected, such as after expiration of the configured monitor timeout).

Conditions:
WMI monitor is configured for an invalid node address, or for a node address on which no WMI service is running.

Impact:
The node persists in an 'UP' state, even though no WMI service is available, or that node does not exist.

Workaround:
An additional node monitor can be created to confirm the node is available (which may be a partial solution in some configurations). Using a non-WMI monitor (such as TCP) to probe availability of the WMI service on the target node may be possible in other scenarios.

---

686547-1 : WMI monitor sends logging data for credentials when no credentials specified

Component: Local Traffic Manager

Symptoms:
A properly configured WMI monitor requires username and password credentials; but when these are omitted from the configuration, logging data is sent in place of the username and password (with the monitored object likely being marked 'down'). Because username/password credentials are required, the monitor should have been identified as wrongly configured before the monitor is marked down.

Conditions:
A WMI monitor is configured without including the required username/password credentials.

Impact:
The monitored object will be marked 'down'.

Workaround:
Configure the WMI monitor to include the username/password credentials.

---

686517-2 : Changes to a parent policy, which has no active children, are not synced to the secondary chassis slots

Component: Application Security Manager

Symptoms:
Changes to a parent policy, which has no active children, are not synced to the secondary chassis slots

Conditions:
v13 or later
ASM provisioned
Having a Parent policy, which has no active children

Impact:
On a chassis failover, the new Primary slot will have an outdated version of the Parent policy

Workaround:
n/a

---

686470-1 : Enable AJAX Response Page or Single Page Application support causes the part of the web page failed to load.

Component: Application Security Manager

Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.

Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.

2. Web Application client side code uses jQuery or any other AJAX clientside framework.

Impact:
AJAX request might not be sent, and the overall website's clientside functionality related to the AJAX requests might not work as expected.

Workaround:
Disable Single Page Application support.

---

686452-1 : File Content Detection Formats are not exported in Policy XML

Component: Application Security Manager

Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.

When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.

Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

The formerly selected file content formats will not be correctly identified.

Workaround:
Use Binary Policy import/export.

---

686389-1 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag to indicate whether HTML5 client is enabled (absence of <html-access-disabled/> tag). APM does not honor this flag to show HTML5 client option to APM end user only if it has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

---

686307-3 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

---

686305-1 : Memory leak when SSL forward proxy forged certificate.

Component: Local Traffic Manager

Symptoms:
Four types of memory leaks happen when SSL forward proxy tries to forge one certificate.

Conditions:
When SSL forward proxy is enabled.

Impact:
Memory leaks and causes TMM restart. Traffic disrupted while TMM restarts.

Workaround:
None.

---

686228-1 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic generating mechanisms

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses are received for traffic generating in fast succession.

Impact:
A TMM may core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

---

686190-1 : LRO performance impact with BWC and FastL4 virtual server

Component: TMOS

Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.

Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).

Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.

Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
 tmsh modify sys db tm.largereceiveoffload value disable

Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.

---

686124-1 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.

---

686111-1 : Searching and Reseting Audit Logs not working as expected

Component: TMOS

Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.

Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.

Impact:
Cannot search Audit Logs.

Workaround:
Use tmsh or bash.

---

686101-1 : Creating a pool with a new node always assigns the partition of the pool to that node.

Component: Local Traffic Manager

Symptoms:
When creating a node while creating a pool, the partition of the node is set to the one of the pool regardless of what was expected. For example, after running the command below, the new node will be assigned to differentpartition:
root@(v13)(Active)(/differentpartition)(tmos)# create ltm pool my_pool2 members add { /Common/172.16.199.33:0 }

Conditions:
Creating a node while creating a pool in a partition different from the node.

Impact:
The node is displayed in the wrong partition.

Workaround:
Create a node separately and then add it to the pool.

---

686065-2 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousand of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

---

685964-1 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.

Component: Application Security Manager

Symptoms:
cs_qualified_urls is configured but is not functional.

Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.

Impact:
URLs that are not supposed to getting through configuration.

Workaround:
None.

---

685820-3 : Active connections are silently dropped after HA-failover if ASM licensed and provisioned but AFM is not

Component: Advanced Firewall Manager

Symptoms:
If ASM licensed and provisioned, but AFM is not licensed/provisioned, active connections are silently dropped after HA-failover.

In earlier versions, active connections were reset after HA-failover if only ASM was licensed/provisioned. When AFM is also licensed/provisioned, existing active connections were always silently dropped after HA-failover.

Conditions:
-- ASM licensed and provisioned, but AFM is not licensed/provisioned.
-- HA-failover occurs.

Impact:
ASM client connections are not reset, but are silently dropped after HA-failover event.

Workaround:
None.

---

685771-1 : Policies cannot be created with SAP, OWA, or SharePoint templates

Component: Application Security Manager

Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.

Conditions:
Attempt to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates

Impact:
Policy creation fails.

Workaround:
None.

---

685743-5 : When changing internal parameter 'request_buffer_size' in large request violations might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

---

685708-4 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Conditions:
Using MR::message route command without specifying a transport to use (virtual or config) will core if the connection receiving the request was created using a transport-config.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

---

685628-1 : Performance regression on B4450 blade★

Component: Performance

Symptoms:
Performance degradation may occur for certain types of traffic when system is under heavy traffic load. L4 and L7 performance may be degraded by up to 5% compared to previous BIG-IP releases.

Conditions:
- L4 and L7 traffic when system is under heavy traffic load.
- VIPRION B4450 blades.

Impact:
You may encounter a performance degradation for certain types of traffic upon upgrading.

Workaround:
None.

---

685615-4 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Solution Article: K24447043

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP Reset for traffic exiting the BIG-IP system with incorrect source-mac-address, which could include monitor traffic.

Workaround:
Use transparent mode on the VLAN group.

---

685582-7 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...

---

685519-1 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

---

685475-1 : Unexpected error when applying hotfix

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIGIP-11.6.1.0.0.317.iso'.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.

---

685467-1 : Certain header manipulations in HTTP profile may result in losing connection.

Component: Local Traffic Manager

Symptoms:
HTTP profile has an option 'Insert X-Forwarded-For' which adds a header when a request is forwarding to a pool member. When a virtual server has iRule with a collect command like SSL::collect, it is affected by the HTTP profile processing. Same issue has an option 'Request Header Erase' available in HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

---

685344-1 : Monitor 'min 1 of' not working as expected with FQDN nodes/members

Component: Local Traffic Manager

Symptoms:
A pool with a monitor configured as 'min 1 of {...}' may be unavailable when one or more members configured with FQDN are down, rather than remain available as long as at least one pool member remains up.

Conditions:
-- Pool nodes/members are configured with FQDN.
-- At least one associated monitor is defined with the 'min 1 of {...}' feature.

Impact:
The pool may be seen as 'offline' when one or more members are down, rather than remaining available as long as a single pool member is 'UP'.

Workaround:
To configure a pool with 'min 1 of{...}', specify static pool members, do not use FQDN to configure pool members.

---

685233-1 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade.

---

685193-1 : If Inheritance is None in the Parent Policy and there are at least 1 child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies

Component: Application Security Manager

Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies.

Conditions:
1) Create Parent policy and set some section's Inheritance to None.
2) Create child policy and assign it to the parent created above.
3) Go to the Parent Policy Inheritance Setting tab, you will see that number of comments for sections with None will be equal to number of child policies.

Impact:
There is an incorrect number of Comments shown in Inheritance Settings

Workaround:
None.

---

685164-1 : In partitions with default route domain != 0 request log is not showing requests

Component: Application Security Manager

Symptoms:
No requests in request log when partition selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

---

685110-1 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Solution Article: K05430133

Component: Local Traffic Manager

Symptoms:
1. FQDN Node/pools fails to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FDQN nodes/pool members with non-LTM license.

Workaround:
None.

---

684852-1 : Obfuscator not producing deterministic output

Component: Fraud Protection Services

Symptoms:
Proactive defense challenge is not passed.

Conditions:
The obfuscator does not produce the same output for the same pair of key and seed. Therefore, on multi-blade devices, or on active-active deployments, when the request to the page (url=/) and the request to the javascript (/TSPD/*?type=10) each go to a different blade or a different device.

More frequently, it happens when the page and javascript are loaded from the same blade, but the javascript is stored in the cache.

Then another refresh, and the request goes to the second blade. Because the javascript in the cache was received from the first blade, it does not match the page.

Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.

Workaround:
None.

---

684696 : Signatures page includes columns supporting future enhancements

Component: Advanced Firewall Manager

Symptoms:
The 'Shareability' and 'Approval State' columns are intended to support functionality that was not included in this release. There is no way to update status for either for any AFM Dynamic Signatures. tmsh will fail with the following message:

Data Input Error: Can't modify 'shareability-state', 'approval-state', or 'predicates' for a DoS signature with 'network' or 'network' family.

Signatures in the HTTP family can be modified via tmsh, but that requires ASM.

Conditions:
AFM provisioned, Dynamic Signatures enabled, DNS Dynamic Signatures enabled, at least one generated DNS Dynamic Signature.

Impact:
No impact on traffic.

Workaround:
None.

---

684399-4 : Connectivity profiles UI shows (Not Licensed) when LTM base is presented

Component: Access Policy Manager

Symptoms:
In APM, the connectivity profile UI shows (Not Licensed) when LTM base is presented

Conditions:
when LTM and APM is provisioned.

Impact:
UI shows FEC profile as not licensed. But user can still choose FEC profile.

Workaround:
Ignore the not licensed warning.

---

684391-3 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.

---

684369-2 : AFM ACL Rule Policy applied on Standby device

Solution Article: K35423171

Component: Advanced Firewall Manager

Symptoms:
In a Active/Standby setup, with a Virtual Server configured to Mirror Connection State, the Standby Device is aware of the state of connections. The Standby device apart from maintaining the state of connections, need not apply ACL policy to the mirrored connections.

But in a specific case where a ACL Policy happens to have Rule with Schedules attached, the Standby happens to apply policy on mirrored connections, which also generates ACL rule hit logs.

Conditions:
1) Active/Standby device setup.
2) Virtual Server with Connection Mirroring enabled.
3) ACL Policy with a Rule having a Schedule attached, and during periods of transition when a Schedule may cause a Rule to be enforced or expired.

Impact:
Does not impact handling of traffic.

Generation of ACL Rule hit logs from Standby is unexpected, and is not desirable.

Workaround:
Objective:
- Disable sweeper applying ACL policy on Standby device.
- Sys DB tunable must disable only on Standby device. Because sys db settings are auto-sync'd to Active device as well, you must do so using the following procedure.
 
Steps to Apply Sys DB setting only on Standby device:
1. Turn off auto-sync for the device-group.
2. Apply settings just before Rule Schedule expiry on Standby device.
3. Wait till Rule Schedule change takes effect.
4. Revert the settings to normal, and enable auto-sync again.


TMSH Command Sequence:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable" <<<< Set this to 'disable'
 }

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync disabled

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify sys db tm.sweeper.flow.acl value disable

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "disable"
 }

On Active, it's still 'enable':

root@(BIG-IP-secondary)(cfg-sync Changes Pending)(Active)(/Common)(tmos)
 # list sys db tm.sweeper.flow.acl value

 sys db tm.sweeper.flow.acl {
    value "enable"
 }

Enable auto-sync again:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos)
 # modify cm device-group <device-group-for-failover> auto-sync enable

Might have to issue this run command if the device is reported as 'requiring sync'.

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos)
 # run cm config-sync to-group <device-group-for-failover>

---

684333-1 : PEM session created by Gx may get deleted across HA multiple switchover with CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
 tmm big start restart.

---

684325-1 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
Access profile having CheckMachineCert agent, while updating profile using 'Apply access policy', each time it leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

---

684312-1 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Component: Application Security Manager

Symptoms:
During Apply Policy action, bd agent crashes, causing with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

Causing bd and bd_agent processes restart, and causing the machine to go Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data was attempted to be loaded during an Apply Policy action.

Impact:
bd and bd_agent processes restart, causing the machine to go Offline while the processes restart..

Workaround:
None.

---

684218-1 : vADC 'live-install' Downgrade from v13.1.0 is not possible

Component: TMOS

Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.

Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:

image2disk --format=volumes --nosaveconfig 11.5.4

Impact:
request is not allowed. no changes are made.

Workaround:
deploy a new 11.5.4 software image via the hypervisor environment

---

684068-1 : FIX with PVA offload and late binding without flow release may not execute iRules on subsequent messages

Component: Service Provider

Symptoms:
With a virtual server configured with a fastL4 profile and a FIX profile where the fast L4 profile is configured with late binding and explicit flow migration, the first connection after a setup or restart may not correctly execute FIX iRules if the flow is not handed off to ePVA after the first FIX message.

Conditions:
Configure a virtual server with a fastL4 profile and a FIX profile. Configure the FastL4 profile to have late binding and explicit flow migration. Place iRules on the virtual server that trigger on FIX_MESSAGE or FIX_HEADER. Restart the BIGIP, connect to the virtual server and begin sending FIX messages.

