Applies To:

Show Versions Show Versions

Supplemental Document: BIG-IP 14.0.0.1 Fixes and Known Issues

Original Publication Date: 08/30/2018

BIG-IP Release Information

Version: 14.0.0.1
Build: 2.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Known Issues in BIG-IP v14.0.x

Functional Change Fixes

ID Number Severity Solution Article(s) Description
693359-2 1-Blocking   AWS M5 and C5 instance families are supported


TMOS Fixes

ID Number Severity Solution Article(s) Description
721364-1 1-Blocking   Per-App VE BYOL license does not support three wildcard virtual servers
707100-1 2-Critical   Potentially fail to create user in AzureStack
706688-2 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
700086-2 2-Critical   AWS C5/M5 Instances do not support BIG-IP VE
721342-2 3-Major   No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
720961-4 3-Major   Upgrading in Intelligence Community AWS environment may fail
719396-2 3-Major K34339214 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
714303-2 3-Major   X520 virtual functions do not support MAC masquerading
709936-2 3-Major K38121141 Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
707585-2 3-Major   Use native driver for 82599 NICs instead of UNIC
703869-4 3-Major   Waagent updated to 2.2.21

 

Cumulative fix details for BIG-IP v14.0.0.1 that are included in this release

721364-1 : Per-App VE BYOL license does not support three wildcard virtual servers

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) admin cannot create three wildcard virtual servers for Per-App BYOL license. Only one wildcard virtual server is allowed.

Conditions:
Per-App VE with BYOL license.

Impact:
Per-App VE with BYOL license does not work as expected.

Workaround:
There is no workaround at this time.

Fix:
Per-App VE BYOL license now supports three wildcard virtual servers.


721342-2 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.

Component: TMOS

Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.

Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).

Impact:
No options to use various Per-App VE features.

Workaround:
None.

Fix:
There are now offerings for various cloud environments (Azure, Google, AWS). There are two types of Per-App VE LTM and two of Per-App VE WAF images.


720961-4 : Upgrading in Intelligence Community AWS environment may fail

Component: TMOS

Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment you cannot upgrade to 13.1.0.2 (or later) because their license fails to validate afterwards.

Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.

Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.

Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.

Fix:
This release provides improved license validation to address this situation by detecting the IC environment, but allowing prior licenses to function.


719396-2 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.

Solution Article: K34339214

Component: TMOS

Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.

Note: The problem goes away after the first boot.

Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.

Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.

Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient

Fix:
DHCP Client on the BIG-IP system no longer sends 'localhost' as the host-name in DISCOVER packet after first boot.


714303-2 : X520 virtual functions do not support MAC masquerading

Component: TMOS

Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.

Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.

Impact:
MAC masquerading will not function in this environment.

Workaround:
There is no workaround other than not to use MAC masquerading, as conventional failover works for this environment.

Fix:
MAC masquerading is now supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE).


709936-2 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.

Solution Article: K38121141

Component: TMOS

Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).

Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).

Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.

Workaround:
None.

Fix:
Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.


707585-2 : Use native driver for 82599 NICs instead of UNIC

Component: TMOS

Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.

Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.

Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.

Workaround:
In case of UNIC, extra CPUs must be allocated to handle SoftIRQs for higher performance.

Fix:
This release provides a native driver based on F5's physical platforms.


707100-1 : Potentially fail to create user in AzureStack

Component: TMOS

Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.

Conditions:
Azure Stack VE provisioned with password authentication.

Impact:
Admin loses provisioned VE instance because there is no way to ssh in.

Workaround:
Deploy VE with key authentication.

Fix:
Extra handling was added to make user creation work even with unexpected reboots happening during Azure Stack provisioning.


706688-2 : Automatically add additional certificates to BIG-IP system in C2S and IC environments

Component: TMOS

Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The BIG-IP system's failover and autoscale feature use AWS CLI commands. Those AWS CLI commands need to have the $AWS_CA_BUNDLE pointing to the certificate files location and endpoint URL. These must be configured manually.

Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.

-- The BIG-IP system is configured to do failover or autoscale in those environments.

Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.

Workaround:
None.

Fix:
In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url.

To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format:
 
c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443;

Where the syntax explanation is as follows:
1. The string literal : c2s-keys-urls=
2. List of comma separated URLs.
3. A semicolon (;).
4. The string literal : c2s-cert-test-url=
5. A URL which is of following format
    <A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)>
     
Example: ec2.us-iso-east-1.c2s.ic.gov:443;


703869-4 : Waagent updated to 2.2.21

Component: TMOS

Symptoms:
Microsoft updates waagent via an opensource process, but it is not compatible with BIG-IP software, and so cannot be upgraded outside of BIG-IP releases. Without this, Microsoft will not support older releases of BIG-IP systems in their environment.

Conditions:
Using Microsoft Azure.

Impact:
Microsoft does not support the version of waagent shipped as part of BIG-IP software.

Workaround:
None.

Fix:
Waagent was updated to 2.2.21 from Microsoft along with F5 changes for compatibility with BIG-IP software.


700086-2 : AWS C5/M5 Instances do not support BIG-IP VE

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not function on AWS C5/M5 instances.

Conditions:
BIG-IP VE on AWS C5/M5 instances.

Impact:
Cannot use BIG-IP VE on AWS C5/M5 instances.

Workaround:
None.

Fix:
BIG-IP VE now functions on AWS C5/M5 Instances.


693359-2 : AWS M5 and C5 instance families are supported

Component: TMOS

Symptoms:
AWS has announced support for M5 and C5 instance families. No previous BIG-IP Virtual Edition (VE) software supports these new AWS instance families.

Conditions:
Attempting to install pre-v14.0.0.1 VE software on M5 and C5 instance families.

Impact:
The system experiences a kernel panic and might crash.

Workaround:
None.

Fix:
All necessary components are added to support AWS M5 and C5 instance families.

Behavior Change:
No previous BIG-IP Virtual Edition (VE) software supports the newly announced AWS M5 and C5 instance families. Version 14.0.0.1 officially supports the AWS M5 and C5 instance families.



Known Issues in BIG-IP v14.0.x


TMOS Issues

ID Number Severity Solution Article(s) Description
708956-3 1-Blocking   During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
737900-1 2-Critical   mcpd might crash on an unlicensed system
737055-1 2-Critical   Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
734822-2 2-Critical   TMSH improvements
726487-3 2-Critical   VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied
723722-1 2-Critical   MCPD crashes if several thousand files are created between config syncs.
721350-3 2-Critical   The size of the icrd_child process is steadily growing
719597-1 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
717785-4 2-Critical   Interface-cos shows no egress stats for CoS configurations
716391-1 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
715820-3 2-Critical K61422392 vCMP in HA configuration with VIPRION chassis might cause unstable data plane
711683-1 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
708968-1 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
706423-3 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
703669-1 2-Critical   Eventd restarts on NULL pointer access
703045-2 2-Critical   If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.
436674-3 2-Critical K17271 The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values contained in SNMPv3 trap message may be incorrect after the SNMP agent reboot.
740746-1 3-Major   RSA key creation fails for generating key/csr pair when using gen-csr challenge-password
740589-2 3-Major   mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
740517-2 3-Major   Application Editor users are unable to edit HTTPS Monitors via the Web UI
740413-2 3-Major   sod not logging Failover Condition messages
740135-2 3-Major   Traffic Group ha-order list does not load correctly after reset to default configuration
739872-1 3-Major   The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover
739533-5 3-Major   In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config
739118-2 3-Major   Manually modifying a Self IP address in BIG-IP_base.conf file and reloading the configuration results in routing misconfiguration
737901-3 3-Major   Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode
737397-2 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
737346-2 3-Major   After entering username and before password, the logging on user's failure count is incremented.
734846-2 3-Major   Redirection to logon summary page does not occur after session timeout
734836-2 3-Major   Network Map summary counts pool members more than once if they are shared across pools
734527-3 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
727467-2 3-Major   Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.x and later.
727297-2 3-Major   GUI TACACS+ remote server list should accept hostname
726174-2 3-Major   Slow response times when expandSubcollections set to true
725791-5 3-Major   Potential HW/HSB issue detected
722682-3 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load
722380-1 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721020-2 3-Major   Changes to the master key are reverted after full sync
720819-3 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720713-1 3-Major   TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail
720651-1 3-Major   Running Guest Changed to Provisioned Never Stops
720610-1 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
720461-1 3-Major   qkview prompts for password on chassis
720269-1 3-Major   TACACS audit logging may append garbage characters to the end of log strings
720104-2 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
718817-1 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718800-1 3-Major   Cannot set a password to the current value of its encrypted password
718525-2 3-Major   PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
718291-1 3-Major   iHealth upload error doesn't clear
714986-4 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714974-1 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903-3 3-Major   Errors in chmand
714654-1 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
714216-1 3-Major   Folder in a partition may result in load sys config error
713708-6 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712102-1 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
712033-3 3-Major   When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
711249-3 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710976-2 3-Major   Network Map might take a long time to load
710232-1 3-Major   platform-migrate fails when LACP trunks are in use
709559-1 3-Major   LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
709444-1 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192-2 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
708484-1 3-Major   Network Map might take a long time to load
708063 3-Major   In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.
707740-5 3-Major   Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination
707445-4 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
707391-1 3-Major   BGP may keep announcing routes after disabling route health injection
706169-2 3-Major   tmsh memory leak
705651-2 3-Major   Async transaction may ignore polling requests
705037-1 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704804-4 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-3 3-Major   NAS-IP-Address will be sent with the bytes backwards
704449-1 3-Major   Orphaned tmsh processes might eventually lead to an out-of-memory condition
704247-1 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
703090-3 3-Major   With many iApps configured, scriptd may fail to start
701249-3 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700827-3 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
698619-3 3-Major   Disable port bridging on HSB ports for non-vCMP systems
698432-1 3-Major   Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
696731-4 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
684096-3 3-Major   stats self-link might include the oid twice
673018 3-Major   Parsed text violates expected format error encountered while upgrading or loading UCS
671712-3 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
668041-3 3-Major K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
667618-5 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
641450-6 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
606032-4 3-Major   Network Failover-based HA in AWS may fail
486712-4 3-Major   GUI PVA connection maximum statistic is always zero
725612-2 4-Minor   syslog-ng remote destination needs unique name that changes on address change.
723988-1 4-Minor   IKEv1 phase2 key length can be changed during SA negotiation
713932-2 4-Minor   Commands are replicated to PostgreSQL even when not in use.
713134-1 4-Minor   Small tmctl memory leak when viewing stats for snapshot files
708415-3 4-Minor   Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
707631-3 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
707267-2 4-Minor   REST Framework HTTP header limit size increased to 8 KB
704336-5 4-Minor   Updating 3rd party device cert not copied correctly to trusted certificate store
703509-3 4-Minor   Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
689491-2 4-Minor   cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
685582-8 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
648917-2 4-Minor   Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform
394873 4-Minor   Upgrade process does not update Tcl scripts
720669-1 5-Cosmetic   Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
713519-1 5-Cosmetic   Enabling MCP Audit logging does not produce log entry for audit logging change
713491-3 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianess
662725 5-Cosmetic   tmsh kernel default log levels does not match documentation