Impact:
The iRules may not trigger on the second and further messages sent to the FIX virtual server on the first connection after the restart.

---

683767-1 : Users are not able to complete the sync using GUI

Component: TMOS

Symptoms:
A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1)

The above is expected as unit B is unable to validate the config for unit A. Incremental sync adds and removes configuration on unit A, hence the error.

Conditions:
1.Units A and B in HA with manual incremental sync, unit B is active.
2.On unit B add a pool with a member having IP address matching the self IP of unit A. Then delete it.
3.create ltm pool p1 members add { 1.1.2.1:80 }
4.delete ltm pool p1
5.Try config-sync (using GUI). You will end up with a Sync Failed message:
  A validation error occurred while syncing to a remote device
Sync error on unitA.lab.local: Load failed from /Common/unitB.lab.local 01070080:3: The requested pool member is already in use as a self IP address (1.1.2.1

Impact:
Users are not able to complete the sync using GUI

Workaround:
using tmsh to force a full sync

---

683706-3 : Pool member status remains 'checking' when manually forced down at creation

Component: Local Traffic Manager

Symptoms:
When a pool member is created with an associated monitor, and initially forced offline (e.g., '{session user-disabled state user-down}'), that pool member status remains in 'checking'. By default, the pool member status initializes to 'checking' until the first monitor probe confirms the pool member is available. However, by creating-and-forcing-offline the pool member, no monitoring is performed and the status remains in 'checking'.

Conditions:
Pool member is created with an associated monitor, and that pool member is simultaneously forced offline.

Example: create ltm pool test1 members add { 10.1.108.2:80 { session user-disabled state user-down } } monitor http

Impact:
Pool member remains offline as directed, but pool member status indicates 'checking' rather than 'user-down'.

Workaround:
Create the pool member with associated monitor, and in a separate step, force the pool member offline.

---

683697-1 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.

---

683508-1 : WebSockets: umu memory leak of binary frames when remote logger is configured

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

---

683474 : The case-sensitive problem during comparison of 2 Virtual Servers

Component: Application Visibility and Reporting

Symptoms:
Failed to load "incident types volume graph" if incident was filtered by Virtual Server

Impact:
Chart of incident data will not be displayed.

Workaround:
Avoid to create virtual servers that have the same letters, differing only by capital letters verses small letters.

---

683389-3 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

---

683297-2 : Portal Access may use incorrect back-end for resources referenced by CSS

Component: Access Policy Manager

Symptoms:
If HTML page contains reference to external CSS file with URL beginning with '//', then host-less references in this CSS file are handled incorrectly by Portal Access.

Conditions:
- HTML page at http://example.host/page.html:

    <link rel=stylesheet href=//another.host/some/path/my.css>

- and this CSS contains reference with absolute path like this:

    html { background-image: url(/misc/image/some.png); }

Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.

Impact:
Web application may not work correctly.

Workaround:
Use iRule to correct back-end host.

---

683131-1 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present★

Component: TMOS

Symptoms:
BIG-IP software installations will fail and report a status of:

    waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)

Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)

Impact:
Software installation fails, and will not complete/continue.

Workaround:
Delete the base software image from either the hypervisor or guest's file system

---

683061-1 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using external datagroup, rapidly creating updating and then deleting it.

Impact:
TMM fails

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.

---

683029-1 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.

---

682751-7 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.

---

682500-2 : VDI Profile and Storefront Portal Access resource do not work together

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work since VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

---

682335-1 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

---

682213-1 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept/deny connections to critical business applications, there might be concerns about the service. Also some configurations might require that all transactions exfiltrating a PCI-controlled environment leverage secure protocols and ciphers, which won't be the case for IP reputation services.

Workaround:
None.

---

682209 : Per Request Access Policy subroutine performance down by about 7%

Component: Performance

Symptoms:
The performance of the per-request access policy with subroutines, even an empty one (in->out) is down by about 7%.

Conditions:
All of the following must be true for this issue to be exposed.
1) APM is provisioned.
2) An APM profile is attached to the virtual server.
3) A Per-Request access policy containing a subroutine is attached to the virtual server.

Impact:
Maximum RADIUS TPS is degraded (~7%).

Workaround:
No workaround at this time.

---

682174 : Live install from version 11.6.x to version 13.1.0 requires a manual step★

Component: TMOS

Symptoms:
Upgrade (live install) to 13.1.0 never finishes due to the insufficient disk space because there is not enough memory allocated for /var filesystem. Therefore, upgrade/live install of BIG IP VE version 11.6.x to VE version 13.1.0 requires a manual step. File /shared/.tmi_config/global_attributes must be deleted before starting live install with the following command: tmsh install sys software image.

Note: This applies only to images for VE/cloud that are 'Good'-model licenses.

Conditions:
-- Version 11.6.x VE/cloud images licensed for the 'Good' licensing model.
-- Upgrade (live install) to version 13.1.0.

Impact:
Impossible to upgrade/live install from version 11.6.x to version 13.1.0.

Workaround:
1. Delete the following file:
 /shared/.tmi_config/global_attributes.
2. Start upgrade/live install with the following command:
 tmsh install sys software image.


After removing /shared/.tmi_config/global_attributes, upgrade/live install completes as expected.

---

681782-6 : Unicast IP address can be configured in a failover multicast configuration

Solution Article: K30665653

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.

---

681757-3 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.

---

681673-4 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add a multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh commands when the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}.

Impact:
There is not enough information to map the outgoing MAC address to a multi-cast group, and therefore it gets a default entry added that has no ports mapped. The result is that the frame will not go out the interface indicated in the tmsh command yet no warning is provided.

Workaround:
None.

---

681352 : Performance of a client certificate validation with OCSP agent is degraded

Component: Performance

Symptoms:
Performance is being degraded for OCSP agent. This can lead to Access Policy performance degradation if there are no more heavy agents configured.

Conditions:
OCSP agent is configured in an Access Policy.

Impact:
Fewer logons processed per second by the access policy that contains OCSP agent configured.

Workaround:
There is no workaround at this time.

---

681256-1 : Virtual Edition GTM DNS Query Performance Degradation

Component: Performance

Symptoms:
The transaction rate for a DNS A record request synthetic test was up to fourteen percent lower for the BIG-IP Virtual Edition Release 13.1.0 compared to Release 13.0.0.

Conditions:
BIG-IP Virtual Edition 13.1.0 is deployed on a vSphere 6.0 or 6.5 system. Traffic consists solely of DNS A record requests at the rate of 700,000 requests per second. Ingress traffic is handled by an EXSi Intel ixgbe driver.

Impact:
The DNS transaction rate is up to fourteen percent lower on BIG-IP Virtual Edition 13.1.0 compared to 13.0.0.

Workaround:
BIG-IP Virtual Edition performance tuning can recover up to half of the performance degradation:
    - Set the VM's CPU Scheduling Affinity to CPUs in the
      same NUMA node as the ingress network interface for
      the DNS requests.
    - Disable GRO for the NIC:
          ethtool -K eth1 gro off
      or for the VM:
          tmsh modify sys db tm.tcplargereceiveoffload value disable
    - Maximize the VM's CPU Reservation.

---

681175-3 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

---

680856-2 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.

---

680855 : Safari 11 sometimes start more than one session

Component: Access Policy Manager

Symptoms:
In Safari 11 after session is finished and being restarted by "Click here to establish a new session" more than one session appears. It looks like Safari 11 beta and release bug.

Conditions:
Safari 11 beta and official release
Policy with webtop
Several passes from start to finish

Impact:
At certain point browser is reaching max sessions per IP and hangs on webtop.

Workaround:
Don't use Safari 11 for now

---

680838-2 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

---

680729-1 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

---

680680-1 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
in BIG-IP version 10.x, the POP3 monitor sent STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a huge amount of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).

---

680069-1 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

---

679613-1 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.

---

679431-1 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief

---

679384-3 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

---

679347-2 : ECP does not work for PFS in IKEv2 child SAs

Component: TMOS

Symptoms:
The original racoon2 code has no support for DH generate or compute using elliptic curve algorithms for (perfect forward security).

Additionally, the original interfaces are synchronous, but the only ECP support present uses API with async organization and callbacks, so adding ECP does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.

---

679149-1 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

---

679114-4 : Persistence record expires early if an error is returned for a BYE command

Solution Article: K92585400

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for a any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

---

679088-1 : Avr reporting and analytics does not display statistics of many source regions

Component: Application Visibility and Reporting

Symptoms:
1. The network reporting does not show the statistics related to some Source Regions.
2. In the Security=>Reporting=>Network=>Enforced Rules dashboard are impossible to select or find some Source Region using filtering .
For example, there are list of some missing Source Regions:
France, Ile-de-France, Ukraine, Kyyiv,Russian Federation, Tambovskaya oblast, South Africa, Western Cape and Spain,Madrid

Conditions:
This occurs when attempting to filter on the affected source regions.

Impact:
The network reporting does not show the statistics related to some Source Regions.

---

678925-1 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note that the user can use the TMSH command "show net route lookup <address>" to check if there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.

---

678872-3 : Inconsistent behavior for virtual-address and selfip on the same ip-address

Component: Local Traffic Manager

Symptoms:
Inconsistent ICMP/ARP behavior for self IP address or virtual-address when virtual-address and self IP address have the same IP address.

Conditions:
Virtual-address and self IP address have the same IP address.
-- Virtual-address ICMP and ARP disabled.

Impact:
ICMP echo reply and ARP for the IP address might be inconsistent. Self IP address might override the ARP setting of a virtual address.

Workaround:
No workaround.

---

678861-1 : DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other★

Solution Article: K00426059

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
Previously had Link Controller with DNS:: commands in an iRule proc.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.

---

678524-1 : Join FF02::2 multicast group when router-advertisement is configured

Component: Local Traffic Manager

Symptoms:
MLD snooping switches may not deliver router solicitation packets to BIG-IP, which breaks BIG-IP's router advertisement functionality. MLD snooping switches may not deliver the packets because BIG-IP has not joined the FF02::2 multicast group.

Conditions:
router-advertisement configured, MLD snooping switches.

Impact:
IPv6 hosts never receive router advertisements from BIG-IP in response to their router solicitations.

Workaround:
Disable MLD snooping on switches.

---

678488-1 : BGP default-originate not announced to peers if several are peering over different VLANs

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the the BGP configuration:
 network 0.0.0.0/0

---

678388-1 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd

---

678380-2 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Component: TMOS

Symptoms:
When either deleting a peer in IKEv1 or updating it, this problem causes the v1 racoon daemon to crash with a SIGSEGV under some race conditions, intermittently.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.

---

677937-3 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

---

677666-2 : /var/tmstat/blades/scripts segment grows in size.

Solution Article: K60909141

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
Virtual size of merged process grows linearly with /var/tmstat/blades/scripts segment. This could lead to out of memory condition.

Workaround:
No known workarounds.

---

677525-2 : Translucent VLAN group may use unexpected source MAC address

Solution Article: K06831814

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

---

677428 : While upgrading a BIG-IP HA pair to version 13.1.0, mirroring may not work while the units are running different software versions

Component: TMOS

Symptoms:
As part of upgrading a BIG-IP high availability (HA) configuration to version 13.1.0, there is a brief moment when the two units are running different software versions.

For instance, the unit that was upgraded first will be running version 13.1.0, while the peers may still be running the previous software version (such as 13.0.0).

During this time, mirroring (Connection Mirroring, Persistence Mirroring, and Session Mirroring) may not be working, and errors similar to the following example may be logged to the /var/log/ltm file:

-- err tmm3[17095]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 4, remote npus 4, local pg 0, remote pg 0, local pu 3, remote pu 0. Connection will be aborted.
-- err tmm2[17095]: 01340004:3: HA Connection detected dissimilar peer: local npgs 1, remote npgs 1, local npus 4, remote npus 4, local pg 0, remote pg 0, local pu 2, remote pu 1. Connection will be aborted.

This issue occurs because of differences in the hashing of traffic by the pre-13.1.0 and post-13.1.0 Virtual Edition (VE) NIC drivers.

Conditions:
- A BIG-IP HA pair is upgraded to version 13.1.0 from a previous version.

- The BIG-IP HA configuration consists of VE units (all other platforms are not affected).

Impact:
Mirroring does not work until the upgrade is completed and each unit is running version 13.1.0.

During this time, failing over between the units can result in the loss of connection, persistence, or session records.

Please note mirroring support is only considered best-effort while the units are running different software versions as part of a software upgrade.

Workaround:
There is no workaround.

---

676897-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

---

676223-4 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
policy building is turned on (manual or automatic). There are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A

---

676092-3 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

---

675232-6 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered -

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify it's active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy.