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
740490 2-Critical   Configuration changes involving HTTP2 or SPDY may leak memory
737758-3 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
737445-1 2-Critical   Use of TCP Verified Accept can disable server-side flow control
726239-5 2-Critical   interruption of traffic handling as sod daemon restarts TMM
724868-3 2-Critical   dynconfd memory usage increases over time
724213-2 2-Critical   Modified ssl_profile monitor param not synced correctly
721571-2 2-Critical   State Mirroring between BIG-IP 12.1.3.* and 13.* systems may cause TMM core on standby system during upgrade
716900-3 2-Critical   TMM core when using MPTCP
716213-5 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
710221-1 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
709828-1 2-Critical   fasthttp can crash with Large Receive Offload enabled
700056-2 2-Critical K05350542 MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
571651-5 2-Critical K66544028 Reset Nitrox3 crypto accelerator queue if it becomes stuck.
431480-6 2-Critical   Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
739963-3 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739638-3 3-Major   BGP failed to connect with neighbor when pool route is used
739379-1 3-Major   Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error
739349-2 3-Major   LRO segments might be erroneously VLAN-tagged.
738523-1 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
738521-3 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
738450-2 3-Major   Parsing pool members as variables with IP tuple syntax
726734-3 3-Major   DAGv2 port lookup stringent may fail
726319-1 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
726232-3 3-Major   iRule drop/discard may crash tmm
723306-2 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722363-3 3-Major   Client fails to connect to server when using PVA offload at Established
721621-3 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
721261-2 3-Major   v12.x Policy rule names containing slashes are not migrated properly
720799-1 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
720440-2 3-Major   Radius monitor marks pool members down after 6 seconds
720293-4 3-Major   HTTP2 IPv4 to IPv6 fails
719600-1 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
718867-1 3-Major   tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades
717346-1 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716716-1 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
715883-1 3-Major   tmm crash due to invalid cookie attribute
715785-1 3-Major   Incorrect encryption error for monitors during sync or upgrade
715756-1 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715750-1 3-Major   The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.
715467-1 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714559-4 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
714503-1 3-Major   When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-1 3-Major   When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714384-2 3-Major   DHCP traffic may not be forwarded when BWC is configured
713951-6 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-1 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response
713585-2 3-Major K31544054 When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
712819-1 3-Major   'HTTP::hsts preload' iRule command cannot be used
712664-1 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
712489-1 3-Major   TMM crashes with message 'bad transition'
711981-6 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
711281-6 3-Major   nitrox_diag may run out of space on /shared
710028-1 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
709963-1 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709837-1 3-Major   Cookie persistence profile may be configured with invalid parameter combination.
709133-1 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132-2 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
708068-1 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707961-1 3-Major   Unable to add policy to virtual server; error = Failed to compile the combined policies
707951-3 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
707691-5 3-Major   BIG-IP handles some pathmtu messages incorrectly
706505-3 3-Major   iRule table lookup command may crash tmm when used in FLOW_INIT
706102-1 3-Major   SMTP monitor does not handle all multi-line banner use cases
704764-1 3-Major   SASP monitor marks members down with non-default route domains
704450-4 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
704381-6 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
702450-2 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
702439-4 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
699598-1 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
698211-4 3-Major K35504512 DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
693244-3 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
688553-4 3-Major   SASP GWM monitor may not mark member UP as expected
686059-3 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
682283-1 3-Major   Malformed HTTP/2 request with invalid Content-Length value is served against RFC
679687-2 3-Major   LTM Policy applied to large number of virtual servers causes mcpd restart
677709 3-Major   pkcs11d daemon can generate a very large number of log messages
674591-4 3-Major K37975308 Packets with payload smaller than MSS are being marked to be TSOed
672410 3-Major   High CPU load when HTTP/2 gateway is configured with source-persistence.
672312-4 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
620053-3 3-Major   Gratuitous ARPs may be transmitted by active unit going offline
602708-5 3-Major K84837413 Traffic may not passthrough CoS by default
473787 3-Major   System might fail to unchunk server response when compression is enabled
722534-2 4-Minor   load sys config merge not supported for iRulesLX
719247-1 4-Minor K10845686 HTTP::path and HTTP::query iRule functions cannot be set to a blank string
716922-1 4-Minor   Reduction in PUSH flags when Nagle Enabled
713533-1 4-Minor   list self-ip with queries does not work
712637-1 4-Minor   Host header persistence not implemented
708249-1 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
699426-4 4-Minor   RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
693901-5 4-Minor   Active FTP data connection may change source port on client-side
688005-1 4-Minor   The maximum-connection count doubles pva traffic counts for virtuals
594064-6 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
739846-2 2-Critical   Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection
737726-1 2-Critical   If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
722741-2 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
739553-2 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
737529-3 3-Major   [GTM] load or save configs removes backslash \ from GTM pool member name
726255-1 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
723792-1 3-Major   GTM regex handling of some escape characters renders it invalid
723288-1 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
723095-3 3-Major   Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
719644-3 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions
715448-3 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
714507-1 3-Major   [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
710246-1 3-Major   DNS-Express was not sending out NOTIFY messages on VE
710032-2 3-Major   'No Access' error when viewing GSLB Server's Virtual Server that has a name indicating a partition that does not exist on that bigip.
688335-6 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
688266-6 3-Major   big3d and big3d_install use different logics to determine which version of big3d is newer
679316-6 3-Major   iQuery connections reset during SSL renegotiation
712335-2 4-Minor   GTMD may intermittently crash under unusual conditions.
699733-1 4-Minor   DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
716788-1 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
606983-1 2-Critical   ASM errors during policy import
740719-1 3-Major   ASM CSP header parser does not honor unsafe-inline attribute within script-src directive
739373 3-Major   ASM restart loop after sync from non-ASM to ASM device
738211-1 3-Major   pabnagd core when centralized learning is turned on
737500-1 3-Major   Apply Policy and Upgrade time degradation when there are previous enforced rules
734228 3-Major   False-positive illegal-length violation can appear
724414-1 3-Major   ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
724032-2 3-Major   Searching Request Log for value containing backslash does not return expected result
722862 3-Major   ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'
721752-3 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
721399-1 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
719459-1 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005-2 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA mitigation
718232-3 3-Major   Some FTP servers may cause false positive for ftp_security
716940-1 3-Major   Traffic Learning screen graphs shows data for the last day only
716324-1 3-Major   CSRF protection fails when the total size of the configured URL list is more than 2 KB
715128-2 3-Major   Simple mode Signature edit does not escape semicolon
713282-2 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362-4 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711818-4 3-Major   Connection might get reset when coming to virtual server with offload iRule
711405-2 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
704643-2 3-Major   Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
687759 3-Major   bd crash
592504-1 3-Major   False positive illegal length violation can appear
722294-1 4-Minor   Reported session ID keeps changing for the same user session when ASM doesn't track sessions
720581-1 4-Minor   Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
726852-1 2-Critical   AVR inject CSPM event when there is no analytics profile on the virtual server
737867-2 3-Major   Scheduled reports are being incorrectly displayed in different partitions
737863-2 3-Major   Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
648242-3 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
739674-2 2-Critical   TMM might core in SWG scenario with per-request policy.
722013-2 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
713820-2 2-Critical   Pass in IP to urldb categorization engine
738397-3 3-Major   SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.
737355-2 3-Major   HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
737064-1 3-Major   ACCESS::session iRule commands may not work in serverside events
734316-1 3-Major   Per-Request Policy may require enabling SSL Forward Proxy Bypass
726616-2 3-Major   TMM crashes when a session is terminated
725867-1 3-Major   ADFS proxy does not fetch configuration for non-floating virtual servers
725840-1 3-Major   Customization group object is not deleted when SAML resource object is deleted
722423-2 3-Major   Analytics agent always resets when Category Lookup is of type custom only
720757-2 3-Major   Without proper licenses Category Lookup always fails with license error in Allow Ending
720030-5 3-Major   Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
713655-1 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
710884-2 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
710044-4 3-Major   Portal Access: same-origin AJAX request may fail in some case.
707953-3 3-Major   Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
706797-2 3-Major   Portal Access: some multibyte characters in JavaScript code may not be handled correctly
706374-5 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704587-3 3-Major K15450552 Authentication with UTF-8 chars in password fails for ActiveSync users
704524-5 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
703984-8 3-Major   Machine Cert agent improperly matches hostname with CN and SAN
701800-1 3-Major   SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
698836-1 3-Major   Increased APM session capacity is not available after installing an APM session count License
660654 3-Major   The APM 'epsec refresh' CLI command works incorrectly if install package is deleted


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
706642-1 2-Critical   wamd may leak memory during configuration changes and cluster events
701977-6 3-Major   Non-URL encoded links to CSS files are not stripped from the response during concatenation


Service Provider Issues

ID Number Severity Solution Article(s) Description
738070-1 3-Major   Persist value for the RADIUS Framed-IP-Address attribute is not correct
727288-2 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
709383-1 3-Major   DIAMETER::persist reset non-functional


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
726090 2-Critical   No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
724532-3 2-Critical   SIG SEGV during IP intelligence category match in TMM
726154-3 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
724679-1 3-Major   Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
720242-1 3-Major   GUI for AFM rules shows protocol value IPENCAP for rules under rule-list
707054-2 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
699531-5 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
726647-4 3-Major   PEM content insertion in a compressed response may truncate some data
726011-3 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
711093-4 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709670-4 3-Major K44067891 iRule triggered from RADIUS occasionally fails to create subscribers.
709610-4 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
676346-1 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
663874-1 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.
648802-4 3-Major   Required custom AVPs are not included in an RAA when reporting an error.
719107-1 4-Minor   Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
734446-1 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
723658-2 2-Critical   TMM core when processing an unexpected remote session DB response.
669645-4 2-Critical K44021449 tmm crashes after LSN pool member change
721579-2 4-Minor   LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
738669-1 3-Major   Login validation may fail for a large request with early server response
737368-2 3-Major   Fingerprint cookie large value may result in tmm core.
719186-1 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318-1 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
739277-2 2-Critical   TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode
714334-2 2-Critical   admd stops responding and generates a core while under stress.
718772-1 3-Major   The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
737379-1 3-Major   URLCAT doesn't work when we have uppercase characters in feedlist
726303-2 3-Major   Unlock 10 million custom db entry limit


Device Management Issues

ID Number Severity Solution Article(s) Description
710809-3 3-Major   Restjavad hangs and causes GUI page timeouts

 

Known Issue details for BIG-IP v14.0.x

740746-1 : RSA key creation fails for generating key/csr pair when using gen-csr challenge-password

Component: TMOS

Symptoms:
Failed to generate RSA key in pair with CSR via TMSH command when using key password options.