That can be done via GUI and starting from from v13.0 via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

---

674747-4 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Rules and SIP messages created custom bidirectional SIP persistence entries.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted,
however.

Workaround:
None.

---

674341 : PEM subscriber sessions are shown as '0' for blades that are not operationally UP.

Component: Policy Enforcement Manager

Symptoms:
PEM subscriber sessions are shown as '0' for blades that are not operationally UP.

Conditions:
Execute 'tmsh show pem sessiondb blade x' on a blade that is DOWN.

Impact:
No impact to PEM-provided services. Potential questions related to why the the number of subscriber sessions on blade X is 0, when the operator is unaware that Blade X is operationally DOWN.

Workaround:
None.

---

674297-3 : Custom headers are removed on cross-origin requests

Component: Fraud Protection Services

Symptoms:
Custom headers are removed on cross-origin requests.

Conditions:
A cross domain FPS request uses the FPS custom header. For example: AJAX encryption from one domain to another.

Impact:
The request will be blocked, FPS functionality breaks.

Workaround:
For HOST <HOST NAME> and FPS custom header <HEADER NAME>, a variant of the following iRule can be used:


when HTTP_REQUEST {
    if {[HTTP::method] equals "OPTIONS" && [HTTP::host] equals "<HOST NAME>"} {
       set modify_allowed_headers 1
    }
}

when HTTP_RESPONSE {
    if { [info exists modify_allowed_headers] && $modify_allowed_headers equals "1"} {
        if { [HTTP::header exists "Access-Control-Allow-Headers"] } {
            set hdr [HTTP::header value "Access-Control-Allow-Headers"]
            append hdr ", <HEADER NAME>"
            HTTP::header replace Access-Control-Allow-Headers $hdr
        }
    }
}

---

674292 : Upgrade to 13.1+ may fail for low resources platforms

Component: Fraud Protection Services

Symptoms:
when upgrading a low resources platform (like vCMP guest with many provisioned modules) to 13.1 or higher, upgrade might fail

Conditions:
low resources platform

Impact:
upgrade failure

Workaround:
un-provision a few modules before upgrading (depends on platform resources)

---

674145-1 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

---

673832-1 : Performance impact for certain platforms after upgrading to 13.1.0.

Component: Performance

Symptoms:
Performance impact for certain platforms after upgrading to 13.1.0.

Conditions:
The following platforms, with Fast HTTP/OneConnect/Full Proxy configured.

-- i2800
-- i4800
-- i5800
-- i7800
-- i10800
-- i11800
-- B2250
-- B4450

Impact:
The performance impacts occur on the following platforms under the associated conditions:

-- i2800 2%-3% Full Proxy traffic.
-- i4800 2%-3% Full Proxy traffic.
-- i5800 3%-8% Fast HTTP/Full Proxy traffic.
-- i7800 3%-7% Fast HTTP/Full Proxy traffic.
-- i10800 3%-7% Fast HTTP/Full Proxy traffic.
-- i11800 2%-3% Fast HTTP traffic.
-- B2250 3%-6% OneConnect/Full Proxy traffic.
-- B4450 4%-10% Fast HTTP/OneConnect/Full Proxy traffic.

Workaround:
None.

---

672504-2 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or large number of Resource Records, zxfrd can reach 100% CPU for large amounts of time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests

Workaround:
None.

---

671518 : F5 does not currently support i18n across its product lines.

Component: TMOS

Symptoms:
APIs and interfaces at F5 have varying levels of support for Unicode and extended character sets. There is currently no comprehensive solution for non-ASCII support. Any non-ASCII data is not strictly guaranteed to behave or display as expected.

Conditions:
Non-ASCII character sets are used in resource configuration across the F5 product line.

Impact:
All APIs and interfaces are not guaranteed to support non-ASCII characters.

Workaround:
There is no workaround at this time. Different interfaces at F5 have varying levels of support for non-ASCII text, though none have support officially.

---

671212-1 : P+NAB-12.1.1-IE9 truncating request if path do not end with"/"

Component: Fraud Protection Services

Symptoms:
SR 1-3168243165

Conditions:
Only one URL of the form "/path/to/resource/" or "/path/to/resource" is configured as protected.

Impact:
URLs which are equivalent by RFC are treated as different by FPS, which hinders FPS protection.

Workaround:
Configure both URLs:

/path/to/resource/
/path/to/resource

as protected with identical configuration.

---

671138 : FireFox and Chrome users are asked to re-install windows "Endpoint Inspector Application" after upgrade from 13.0.0

Component: Access Policy Manager

Symptoms:
After upgrade from 13.0.0 to 13.1.0, or a later release, all APM end users running FireFox and Chrome browsers on Microsoft Windows are asked to re-install 'Endpoint Inspector Application'.

The following page appears:
'Browser is waiting for status from Endpoint Inspector Application.' 'Please confirm that this application is launched and is not waiting for your input. This application may be behind other windows on your desktop.'

Link and installation instructions provided behind 'More Option' link.

Conditions:
Endpoint inspection configured in BIG-IP APM access policy.

Impact:
APM end users are prompted to install the endpoint inspector application.

Workaround:
No workaround. APM end users must follow instructions to install application.

Note: When 'Endpoint Inspector Application' is not installed, the instruction screen is clearly visible, as it is part of normal APM usage. However, when 'Endpoint Inspector Application' is installed, the instructions window is hidden behind the 'More Option' link, and the APM end users must click the link to view the instructions.

---

670516 : Illegal metachar in headers violation may happen on legitimate traffic

Component: Application Security Manager

Symptoms:
False positive 'Illegal meta character in header' violation is posted.

Conditions:
This occurs when the browser sends un-escaped headers in a specific language.

Impact:
ASM violation. Blocking page.

Workaround:
To work around this issue, turn off the 'Illegal meta character in header' violation.

Note: This is a known issue with Microsoft Internet Explorer v11.

---

670197-1 : IPsec: ASSERT 'BIG-IP_conn tag' failed

Component: TMOS

Symptoms:
When using IPsec, tmm assert with 'BIG-IP_conn tag' failed.

Conditions:
The conditions under which this assert occurs when using IPsec are unknown.

Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.

Workaround:
None.

---

669433 : Use of more than 10 interfaces within AWS instances

Component: TMOS

Symptoms:
Within AWS, instances of type i3.16xlarge and r4.16xlarge allow for up to 15 network interfaces. Use of more than 10 interfaces on BIG-IP instances will result in the extra interfaces not functioning. Interfaces 1.10-1.14 will have the same MAC address as 1.1 and not function.

Conditions:
Use of i3.16xlarge or r4.16xlarge instances for BIG-IP with more than 10 network interfaces.

Impact:
The extra interfaces will not function.

Workaround:
Use multiple instances with fewer interfaces. Potentially use tunnels to separate traffic.

---

668247-2 : Machine Certificate Checker service may not be used when UAC is disable on windows machine

Component: Access Policy Manager

Symptoms:
Machine Certificate Checker service may not be used when UAC is disabled on windows machine causing Machine Cert Auth to either fail or go to 'Found' branch

Conditions:
Machine Certificate Checker is installed.
Access Policy has Machine Cert Auth configured.
Windows machine has UAC disabled.

Impact:
Machine Cert Auth agent either fails or goes to 'Found' branch

Workaround:
Enable UAC or Use elevation helper app (requires user to be an local admnistrator).

---

668184-2 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of memory-condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

---

667700-1 : Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed

Component: Policy Enforcement Manager

Symptoms:
PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed. So User cannot create PEM rule with web sense classification filters from Web UI.

Conditions:
Creation of PEM rule with classification filter from Web UI

Impact:
None. User can update the configuration from TMSH.

Workaround:
Use TMSH to add websense classification filter to a PEM rule.

---

667542-6 : DNS Express does not correctly process multi-message DNS IXFR updates.

Component: Global Traffic Manager (DNS)

Symptoms:
If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message.

DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'.

There is no indication that the IXFR was incomplete.

DNS Express might then have, and might serve, incorrect data for that Zone.

Conditions:
An IXFR response from a DNS server spans multiple DNS messages.

Note: This is not a common condition, but it is possible.

Impact:
This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.

Workaround:
Note: Although this does have a workaround, there is no way for you to determine that the Zone is complete other than to query the entire zone and compare it to the zone from the master DNS server.

To workaround this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.

This triggers a full transfer (AXFR) of the zone, as well as all the other zones.

---

667469-3 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

---

667452 : FPS: Upgrade from 11.6.* failure

Component: Fraud Protection Services

Symptoms:
Upgrading from 11.6.* will fail if newer config exists on partition

Conditions:
- upgrading from 11.6.* to 12.* or above
- target version's FPS configuration already exists on current partition

Impact:
upgrade will fail

Workaround:
make sure partition is clean (no FPS configuration) before upgrading

1. delete volume
2. install new image and create the volume
3. load ucs

---

667414-1 : JSON learning of parameters in WebSocket context is not working

Component: Application Security Manager

Symptoms:
When a JSON parameter arrives in WebSocket, it is not sent to policy builder, and thus is not learned.

Conditions:
1. WebSocket traffic contains JSON data.
2. In the JSON profile, parse parameter is enabled.

Impact:
JSON parameter arriving in WebSocket is not learned.

Workaround:
None.

---

667173-1 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

---

667148-3 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active

Workaround:
No workaround.

---

665972 : TFTP_DATA_SETUP/TFTP_DATA_TEARDOWN messages may not be logged if client and server reuse the ports

Component: Carrier-Grade NAT

Symptoms:
TFTP_DATA_SETUP/TFTP_DATA_TEARDOWN messages may not be logged if client and server reuse the ports

Conditions:
Client and server must reuse the ports quickly for this to occur. When TFTP data transfer is started TMM creates a new flow for it and logs a "TFTP_DATA_SETUP" message if ALG logging is enabled. "TFTP_DATA_TEARDOWN" message is logged when the flow expires. The flow established to transfer the data expires after idletimeout configure in the TFTP profile. While the flow is alive if a new data transfer is initiated between the same client,server and if they use reuse the source,destination ports then TMM will not create a new for this data transfer. The existing flow will be reuse and the log messages will not be logged.

Impact:
Some TFTP data transfers are not logged.

Workaround:
None

---

665470-3 : Failed to load sample requests on the Traffic Learning page with VIOL_MALICIOUS_IP viol is raised

Component: Application Security Manager

Symptoms:
Failed to Learn page malicious IP addresses in a specific case.

Conditions:
-- IP intelligence is turn on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.

---

665362-2 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.

---

665354-1 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
Populate all 10 GB ports with optics and connect them to a valid link. Even a single 10 GB link left unconnected or empty of optics can cause this issue.

---

664618 : Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Component: Advanced Firewall Manager

Symptoms:
When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. "Block' setting will not be honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection will be reset.

Client traffic with more than the maximum allowed headers will be allowed through to the server, and an alert will be generated, as expected. The server response will also have too many headers, but the connection will be reset.

Conditions:
PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled), and the maximum number of headers is exceeded for server responses.

Impact:
Connections are reset, when only alerting is expected.

Workaround:
None.

---

664304 : Waagent data isn't rolled forward to the new slot after upgrading from pre-v13.1.x Azure VE★

Component: TMOS

Symptoms:
Waagent data saved in "/var/lib/waagent" isn't rolled forward to the new slot after upgraded from pre-v13.1.x Azure VE

Conditions:
It happens on Azure when upgrading VE from pre-v13.1.x

Impact:
Azure VE is in "soft failure" status:

- the most important authentication data is rolled forward
- however, all other data, such as Custom Data and Extensions and their data are left in the old slot

Waagent still works without any issues

Workaround:
VE admin can manually copy Waagnet lib-dir to "/shared/vadc/azure/waagent" directory, and create a symbolic link in the new slot after upgrade (from "/shared/vadc/azure/waagent" to "/var/lib/waagent")

---

663821-1 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections transverse the SNAT.

Impact:
Stats are not incremented in tmsh or GUI

Workaround:
None.

---

661718-1 : Web Acceleration profile causes FPS failure

Component: Fraud Protection Services

Symptoms:
When applying both Web Acceleration and FPS security profiles on the same URL, FPS behaves incorrectly.

Conditions:
Apply webacceleration on FPS protected URL.

Impact:
FPS is not working as expected and the target URL becomes unprotected by FPS.

Workaround:
The issue was moved to RFE.

---

659519-6 : Non-default header-table-size setting on HTTP2 profiles may cause issues

Solution Article: K42400554

Component: Local Traffic Manager

Symptoms:
HTTP2 connection sent RST_STREAM due to protocol error in response to headers frame.

Conditions:
HTTP2 profile configured with header-table-size with value exceeding 4096.

Impact:
Periodic HTTP2 connection failure to the virtual.

Workaround:
Restore the default header-table-size setting for the HTTP2 profile.

---

658278-1 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows :
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.

---

657459-1 : Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.

Solution Article: K51358480

Component: TMOS

Symptoms:
Setting MGMT GUI Port to 443 on Single Nic not honored on reboot.

Conditions:
Setting MGMT GUI Port to 443 on Single Nic.

Impact:
The 443 value is not saved after reboot.

Workaround:
Reconfigure port after each reboot using the following command: modify sys httpd ssl-port 443.

---

656811 : Memory usage with MBLB SIP ingress buffer on standby

Component: Service Provider

Symptoms:
Memory usage increases to high levels when the ingress-max profile setting is set to a large value.

Conditions:
Incoming SIP messages are mirrored to standby, then the flow is aborted on active.

Impact:
Degraded performance. With the built-in MBLB profile allocations will go up to 50 and stay there until the 'while' is killed on the client and the flow is allowed to expire. With a non-default MBLB profile, allocations will go as high as the ingress-max setting.

Workaround:
- Make sure there is at least one available pool member.
- Use default MBLB profile, or at least ingress-max set close to the default (50).

---

655576 : On Linux, application launch parameter string may be truncated in some cases

Component: Access Policy Manager

Symptoms:
Application will be launched with truncated parameters if the parameter string specified in the UI contains the ampersand '&' character

Conditions:
Application tunnel feature is used on Linux.
Application parameter string contains & character, and the string is unquoted.

Impact:
Application will be launched with incorrect parameters.

Workaround:
Encapsulate the parameter sting in double quotes.

---

654451 : Compatibility in bot defense iRules reasons from version 12.1.0 to version 13.0.0 or later★

Component: Application Security Manager

Symptoms:
Some specific iRules that use BOTDEFENSE::reason that worked in version 12.1.0 stop working after an upgrade to 13.0.0 or later.

Conditions:
An iRule exists that matches the string of a bot defense reason, for example:

if {([BOTDEFENSE::reason] eq "passed browser challenge" ...

Impact:
The iRules that use the bot defense reason string may fail to match the new string.

Workaround:
You can manually update your iRules to use the correct bot defense reason string. Typically this is a matter of making the string case-insensitive. Here are some examples, but the list is extensive:

From "Service to Other Module" to "Web-Scraping Detection".
From "passed browser challenge" to "Passed Browser Challenge".
From "passed captcha challenge" to "Passed CAPTCHA Challenge".
From "whitelist" to "Whitelisted Transaction".


For some of the reasons, a simple search and replace of:
'[BOTDEFENSE::reason]' to '[string tolower [BOTDEFENSE::reason]]' would work

---

653726 : On VIPRION, iApps LX packages can take 10 minutes to synchronize

Component: iApp Technology

Symptoms:
Install a large iApps LX package on a VIPRION system, such as the "diameter" package, which installs roughly 20 MB of files. Then, within the next 10 minutes, remove or disable the new primary blade. The new primary blade may not have a complete copy of the package in /var/config/rest/iapps.

Conditions:
-- VIPRION is in use.
-- Install a large iApps LX package.
-- The VIPRION primary blade has been disabled.

Impact:
The new iApps LX package may be unusable with the new VIPRION primary blade.

Workaround:
After installing a large iApps LX package, allow the current primary blade to remain the primary for at least 10 minutes, so that it can synchronize the files to the other blades. If this is not possible, then re-install the iApps LX package on the new blade.

---

653418 : Host Processor Superuser keys in /root/.ssh/authorized_keys no longer necessary

Component: TMOS

Symptoms:
Keys with the name 'Host Processor Superuser' are still present in /root/.ssh/authorized_keys, but are no longer used by supported BIG-IP versions.

Conditions:
Running any currently supported version of BIG-IP software.

Impact:
The keys' presence is benign and there is no negative impact except for the confusion caused by wondering what these keys are for.

Workaround:
Keys with this label can be safely removed from the authorized_keys file manually.

---

652820 : xdg-open fails to open custom protocol link (at first attempt) causing Google Chrome not to open F5 apps (f5vpn, f5epi) on Fedora 25

Component: Access Policy Manager

Symptoms:
F5's applications (f5vpn, f5epi) can't be launched from the webtop/webpage when Google Chrome is used on Fedora 25 or Fedora 26.

This happens because of improper behavior of 'gio' utility which fails to process custom protocol link request ("f5-vpn://..."). gio utility is invoked by xdg-open script which, in turn, is invoked by Google Chrome.

Firefox browser is not affected.

Conditions:
It happens when all conditions are met:
* Fedora 25/26 Linux distribution.
* Gnome as desktop manager.
* Google Chrome.

Impact:
F5's application f5vpn and f5epi can't be launched from a web page by the first click. The second click within a short amount of time works fine.

Workaround:
* Click the second time on webtop resource icon or "Try again" link within the short amount of time (less than a minute).
* Use Firefox browser on Fedora as it's not affected.

---

651980 : In Internet Explorer 6, encrypting ajax may cause significant slowdown for single page applications

Component: Fraud Protection Services

Symptoms:
Browsing a single page application in Microsoft Internet Explorer 6 may become very slow if full ajax encryption is enabled.

Conditions:
Single page applications that support Internet Explorer 6 and activate full ajax encryption.

Impact:
Very slow browsing experience in Internet Explorer 6. Sometimes you cannot start using the page in browser stack, or it never loaded. In other cases, the page stops responding after sending request

Workaround:
Disabled ajax encryption in Internet Explorer 6 using a custom JavaScript function.

Note: BIG-IP software does not support Internet Explorer 6.

---

651476-2 : bigd may core on non-primary bigd when FQDN in use

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool member resolution, a non-primary bigd process may core under certain circumstances. A non-primary bigd is any process instance other than zero in a multi-bigd scenario, or any bigd process on a non-primary blade in a chassis.

Conditions:
FQDN is in use.

Impact:
bigd may core and be restarted in a loop, causing some monitor instances to not be serviced. This may cause node/pool member flapping, or may cause certain nodes or pool members to be effectively not monitored.

Workaround:
Use static IPs instead of FQDN for node/pool member address assignment.

---

651427 : VCMP statistic for tmctl vcmp_stat n3_core_mask may be incorrect

Component: TMOS

Symptoms:
When switching a vCMP guest ssl-mode from dedicated to shared, the tmctl vcmp_stat n3_core_mask does not always reflect the change correctly.

Note: Only the stat being reported by tmctl is wrong; the feature is still working properly.

Conditions:
vCMP system with one or more guests that the hypervisor admin switches the ssl-mode between shared and dedicated.

Impact:
This is a cosmetic issue. This stat is used only for debugging.

Workaround:
None.

---

651169-1 : The Dashboard does not show an alert when a power supply is unplugged

Component: Advanced Firewall Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.

---

651106-2 : memory leak on non-primary bigd with changing node IPs

Component: Local Traffic Manager

Symptoms:
On BIG-IP systems with the multiple blades, or a BIG-IP system with multiple bigd processes running (bigd.1, bigd.2, etc.), if the system has FQDN nodes configured, all secondary bigd processes will consume an unusually high amount of memory, and bigd cores may exist when the FQDN node IP addresses change frequently.

Conditions:
FQDN nodes configured on a system, and the system (as a whole) has multiple bigd processes running, either across multiple blades or multiple bigd instances on a single blade. As configuration changes are made to FQDN nodes causing IP addresses to change, bigd on the non-primary places memory consumption may be unusually high.

Impact:
bigd memory leak; possible bigd crash.

Workaround:
Mitigation: use static IP nodes and pool members rather than FQDN.

---

650164 : iSession APM virtual server changes port if connection has forwarding virtual server with defined IP and wild card port

Component: Wan Optimization Manager

Symptoms:
iSession does not use the correct port when connecting to a specific (not-wildcard), layered virtual server listening on all ports.

Conditions:
-- Present forwarding virtual server after APM.
-- A forwarding virtual server with a defined IP address and wildcard port.

Impact:
Connection is made using an unexpected port.

Workaround:
Use one of the following workarounds:

-- Define a forwarding virtual server with a wildcard listener for IP address and wildcard port.

-- Define a forwarding virtual server with a specific IP address and port.

---

649531 : MS RDP may not work thru native Application Tunnels on MacOS and Linux if user didn't specify credentials prior establishing the connection

Component: Access Policy Manager

Symptoms:
Microsoft Remote Desktop (MS RDP) may not work through native Application Tunnels on MacOS and Linux if there are no credentials specified prior to establishing the connection.

Conditions:
* Native applications tunnels are configured to use for MS RDP tunneling (MacOS and Linux).
* Certificate of MS RDP backend is not always trusted by the keychain.
* There are no credentials specified before establishing connection in remote desktop entry.

Impact:
MS RDP connection through Application Tunnels doesn't work.

Workaround:
Use one of the following workarounds:
A. Specify credentials in the remote desktop entry.
B. Mark the certificate of the remote backend as "always trust".
C. Create a /etc/hosts entry alias for the required backend to point to localhost. Use this alias to access the remote backend to SSL layer accessible do not complain about certificate

---

646511 : BD crashes repeatedly after interrupted roll-forward upgrade★

Component: Application Security Manager

Symptoms:
After roll-forward upgrade of version 12.1.x with ASM traffic data is interrupted, BD crashes repeatedly.

Conditions:
Roll-forward upgrade with ASM traffic data from version 12.1.x (with or without hotfixes) to any 12.1.x or later is interrupted by restart/reboot.

Impact:
BD crashes repeatedly on subsequent attempts to start ASM.

Workaround:
Disable roll-forward upgrade of ASM traffic data before upgrade:

tmsh modify sys db ucs.asm.traffic_data.save value disable

---

646491 : GTM autodiscovery shows same status for tcp+udp virtuals using the same dest:port

Component: Global Traffic Manager (DNS)

Symptoms:
With GTM autodiscovery, when virtuals having same dest:port but different protocols from same ltm target, these virtuals have same status(both down or both up).

Conditions:
Virtual servers have same dest:port but different protocol from the same ltm target and GTM enables auto discovery.

Impact:
If you have two virtuals configured with the same IP:port, and you use those virtuals in gtm pools, you could have a virtual server down, and yet gtm would see it as still being up (or up, and seen as down), and there are no warnings, no messages to let them know anything is wrong.

Workaround:
Manually define the ltm-names, allowing gtmd to pass unambiguous requests to mcpd over iquery like this:

   modify gtm server gtm_myself virtual-servers modify { /Common/vs1_tcp { ltm-name vs1_tcp }}
   modify gtm server gtm_myself virtual-servers modify { /Common/vs1_udp { ltm-name vs1_udp }}

---

644822 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM provisioned, a FastL4 virtual server with enabled loose-init option drops all RST packets that do not relate to any existing flows.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not relate to any existing flows are dropped, while they should not be dropped if the loose-init option enabled.

Workaround:
No workaround.

---

642068-4 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

---

640395 : When upgrading from 10.x to a version that supports spanning VIPs, the virtual address spanning property may not be set properly

Component: Local Traffic Manager

Symptoms:
When upgrading from 10.x to version 12.1.0 or later, a network virtual address that had ARP disabled will not have spanning automatically enabled.

Conditions:
Upgrading from 10.x to 12.1.0 or later. Must have a network virtual address configured with ARP disabled when upgrading.

Impact:
If you are not actually using the spanning feature, there is no impact.

If you are using the spanning feature, it will no longer work until it is explicitly enabled. This can result in the loss of traffic, as the upstream router will be sending packets to standby systems that will now refuse to process that traffic.

Workaround:
Upgrade to an intermediate version that implements the explicit ICMP-Echo setting for virtual addresses (e.g. 11.x) and then upgrade to the desired version.

Alternatively, you can manually set the spanning property on their virtual addresses as desired (after the upgrade).

---

638989 : Webtop is displayed in English when viewed from a German Locale on Firefox Enterprise service release

Component: Access Policy Manager

Symptoms:
Webtop is not localized.

Conditions:
-- Firefox ESR is used to connect to APM.
-- Viewing the APM webtop in a German Locale.

Note: This is a Firefox issue that occurs only with the German language. Firefox sends uilang="en" (for English) instead of uilang="de" (for German).

Impact:
Webtop is displayed in English.

Workaround:
None.

---

637686 : relax_unicode_in_xml should become the default behavior

Component: Application Security Manager

Symptoms:
You see "Malformed XML data - Malformed document, Input stream corrupt" violations on valid XML.

Conditions:
A character appears in the payload that is considered by the XML parser as illegal.

Impact:
A violation happens.

Workaround:
Use internal parameter relax_unicode_in_xml.

---

636818 : IKEv1 DELETE payload can use wrong source IP address for floating IPs

Component: TMOS

Symptoms:
When a BIG-IP system uses a floating IP to establish an IKEv1 IPsec tunnel, and then the Security Association (SA) is deleted, under rare conditions the ISAKMP notification will use a non-floating IP as the source address.

Conditions:
Define a tunnel with floating IP addresses, then toggle version between IKEv1 and IKEv2.