Response from create sys crypto key command when using challenge-password option:
Syntax Error: Key creation doesn't support challenge-password option.

Response from create sys crypto key command when using prompt-for-password option:
Syntax Error: Key creation doesn't support prompt-for-password option.

Conditions:
This issue happens while using either of the key password protect options while generating csr and key via tmsh create sys crypto key command.

Impact:
Can not generate password protected RSA key via tmsh command.

Workaround:
There is no workaround.


740719-1 : ASM CSP header parser does not honor unsafe-inline attribute within script-src directive

Component: Application Security Manager

Symptoms:
Browser reports Content-Security-Policy error when ASM modifies the 'Content-Security-Policy' (CSP) header.

Conditions:
1. ASM provisioned.
2. ASM policy attached to a virtual server.
3. CSRF or Ajax blocking page enabled within ASM policy
4. Backend server sends 'Content-Security-Policy' header with 'script-src' 'unsafe-inline' directive.

Impact:
Browser posts 'Content-Security-Policy' error and stops JavaScript execution.

Workaround:
Disable 'Content-Security-Policy' header parsing for ASM policies. To do so, follow these steps:

1. In /usr/share/ts/bin/add_del_internal, run the following command:
add csp_enabled 0

2. Restart ASM by running the following command:
bigstart restart asm


740589-2 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue:
- Remove the remote log server from the configuration.
- Replace the nonexistent local IP addresses with self IP addresses.


740517-2 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the the following, misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https"\


740490 : Configuration changes involving HTTP2 or SPDY may leak memory

Component: Local Traffic Manager

Symptoms:
If virtual servers which have HTTP2 or SPDY profiles are updated, then the TMM may leak memory.

Conditions:
-- A virtual server has a HTTP2 or SPDY profile.
-- Any configuration object attached to that virtual server changes.

Impact:
The TMM leaks memory, and may take longer to execute future configuration changes. If the configuration changes take too long, the TMM may be restarted by SOD.

Workaround:
None.


740413-2 : sod not logging Failover Condition messages

Component: TMOS

Symptoms:
When a failsafe fault occurs, sod does not log a message indicating that the device is unable to become Active.

Conditions:
Failsafe fault.

Impact:
No 'Failover Condition'messages logged in /var/log/ltm.

Workaround:
None.


740135-2 : Traffic Group ha-order list does not load correctly after reset to default configuration

Component: TMOS

Symptoms:
After resetting the BIG-IP configuration to default (i.e., 'tmsh load sys config default'), if a configuration is loaded where the name of the self-device changes, this may cause the self-device to be removed from any traffic group HA Order lists.

Conditions:
-- Must be loading a configuration after resetting to default.
-- Must have at least one traffic group using the 'HA Order' Failover Method.

Impact:
Incorrect HA configuration.

Workaround:
Reload the configuration a second time.


739963-3 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739872-1 : The 'load sys config verify' command can cause HA Group scores to be updated, possibly triggering a failover

Component: TMOS

Symptoms:
Running the 'load sys config verify' command for a configuration that would alter the high availability (HA) Group score for a Traffic Group can cause the HA group score to be updated.

Conditions:
Run 'load sys config verify' with configuration data that affects a Traffic Group's HA Group score.

Impact:
Unintended failover.

Workaround:
None.


739846-2 : Potential Big3D segmentation fault when not enough memory to establish a new iQuery Connection

Component: Global Traffic Manager (DNS)

Symptoms:
When the big3d runs out of memory for iQuery connections, a segmentation fault might occur.

Conditions:
-- Not enough memory to create additional iQuery connections.
-- Receive an new iQuery connection.

Impact:
Segmentation fault and big3d restarts. No statistics collection or auto-discovery while big3d restarts.

Workaround:
None.


739674-2 : TMM might core in SWG scenario with per-request policy.

Component: Access Policy Manager

Symptoms:
TMM can core when Secure Web Gateway (SWG) is configured, and SSL is resumed through per-request policy.

Conditions:
-- SWG is configured.
-- SSL is resumed through per-request policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


739638-3 : BGP failed to connect with neighbor when pool route is used

Component: Local Traffic Manager

Symptoms:
BGP peering fails to be established.

Conditions:
- Dynamic routing enabled.
- BGP peer connect through a pool route or ECMP route.

Impact:
BGP dynamic route paths are not created.

Workaround:
Use a gateway route.


739553-2 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739533-5 : In rare circumstances, config sync may fail to delete files in /config/filestore/.snapshots_d/, filling up /config

Component: TMOS

Symptoms:
If mcpd loses connection with a peer in the middle of a config sync operation when a large file is being transferred, the temporary copy of that file in /config/filestore/.snapshots_d/ might not be deleted. If this happens enough times with large enough files, those temporary files might fill the /config filesystem.

Conditions:
-- A config sync of a large file is happening.
-- The mcp connection between peers is lost.

Impact:
When that happens, the temporary files that should be deleted, might not be. This is not a problem until the issue has occurred many times, leaving many temporary files, at which point /config can run out of space. /config may get to 100% full. Having /config at 100% full might cause config sync to fail, prevent configuration changes, and other issues.

Workaround:
Delete all files in /config/filestore/.snapshots_d that are more than an hour old.


739379-1 : Multi-layered SSL forward proxy deployed within single BIG-IP may trigger random certificate verification error

Component: Local Traffic Manager

Symptoms:
In situation where multiple SSL forward proxies are connected via virtual targeting, the SNI value extracted from ClientHello and saved in 1st layer of SSL forward proxy may get overwritten by the 2nd layer of SSL forward proxy. When this happens, certification verification will fail when 1st layer of SSL forward proxy attempts to validate certificate.

Conditions:
Two SSL forward proxies connected via virtual command in iRule.

Impact:
Client traffic gets random reset.

Workaround:
None.


739373 : ASM restart loop after sync from non-ASM to ASM device

Component: Application Security Manager

Symptoms:
When two or more device are configured with Configuration Management interface in a sync-failover device group: if one of the devices does not have ASM provisioned while another one does, performing a config sync of the sync-failover device group from the non-ASM device will cause the /Common/asm-hidden folder to be deleted along with its content.

The next time ASM is restarted (for any reason) on one of the ASM devices, ASM keeps restarting in a loop. Messages similar to the following appear in /var/log/ltm :
-- err mcpd[6550]: 01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.

Similarly messages similar to the following appear in /var/log/ts/ts_debug.log:
asm|INFO|Jul 30 12:03:02.481|5282|,,01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.

Conditions:
- Two or more devices are connected with a sync-failover device group.
- One device has ASM provisioned, while another device does not have ASM provisioned.
- Performing a sync from the non-ASM device to the ASM device.

Impact:
-- Search Engines are not applied on JavaScript challenges.
-- Upon an ASM restart, ASM restarts in a loop, and the device will remain offline.

Workaround:
Reload the configuration by running the following command:
tmsh save sys config && tmsh load sys config

As an alternative, re-provision ASM by running the following command:
tmsh modify sys provision asm level nominal


739349-2 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>


739277-2 : TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Component: Anomaly Detection Services

Symptoms:
TMM core when the virtual server is deleted during POST data and BADOS standard/aggressive mode

Conditions:
-- The virtual server is deleted during POST data.
-- BADOS configured in standard/aggressive mode.

Impact:
TMM core / traffic does not path through till TMM restarts.

Workaround:
You can work around this issue using either of the following options if you plan to delete a virtual server:

-- First detach the DoS protection profile.
-- Remove BADOS configuration or change BADOS mitigation to Conservative.


739118-2 : Manually modifying a Self IP address in BIG-IP_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
Changing existing Self IP addresses in BIG-IP_base.conf file directly. After uploading changed configuration file, BIG-IP routing service provides out of date Self IP routes information to dependent services.

Conditions:
- Self IP address is configured on BIG-IP.
- Manually change the IP address of Self IP in BIG-IP_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
tmsh table - old route
dynamic routing - old and new routes
kernel table - new route

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Don't change BIG-IP_base.conf file manually. It's not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.

Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed Self IP address, then create a Self IP address with old IP address and delete it as well. Now, all affected routes are removed.


738669-1 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
in case of large request/response, if FPS needs to store ingress and ingress chunks in buffer for additional processing (ingress :: for parameter parsing, egress :: for login validation's banned/mandatory strings check or scripts injection), if the server responds fast enough, the buffer may contain mixed parts of request/response. This may have several effects, from incorrectly performing login-validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system response very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.


738523-1 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.


738521-3 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There is no workaround other than disabling LACP.


738450-2 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.


738397-3 : SAML -IdP-initiated case that has a per-request policy with a logon page in a subroutine fails.

Component: Access Policy Manager

Symptoms:
For a BIG-IP system configured as IdP, in the SAML-IdP-initiated case: If the IdP has a Per-Request policy (in addition to a V1 policy), such that the Per-Request policy has a subroutine or a subroutine macro with a logon page, the system reports access failure on running the policy.

The error logged is similar to the following: '/Common/sso_access:Common:218f759e: Authorization failure: Denied request for SAML resource /Common/saml_resource_obj1&state=000fffff032db022'.

Conditions:
-- BIG-IP system configured as IdP.
-- SAML IdP initiated case in which the following is true:
  + The IdP has a Per-Request policy (in addition to a V1 policy).
  + That Per-Request policy has a subroutine or a subroutine macro with a logon page.

Impact:
Access is denied. The request URI has '&state=<per-flow-id>' appended to the SAML Resource name.

Workaround:
None.


738211-1 : pabnagd core when centralized learning is turned on

Component: Application Security Manager

Symptoms:
pabnagd (the process responsible for automated and manual policy building operations) restarts and generates a core file. This might result in a loss of learning progress.

Note: This is a very rarely occurring issue.

Conditions:
Centralized learning is enabled for a policy.

Impact:
If there are locally learned policies, the system might lose some number of hours of learning progress. How many hours might be lost depends on the version, as follows:

-- For 13.1.0: 24 hours (12 hours, on average).
-- For 14.0.0: 1 hour (1/2 hour, on average).

Workaround:
None.


738070-1 : Persist value for the RADIUS Framed-IP-Address attribute is not correct

Component: Service Provider

Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.

Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).

Impact:
RADIUS requests may not get persisted to the servers they should be.

Workaround:
Use an iRule to persist instead, e.g.:

ltm rule radius-persistence {
    when CLIENT_DATA {
    persist uie [RADIUS::avp 8]
}
}


737901-3 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode

Component: TMOS

Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.

Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.

Impact:
The management MAC address is the same as the Host VLAN MAC address, resulting in the same MAC being used for the VLAN traffic originating from the vCMP Host along with the Host's mgmt Interface traffic, potentially resulting in issues relating to the inability to differentiate traffic to mgmt port or traffic ports.