Impact:
The IKEv1 racoon daemon now deletes an SA without requiring the source IP to be the correct peer. It is possible that this will allow a random peer to delete another peer's security associations.

Workaround:
None.

---

633824 : Cannot add pool members containing a colon in the node name

Solution Article: K39319200

Component: TMOS

Symptoms:
You are allowed to create nodes that contain a colon in the node name. If you later try to add the named node (e.g. 10.1.20.10:80), adding the node will fail and you will get an error similar to the following:

0107003a:3: Pool member node (/Common/10.1.20.10) and existing node (/Common/10.1.20.10:80) cannot use the same IP Address (10.1.20.10).

Conditions:
This occurs when attempting to add a node to a pool where the node name contains a colon in it

Impact:
You are unable to add the node to the pool and will get a validation error.

Workaround:
First rename the node to not contain a colon in it, then you can add the node to the pool without error.

---

633587 : UI mode required if session created before HTTP

Component: Access Policy Manager

Symptoms:
When using an "ACCESS::session create" in an iRule event that fires on events prior to the HTTP filter, the command will not create the uimode session variable. The ACCESS filter requires the uimode to be present, so the end-user will receive a reset and see log messages in /var/log/apm:

Dec 13 15:47:24 slot3/jimvicg2mgmt err tmm2[27655]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_session, Line: 6867
Dec 13 15:47:24 slot3/jimvicg2mgmt err tmm2[27655]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 2628

Conditions:
An iRule that creates an access session prior to HTTP. For example:

when CLIENT_ACCEPTED {
    if { [ACCESS::session exists] } {
        log local0. "Found Access Session"
    } else {
         ACCESS::session create
    }
}

Impact:
End-users receive resets.

Workaround:
Set the "session.ui.mode" session variable to "0" when creating the session:


when CLIENT_ACCEPTED {
    if { [ACCESS::session exists] } {
        log local0. "Found Access Session"
    } else {
         ACCESS::session create
         ACCESS::session data set session.ui.mode "0"
    }
}

---

632964 : EAM warning message "failed to get host identifier"

Component: Access Policy Manager

Symptoms:
Seeing EAM warning message, "failed to get host identifier."

Conditions:
When starting EAM.

Impact:
You are unable to configure Access Management Service on OAM11g.

Workaround:
N/A

---

631316-2 : Unable to load config with client-SSL profile error★

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is default (/Common/default.key), but whose chain is non-empty, or the cert is different from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration can not be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open the configuration file in a text editor.
2. Load the file /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition).
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf

---

630430 : IPsec ALG: Traffic may not go through IPsec tunnel if ipsec.lookupspi is disabled and default DAG is used★

Solution Article: K93873214

Component: Carrier-Grade NAT

Symptoms:
The connection table and IPsec ALG profile stats may indicate that the IPsec tunnel has been established, but traffic may not be passing through it.

Conditions:
This may occur on appliances when the IPsec ALG is used with default DAG and the sys db variable ipsec.lookupspi is disabled.

Impact:
Connections going through the IPsec tunnel may fail.

Workaround:
Ensure the db variable ipsec.lookupspi is enabled.

---

630269-1 : Support Substitute value in ajax with application/x-www-form-urlencoded content-Type

Component: Fraud Protection Services

Symptoms:
Substitute value feature does not support Ajax requests with application/x-www-form-urlencoded content-Type.

Conditions:
Send the credentials validation Ajax POST request with application/x-www-form-urlencoded content-Type.

Impact:
Page that uses Ajax requests with application/x-www-form-urlencoded content-Type won't be able to use Substitute value feature.

Workaround:
None.

---

630257 : Monitor send/receive strings cannot end with trailing single-backslash★

Component: Local Traffic Manager

Symptoms:
A monitor with a 'send' or 'receive' string is not supported with a single trailing backslash, such as "GET /\r\n\" (note the single-trailing backslash that "escapes" the trailing double-quotes).

Conditions:
A monitor 'send' or 'receive' string ends with a single trailing backslash; and the configuration is saved, and then a load is attempted.

Impact:
When configuration is saved and then loaded, the single-trailing backslash will escape the trailing double-quotes and the configuration will fail to load.

Workaround:
A double-trailing backslash is supported, where the trailing double-quotes will not be escaped, for example:
 "GET /\\r\\n"

---

629915-1 : Cannot login with Firefox and IE after toggling between wireless and wired networks.

Component: TMOS

Symptoms:
Cannot log into BIG-IP's Web GUI on Firefox and Microsoft Internet Explorer (IE) for the first 3-5 attempts after toggling the host computer's network between wireless and wired connections.

Conditions:
Using Firefox or IE browsers.
Toggling between a wired and wireless network connections.

Impact:
BIG-IP shows a "login failed" page in the Web UI. The user cannot login with correct credentials for 3-5 attempts. Note: The number of attempts may be timing-dependent.

Workaround:
Use any of the following options:
-- Use a Chrome browser.
-- Do not toggle between different networks for internet access (i.e., wired and wireless).
-- Keep trying to logon (i.e., try more than five times, or for a few minutes after toggling between networks).
-- Restart the browser.
-- Clear cookies.

---

628703 : Multiple audit_forwarder processes cause the mcpd process to use a lot of CPU cycles

Component: TMOS

Symptoms:
Running multiple instances of syslog-ng causes multiple instances of audit_forwarder to be started up. Once more than one audit_forwarder process starts, mcpd CPU usage becomes excessive.

Conditions:
Running multiple instances of syslog-ng.

Impact:
The systems slows down significantly.

/dev/log may be deleted and recreated with the wrong selinux contexts

The GUI may become unresponsive and display a blank page.

Workaround:
Do not run more than one instance of syslog-ng.

---

627760-5 : gtm_add operation does not retain same-name DNSSEC keys after synchronize FIPS card

Component: TMOS

Symptoms:
When running gtm_add from one BIG-IP system to another, if the system being added already has the same DNSSEC key (dictated by DNSSEC key name), and you synchronize the FIPS card, then the FIPS card is wiped out (as expected), but the key is not re-added.

Conditions:
-- There is an existing DNSSEC key on one system.
-- A second system has a DNSSEC key of the same name.
-- Run gtm_add, with instructions to synchronize FIPS cards.

Impact:
No DNSSEC key of that name is present on FIPS card.

Workaround:
None.

---

626068 : Memory Requirement for deploying Bot Signatures in DoS profiles

Component: Advanced Firewall Manager

Symptoms:
When deploying large number of DoS profiles with Bot signatures enabled on low-end platforms, the memory spills over to the swap area.

Each DoS profile consumes about 2 MB of memory per core for accommodating the complied bot signatures. For example, on VE with 2 cores and 8 GB of memory, deploying 1024 DoS profiles with bot signatures will consume 4 GB which together with the other memory requirements of ASM far exceeds the physical memory. The symptom is high utilization of swap memory.

Conditions:
Deploy large number (over 100) of DoS profiles with Bot signatures.

Impact:
Severe performance degradation.

Workaround:
On VE platforms, provision at least 4 GB more memory to the VM. On vCMP platform, assign this amount of memory to the guest machine. On physical machines, the only option is to upgrade to a larger memory platform.

Consider using less profiles by reusing the same DoS profile on more than one Virtual Server.

---

625291-1 : dhclient doesn't honor 'interface-mtu' request-options

Component: TMOS

Symptoms:
Requesting MTU value from DHCP server is explicitly disabled using a configuration similar to the following:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config request-options delete { interface-mtu }.
But if DHCP send MTU value in its reply, this MTU will be configured on BIG-IP management interface.

Conditions:
DHCP server ignoring option sent by BIG-IP DHCP client.

Impact:
BIG-IP accepts the MTU value provided.

Workaround:
1. Add supersede interface-mtu 1500; to interface "mgmt" section of the /etc/dhclient.conf file.
2. Restart dhclient.

---

624635 : BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012

Component: TMOS

Symptoms:
BIG-IP doesn't support more than 4 NICs.
As a result of this issue, you may encounter following symptoms:
- BIG-IP boot time is increased.
- Number of interfaces attached to tmm aren't more than 4 NICs.
- In the /var/log/boot.log file, you observe messages similar to the following examples:
 + info plymouthd: udev still not settled. Waiting.udevd[367]: worker [380] unexpectedly returned with status 0x0100
 + info plymouthd: udevd[367]: worker [380] failed while handling '/devices/LNXSYSTM:00/device:00/PNP0A03:00/device:08/VMBUS:01/vmbus_11'
 + info plymouthd: udevd[367]: worker [373] unexpectedly returned with status 0x0100

RHEL7.2 (or newer) guests are similarly affected, so this issue is not unique to BIG-IP 7.2 kernels.

The issue isn't reproduced on Hyper-V on Window Server 2012 R2.

Conditions:
This issue occurs when all of the following conditions are met:
- Your hypervisor version is Hyper-V on Windows Server 2012.
- You have more than 4 NIC attached to BIG-IP.

Impact:
BIG-IP doesn't support more than 4 NICs on Hyper-V on Windows Server 2012.

Workaround:
None.

---

624572 : AFM rules do not support the syntax ip_addr%vlan_tag in the address specification.

Component: Advanced Firewall Manager

Symptoms:
AFM rules do not support the syntax ip_addr%vlan_tag in the address specification.

Conditions:
This occurs when using the syntax ip_addr%vlan_tag in the address specification.

Impact:
Cannot use the syntax to define source addresses.

Workaround:
The VLAN property is supported only on source address specification with a separate keyword 'vlan'.

---

624231-4 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause performance impact.
It could cause memory corruptions in some cases

Conditions:
This issue can happen when system there is are a lot of connections with compression enabled, hardware offload is not enabled, and content insertion is enabled

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the pem throttle feature for content insertion

---

623371 : After changing from remote auth to local auth, if SSH keys are used, SSH attempts from nonexistent users result in a connection closed

Component: TMOS

Symptoms:
When attempting to ssh in as a nonexistent user using SSH keypair, the connection closes.

Conditions:
1. Configure SSH keypair for passwordless login.
2. Set auth source to a remote type such as RADIUS, TACACS+, LDAP, Active Directory.
3. Set auth source back to local.
4. Attempt to ssh to BIG-IP using keypair as a user that does not exist in the BIG-IP local user directory.

Impact:
User does not see expected password prompt.

This can be used to check which usernames are valid on the BIG-IP system, but it requires SSH keys.

Workaround:
None known.

---

623367 : When RADIUS remote authentication is enabled, a nonexistent user is able to ssh into the BIG-IP if they present the root's key.

Solution Article: K57879554

Component: TMOS

Symptoms:
Able to login to BIG-IP using root's keypair as a user which does not exist on either the BIG-IP or the RADIUS server.

Conditions:
1. Configure SSH keypair for passwordless login on the BIG-IP system.
2. Enable RADIUS auth on the BIG-IP system.
3. Attempt to ssh in to the BIG-IP as a user which does not exist on either the BIG-IP or the RADIUS server, using the keypair.

Impact:
With root SSH keys, can login as nonexistent user.

Workaround:
Set the default remote role to something other than admin.

---

623084 : mcpd fails validation of dhcp type virtual servers if the configured profile is /Common/udp★

Component: Local Traffic Manager

Symptoms:
mcpd will fail to load the configuration if the pre 11.6.0 configuration had a dhcp virtual server is configured using any profile that is not /Common/udp.

Conditions:
In pre 11.6.0 having a dhcp type virtual server with a profile other than /Common/udp and then upgrading to 11.6.0 or above.

Impact:
mcpd fails to load the configuration. The BIGIP will not be operational until the configuration is changed and loaded.

Workaround:
Before the upgrade change the profile to /Common/udp.

The same change can be made to the bigip.conf file after the upgrade. Then load the config with tmsh load /sys config

---

621158-3 : f5vpn does not close upon closing session

Component: Access Policy Manager

Symptoms:
f5vpn does not close upon closing session.

Conditions:
-- With Network Access started and connected to BIG-IP using browser.
-- Clicking 'Logout' button on webtop.

Impact:
Session closes. Network Access window does not close, but instead remains in disconnected state.

Workaround:
None.

---

620954-5 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
High concurrent authentication attempts may trigger this issue. For example, open a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), then close the connection. If done frequently enough, there is an occasional authentication failure.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.

---

616008-1 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

---

614593 : Raw markup in IPsec docs for ike-phase2-encrypt-algorithm on tmsh command line

Component: TMOS

Symptoms:
Code that renders 'man page' docs for display on the tmsh command line appears to sometimes retain the original markup. In particular, the docs for ike-phase2-encrypt-algorithm will show aes-gcm128 as 'B<aes-gcm128>' instead of removing the 'B<>' markup. This case seems to be an exception.

Conditions:
Docs display via tmsh command line:

...(tmos)# create net ipsec ipsec-policy ipsec-1-2-1 ?

Impact:
Extraneous markup characters appear in one displayed entry.

Workaround:
None.

---

612691 : It takes 5 mins to complete a iControl REST GET for the policy parameters

Component: Application Security Manager

Symptoms:
When using BIG-IQ security 5.0 to manage the ASM devices and when trying to discover the ASM device, discovery fails. BIG-IQ resets the connection if it reaches the timeout.

Conditions:
ASM provisioned.
Existing ASM policy contains a large amount of parameters.
A REST GET call to retrieve all policies parameters at once.

Impact:
REST call times out.

From - /var/log/restjavad.0.log
---------------
[SEVERE][4300][22 Aug 2016 14:25:10 UTC][com.f5.rest.workers.asm.AsmConfigWorker][logAsmWorkerException] nanoTime:[443782712039188] threadId:[18] Exception:[org.apache.thrift.transport.TTransportException
...
        at com.f5.asmconfig.ASMConfig$Client.recv_rest_call(ASMConfig.java:605)
        at com.f5.asmconfig.ASMConfig$Client.rest_call(ASMConfig.java:590)
        at com.f5.asmconfig.client.AsmClient.rest_call(AsmClient.java:61)
        at com.f5.rest.workers.asm.AsmConfigWorker.restCallWithRetry(AsmConfigWorker.java:131)
        at com.f5.rest.workers.asm.AsmConfigWorker.forwardCall(AsmConfigWorker.java:154)
        at com.f5.rest.workers.asm.AsmConfigWorker$1.run(AsmConfigWorker.java:111)
...
        at java.lang.Thread.run(Thread.java:744)
]client:[27708304]
---------------

Workaround:
REST clients should use paging and avoid retrieving all parameters at once.
BIG-IQ, starting from 5.0.0, utilizes paging.

To use paging, set the 'top' and 'skip' params in the REST GET:
-------
    https://localhost/mgmt/tm/asm/policies/<asm_plc_uuid>/parameters$top=<n1>&$skip=<n2>
-------

As described in the "iControl REST User Guide":
-------
    https://devcentral.f5.com/d/icontrol-rest-user-guide-version-1150?download=true
-------
At sections:
 - About query parameters
 - About paging properties
 - Paging through large collections

---

612118-2 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Component: Access Policy Manager

Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Conditions:
SWG per-request policy with proxy select agent.

Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.

Workaround:
None.

---

610436-1 : DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Windows 10.

Component: Access Policy Manager

Symptoms:
DNS resolution does not work in a particular case of DNS Relay Proxy Service when two adapters have the same DNS Server address on Microsoft Windows version 10.

Conditions:
* Windows 10.
* Client system is connected to two networks.
* Both networks have the same DNS server address.
* Before VPN establishment interface with lower index is disconnected.
* After VPN establishment interface with lower index is reconnected.

Impact:
DNS resolution completely stops working on client systems until the VPN is disconnected.

Workaround:
To work around this issue, add the following registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient key with DWORD 'EnableMultiHomedRouteConflicts' set to 0.

This will revert Windows DNS client behavior to pre-Windows 10 behavior, so the DNS relay proxy will create listeners on loopback for incoming requests, and the driver will redirect DNS requests to the listener on the loopback.

Important note: Use extreme care when editing Windows registry keys. Incorrect modification of keys might cause unexpected behavior.

---

605649-2 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.

---

603380 : Very large number of log messages in /var/log/ltm with ICMP unreachable packets.

Component: Local Traffic Manager

Symptoms:
With ICMP unreachable packets, every packet generates a log message in /var/log/ltm. This results in a very large number of log messages, which takes up space without providing additional information.

Conditions:
You have a DNS virtual server with DNS resolver cache configured. The virtual server receives ICMP unreachable in response to the DNS query.

Impact:
You will see messages similar to the following in /var/log/ltm.

   err tmm[5021]: comm_point_tmm_recv_from failed: Software caused connection abort

Workaround:
None.

---

603092 : "displayservicenames" does not apply to show ltm pool members

Component: TMOS

Symptoms:
The db variable bigpipe.displayservicenames does not apply to the 'show ltm pool members' tmsh command.

Conditions:
This occurs when running tmsh show ltm pool members with bigpipe.displayservicenames enabled.

Impact:
The the IP address but not the service name is displayed.

---

601916 : IPsecALG resources remain in use after IPsec clients switch to NAT-T

Component: Carrier-Grade NAT

Symptoms:
IPsecALG resources will remain in use even after IPsec clients switch to NAT-T and do not send ESP packets.

ESP connections will be setup, but not used. They will remain until the 'idle-timeout' specified in the IPsecALG profile has been reached.

Translation endpoints will be unavailable until the 'idle-timeout' specified in the IPsecALG profile has been reached.

Conditions:
An IPsecALG profile is attached to a UDP virtual to handle IKE traffic with LSN or AFM FW-NAT enabled. IPsec clients detect the NAT and transition to NAT-T instead of sending ESP packets.

Impact:
IPsec clients that are not using NAT-T will not be able to establish connections if the translation addresses are in use to the same server.

This condition will clear after the IPsecALG profile 'idle-timeout' expires.

---

600676 : Log viewer cannot be launched from web client UI on Debian 8 + Gnome

Component: Access Policy Manager

Symptoms:
Log viewer cannot be launched from client UI

Conditions:
VPN is established from Debian 8 and Gnome window manager

Impact:
User cannot launch client logs viewer from UI.

Workaround:
Open log file from command shell.

---

594794 : Ability to present a SHA1 certificate to clients that don't support SHA2

Component: Local Traffic Manager

Symptoms:
Request to add ability to present SHA1 certificate (during SSL handshake) to SSL client that doesn't support SHA2 algorithms.

Conditions:
BIG-IP is configured to use certificate signed with SHA2 algorithm.

Impact:
Older SSL implementation that doesn't support SHA2 algorithm will fail when validating unsupported certificate.

Workaround:
These is no deterministic way to detect if a client supports SHA2 certificate; but heuristically, one can do the following using iRule:

If client_hello contains TLS version >= 1.2, check for SHA2 support in client_hello's signature algorithm extension; if present, use clientssl profile configured with SHA2 certificate.

Otherwise, use profile configured with SHA1 certificate.

---

592503-1 : TMM 'timer' device does not report 'busy' for non-priority timers.

Component: Local Traffic Manager

Symptoms:
A discrepancy in CPU utilization reporting can observed when looking at different utilities or reporting systems (i.e. top, tmctl, SNMP, the performance graphs in the GUI, etc.).

Specifically, certain utilities may report that TMM hyperthreads are 100% busy, while other utilities may indicate that TMM instances are only moderately busy.

In this case, the utilities or systems reporting the higher CPU utilization are correct.

Conditions:
This issue has been seen extremely rarely, as it requires some other edge condition to also be occurring (TMM firing non-priority timers in a looping manner).

Impact:
A BIG-IP Administrator monitoring CPU utilization on the system may be confused about how busy TMM actually is.

Although the main impacted system here is the tmm/stat tmctl table, these values are also exposed via the sysTmmStatTmUsageRatio5s MIB (which is more likely to be monitored by a BIG-IP Administrator).

Workaround:
Refer to utilities such as 'top' to monitor the CPU utilization of TMM hyperthreads.

---

582117 : Configuring TCP/HTTP type iRules together has insufficient validation.

Component: Local Traffic Manager

Symptoms:
The system allows configuration of BigTCP/FastL4 plus HTTP even though iRule validation does not prevent unusable iRules combinations.

For example, the node/pool iRule command typically used for steering in L7 virtual servers do not make sense in a FastL4 environment, as there is no delayed binding and pool/node selection would occur too late.

However the lack of specific validation for this configuration allows you to specify this combination without warning, resulting in a non-functional virtual server. The system allows node/pool commands in CLIENT_DATA or in HTTP_REQUEST, which is simply too late for them to execute correctly.

Conditions:
Configuration of BigTCP/FastL4 plus HTTP in iRules.

Impact:
Results in unusable iRules combinations. Connection will be aborted and dropped, and, depending on the configuration and version, the system might not send a RST.

Workaround:
None.

---

581851-6 : mcpd restarts due to interleaving of messages / folder contexts from primary to secondary blade

Solution Article: K16234725

Component: TMOS

Symptoms:
MCPD on secondary blades restarts with a configuration error.

Conditions:
This issue affects clustered systems only (VIPRION or vCMP guest).

The issue occurs when the system interleaves commands from different contexts. For example, this might occur when one system requests continual persistence records resets, and another requests continual TCP statistics resets.

Impact:
Secondary blades restart services, resulting in performance degradation or failover.

Workaround:
None.

---

580537-3 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager

Symptoms:
The geoip_update_data script will not install a City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

---

575746 : Custom subscriber attributes in upper case cannot be searched via the TMSH.

Component: Policy Enforcement Manager

Symptoms:
Although the system does not prevent you from creating custom subscriber attributes using uppercase characters, they cannot be searched via the TMSH.

Conditions:
Create subscribers with custom attributes in uppercase.

Impact:
Potential limitations to diagnosis or analytics.

Workaround:
Use lowercase for custom subscriber attributes.

---

572554 : iRule object with '{' ,'#', '}' in the same line not properly handled

Component: TMOS

Symptoms:
EM device discovery/device update fails with:

Unexpected end of configuration...

Conditions:
iRule object with special characters in an expression may fail validation if they do not evenly match and are not escaped

Impact:
EM device discovery/device update fails or work but shows error

archive diff feature on EM may fail with error

Workaround:
Escape the '#' with '\#'

---

570281-1 : Cannot modify 'ip-address' attribute of static ARP / NDP entries

Component: Local Traffic Manager

Symptoms:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry results in the following error:
Syntax Error: 'ip-address' may not be specified in the context of the 'modify' command. 'ip-address' may be specified using the following commands: create, list, show

Conditions:
Attempting to modify the 'ip-address' attribute of a static ARP / NDP entry.

Impact:
Note: Starting in 11.6.0, the 'ip-address' attribute of an ARP/NDP record can no longer be modified. This is as-designed functionality. However, the BIG-IQ SCVMM plugin fails to work properly as a result, which might impact some configurations. For example, when the LTM gateway device is running versions later than 11.5.3, it could fail because the syntax that worked in 11.5.3 no longer works in 11.6.0 and later.

Workaround:
None.

---

567490 : db.proxy.__iter__ value is overwritten if it's manually set

Component: TMOS

Symptoms:
When setting the "BIND Forwarder Server List" on the "Configuration : Device : DNS" page, the system stores the values in the sysdb variable db.proxy.__iter__. When changing the value using tmsh or iControl, the db.proxy.__iter__ value is overwritten when subsequently viewing the value in the GUI.

Conditions:
When setting these values in sysdb via tmsh or REST, the values are set, but then upon re-visiting Configuration : Device : DNS in the GUI, the values in the sysdb variable are reset to their former values.

Impact:
BIND Forwarder Server List values do not persist.

Workaround:
Use the GUI to change the BIND Forwarder Server List values.

---

566767 : TMSH allows RAN congestion and BWC to be enabled in the same policy rule.

Component: Policy Enforcement Manager

Symptoms:
BWC actions will be applied while RAN congestion will not be applied.

Conditions:
A subscriber should be assigned a policy that has a rule with both BWC and RAN congestion enabled.

Impact:
RAN congestion will be disabled while BWC will be applied.

Workaround:
Use the GUI for policy rule configuration.

---

565598 : Policies on channel types "Other" and "Shell" may have implications on the remaining channel types as well

Component: Advanced Firewall Manager

Symptoms:
For ssh proxy, if the admin has applied a Disallow or Terminate policy for a specific user or all users for "Other" and "Shell" channel types, it may disallow or terminate the remaining channel types. Currently disallowing “Other” and “Shell” will also block other channel types, namely shell, local and remote port forwarding, x11 forwarding and agent forwarding. For agent forwarding it is dependent on what kind of channel type the user uses with agent forwarding enabled. If it is shell or any forwarding type it will get disallowed, otherwise it will go through.

Conditions:
Disallow or Terminate policy for a specific user or all users for "Other" and "Shell" channel types needs to be applied.

Impact:
Usability is impacted. The admin has to be cautious of unintentionally blocking channel types when disallowing or terminating "Shell" and "Other" channels.

Workaround:
No Workaround.

---

563661-1 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.

---

562921-5 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered unsecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an unsecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

---

562406 : Total pva assisted connection counters are per acceleration.

Component: TMOS

Symptoms:
The total pva assisted connection counter is reported as the total number of times connections being accelerated by hardware. In the case of support dynamic hardware re-offloading, a connection might be offloaded to hardware multiple times, and therefore be counted in multiple time in this way.

Conditions:
Using pva-configured hardware.

Impact:
pva assisted connection counter reports higher-than-expected totals.

Workaround:
None.

---

561805 : HA: Failover during Radius Accounting On/Off bulk deletion not supported

Component: Policy Enforcement Manager

Symptoms:
During a failover, PEM sessions that should be deleted are still enabled on the device that became active.