Workaround:
There is no workaround at this time.


737900-1 : mcpd might crash on an unlicensed system

Component: TMOS

Symptoms:
On an unlicensed system with a built-in iRule attached to a virtual server, mcpd might crash.

Conditions:
-- Unlicensed system (including as a result of the service agreement check date validation treating a license as invalid).
-- At least one built-in, system-supplied iRule is attached to a virtual server.
-- mcpd loads from the config files, such as when having just upgraded.

Impact:
On an unlicensed system, mcpd might crash repeatedly.

Workaround:
Perform the following procedure:

1. Reactivate the license on the system from the command-line, following the instructions in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595.

2. License the system.

Note: Running commands (e.g., tmsh show /sys hardware) on VIPRION systems while mcpd is down might fail or otherwise not work as expected.


737867-2 : Scheduled reports are being incorrectly displayed in different partitions

Component: Application Visibility and Reporting

Symptoms:
Scheduled analytics reports are being displayed in the list regardless of selected partition. However, you can only open reports belonging to the selected partition, even if they belong to 'Common'.

Conditions:
System configured with multiple partitions.

Impact:
It makes it difficult to modify reports from different partitions.

Workaround:
Switch to the report's partition before editing it.


737863-2 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms

Component: Application Visibility and Reporting

Symptoms:
On multi-blade systems, when you navigates to System :: Logs : Captured Transactions, click on Expand Advanced Filters, choose something, and click Update, the GUI reports a 'Could not get captured events' message.

Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.

Impact:
The Captured Transactions filter does not work.

Workaround:
None.


737758-3 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.


737726-1 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.

Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.

Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.

There are temporary addresses created on the loopback address to facilitate communication between the zrd and named processes. When named is restarted, these temporary address are inadvertently removed.

Workaround:
Restart the zrd process using the following command:
bigstart restart zrd


737529-3 : [GTM] load or save configs removes backslash \ from GTM pool member name

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load, and posts an error similar to the following:

Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers

Conditions:
GTM server virtual server name contains a backslash (\) character.

Impact:
GTM config fails to load.

Workaround:
Edit bigip_gtm.conf manually and add the \ character.

Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config, and you or the system saves it.
-- cpcfg operation.
-- Upgrade the system.


737500-1 : Apply Policy and Upgrade time degradation when there are previous enforced rules

Component: Application Security Manager

Symptoms:
When there are previously enforced rules present in the system, the time to apply changes made to a policy, and the time to upgrade the configuration to a new version suffers.

Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.

Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, suffers from a inefficiently performing query related to the existence of previously enforced rules.

Workaround:
There is no workaround at this time.


737445-1 : Use of TCP Verified Accept can disable server-side flow control

Component: Local Traffic Manager

Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.

Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.

Impact:
Excessive memory usage.

Workaround:
There is no workaround other than disabling Verified Accept.


737397-2 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP

Component: TMOS

Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.

Conditions:
When the user is in Certificate Manager role.

Impact:
Unable to backup certificates or keys.

Workaround:
The user in Certificate Manager role is still be able to export the key and see its PEM string. So you can manually create an archive file by copying the PEM string into a file.


737379-1 : URLCAT doesn't work when we have uppercase characters in feedlist

Component: Traffic Classification Engine

Symptoms:
A URL does not get classified when there are uppercase characters in the feedlist.

Conditions:
Using uppercase characters in the feedlist.

Impact:
URL is not classified as expected.

Workaround:
There is no workaround at this time.


737368-2 : Fingerprint cookie large value may result in tmm core.

Component: Fraud Protection Services

Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.

Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.

Impact:
Memory overrun, tmm core in some cases.

Workaround:
N/A


737355-2 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.

Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.

Workaround:
None.


737346-2 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed the lockout threshold, locking the user out.

Workaround:
None.


737064-1 : ACCESS::session iRule commands may not work in serverside events

Component: Access Policy Manager

Symptoms:
-- 'ACCESS::session sid' will returns empty.
-- 'ACCESS::session data get <varname>' returns empty.

Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.

Impact:
iRules may not work as expected.

Workaround:
There is no workaround at this time.


737055-1 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot login to the Configuration Utility. Instead the system presents a blank page, as the Reverse Proxy IP/hostname is in the Referer header instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to login to the Configuration Utility.

Workaround:
Configure their Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.


734846-2 : Redirection to logon summary page does not occur after session timeout

Component: TMOS

Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.

Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true

-- The BIG-IP Administrator users' session automatically times out.

Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page

Workaround:
Manually navigate to the logon summary page.


734836-2 : Network Map summary counts pool members more than once if they are shared across pools

Component: TMOS

Symptoms:
On the page at Local Traffic :: Network Map, in the summary view, the total number of pool members shows a larger number if there are pool members referenced by multiple pools.

Conditions:
-- Network Map summary view.
-- Pool members referenced by multiple pools.

Impact:
The number of pools value is higher than the actual number of pools because of how the system tracks a single pool member referenced in multiple pools.

Workaround:
There is no workaround at this time.


734822-2 : TMSH improvements

Component: TMOS

Symptoms:
Under certain conditions TMSH usage, including via iControl, may lead to excessive resource consumption.

Conditions:
Authorized users making queries or updates via TMSH or iControl

Impact:
Excessive resource consumption, potentially leading to a failover event.

Workaround:
None.


734527-3 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
BGP neighbor using peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, peer-group defaults to disable. Because there is no config statement to enable 'capability graceful-restart' after restart, it gets turned off after config load, which also turns it off for any BGP neighbor using it.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.


734446-1 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.


734316-1 : Per-Request Policy may require enabling SSL Forward Proxy Bypass

Component: Access Policy Manager

Symptoms:
For some SSL/TLS traffic, the per-request policy does not complete, leading to hanging connections and/or connection resets.

Conditions:
Reproducible with any forward proxy configuration involving per-request policies. This includes Secure Web Gateway (SWG) and SSL Orchestrator (SSLO).

To reproduce, the SSL Forward Proxy Bypass feature must be disabled in the client and server SSL profiles. This is equivalent to 'always intercept'.

Impact:
Policy execution may stall. Clients may experience hanging connections and/or connection resets.

Workaround:
Perform the following procedure:
1. Enable the SSL Forward Proxy Bypass feature in the client and server SSL profiles.
2. Set the default action to 'Intercept'.


734228 : False-positive illegal-length violation can appear

Component: Application Security Manager

Symptoms:
A false-positive illegal-length violation.

Conditions:
A chunked request where the request length is more than half of the configured max-request length.

Impact:
False-positive illegal-length violation.

Workaround:
Configure a higher max request length violation.


727467-2 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.x and later.

Component: TMOS

Symptoms:
- CPU core 0 can be seen utilizing 100% CPU.
- Other even cores may show a 40% increase in CPU usage.
- Pool monitors are seen flapping in /var/log/ltm.

Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a post 13.1.0 release.
-- Device is an iSeries device (i5600 or later).

*This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.

Impact:
- High CPU usage.
- Traffic disruption.

Workaround:
Minimize impact on affected active devices by keeping the upgraded 13.1.x unit offline as long as possible before going directly to Active. For example, on the unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.7
-- Unit comes back up on 13.1.0.7 as 'Forced Offline and does not communicate with the active 12.1.3 at all
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.7.
-- Run the following command on the unit running 13.1.0.7: tmsh run sys failover online. This unit goes directly to Active and takes over traffic.

At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.


727297-2 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.


727288-2 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC

Component: Service Provider

Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.

Conditions:
Diameter Message Routing Framework (MRF) in use

Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).

Workaround:
Use an DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end server ID.


726852-1 : AVR inject CSPM event when there is no analytics profile on the virtual server

Component: Application Visibility and Reporting

Symptoms:
When there is a request for page load time in the analytics profile, and changes to the configuration remove the analytics profile, AVR will continue to inject the Client Side Performance Monitoring (CSPM) cookie.

Conditions:
-- Request for page-load-time statistic.
-- The analytics profile has been removed from the virtual server.

Impact:
Page-load-time cookie is injected when it should not be.

Workaround:
Uncheck the page-load-time checkbox before removing the profile from the virtual server.


726734-3 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.


726647-4 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.


726616-2 : TMM crashes when a session is terminated

Component: Access Policy Manager

Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:

-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.

-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.

Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.

Workaround:
There is no workaround at this time.


726487-3 : VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied

Component: TMOS

Symptoms:
MCPD on secondary blade of VIPRION exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Conditions:
-- VIPRION platform.
-- Non-primary blade.
-- Modified default route domain for a partition.
-- Deleting and creating pool members during configuration save from a different client.

Impact:
Failovers and traffic degradation while blade restarts.

Workaround:
There is no workaround other than not to delete/create pool members from a different client while saving configuration changes in another client.


726319-1 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses

Component: Local Traffic Manager

Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.

This may occur intermittently depending on timing conditions.

Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.

Workaround:
None.


726303-2 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.


726255-1 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple tmm's in sync group
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.


726239-5 : interruption of traffic handling as sod daemon restarts TMM

Component: Local Traffic Manager

Symptoms:
When the receiving host in a TCP connection has set its send window to zero (stopping the flow of data), following certain unusual protocol sequences, the logic in the TMM that persists in probing the zero window may enter an endless loop.

Conditions:
When the TCP implementation is probing a zero-window connection under control of a persist timer.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.


726232-3 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


726174-2 : Slow response times when expandSubcollections set to true

Component: TMOS

Symptoms:
A query for virtual servers with expandSubcollections set to true may exhibit slow response to the caller.

Conditions:
-- icrd logging enabled.
-- Using the 'expandSubcollections=true' option in the REST query.

Impact:
Slow response times may impact usability, and the query may time out.

Workaround:
A refined query for specific entities may improve the performance time.


726154-3 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server with the same name as a route-domains.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.


726090 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.

Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.

Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.

Workaround:
There is no workaround at this time.


726011-3 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


725867-1 : ADFS proxy does not fetch configuration for non-floating virtual servers

Component: Access Policy Manager

Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).

Conditions:
-- Virtual address of virtual server has non-floating traffic group.

-- ADFS proxy feature is enabled on the virtual server.

Impact:
All the requests to ADFS are blocked.

Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).


725840-1 : Customization group object is not deleted when SAML resource object is deleted

Component: Access Policy Manager

Symptoms:
Customization group object for the corresponding SAMLResource object is in the configuration store, even after SAMLResource is deleted in GUI/TMSH.

Conditions:
-- Customization Object is in the configuration store.
-- Delete the SAMLResource.

Impact:
There is no functional impact, but additional configuration objects exist in the configuration store.

Workaround:
Delete the customization group object manually in TMSH.

The BIG-IP system administrator can delete those customization groups if the corresponding SAML resources are deleted or do not exist in the configuration.