Conditions:
Failover occurs during bulk deletion of subscriber sessions.

Impact:
When the standby unit becomes active, un-deleted subscriber sessions that remained at the moment of failover will continue to be enabled until they time out.

Workaround:
None.

---

558893 : TMM may fail to forward FTP data connections when multiple PORT/EPRT commands are used in succession referring to the same IP/PORT

Component: Local Traffic Manager

Symptoms:
TMM may fail to forward FTP data connections when PORT/EPRT commands are used in succession referring to the same IP/PORT.

Conditions:
FTP Virtual server configured with an FTP profile that does inherit-parent-profile disabled.
A client to request EPRT and then PORT commands referring to the same IP/PORT.

Impact:
TMM may reset the connection in some cases.

Workaround:
Change the ftp profile to enable the inherit-parent-profile option.

---

557642 : Manually created backend nodes should not be added to a pool that is managed by AWS Auto Scaling Group.

Component: TMOS

Symptoms:
Autoscale pool manager reports at every iteration in /var/log/ltm that it wants to delete a pool member but fails to do so.

Conditions:
Applies only to pool member autoscale in AWS. Happens only if you manually add a backend node to a pool that is managed by AWS Auto Scaling Group.

Impact:
/var/log/ltm is full of error messages. No actual impact on the traffic.

Workaround:
Manually delete the pool member that has been manually added to the pool.

Note: Manually created backend nodes should not be manually added to a pool that is managed by AWS Auto Scaling Group. Autoscale pool manager will detect that the offending pool member was not created by the AWS Auto Scaling Group. It will try to delete the pool member from the pool, an operation that will likely fail. This will be repeated at every iteration of the autoscale pool manager, which fills /var/log/ltm with error messages.

---

550739 : TMSH mv virtual command will cause iRules on the virtual to be dis-associated

Component: TMOS

Symptoms:
After renaming a virtual server that has attached iRules, the resulting virtual server configuration in tmm no longer has the iRules attached. The configuration in mcpd does not match the running configuration in tmm.

Conditions:
Must use the 'mv' command on an ltm virtual with iRules.

Impact:
Configuration is not as expected.

Workaround:
After moving the virtual, remove the iRules on it and re-add them.

---

550706 : Renaming a virtual server will emit unnecessary '01010007:3: Config error: virtual_server_profile bad virtual' error messages in the ltm log.

Component: Local Traffic Manager

Symptoms:
Renaming a virtual server will emit unnecessary error messages in the ltm log: 01010007:3: Config error: virtual_server_profile bad virtual.

Conditions:
Renaming a virtual server.

Impact:
The system emits an unnecessary error messages in the ltm log: 01010007:3: Config error: virtual_server_profile bad virtual. The virtual server is renamed and the configuration is correct. However, these spurious error messages are logged which, in this case, do not indicate a problem.

Workaround:
None.

---

545737 : Incoming INVITE SIP message to Subscriber is dropped when working with Asterix Proxy

Component: Service Provider

Symptoms:
Incoming SIP call from Asterix SIP Server to registered subscriber fails.

Conditions:
This occurs on incoming SIP Call to subscriber registered with Asterix server. The call request goes to Asterix which sends an INVITE to the subscriber through the BIG-IP system.

Impact:
Calls to Asterix SIP subscribers fail when they are behind BIG-IP.

Workaround:
None.

---

543022 : Logging profile with trailing whitespace cannot be associated with VS in GUI

Component: Advanced Firewall Manager

Symptoms:
A security logging profile with trailing whitespace cannot be associated with a Virtual Server from the "Virtual Server > Security" page in GUI.

Conditions:
The user attempts to associate a security logging profile with trailing whitespace with a Virtual Server from the "Virtual Server > Security" page in GUI.

Impact:
An error message occurs ("01020036:3: The requested firewall virtual log profile (/Common/profile name) was not found.").

Workaround:
The logging profile can be associated with the Virtual Server using tmsh. Also, please note that trailing whitespace on a configuration entity is not recommended and the issue can be easily avoided by adhering to entity naming best practices.

---

542327 : Portal rewrite does not properly transform responses generated by BIG-IP as SAML IdP

Component: TMOS

Symptoms:
SAML IdP responses are not properly rewritten through the reverse proxy engine.

Conditions:
BIG-IP as IdP (SAML and Portal Access) with a service provider that is not a BIG-IP system.

Impact:
Although SAML and Portal Access are not supported in this configuration, SAML IdP responses should not be bypassing the Portal Access rewrite engine.

Workaround:
None.

---

542104-3 : In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

Solution Article: K33458192

Component: Local Traffic Manager

Symptoms:
In rare circumstances, it is possible for the TCP timestamps sent by the BIG-IP system to be inconsistent between blades.

TCP monitors may fail because the server fails to respond to the initial TCP SYN.

TCP traffic that utilizes a SNAT may fail because the server fails to respond to the initial TCP SYN.

Conditions:
A server with tcp_tw_recycle enabled.

A multi-blade BIG-IP chassis.

Impact:
Monitor failures or traffic disruption.

Workaround:
After confirming that the time is properly synchronized across the chassis, reboot the chassis.

Alternatively, if your servers do not require tcp_tw_recycle to be enabled, it is recommended that you disable this setting on your servers.

---

536509 : Device groups sharing common folders can cause conflicting folder settings

Component: TMOS

Symptoms:
Syncing a device group can overwrite the folder settings of another device group.

Conditions:
* There are multiple device groups configured (e.g. DG1, DG2, etc.).
* A subfolder is assigned to a different device group than the parent folder (e.g., /PARENT is assigned to DG1 and /PARENT/CHILD is assigned DG2).
* A device is a member of the device group assigned to the subfolder, but not the device group of parent folder (e.g., BIG-IP1 is a member of DG2 but not DG1).
* There is a second device that is in both device groups (e.g., BIG-IP2 in both DG1 and DG2).
* The device syncs configuration in the subfolders device group (e.g., BIG-IP1 makes a change to an object in /PARENT/CHILD and syncs it to peers).

Impact:
The parent folder may lose configuration. In particular, it may no longer be associated with the device group (i.e. /PARENT will no longer be associated with DG1 on BIG-IP2).

Workaround:
The recommendation is create separate partitions for the different device groups and make sure subfolders always inherit the device group and traffic group settings of the parent/partition folder.

---

535717-1 : Password history is not enforced when root, Administrator, or User Manager changes another user's password

Component: TMOS

Symptoms:
When logged in as root, or as a user with Administrator or User Manager role, an attempt to change a user's password will succeed, even if the new password is in password history. (An ordinary user changing their own password will be prevented from making this change.)

Conditions:
password-memory field of auth password-policy set to nonzero value

Impact:
Privileged users might circumvent the password history restriction.

Workaround:
To mitigate this, you should only permit management access to BIG-IP systems over a secure network, and limit shell access to trusted users.

---

534637 : Disabling a renamed pool member removes member from pool.

Component: TMOS

Symptoms:
Disabling a renamed pool member removes member from pool.

Conditions:
Must set db variable mcpd.mvenabled to true.

Impact:
Unpredictable behavior; missing configuration.

Workaround:
Restart mcpd after rename and save.

---

527668 : "Minimize to tray" option doesn't work in IE with latest updates if APM is not in Trusted Sites list

Component: Access Policy Manager

Symptoms:
KB3058515 introduces new security changes in Internet Explorer versions 9, 10, and 11. As a result, it is unable to create a tray icon from a plug-in that running on site that is not in the Trusted Sites list.

Conditions:
The problem occurs under these conditions:
1. KB3058515 is installed.
2. Client machine has Internet Explorer version 9, 10 or 11.
3. APM virtual server is not in Trusted Sites list.

Impact:
Minimize to tray option does not work.

Workaround:
To work around the problem, uninstall KB3058515 or add APM to the Trusted Sites list.

---

527288 : Correct parsing of the "PSC::ip_address" iRule command needs a comma at the end of an IP address list.

Component: Policy Enforcement Manager

Symptoms:
Not adding a comma at the end of the IP address list will result in an iRule command parsing failure.

Conditions:
Use the 'PSC::ip_address' function with a list of IP addresses.

Impact:
iRule failure.

Workaround:
Add a comma to the end of the IP address list.

---

527275 : For correct parsing, a comma is required after the policy name in the 'PSC::policy remove <policy>' iRule command.

Component: Policy Enforcement Manager

Symptoms:
A policy without a comma after it will not be deleted.

Conditions:
Policy without a trailing comma is used in the 'PSC::policy remove <policy>' iRule command.

Impact:
iRule command failure.

Workaround:
Add a comma after the policy name in any use of the 'PSC::policy remove <policy>' iRule command.

---

527119 : Iframe document body could be null after iframe creation in rewritten document.

Component: Access Policy Manager

Symptoms:
End users report being unable to use certain page elements in chrome (such as the Portal Access menu), and it appears that Javascript has not properly initialized.

Conditions:
The body of a dynamically created iframe document could be initialized asynchronously after APM rewriting. The issue is specific to Chrome browser and results in JavaScript errors on the following kind of code:
    iframe.contentDocument.write(html);
    iframe.contentDocument.close();
    <any operation with iframe.contentDocument.body>

One of applications known to contain such code and fail after APM rewriting is TinyMCE editor.

Impact:
Some JavaScript applications might not work correctly when accessed through Portal Access.

Workaround:
Revert rewriting of the document.write call with a post-processing iRule.
The workaround iRule will be unique for each affected application.

---

522590 : DNS Relay proxy service doesn't resolve static hosts in certain conditions

Component: Access Policy Manager

Symptoms:
DNS Relay proxy service does not resolve static hosts if no DNS server is configured at the Network Access resource.

Conditions:
The problem occurs under these conditions:
DNS Relay proxy service is installed on machine;
A DNS server is configured at the Network Access resource;
Full Tunnel mode is used.

Impact:
Static hosts are not resolvable on client.

Workaround:
Specify a bogus DNS server in Network Access resource (for example Virtual Server address).

---

521792 : Missing health monitor information for FQDN members

Component: TMOS

Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.

Conditions:
FQDN nodes or pool members.

Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.

Workaround:
Check logs for this info.

---

517829-1 : BIG-IP system resets client without sending error report when certificate is revoked

Solution Article: K16803

Component: TMOS

Symptoms:
When the BIG-IP system is configured for OCSP authentication, if the OCSP server reports that a certificate has been revoked, client connections are reset without sending SSL error alerts.

Conditions:
BIG-IP system configured for OCSP authentication.

Impact:
Client connections are reset without sending SSL error alerts.

Workaround:
Use the following iRule for the OSCP authentication profile instead of the system-supplied iRule:

when CLIENT_ACCEPTED {
    set tmm_auth_ssl_ocsp_sid 0
    set tmm_auth_ssl_ocsp_done 0
}


when CLIENTSSL_CLIENTCERT {
    if {[SSL::cert count] == 0} {
        return
    }
    set ssl_version [SSL::cipher version]
    set tmm_auth_ssl_ocsp_done 0
    if {$tmm_auth_ssl_ocsp_sid == 0} {
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
        AUTH::subscribe $tmm_auth_ssl_ocsp_sid
    }
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
}


when CLIENTSSL_HANDSHAKE {
    set tmm_auth_ssl_ocsp_done 1
}


when AUTH_RESULT {
    if {[info exists tmm_auth_ssl_ocsp_sid] && ($tmm_auth_ssl_ocsp_sid == [AUTH::last_event_session_id])} {
        set tmm_auth_status [AUTH::status]
        array set tmm_auth_response_data [AUTH::response_data]
        if {$tmm_auth_status == 0} {
            set tmm_auth_ssl_ocsp_done 1
            SSL::handshake resume
        }
        elseif {($tmm_auth_status == 1) && ($tmm_auth_response_data(ocsp:response:status) eq "revoked")} {
            if { $ssl_version equals "TLSv1.2" } { set hex_version "0303" }
            elseif { $ssl_version equals "TLSv1.1" } { set hex_version "0302" }
            elseif { $ssl_version equals "TLSv1.0" } { set hex_version "0301" }
            else { reject }
            set hex_response "15${hex_version}0002022C"
            set bin_response [binary format H* $hex_response]
            TCP::respond "$bin_response"
            TCP::close
        } elseif {($tmm_auth_status != -1) || ($tmm_auth_ssl_ocsp_done == 0)} {
            reject
        }
    }
}

---

495443-9 : ECDH negotiation failures logged as critical errors.

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

---

492369 : vCMP guests fail the image verification check

Solution Article: K33135278

Component: TMOS

Symptoms:
IF BIG-IP image verification is enabled, vCMP guests may report that image verification has failed when you attempt to upgrade, even if you place the .sig file and .iso image on the vCMP guest.

Conditions:
BIG-IP image verification is enabled (sys db liveinstall.checksig value "enable")

vCMP guests exist

New BIG-IP .iso image and .sig file is uploaded to the host and to the guests, and an upgrade is triggered.