The command 'list apm policy customization-group' lists all the customization groups. The SAML-specific customization groups end with '_resource_saml_customization' and are prefixed with the SAML resource name (SAML resource name concatenated with literal 'resource_saml_customization').


725791-5 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it won't trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.


725612-2 : syslog-ng remote destination needs unique name that changes on address change.

Component: TMOS

Symptoms:
Changing syslog server IP address requires syslog-ng restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.

Conditions:
1. Add Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.

Impact:
Syslog messages still go out toward Server A.

Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng

Messages now properly go out toward Server B (the new IP address).


724868-3 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of memory usage increase.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoids the growth affecting the system.


724679-1 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack

Component: Advanced Firewall Manager

Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.

Conditions:
This occurs when the system detects a BadEndpoint attack.

Impact:
The system might log messages related to IP addresses that are not part of the attack. These IP addresses are not part of the attack and may be ignored.

Workaround:
None.


724532-3 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.


724414-1 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled

Component: Application Security Manager

Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.

Conditions:
ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).

Impact:
ASM may reset connections; failover might occur.

Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.

-- Disable parse parameters flag in the json profile.


724213-2 : Modified ssl_profile monitor param not synced correctly

Component: Local Traffic Manager

Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device within a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.

Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- in-tmm monitor is enabled (for more information on in-tmm monitoring see K11323537: Configuring In-TMM monitoring at https://support.f5.com/csp/article/K11323537)
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.

Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.

Workaround:
Do not run HTTPS monitors using in-tmm monitors, and instead use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).

Note: Using these attributes will generate deprecation warnings, but the configuration should still take effect.


724032-2 : Searching Request Log for value containing backslash does not return expected result

Component: Application Security Manager

Symptoms:
Searching within Request Log for a value containing backslash does not return the expected result. This happens because escaping of backslashes in REST API access is handled differently with 'eq' and 'contains' filters.

Conditions:
Searching within Request Log for a value containing backslash.

Impact:
Search within Request Log record containing backslash does not return the expected result.

Workaround:
Backslashes in REST API requests should be doubled when searching using 'contains' filter, but must not be doubled when searching with 'eq' filter.


723988-1 : IKEv1 phase2 key length can be changed during SA negotiation

Component: TMOS

Symptoms:
Using IKEv1, if phase2 key length does not agree on both sides, a responder accepts whatever the initiator proposes as key length, but only after an initiator is authenticated. This results in key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.

Conditions:
The value of the ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm, but differ in key length. For example, if the initiator picks AES128 when the responder expects AES256.

Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.

Workaround:
No workaround is known at this time.


723792-1 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}


723722-1 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand (typically 20,000, but number varies by platform) files, for example SSL certificates or keys, are created between config syncs, the next config sync operation will take too long and mcpd will be killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.


723658-2 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


723306-2 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.


723288-1 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


723095-3 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

Impact:
Unable to add pool members quickly to all pools of the same type.

Workaround:
There is no workaround at this time.


722862 : ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'

Component: Application Security Manager

Symptoms:
When an APM end-user gets the ASM CAPTCHA page, types the correct CAPTCHA letters and presses the 'Enter' key, rather than clicking the Submit button. The CAPTCHA letters are sent to the BIG-IP system along with other request parameters, these additional parameters are forwarded to the backend server incorrectly as non-url-encoded, they should be url-encoded.

Conditions:
This occurs when the following conditions are met:
-- ASM provisioned.
-- DoS application or ASM policy attached to a virtual server.
-- DoS application or ASM policy has CAPTCHA enabled.
-- User submits the CAPTCHA form using the 'Enter' key.

Impact:
Application receives unexpected content, which might cause the backend server's application business logic to not work as expected.

Workaround:
Disable CAPTCHA within the DoS application or ASM policy.


722741-2 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722682-3 : Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade.

Conditions:
1. GTM pool member has colon in the name.
2. Upgrade to versions that has fix for ID 615222.

Impact:
Configuration load fails.

Workaround:
Add "\\" before the first ":" after upgrade.


722534-2 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


722423-2 : Analytics agent always resets when Category Lookup is of type custom only

Component: Access Policy Manager

Symptoms:
Analytics errors out with a log that says you cannot use custom lookup only along with analytics (/var/log/apm). Even if the Analytics agent is set to disable RST on failure, the agent will send a RST.

Conditions:
In the per-request policy, Category Lookup agent is set to custom lookup only.

Impact:
This configuration leads to an Analytics agent with 'RST on Failure' disabled. The BIG-IP Admin cannot make the choice to disable RST on failure for this particular setup (even though it is a misconfiguration).

Workaround:
You can avoid the RST and error by modifying the configuration to use a standard category lookup before the analytics agent.

Using a custom-only 'Category Lookup' immediately followed by 'Response Analytics' is not a valid configuration. In this configuration, Analytics cannot run the way it is supposed to because it does not have the right information. 'Response Analytics' gives the option to choose what to do on error: RST, or continue on, implying that the non-RST option is valid. If the admin chooses to not reset, the system should log the error and continue. In this case, the system actually does send a RST, even though the RST is not what the BIG-IP admin intended to configure.


722380-1 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
None.


722363-3 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.


722294-1 : Reported session ID keeps changing for the same user session when ASM doesn't track sessions

Component: Application Security Manager

Symptoms:
A reported session ID is not maintained for the same user session.

Conditions:
-- Simple, feature-less policy (i.e., policy contains only attack signatures).

-- There are no cookies coming in from the server.

Impact:
The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.

Workaround:
Turn on a cookie-related feature (such as session tracking).


722013-2 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.


721752-3 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;


721621-3 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note. This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.


721579-2 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.


721571-2 : State Mirroring between BIG-IP 12.1.3.* and 13.* systems may cause TMM core on standby system during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v12.1.3.x, and the standby system is running v13.x, e.g., as a result of an in-progress upgrade.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To workaround this issue, disable State Mirroring prior to upgrading, and re-enable it once both devices are running v13.x, or complete the upgrade of both devices to v13.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config


Important: This action results in connection state loss on failover.


2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.

Note: F5 recommends that BIG-IP systems run with the same software version on all devices.


721399-1 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').


721350-3 : The size of the icrd_child process is steadily growing

Component: TMOS

Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.

Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.

GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.

ltm pool p-http { }
ltm virtual novel-1000 {
...
    pool p-http
    profiles {
        analytics { }
        http { }
        tcp { }
    }
....
}


# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss

On subsequent GET requests the rss size continues to increase.

Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.

Workaround:
There is no workaround.


721261-2 : v12.x Policy rule names containing slashes are not migrated properly

Component: Local Traffic Manager

Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM polices that have rules containing the slash character will not migrate properly, and roll-forward migration will fail.

Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.

Impact:
Roll-forward migration fails with the error: illegal characters in rule name.

Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).

Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.


721020-2 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720819-3 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of a HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks-up due to a different issue.

Impact:
Traffic will be negatively impacted until the BIG-IP system detects and remedies the condition.

Workaround:
None.


720799-1 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node in which the pool members belong, returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.


720757-2 : Without proper licenses Category Lookup always fails with license error in Allow Ending

Component: Access Policy Manager

Symptoms:
When a per-request policy's Category Lookup agent queries Standard Categories with an expired SWG/URLF license (and has 'RST on failure' disabled), the execution always ends with the following log messages:

Error: Global concurrent url filter session limit reached

The connection is aborted.

Conditions:
Category Lookup agent set to query the urldb engine (standard categories) with either no SWG/URLF license or an expired license.

Impact:
Even if 'RST on failure' is disabled, traffic cannot reach the allow ending successfully.

Workaround:
Remove the Category Lookup with standard category lookup from the per-request policy if the licenses do not allow for its use.


720713-1 : TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When a i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- i10600/i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
None.


720669-1 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.

Component: TMOS

Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.

Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).

Impact:
None. The issue is cosmetic and has no effect on traffic.

Workaround:
None.


720651-1 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest status to provisioned the guest remains running showing a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.


720610-1 : Updatecheck logs bogus 'Update Server unavailable' on every run

Component: TMOS

Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading messages in the log file, implying that the update server is not available.

Workaround:
None.


720581-1 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Policy that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.


720461-1 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

        $date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;


720440-2 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.


720293-4 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.


720269-1 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.


720242-1 : GUI for AFM rules shows protocol value IPENCAP for rules under rule-list

Component: Advanced Firewall Manager

Symptoms:
When a user tries to set the protocol field to 'IPv4', it is displayed as IPENCAP after saving. This happens only for rules under RuleList.

Conditions:
This occurs only for rules under RuleList.

Impact:
Protocol value is displayed as 'IPENCAP' as opposed to 'IPv4'.

Workaround:
Use tmsh to see the actual value.


720104-2 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.


720030-5 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests are generated without enabling EDNS0. Without this, internal DNS server (dnscached) truncates the UDP response if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in a lot of TIME_WAIT connections on the socket using dnscached.

Conditions:
APM end users using Kerberos SSO to access backend resources.

Impact:
Ability to create new DNS requests is affected, if there are numerous sockets in TIME_WAIT. This can result in scalability issues.

Workaround:
For BIG-IP software v12.x and later,

Edit the /etc/resolv.conf file to add an EDNS0 option.

There is no workaround if you are running a version earlier than 12.x.


719644-3 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration has virtual server names containing period (.), a GTM configuration with auto-discovery enabled is upgraded from v11.5.x to a later version might lose consistency.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.


719600-1 : TCP::collect iRule with L7 policy present may result in connection reset

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.

Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.

Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.

Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.


719597-1 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.

Impact:
Fail to form HA connection.

Workaround:
There is no workaround other than installing the same software on both blades.


719459-1 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled

Component: Application Security Manager

Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.

Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.

Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.

Workaround:
Add the incorrect suggestions to the 'ignore' list.


719247-1 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string

Solution Article: K10845686

Component: Local Traffic Manager

Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.

Conditions:
In an iRule where the argument is a blank string:
  HTTP::path ""
  HTTP::query ""

Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
   -- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>

Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]

To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]


719186-1 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts

Component: Fraud Protection Services

Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.

Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.

Impact:
False-positive 'missing strong integrity parameter' alert.

Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert:

(set the static::drop_alert variable, probably matching URL name and checking that Content-Type header starts with 'multipart/form-data')

when ANTIFRAUD_ALERT {
    if {$static::drop_alert eq 1 &&
            [ANTIFRAUD::alert_type] eq "vtoken" &&
            [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}


719107-1 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.

Component: Policy Enforcement Manager

Symptoms:
If versions earlier than v13.1.0 have Subscriber Management diameter protocol message type CCA-T, their message type is not displayed on the command-line interface (CLI) and is incorrectly displayed as CCR-I in the GUI when upgraded to later versions.

Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.

Impact:
incorrectly displayed as CCR-I in the GUI.

Note: This configuration has no effect.

Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.


719005-2 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation

Component: Application Security Manager

Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).

Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.

Impact:
Login request fails.

Workaround:
None.


718867-1 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.


718817-1 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.

Component: TMOS

Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.

There are log entries in /var/log/liveinstall.log:

-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.

Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.

Impact:
Software installation fails.

Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"

-- Retry the installation until it succeeds.


718800-1 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
Difficult to recover from this situation because trying to simply change the password to the correct value doesnot work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.


718772-1 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)

Component: Anomaly Detection Services

Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).

Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.

Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).

Workaround:
There is no workaround.


718525-2 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting

Component: TMOS

Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:

warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"

(The object type may be something other than 'vlan_pkey'.)

Conditions:
This occurs when you remove the mcpd binary database and reboot the system.

Impact:
The configuration does not load until 'bigstart restart' is executed.

Workaround:
None.


718291-1 : iHealth upload error doesn't clear

Component: TMOS

Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.

Conditions:
Setting an invalid hostname for db variable proxy.host.

Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.

Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"


718232-3 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might get rejected after a lower number of failed logins than is configured for 'Maximum Username Login Retries'. BIG-IP system posts the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The server sends unexpected ingresses that are rejected.
-- There is a value specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.


717785-4 : Interface-cos shows no egress stats for CoS configurations

Component: TMOS

Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.

Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.

Impact:
Egress packet statistics reported per CoS queue shows no counts.

Workaround:
None.


717346-1 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


716940-1 : Traffic Learning screen graphs shows data for the last day only

Component: Application Security Manager

Symptoms:
Traffic Learning screen graphs shows data for the last day only.

Conditions:
Visit Learning screen 1 hour after policy creation.

Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.

Workaround:
There is no workaround.


716922-1 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Mote: To take advantage of some of the Nagle benefits, use 'Auto'.


716900-3 : TMM core when using MPTCP

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.


716788-1 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.


716716-1 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.


716391-1 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores.
-- A module using MySQL is provisioned.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


716324-1 : CSRF protection fails when the total size of the configured URL list is more than 2 KB

Component: Application Security Manager

Symptoms:
When the cross-site request forgery (CSRF) protection URL list is of a total size that is greater than 2 KB. As a result, CSRF injection fails.

Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.

Impact:
CSRF false-positive violation.

Workaround:
Use wildcards to minimize total CSRF URL size.


716318-1 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.


716213-5 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm exhibits a TCP reset issued by the BIG-IP system. The TCP capture informs that the issue is due to an out-of-bounds error that occurs when traffic gets parsed by the SSL Persistence Parser (SSID).

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.


715883-1 : tmm crash due to invalid cookie attribute

Component: Local Traffic Manager

Symptoms:
tmm crash due to invalid request-side cookie attribute.

Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).

Impact:
TMM cored. Traffic disrupted while tmm restarts.

Workaround:
None.


715820-3 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane

Solution Article: K61422392

Component: TMOS

Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) with VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:

-- CDP: exceeded 1/2 timeout for PG 3

Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.

Impact:
Unstable data plane might cause traffic disruption/packet drops.

Workaround:
None.


715785-1 : Incorrect encryption error for monitors during sync or upgrade

Component: Local Traffic Manager

Symptoms:
The system logs an error message similar to the following in /var/log/ltm:

err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.

This may cause a configuration sync to fail, or an upgrade to fail.

Conditions:
The exact conditions are unknown, however it may occur under these circumstances:

-- Performing a config sync operation.
-- Performing an upgrade.

Impact:
Inability to sync peer devices, or an inability to upgrade.

Workaround:
There is no workaround at this time.


715756-1 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS functional operation are mounted read-only, clusterd on that blade should trigger a primary election if it was primary. Either way, the cluster should be informed of this critical error state.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.


715750-1 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.


715467-1 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.


715448-3 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.


715128-2 : Simple mode Signature edit does not escape semicolon

Component: Application Security Manager

Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.

Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.

Impact:
The signature cannot be created.

Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".


714986-4 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1


714974-1 : Platform-migrate of UCS containing QinQ fails on VE

Component: TMOS

Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.

Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.

Impact:
The UCS load will fail and generate an error:

01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.

Workaround:
None.


714903-3 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.


714654-1 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.


714559-4 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}


714507-1 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1


714503-1 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.


714495-1 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.


714384-2 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.


714334-2 : admd stops responding and generates a core while under stress.

Component: Anomaly Detection Services

Symptoms:
admd stops responding and generates a core while under stress.

Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.

Impact:
admd core and restart.

Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
None.


714216-1 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.


713951-6 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


713934-1 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result malformed TC response

Component: Local Traffic Manager

Symptoms:
Received malformed Truncated DNS response.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than 4096 UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.


713932-2 : Commands are replicated to PostgreSQL even when not in use.

Component: TMOS

Symptoms:
In MCP, PostgreSQL is used only by AFM. Even when AFM is not provisioned, commands are being replicated to PostgreSQL.

Conditions:
AFM is not provisioned.

Impact:
Unnecessary CPU cycles spent by MCP replicating commands to PostgreSQL.


713820-2 : Pass in IP to urldb categorization engine

Component: Access Policy Manager

Symptoms:
Category lookup results might be less accurate. In some cases, the system returns 'uncategorized' when the reference (Forcepoint) returns a specific category.

Conditions:
Category Lookup agent is in per-request policy using the categorization engine to lookup up a website's classification.

Impact:
Actions leveraging categorization results will be applied incorrectly.

Workaround:
None.


713708-6 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.


713655-1 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.


713585-2 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load could be very long and CPU usage very high.

Conditions:
There are many iRule and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load and may cause system lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax", this causes iRule validation to check iRule syntax only; the semantic checks will not be performed.


713533-1 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
list net self always returns all Self IPs

Impact:
You are unable to filter the Self IP list using a regex pattern.


713519-1 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.


713491-3 : IKEv1 logging shows spi of deleted SA with opposite endianess

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.


713282-2 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.


713134-1 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.


712819-1 : 'HTTP::hsts preload' iRule command cannot be used

Component: Local Traffic Manager

Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].

The message is incorrect: the command has the correct format. However, the system does not run it.

Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.

Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.

Workaround:
None.


712664-1 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
As a result of a known issue IPv6 NS may be dropped if corresponds for host on remote VLAN of transparent vlangroup and matches a Virtual address with disabled ARP setting

Conditions:
- transparent vlan-group
 - Virtual Address with ARP disabled
 - Virtual Address corresponds to remote IPv6 host address

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.


712637-1 : Host header persistence not implemented

Component: Local Traffic Manager

Symptoms:
Online documentation describes a persistence mechanism which uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generates an error.

Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.

Impact:
Although this does not impact any existing functionality, the documented function is not available.

Workaround:
There is no workaround at this time.


712489-1 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


712362-4 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the WebSocket HTTP handshake response comes without 'Switching Protocols' reason phrase at the first line, the ASM does not follow up WebSocket frames on the WebSocket's connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stalls.

Workaround:
#1 Change the backend server:
Change WebSocket backend server to return 101 response to include the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an irRule:
when SERVER_CONNECTED {
    TCP::collect 15
}
when SERVER_DATA {
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
}


712335-2 : GTMD may intermittently crash under unusual conditions.

Component: Global Traffic Manager (DNS)

Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.

Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.

Impact:
GTMD restarts.

Workaround:
There is no workaround at this time.


712102-1 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row

Solution Article: K11430165

Component: TMOS

Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.

Conditions:
Customizing or changing the HTTP Profile's IPv6 field.

Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.

Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.


712033-3 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to association list in /stats you get a duplicate name in the selfLink after members in both the entries and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.


711981-6 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead to the BIG-IP system to falsely assume an egress MTU on the related flow to be larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
BIG-IP sends larger-than-configured interface egress MTU messages.

Workaround:
None.


711818-4 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.


711683-1 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.


711405-2 : ASM GUI Fails to Display Policy List After Upgrade

Solution Article: K14770331

Component: Application Security Manager

Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.

Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.

Impact:
ASM GUI starting using the REST API from version 13.1.0, so any systems that have been affected by this issue on a previous version now cause the GUI to fail to display the Policy List.

Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
 $dbh->begin_work();
 $dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
 F5::Utils::Rest::populate_uuids(dbh => $dbh);
 $dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.


711281-6 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte. Though more might be needed for systems with a large amount of RAM.


711249-3 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work as it has invalid/unrecognized source NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.


711093-4 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.


710976-2 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


710884-2 : Portal Access might omit some valid cookies when rewriting HTTP request.

Component: Access Policy Manager

Symptoms:
Portal Access is not sending certain cookies to the backend application.

Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).

Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.

Workaround:
There is no workaround at this time.


710809-3 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad


710246-1 : DNS-Express was not sending out NOTIFY messages on VE

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Express is not sending out NOTIFY messages on Virtual Editions.

Conditions:
DNS Express configured to send out NOTIFY messages.

Impact:
DNS Slave Servers serving stale data.

Workaround:
There is no workaround at this time.


710232-1 : platform-migrate fails when LACP trunks are in use

Component: TMOS

Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.

Conditions:
You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).

Impact:
Configuration fails to migrate.

Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.


710221-1 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled

Solution Article: K67352313

Component: Local Traffic Manager

Symptoms:
In an high availability (HA) configuration where an FQDN template-node on the 'active' unit is 'Force Offline', and the configuration is synchronized to the 'standby' unit, upon 'Enable' on that FQDN template-node in the 'active' unit (and the configuration is synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.

Conditions:
HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is 'Force Offline' by the user.
-- The user explicitly 'Enable' that FQDN template node on the 'active' unit.

Impact:
The ephemerals on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to' active', the ephemeral nodes will be refreshed and traffic should continue.

Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.


710044-4 : Portal Access: same-origin AJAX request may fail in some case.

Component: Access Policy Manager

Symptoms:
If base URL for current HTML page contains default port number, same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use iRule to remove default port number from encoded back-end host definition in Portal Access requests, for example:

when RULE_INIT {
  # hex-encoded string for 'https://some.com'
  set ::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is hex-encoded form for ':443'
  set ::pattern "/f5-w-${encoded_backend}3a343433\$"
  set ::remove_end [ expr { [ string length $::pattern ] - 2 } ]
  set ::remove_start [ expr {$::remove_end - 7} ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "$::pattern" } {
    set path [ string replace [HTTP::path] $::remove_start $::remove_end "" ]
    HTTP::path "$path"
  }
}


710032-2 : 'No Access' error when viewing GSLB Server's Virtual Server that has a name indicating a partition that does not exist on that bigip.

Component: Global Traffic Manager (DNS)

Symptoms:
The user will get a 'No Access' error message instead of the virtual's properties.

Conditions:
At least 2 BIG-IP in a sync group.
One of the BIG-IP must have a partition that does not exist on the other with an LTM virtual server on that partition.
The issue will happen when a GSLB Server discovers that LTM virtual and displays it on its Virtual Server page.

Impact:
It makes the GSLB Server's virtual server's properties page unavailable in this case.

Workaround:
Use TMSH to view or edit the properties of that virtual server.


710028-1 : LTM SQL monitors may stop monitoring if multiple monitors querying same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.


709963-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.


709837-1 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.


709828-1 : fasthttp can crash with Large Receive Offload enabled

Component: Local Traffic Manager

Symptoms:
fasthttp and lro can lead to a tmm crash.

Conditions:
fasthttp and lro enabled. (lro is enabled by default >= 13.1.0)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use fasthttp


709670-4 : iRule triggered from RADIUS occasionally fails to create subscribers.

Solution Article: K44067891

Component: Policy Enforcement Manager

Symptoms:
The subscriber can not be added with the same IP address after retries. This is a rarely occurring issue: if the daily average of subscriber additions is ~30000 subscribers, 5 to 6 subscribers face this problem (0.02%).

Conditions:
Running iRule to create PEM sessions from RADIUS packets using the 'PEM::subscriber create' command.

Impact:
Intermittently (a few operations per day), the command silently fails. No session is created, and no TCL error is produced. Subscriber addition requires manual intervention.

Workaround:
Trigger a RADIUS START using a different IP address for the subscriber.


709610-4 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave SysDbs variables set to the default values.


709559-1 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading configuration fails on upgrade

Conditions:
Must have a profile named "/Common/ssh" and must be upgrading to v12.1.2

Impact:
The system won't be functional

Workaround:
Delete or rename "/Common/ssh"


709444-1 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured

Component: TMOS

Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:

warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust

Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.

Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.

Workaround:
There is no workaround at this time.


709383-1 : DIAMETER::persist reset non-functional

Component: Service Provider

Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.

Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.

Impact:
not provided by ENE

Workaround:
none


709192-2 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart

Component: TMOS

Symptoms:
The export operation of SSL keys and certificate into a .tgz archive file fails when the httpd daemon is restarted.

Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.

Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.

Workaround:
After httpd restart, perform other operation like creating a key/cert before exporting archive file.


709133-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.


709132-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.

Impact:
A off-by-one error causes one byte to write off the end of an array.

Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.


708968-1 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- Route entry is not created in TMM, packets addressed to such a destination might not be delivered at all or might not be delivered using the most efficient route.
- Connection between TMM and tmrouted is restarted that is a small performance overhead.

Workaround:
- If possible IPv4 address or IPv4-compatible IPv6 address should be passed instead of IPv4-mapped IPv6 address, however this depends on other routers.


708956-3 : During system boots up, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.


708484-1 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


708415-3 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.


708249-1 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0


708068-1 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalized parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The TCL command HTTP::path -normalize does not return normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.


708063 : In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.

Component: TMOS

Symptoms:
Any task requiring modification of application storage volumes does not succeed. This includes re-provisioning, which occurs automatically during software upgrades.

Conditions:
-- When a drive is not present in a drive bay on the following platforms:

  + BIG-IP 6900
  + BIG-IP 8900
  + BIG-IP 10000
  + BIG-IP 11050

-- An application that requires storage volumes is provisioned, such as ASM.

Impact:
Tasks requiring modification of application storage volumes such as software upgrades or re-provisioning fails.

Workaround:
Check RAID status before software upgrades or re-provisioning. Address any degraded RAID issues, such as a missing drive, before upgrades and/or re-provisioning.


707961-1 : Unable to add policy to virtual server; error = Failed to compile the combined policies

Component: Local Traffic Manager

Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.

Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.

Impact:
LTM policy does not compile. Cannot use the policy.

Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.


707953-3 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed but APM lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).


707951-3 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.


707740-5 : Fixed issue preventing GTM Monitors from being deleted when used on mulitple Virtual Servers with the same ip:port combination

Component: TMOS

Symptoms:
User would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers

Conditions:
Attach a gtm monitor to multiple gtm virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port

Impact:
User will not be able to ever delete the un-used gtm monitor

Workaround:
There is no workaround at this time.


707691-5 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.


707631-3 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI

Component: TMOS

Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.

Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.

Impact:
Loss of TCP profile syn challenge configuration settings

Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead

SYN Challenge

GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled

GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled


GUI Setting: Disable Challenges:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled


707445-4 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.


707391-1 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue BIG-IP with BGP configured may continue to announce routes even after disabling the virtual address or disabling route announcement on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after disabling the virtual address (visible via imish with the "show ip bgp" command); which will continue to announce the prefix to configured peers.

Workaround:
Workaround would be to restart the dynamic routing process.


707267-2 : REST Framework HTTP header limit size increased to 8 KB

Component: TMOS

Symptoms:
HTTP Header size limit causing 'Error getting auth token from login provider' GUI messages.

Conditions:
A client uses an HTTP Header larger than 4kb to make a request to the REST framework.

Impact:
Users will not be able to login or access certain pages in the UI.

Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the entire content HTTP headers is smaller than 4kb.


707054-2 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162

Component: Advanced Firewall Manager

Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.

Conditions:
Under syncookie activated condition, SYN Cookie MSS value is set to < 256.

Impact:
Under syncookie activated condition, server side MSS lower than SYN Cookie MSS lower limit cannot be honored on client side. As a result, server side MSS discards data segment if larger than SYN Cookie MSS lower limit.


706797-2 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly

Component: Access Policy Manager

Symptoms:
If JavaScript code contains multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, then this character is handled as NEW LINE by Portal Access server-side JavaScript parser. If NEW LINE is not valid in this place, JavaScript code cannot be parsed.

Conditions:
JavaScript code with multi-byte character which contains 0x0A in the last byte after conversion to UTF-32 form, for example:

  //上 aa bb

(上) gives (4E 0A) in UTF32 form. So this line is processed as the following TWO lines:

  //
  aa bb

The second line is not a valid JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.


706642-1 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.


706505-3 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.


706423-3 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child-SA via timer during the moment it is in use for encryption or decryption. And in another spot, an error aborting negotiation can cause multiple timers associated with one child-SA, which fight one another.

Conditions:
Errors in IPsec config that fail negotiation can happen when a child-SA is in a state that does not manage timers correctly.

A config with short SA lifetime, causing frequent re-keying, can have the effect of searching for a race condition when expire happens during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)


706374-5 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.


706169-2 : tmsh memory leak

Component: TMOS

Symptoms:
tmsh is leaking approximately 24 KB for every 'save sys config' call.

Conditions:
Run the command following command repeatedly:
 save sys config

Impact:
This results in a memory leak, and a possible out-of-memory condition.

Workaround:
None.


706102-1 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured; and uses a multi-line banner; and the SMTP monitor banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.


705651-2 : Async transaction may ignore polling requests

Component: TMOS

Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.

Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.

Impact:
The query returns an error.

Workaround:
To avoid having the query request block, refrain from querying the transaction for status.


705037-1 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Solution Article: K32332000

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.


704804-4 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.


704764-1 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks pool members down, whose address include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must be careful to avoid configuring multiple pool members with the same address except for different route domains, to be monitored by the SASP monitor. If case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.


704733-3 : NAS-IP-Address will be sent with the bytes backwards

Component: TMOS

Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).

Conditions:
This affects IPv4 addresses only.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.


704643-2 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule

Component: Application Security Manager

Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.

Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.

Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.

Workaround:
Create or modify the Signature rule using Advanced Edit Mode.


704587-3 : Authentication with UTF-8 chars in password fails for ActiveSync users

Solution Article: K15450552

Component: Access Policy Manager

Symptoms:
ActiveSync end users cannot login to the server.

Conditions:
-- ActiveSync end users.
-- UTF-8 characters in the password.

Impact:
ActiveSync service is unavailable.

Workaround:
Put a Variable Assign agent after Logon Page with following assignment:

(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass


704524-5 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, DNS server truncates the UDP responses if it is greater than 512 bytes, causing the DNS request to be re-sent on TCP connections. This results in unnecessary round trips in order to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.


704450-4 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.


704449-1 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.


704381-6 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low of a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced, and the cause is a SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.


704336-5 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating Device certificate which also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.


704247-1 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.


703984-8 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
MacOS Machine certificate agent matches the configured hostname with the actual hostname upon a beginning partial string match.

Conditions:
MacOS APM client using Machine Certificate Check agent.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.


703669-1 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.


703509-3 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.


703090-3 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.


703045-2 : If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.

Component: TMOS

Symptoms:
TMSH commands with deprecated attributes will fail if used in iAPP.

Conditions:
TMSH commands with deprecated attributes will fail if used in iAPP. This is so whether the iAPP is activated during the upgrade process or simply run under iAPP service at the user display.

Impact:
TMSH commands will not execute like create command will result in no objects (eg monitor, virtual server etc) being created.

Workaround:
Try to avoid deprecated attributes of the object in the iAPP.


702450-2 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.


702439-4 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size argument back to its default.


701977-6 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.


701800-1 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x

Component: Access Policy Manager

Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop. If the user enters credentials manually, the RDP client will display an error message.

Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource is assigned to the webtop.
-- SSO is enabled on the RDP Resource.

Impact:
RDP resource cannot be launched.

Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1


701249-3 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.


700827-3 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command: tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

For example, some servers always use randomly selected even source port numbers. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8… 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.


700056-2 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server

Solution Article: K05350542

Component: Local Traffic Manager

Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.

Conditions:
- Virtual servers configured.
- Specific policies configured and attached used by virtual servers.

Only policies configured in a specific way will trigger this situation. The specifics are not well understood, however, the vast majority of Local Traffic Policies are unaffected by this issue.

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
There is no workaround.


699733-1 : DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update

Component: Global Traffic Manager (DNS)

Symptoms:
When a DNS Express zone gets some zone entries updated, the BIG-IP system does not send DNS NOTIFY to nameserver with IP addresses from the mgmt subnet listed under Zone Transfer Clients.

Conditions:
* nameserver has IP address from mgmt subnet.
* nameserver id listed under Zone Transfer Clients of DNS Express zone.
* DNS Express zone gets entries updated.

Impact:
BIG-IP system does not send NOTIFY request to the nameserver.

Workaround:
There is no workaround at this time.


699598-1 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.


699531-5 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.


699426-4 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.

Component: Local Traffic Manager

Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files especillay if it did not have prior knowledge of the blade.

Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).

Impact:
Data of those files is not updated. This impacts the graphs generated from these files.

Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.


698836-1 : Increased APM session capacity is not available after installing an APM session count License

Component: Access Policy Manager

Symptoms:
Unable to use extra capacity after installing an APM add-on license with a larger session count.

Conditions:
This occurs when the add-on License generated lacks the mod_apm license, meaning that no full APM license was previously installed, only the APM Light license (which constrains connections to a 10-session maximum).

To determine whether this condition exists, check the bigip.license file, or execute the following command: tmsh show sys license details. If only mod_apml is present and session counts are higher than 10, then the system is in the condition that triggers the problem.

Impact:
Unable to use extra session capability; can use only the 10-session maximum provided by the APM Light license.

Workaround:
Contact your F5 sales representative to get the correct APM add-on license with mod_apm, as well as the additional session count capability.


698619-3 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This triggers a FDB flush and can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.


698432-1 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:

warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

This is a cosmetic issue that occurs when the encrypted master key on a VCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.

Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.

Note: F5 does not support this configuration.

Impact:
Although there is no adverse effect on the system, error messages will be logged.

Workaround:
None.


698211-4 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Local Traffic Manager

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record to the related DNS express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.


696731-4 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administrative disabling an interface on BIG-IP

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.


693901-5 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client-side may use source port other than what was configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.


693244-3 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned

Component: Local Traffic Manager

Symptoms:
BIG-IP silently drop the serverside TCP flow, when it receives a client-side reset and the server-side flow is still in the SYN-SENT state.

Conditions:
BIG-IP receives a client-side reset when client-side TCP flow is in ESTABLISHED state and server-side TCP flow is in SYN-SENT state, serverside flow is silently dropped.

Impact:
Since serverside pool member does not receive the RST, it remains in SYN-RECEIVED state until it runs out of syn retransmissions and eventually, due to timeout, it returns to LISTEN state.


689491-2 : cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled

Component: TMOS

Symptoms:
CPU usage stats are incorrect and system looks idle when it's actually busy

Conditions:
vcmp guests with 1-core or htsplit disabled

Impact:
CPU stats are incorrect and it might make it difficult to trouble shoot problems.


688553-4 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.


688335-6 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected, where big3d continues to run stable.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>


688266-6 : big3d and big3d_install use different logics to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.


688005-1 : The maximum-connection count doubles pva traffic counts for virtuals

Component: Local Traffic Manager

Symptoms:
The counters maintaining virtual server statistics double count packets processed by the pva hardware. This makes maximum connection counts for pva unreliable.

Conditions:
Connections utilizing PVA incorrectly report PVA counts.

Impact:
Fast L4 virtuals may report unreliable maximum connection counts.


687759 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


686059-3 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN with existing VLANs using trunk members. - STP is enabled on its trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.


685582-8 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...


684096-3 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
incorrect self-link returned

Workaround:
be mindful when parsing the self-link


682283-1 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC

Component: Local Traffic Manager

Symptoms:
HTTP/2 request can include Content-Length header. When the value of a Content-Length header does not match the sum of lengths of all DATA frames from the stream, RFC requires that the system reset the stream.

Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.

Impact:
The BIG-IP system sends a request to a server and serves a provided response, which is not in conformance with the RFC.

Workaround:
None.


679687-2 : LTM Policy applied to large number of virtual servers causes mcpd restart

Component: Local Traffic Manager

Symptoms:
When a large policy (on the order of several dozen rules), is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.

Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.

Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.

Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.


679316-6 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.

Workaround:
There is no workaround at this time.


677709 : pkcs11d daemon can generate a very large number of log messages

Component: Local Traffic Manager

Symptoms:
If communication between a BIG-IP instance and the Hardware Security Module (HSM) is interrupted, during its attempts to re-establish a connection, the TMOS pkcs11d daemon will log many error messages in the /var/log/ltm log file (or in daemon.log for earlier versions).

Messages appear similar to the following:
-- err pkcs11d[21325]: 01680002:3: Session initialization error.
-- err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
-- err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].

Conditions:
-- Configurations employing an external HSM.
-- communication between the BIG-IP instance and the HSM is interrupted

Impact:
A sufficiently large amount of log-message handling may consume processor time and I/O resources, to the detriment of other processing.

Workaround:
None.


676346-1 : PEM displays incorrect policy action counters when the gate status is disabled.

Component: Policy Enforcement Manager

Symptoms:
Action counters are incorrect.

Conditions:
PEM policy actions enabled with gate status of disabled.

Impact:
May provide an inconsistent view of PEM actions.

Workaround:
There is no workaround.


674591-4 : Packets with payload smaller than MSS are being marked to be TSOed

Solution Article: K37975308

Component: Local Traffic Manager

Symptoms:
Packets with length less than the specified MSS are sent as TSO packets, and the Broadcom NIC drops those to degrade performance.

Conditions:
When TM.TcpSegmentationOffload is enabled, Packets with length less than MSS are sent as TSO packets.

Impact:
TCP Packets are dropped.

Workaround:
Disable TSO option by setting the following SYS DB variable to disable: TM.TcpSegmentationOffload.


673018 : Parsed text violates expected format error encountered while upgrading or loading UCS

Component: TMOS

Symptoms:
During a configuration roll-forward on an upgrade, the UCS load fails and reports the following error:

Parsed text violates expected format.

Conditions:
This can occur under the following conditions:
-- When loading a configuration that contains iFiles.
-- During an upgrade process, when the source-path for an iFile contain a URL with a space or other invalid URL character in it, for example: http://myfiles.com/get this file.txt.

Impact:
Configuration fails to load, and the system reports the following error: Parsed text violates expected format.

Workaround:
You can use either of the following workarounds:

-- Modify the URL to the iFile to remove any spaces, and then reload the configuration.

-- Use the HTTP specification for specifying spaces (and other characters) in URLs. For example, represent a space using the string %20 in the URL: http://myfiles.com/get%20this%20file.txt.


672410 : High CPU load when HTTP/2 gateway is configured with source-persistence.

Component: Local Traffic Manager

Symptoms:
High CPU load when HTTP/2 gateway is configured with source-persistence.

Conditions:
-- HTTP/2 gateway is configured on the virtual server.
-- Source-persistence is turned on.

Impact:
High CPU load may lead to performance degradation.

Workaround:
Setting 'match-across-services' might help improve performance.


672312-4 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.


671712-3 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry that intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.


669645-4 : tmm crashes after LSN pool member change

Solution Article: K44021449

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
Recommend to change LSN pool members during a maintainence window with low traffic or ideally to use an HA pair with a standby unit for implementing configuration changes on live traffic.


668041-3 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
An iRule contains commented line that ends with a backslash, and the config also contains a policy, for example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following wordarounds:
-- Delete the comment line.
-- Merge the multiple-lines.
-- Make separate multi-line comments


667618-5 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: TMOS

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts. The non-supported TCP options under SYN Cookie protection will continue to be unsupported until the machine exit hardware SYN cookies.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Because SYN cookie protection is still active, and because under SYN cookie protection some TCP options are not supported, the options will not be taken into account when processing traffic. For example, under SYN cookie protection, MSS is fixed to a few sizes. For traffic that arrives with a different MSS size, the system uses a supported size instead.

Workaround:
There is no workaround at this time.


663874-1 : Off-box HSL logging does not work with PEM in SPAN mode.

Solution Article: K77173309

Component: Policy Enforcement Manager

Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.

Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.

Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.

Workaround:
There is no workaround at this time.


662725 : tmsh kernel default log levels does not match documentation

Component: TMOS

Symptoms:
Actual tmsh default was 'notice', but changed to 'debug'
so that kern.log files in qkviews are complete.
This was done so that diagnosing issues, support
has all the information in terms of kernel output.

This documentation discrepancy is a non-functional
change that should have been done in 11.5.0 when
the actual default value was changed.

Conditions:
None.

Impact:
None.

Workaround:
None.


660654 : The APM 'epsec refresh' CLI command works incorrectly if install package is deleted

Component: Access Policy Manager

Symptoms:
If the install EPSEC package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.

Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.

Impact:
System package will be installed (essentially, a rollback to the previous version).

Workaround:
Leave the install package on the system until after you run the epsec refresh command.


648917-2 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform

Component: TMOS

Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.

Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.

Impact:
Guests will not have FIPS functionality until IOMMU is enabled.

Workaround:
Re-provision vCMP after the upgrade to enable IOMMU support.


648802-4 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.


648242-3 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.


641450-6 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


620053-3 : Gratuitous ARPs may be transmitted by active unit going offline

Component: Local Traffic Manager

Symptoms:
When cluster's active goes offline, the non-primary blades may send gratuitous ARPs.

Conditions:
Cluster's active goes offline.

Impact:
Potential impact to traffic if the gratuitous ARPs of the blade which goes offline is received before the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Failover the cluster before forcing offline or configure mac masquerading.


606983-1 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.


606032-4 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


602708-5 : Traffic may not passthrough CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not passthrough the Class of Service (CoS) received.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.


594064-6 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside syn and syn-ack from FastL4 TCP traffic.
  -- All serverside packets for single packet request/reply traffic, e.g., dns request/reply.

Workaround:
Specify filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').


592504-1 : False positive illegal length violation can appear

Component: Application Security Manager

Symptoms:
A false positive illegal length violation.

Conditions:
A chunked request where the request length is more than half of the configured max request length.

Impact:
False positive illegal length violation.

Workaround:
Configure a higher max request length violation.


571651-5 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.

Solution Article: K66544028

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.

An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.


486712-4 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.


473787 : System might fail to unchunk server response when compression is enabled

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a compression profile and either:

- an NTLM profile
- or an APM access policy

When a pool member sends a chunked (and uncompressed) HTTP response to the BIG-IP system (Transfer-Encoding: chunked), if the BIG-IP system compresses the payload, it does so without unchunking it.

This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers in the compressed content.

Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.

Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.

Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.


436674-3 : The msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values contained in SNMPv3 trap message may be incorrect after the SNMP agent reboot.

Solution Article: K17271

Component: TMOS

Symptoms:
After the reboot of the SNMP agent (snmpd), the SNMPv3 trap messages generated from the BIG-IP may contain the incorrect msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values. After that, msgAuthoritativeEngineBoots value will also be out of sync with the engineBoots value in /config/net-snmp/snmpd.conf.

Conditions:
Configure SNMPv3 trap destination on the BIG-IP system and observe the msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values in the generated trap messages. Reboot the SNMP agent (e.g., 'tmsh restart sys service snmpd') and observe these values again in the subsequent SNMPv3 trap messages.

Impact:
Some SNMP monitoring servers (e.g., SpectroSERVER) can lose the ability to poll the BIG-IP system. When the BIG-IP system sends out the incorrect values, the monitoring server thinks the information has been spoofed and it loses the ability to poll the BIG-IP until manual intervention.

Workaround:
This issue has no workaround at this time.


431480-6 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


394873 : Upgrade process does not update Tcl scripts

Component: TMOS

Symptoms:
The upgrade process does not update Tcl scripts (such as iRules) in the configuration.

Conditions:
Upgrading Tcl scripts (such as iRules).

Impact:
This might cause issues when iRule syntax changes between releases. After upgrading, you might need to modify iRules to reflect any changes in iRule syntax.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Tue Aug 21 10:28:09 2018 PDT
Copyright F5 Networks (2018) - All Rights Reserved

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)