Impact:
The software install will fail on the vCMP guests, the software install status will be reported as "failed (Repository must be a file for signature validation ; /tmp/lind_util.CIcASU.)"

Workaround:
To work around this issue, you can disable automatic image verification and do image verification manually before installing.

Impact of workaround: this will have no impact to the system.

To disable automatic image verification, run the following tmsh command:
tmsh modify sys db liveinstall.checksig value "disable"

To manually verify the image, please see K24341140: Verifying BIG-IP software images using .sig and .pem files, available at https://support.f5.com/csp/article/K24341140

---

490139 : Loading iRules from file deletes last few comment lines

Component: Local Traffic Manager

Symptoms:
Loading iRules from the iRules file deletes last few comment lines immediately preceding the closing bracket.

Conditions:
This occurs when loading an iRule file from versions prior to 11.5.1.

Impact:
Although the comments are removed, this does not affect iRule functionality.

Workaround:
Put comments in places other than immediately above the closing bracket.

---

479262 : 'readPowerSupplyRegister error' in LTM log

Component: TMOS

Symptoms:
The 'readPowerSupplyRegister error' is logged in LTM log when DC PSU loses its power.

Conditions:
When a DC powered PSU loses its power, the system logs 'readPowerSupplyRegister error' messages in the LTM log. This occurs because PSU data is not available without power.

Impact:
The 'readPowerSupplyRegister error' messages occur because PSU data is not available without power. When the system is in this state, you can safely ignore these messages.

Workaround:
None. You can safely ignore this error message in this case.

---

475486 : Stats for legacy PVA connection flows are not relevant on ePVA platforms.

Component: TMOS

Symptoms:
The pva.tot_conns and pva.cur_conns in the virtual_server_stat tmstat table are used for stats for legacy PVA platforms with hardware only accelerated connection flows. In the current ePVA based platforms, all accelerated connection flows are counted as 'PVA assisted' flows, and the ePVA related stats are in the tot_pva_assist_conns and the curr_pva_assist_conns columns.

Conditions:
This applies when viewing pva.tot_conns and pva.cur_conns in the virtual_server_stat tmstat table on current ePVA based platforms.

Impact:
Stats for legacy PVA connection flows are not relevant on ePVA platforms, which might result in a bit of confusion when viewing virtual_server_stat table. However, the tmstat tables are not generally relevant for end users.

Workaround:
View tot_pva_assist_conns and curr_pva_assist_conns columns to view ePVA related stats.

---

471237-4 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guests in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

---

469035 : A SecureVault rekey operation may fail if configuration contains a blank password protected by SecureVault

Solution Article: K16559

Component: TMOS

Symptoms:
If the configuration includes encrypted items (for example, an LDAP bind password) that are empty strings, a SecureVault rekey operation fails.

Conditions:
Empty string as encrypted configuration item. This might occur when using the tmsh command 'modify /sys crypto master-key, or during the introduction of a device into a Trust Domain.

Impact:
The rekey operation fails, and the system posts an error similar to the following: with this error: 01071029:5: master_decrypt failed during rekey. This might result in a ConfigSync failure.

Workaround:
Do not use empty strings as passwords. Alternately, remove the problematic configuration object (which may require changing system authentication to a different source), perform the rekey operation, and then recreate the configuration.

---

468238 : Connection reset with client value of "/" in rewrite profile

Component: Access Policy Manager

Symptoms:
When virtual server has rewrite-uri-translation rewrite profile with Client value of / and an Access Policy is also on that virtual server then the connection will reset, reset cause will be "Access encountered an error (Out of memory..."

Conditions:
Connection reset with out of memory.
- Virtual Server
    - Access Policy
    - rewrite-uri-translation rewrite profile
      - URI Rules -> Client value is /

Impact:
- Clients fail to connect to virtual server solution
- FSE's customer POC is failing

Workaround:
Do not use / as a Client value within a URI Rule within a rewrite-uri-translation rewrite profile
Do not specify an Access Policy and a rewrite-uri-translation rewrite profile that has a / as Client value within a URI Rule

---

464650-6 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
Mcpd restarts

Workaround:
None.

---

464048 : Google Docs does not work through Portal Access

Component: TMOS

Symptoms:
User is unable to use Google Docs through Portal Access due to multiple errors both shown by web application itself and in JS console.

Conditions:
Google Docs is accessed through Portal Access.

Impact:
It is impossible to use Google Docs through Portal Access.

Workaround:
This issue has no workaround at this time.

---

462678 : DF flag is not set on the egress fragmented packets

Component: Local Traffic Manager

Symptoms:
In some cases, fragmented ICMP packets are forwarded without their don't-fragment (DF) bit set.

Conditions:
AAM (WOM) is licensed.

Impact:
Unexpected behavior might occur. Specific behavior depends on the configuration.

Workaround:
None.

---

452283-5 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

---

447565-9 : Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Component: Access Policy Manager

Symptoms:
Renewing machine-account password does not update the serviceId for associated ntlm-auth.

Because of this issue, you might see the following symptoms:
-- End users report that they cannot access email.
-- NTLM logons stop working for all users.
-- Log file shows errors similar to the following:
err nlad[12384]: 01620000:3: <0x566d4b90> nlclnt[71601c70a] init: Error [0xc000006d,NT_STATUS_LOGON_FAILURE] connecting to DC.

Conditions:
This occurs when the system has an NTLM machine account configured, but it is not known exactly what triggers the error. It can be triggered if the machine account credentials change, but the symptom might not show up for days since the connection can be reused.

Impact:
End users will be unable to connect.

Workaround:
Correct the problem by running the following command:
bigstart restart eca.

---

440572 : Empty X-WA-Surrogate header in WAM symmetric deployment

Component: WebAccelerator

Symptoms:
In WAM symmetric deployment, the X-WA-Surrogate header is used to communicate OWS lifetime values from the central device to the remote. In some cases, an empty X-WA-Surrogate header may be sent.

Conditions:
Occurs when central originates a 304 response when the original response from OWS does not contain cache-control headers.

Impact:
This occurs only when OWS sends no cache-control headers, so the remote still computes the correct lifetime, making the impact minimal.

Workaround:
None.

---

437260 : Data groups can be deleted even when in use by FIX profile

Component: Service Provider

Symptoms:
A data group can be deleted even while it is referenced by an applied FIX profile.

Conditions:
A data group is referenced by a FIX profile and the data group is deleted.

Impact:
The FIX message receiver will not process messages.

Workaround:
Do not delete a data group that is referenced by a SIP profile. First change the configuration of all FIX profiles, removing any references to the data group, then delete the data group.

---

416412 : Network Access session closed without warning

Component: Access Policy Manager

Symptoms:
A Network Access webtop does not show warning windows about session expiration. A full webtop does not show warnings intermittently.

Conditions:
This occurs on all clients logged in via Network Access

Impact:
When sessions expire, they are closed without prompting or warning.

---

413902-1 : Pre-v11.x and 11.x GTM devices should not share the same sync group★

Component: Global Traffic Manager

Symptoms:
If the sync group is intact and you are doing a rolling upgrade of your sync group from pre-v11.x to v11.x, you will experience flapping of the monitored objects due to the two versions not fully understanding iQuery messages.

Conditions:
This occurs while upgrading systems in a device group, and one or more of the devices are running a version prior to 11.0.0

Impact:
Could cause flapping of object status.

Workaround:
Use live install on volumes to complete upgrades on each system and then switch over all systems to the new v11.x systems at the same time, essentially, eliminating a window where the sync group contains both v11.x and pre-v11.x systems.

---

405352 : NTLM Auth does not work if FQDN to domain controller is set to a invalid domain controller

Component: Access Policy Manager

Symptoms:
If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN.

Conditions:
NTLM auth configured in APM
Invalid domain controller specified, or the domain controller goes down.

Impact:
NTLM auth will stop working.

Workaround:
To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad.

Note: To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.

---

404890 : Java app-tunnel freezes in the Initializing state after clicking Allow Once using IE

Component: Access Policy Manager

Symptoms:
This is a rare issue that happens for Microsoft Internet Explorer (IE) when pop-up screens are set to be blocked by browser.

When you launch a Java app-tunnel for the first time in Internet Explorer, the message 'Allow pop-ups for this site?' is displayed. In rare cases, when you click Allow once, the Java app-tunnel freezes in the Initializing state and cannot be used.

Conditions:
-- Using the IE browser.
-- Launch a Java app-tunnel.
-- In response to the 'Allow pop-ups for this site?' message, click Allow Once.

Impact:
Java app-tunnel freezes in the Initializing state and cannot be used.

Workaround:
To work around the problem, add a virtual server to the allowed sites for pop-ups from Tools :: Internet options in Internet Explorer.

---

402691-1 : The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP

Component: TMOS

Symptoms:
The status information about traffic selectors in IPsec can be displayed with the TMSH command 'show net ipsec', but there is no way to manage the BIG-IP system and gather data using SNMP.

Conditions:
Using SNMP to query the BIG-IP system for IPsec traffic selector status.

Impact:
Use TMSH or customized SNMP solutions.

Workaround:
None.

---

384208 : Crond does not apply timezone changes

Component: TMOS

Symptoms:
When the timezone a BIG-IP is updated crond does not apply the new timezone

Conditions:
Device timezone updated

Impact:
Cron scheduled tasks do not execute at the expected time

Workaround:
Restart the affected device after applying timezone changes

---

381258 : 'with' statement in web applications works wrong in some cases

Component: Access Policy Manager

Symptoms:
Web-application misbehavior (exception, wrong rendering, and so on).

Conditions:
If the JavasScript operator 'with' is used in web-application code and, if after rewriting, 'F5_ScopeChain' is found within the 'with' statement in these contexts:

...F5_Inflate_xxxxx(F5_ScopeChain,...

...F5_Deflate_xxxxx(F5_ScopeChain,...

...F5_Invoke_xxxxx(F5_ScopeChain,...

then there is probability of this issue.

Impact:
Web-application functionality.

Workaround:
As a workaround, an iRule can be used for changing an 'interesting' variable name within the function's body. No general iRule exists. For each case, a custom iRule must be created as workaround.

---

363523 : iRule errors may result in TMM crash.

Component: Local Traffic Manager

Symptoms:
A iRule error precedes a TMM crash. This is an extremely rarely encountered issue.

Conditions:
An iRule contains an error. The error may be anything preventing the iRule from running or completing. Errors include syntax errors or runtime errors in the executing of commands.

Impact:
Traffic is not processed while the TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Fix iRule errors.

---

251162-1 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.

---

222690-2 : The persist none iRule command does not disable cookie persistence for the connection when used with the LB::reselect command.

Solution Article: K10281

Component: Local Traffic Manager

Symptoms:
The persist none iRule command disables persistence for the current connection. If cookie persistence is enabled for a virtual server referencing an iRule, and the LB::reselect command is called after the persist none iRule command, cookie persistence is not disabled for the connection.

Conditions:
For example, the following configuration illustrates the issue:

pool default_pool {
member 10.10.10.4:80 down session disable
}
pool fail_pool {
member 10.10.10.5:80
}
rule fail_rule {
when LB_FAILED {
persist none
LB::reselect pool fail_pool
}
}
virtual vs {
destination 10.10.10.6:80
ip protocol tcp
profile http tcp
persist cookie
pool default_pool
rule fail_rule
}

Impact:
In the example, the initial load balancing attempt to the default_pool pool will fail, since sessions are disabled for the pool member. The LB_FAILED iRule event will execute, which sets the persistence to none. In addition, the LB::reselect command will load balance the connection to the fail_pool pool. The connection to the pool member 10.10.10.5 will succeed, but the BIG-IP LTM will incorrectly place a persistence cookie in the response to the client.

Workaround:
You may be able to work around this issue by using the HTTP::cookie command in the HTTP_RESPONSE event to remove the BIG-IP cookie from the response before it is sent to the client.

For example, the following revised iRule removes the BIG-IP persistence cookie that would be set in the response when the fail_pool was selected:

rule fail_rule_no_cookie_for_you {
when LB_FAILED {
persist none
LB::reselect pool fail_pool
}
when HTTP_RESPONSE {
HTTP::cookie remove BIGipServerfail_pool
}
}

Note: The HTTP_RESPONSE event is triggered after the BIG-IP LTM has added the persistence cookie to the HTTP headers.

Note: The default persistence cookie name is derived from the name of the pool to which the request was sent. For more information about the BIG-IP persistence cookie, refer to SOL6917: Overview of BIG-IP persistence cookie encoding.

The workaround has the added benefit of preserving any persistence information for the original load balancing pool should it again become available. If you want to completely remove the persistence cookie from the client, you can use the HTTP::cookie command in the HTTP_RESPONSE event to set an expired version of the BIG-IP cookie in the response before it is sent to the client.

---

★ This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade