Supplemental Document : BIG-IP 14.0.0 Fixes and Known Issues

Applies To:


BIG-IP AAM

  • 14.0.0

BIG-IP APM

  • 14.0.0

BIG-IP Link Controller

  • 14.0.0

BIG-IP Analytics

  • 14.0.0

BIG-IP LTM

  • 14.0.0

BIG-IP PEM

  • 14.0.0

BIG-IP AFM

  • 14.0.0

BIG-IP FPS

  • 14.0.0

BIG-IP DNS

  • 14.0.0

BIG-IP ASM

  • 14.0.0

Original Publication Date: 09/19/2018
Updated Date: 06/21/2020

BIG-IP Release Information

Version: 14.0.0
Build: 2187.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Known Issues in BIG-IP v14.0.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
693211 CVE-2017-6168 K21905460 CVE-2017-6168
716992 CVE-2018-5539 K75432956 The ASM bd process may crash
710140 CVE-2018-5527 K20134942 TMM may consume excessive resources when processing SSL Intercept traffic
707186 CVE-2018-5514 K45320419 TMM may crash while processing HTTP/2 traffic
702232-2 CVE-2018-5517 K25573437 TMM may crash while processing FastL4 TCP traffic
700556 CVE-2018-5504 K11718033 TMM may crash when processing WebSockets data
699012 CVE-2018-5502 K43121447 TMM may crash when processing SSL/TLS data
698080-4 CVE-2018-5503 K54562183 TMM may consume excessive resources when processing with PEM
695901 CVE-2018-5513 K46940010 TMM may crash when processing ProxySSL data
693744 CVE-2018-5531 K64721111 High CPU Usage by the TMM Can Cause SOD to Kill vCMP Guests
693312 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
691504 CVE-2018-5503 K54562183 PEM content insertion in a compressed response may cause a crash.
686305 CVE-2018-5534 K64552448 TMM may crash while processing SSL forward proxy traffic
681955 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 K23565223 Apache CVE-2017-9788
681710-1 CVE-2017-6155 K10930474 Malformed HTTP/2 requests may cause TMM to crash
673595-8 CVE-2017-3167 CVE-2017-3169 K34125394 Apache CVE-2017-3167
671498 CVE-2017-3143 K02230327 BIND zone contents may be manipulated
589233-1 CVE-2018-5518 K03165684 vCMPd may crash when processing bridged network traffic
717900 CVE-2018-5528 K27044729 TMM crash while processing APM data
714369-1 CVE-2018-5526 K62201098 ADM may fail when processing HTTP traffic
714350-1 CVE-2018-5526 K62201098 BADOS mitigation may fail
710314 CVE-2018-5537 K94105051 TMM may crash while processing HTML traffic
706176 CVE-2018-5512 K51754851 TMM crash can occur when using LRO
706086 CVE-2018-5515 K62750376 PAM RADIUS authentication subsystem hardening
703940-1 CVE-2018-5530 K45611803 Malformed HTTP/2 frame consumes excessive system resources
701447 CVE-2017-5754 K91229003 CVE-2017-5754 (Meltdown)
701445 CVE-2017-5753 CVE-2017-9074 CVE-2017-7542 CVE-2017-11176 K91229003 CVE-2017-5753 (Spectre Variant 1)
701359-1 CVE-2017-3145 K08613310 BIND vulnerability CVE-2017-3145
699455 CVE-2018-5523 K50254952 SAML export does not follow best practices
699451 CVE-2018-5511 K30500703 OAuth reports do not follow best practices
699346 CVE-2018-5524 K53931245 NetHSM capacity reduces when handling errors
698813-1 CVE-2018-5538 K45435121 When processing DNSX transfers ZoneRunner does not enforce best practices
694274 CVE-2017-3167 CVE-2017-3169 CVE-2017-7679 CVE-2017-9788 CVE-2017-9798 K23565223 [RHSA-2017:3195-01] Important: httpd security update - EL6.7
688625 CVE-2017-11628 K75543432 PHP Vulnerability CVE-2017-11628
688011 CVE-2018-5520 K02043709 Dig utility does not apply best practices
688009 CVE-2018-5519 K46121888 Appliance Mode TMSH hardening
676457 CVE-2017-6153 K52167636 TMM may consume excessive resource when processing compressed data
672124 CVE-2018-5541 K12403422 Excessive resource usage when BD is processing requests
671497 CVE-2017-3142 K59448931 TSIG authentication bypass in AXFR requests
662850 CVE-2015-2716 K50459349 Expat XML library vulnerability CVE-2015-2716
640766 CVE-2016-10088 CVE-2016-9576 K05513373 Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576
615274-1 CVE-2016-2183 K13167034 CVE-2016-2183: "SWEET32" Vulnerability (Apache)
673607-8 CVE-2017-3169 K83043359 Apache CVE-2017-3169
672667 CVE-2017-7679 K75429050 CVE-2017-7679: Apache vulnerability
632875 CVE-2018-5516 K37442533 Non-Administrator TMSH users no longer allowed to run dig
601572 CVE-2016-2047 K53729441 MySQL vulnerability CVE-2016-2047
523282 CVE-2015-3152 K16845 CVE-2015-3152 : MySQL BACKRONYM Vulnerability
684033 CVE-2017-9798 K70084351 CVE-2017-9798 : Apache Vulnerability (OptionsBleed)
661939 CVE-2017-2647 K32115847 Linux kernel vulnerability CVE-2017-2647


Functional Change Fixes

ID Number Severity Solution Article(s) Description
682482-1 1-Blocking   LTM Policy with 'requires {ssl-persistence}' load issue resolved in 13.1.0
685442 2-Critical   racoon daemon for IPsec IKEv1 listens on 0.0.0.0
535122 2-Critical   [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects
717391-1 3-Major   advCustHelp - how to add, remove, and modify advanced customization without it
700833 3-Major   fipskey.nethsm is now deprecated
686389 3-Major   APM does not honor per-farm HTML5 client disabling at the View Connection Server
685056-1 3-Major   VE OVAs are not the supported platform to run VMware guest OS customization
685020 3-Major   Enhancement to SessionDB provides timeout
680850 3-Major   Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.
680345 3-Major   Change Captcha to be more flexible and dynamic
678524 3-Major   Join FF02::2 multicast group when router-advertisement is configured
676854 3-Major   CRL Authentication agent will hang waiting on unresponsive authentication server.
670103 3-Major   No way to query logins to BIG-IP in TMUI
668624 3-Major   The Configuration Utility now disables the TLS 1.0 protocol by default
666908 3-Major   Default GTM HTTPS monitor no longer supports EXPORT ciphers
661909 3-Major   First-time root and admin passwords must now comply with the password policy.
657912 3-Major   PIM can be configured to use a floating self IP address
649930 3-Major   The TCP autonagle feature is not supported in LTM Policy
615245 3-Major   For attributes that contain a URI value, passwords within the URI are stored in clear text in the configuration file, audit file, and tmsh history file
441800 3-Major   LTM Policy allows user-specified status code for redirect action
405432 3-Major   OpenSSL certificate directories excluded in qkview/ihealth.
225373 3-Major   Dual-stack IPv4/IPv6 on the management interface needs to be supported.
693007 4-Minor   Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC
681385-1 4-Minor   Forward proxy forged cert lifespan can be configured from days into hours.
672176 4-Minor   Removed long deprecated metric with typo: "occurences"
607520 4-Minor   Send MSS on SYN,ACK when SYN does not have any options
607426 4-Minor   Analytics UI time format determined by System clock preferences


TMOS Fixes

ID Number Severity Solution Article(s) Description
707226-1 1-Blocking   DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations
700315-1 1-Blocking K26130444 Ctrl+C does not terminate TShark
697615 1-Blocking   Neurond may restart indefinitely after boot, with neurond_i2c_config message
694897 1-Blocking   Unsupported Copper SFP can trigger a crash on i4x00 platforms.
693611 1-Blocking K76313256 IKEv2 ike-peer might crash on stats object during peer modification update
682837-1 1-Blocking   Compression watchdog period too brief.
675921-1 1-Blocking   Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running
667148 1-Blocking K02500042 Config load or upgrade can fail when loading GTM objects from a non-/Common partition
723130 2-Critical   Invalid-certificate warning displayed when deploying BIG-IP VE OVA file
708054 2-Critical   Web Acceleration: TMM may crash on very large HTML files with conditional comments
706998 2-Critical   Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication
706305 2-Critical   bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled
706087-1 2-Critical   Entry for SSL key replaced by config-sync causes tmsh load config to fail
705730 2-Critical   Config fails to load due to invalid SSL cipher after upgrade from v13.1.0
701898 2-Critical   Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups
700386 2-Critical   mcpd may dump core on startup
700247-1 2-Critical K60053504 APM Client Software may be missing after doing fresh install of BIG-IP VE
696732-1 2-Critical K54431534 tmm may crash in a compression provider
696468-1 2-Critical   Active compression requests can become starved from too many queued requests.
696113 2-Critical   Extra IPsec reference added per crypto operation overflows connflow refcount
694740 2-Critical   BIG-IP reboot during a TMM core results in an incomplete core dump
693996 2-Critical K42285625 MCPD sync errors and restart after multiple modifications to file object in chassis
692890-1 2-Critical   Adding support for BIG-IP 800 in 13.1.x
692683 2-Critical   Core with /usr/bin/tmm.debug at qa_device_mgr_uninit
692158-3 2-Critical   iCall and CLI script memory leak when saving configuration
691589-2 2-Critical   When using LDAP client auth, tamd may become stuck
691196 2-Critical   One Cisco NEXUS switch and two BIG-IP WCCP web caches do not work together
690819 2-Critical   Using an iRule module after a 'session lookup' may result in crash
690793 2-Critical K25263287 TMM may crash and dump core due to improper connflow tracking
689577 2-Critical K45800333 ospf6d may crash when processing specific LSAs
689437 2-Critical K49554067 icrd_child cores due to infinite recursion caused by incorrect group name handling
689002 2-Critical   Stackoverflow when JSON is deeply nested
688911 2-Critical K94296004 LTM Policy GUI incorrectly shows conditions with datagroups
688148 2-Critical   IKEv1 racoon daemon SEGV during phase-two SA list iteration
686190 2-Critical   LRO performance impact with BWC and FastL4 virtual server
686124 2-Critical   IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs
685458 2-Critical   merged fails merging a table when a table row has incomplete keys defined.
681724-1 2-Critical   Update iSeries LCD firmware to v2.03.085.00.0
680556 2-Critical   Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted
679479 2-Critical   AOM banner can appear after rebooting BIG-IP systems
678380 2-Critical   Deleting an IKEv1 peer in current use could SEGV on race conditions.
677937 2-Critical K41517253 APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets
676674 2-Critical   Two-core vCMP Guest Swap on B2100 Blades
676203 2-Critical   Inter-blade mpi connection fails, does not recover, and eventually all memory is consumed.
671741 2-Critical   LCD on iSeries devices can lock at red 'loading' screen.
671314 2-Critical K37093335 BIG-IP system cores when sending SIP SCTP traffic
667173-3 2-Critical   13.1.0 cannot join a device group with 13.1.0.1
665362 2-Critical   MCPD might crash if the AOM restarts
665354 2-Critical K31190471 Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log
663366-1 2-Critical   SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.
658410 2-Critical   icrd_child generates a core when calling PUT on ltm/data-group/internal/
657882 2-Critical   Allow the system to retrieve a CRL from the CRLDP (CRL distribution point) and verify the SSL server's certificate status using the CRL.
653152 2-Critical   Support RSASSA-PSS-SIGN in F5 crypto APIs.
652877 2-Critical   Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades
649866-3 2-Critical   fsck should not run during first boot on public clouds
581851-7 2-Critical K16234725 mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands
563661 2-Critical   Datastor may crash
714626 3-Major K30491022 When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.
709544-1 3-Major   VCMP guests in HA configuration become Active/Active during upgrade
707320 3-Major   Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs
705818 3-Major   GUI Network Map Policy with forward Rule to Pool, Pool does not show up
705456 3-Major   VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled
704512 3-Major   Automated upload of qkview to iHealth can time out resulting in error
704282 3-Major   TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy
703848 3-Major   Possible memory leak when reusing statistics rows in tables
703305 3-Major   Unable to save an 'Enable ASM' policy rule action with an ASM profile selected
703298 3-Major   Licensing and phonehome_upload are not using the sync'd key/certificate
702520 3-Major K53330514 Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.
702310 3-Major   The ':l' and ':h' options are not available on the tmm interface in tcpdump
701626 3-Major K16465222 GUI resets custom Certificate Key Chain in child client SSL profile
700897 3-Major   sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG
700895 3-Major K34944451 GUI Network Map objects in subfolders are not being shown
700757 3-Major   vcmpd may crash when it is exiting
700426-1 3-Major K58033284 Switching partitions while viewing objects in GUI can result in empty list
700405 3-Major   Disabling TCP segmentation offload can lead to a tmm assert
700250 3-Major K59327012 qkviews for secondary blade appear to be corrupt
700061 3-Major   Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file
700057 3-Major   LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved
699281-2 3-Major   Version format of hypervisor bundle matches Version format of ISO
698429 3-Major   Misleading log error message: Store Read invalid store addr 0x3800, len 10
698407 3-Major   OSPF tag updates may not be propagated through process redistribution
698084 3-Major K03776801 IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs
698013 3-Major K27216452 TACACS+ system auth and file descriptors leak
697724 3-Major   Login LDAP Attribute for Active Directory configurations incorrectly capitalizes sAMAccountName
696260 3-Major K53103420 GUI Network Map as Start Screen presents database error
695873-1 3-Major   Entry for ssl key removed from tmsh causes tmsh load config to fail
694947 3-Major   bcm56xxd restart causes error logs from stpd, lldpd and lacpd.
694899 3-Major   PHP Vulnerability: CVE-2017-16642
694696 3-Major   On multiblade Viprion, creating a new traffic-group causes the device to go Offline
694547 3-Major   TMSH save sys config creates unneeded generate_config processes.
693979-1 3-Major   Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document
693964 3-Major   Qkview utility may generate invalid XML in files contained in Qkview
693884 3-Major   ospfd core on secondary blade during network instability
693682 3-Major   iHealth should show sfdisk info for vda for Z101 vcmp guests.
693106 3-Major   IKEv1 newest established phase-one SAs should be found first in a search
693098 3-Major   IKEv1 logging 'No need for ISAKMP mode config' event
693030 3-Major   Cannot SSH in with password after deploying Azure VE
692753 3-Major   shutting down trap not sent when shutdown -r or shutdown -h issued from shell
692239 3-Major K31554905 AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds
692189 3-Major   errdefsd fails to generate a core file on request.
692179 3-Major   Potential high memory usage from errdefsd.
692165 3-Major   A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token
691497 3-Major K41835995 tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions
691210 3-Major   Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.
690890 3-Major   Running sod manually can cause issues/failover
689691 3-Major   iStats line length greater than 4032 bytes results in corrupted statistics or merge errors
689567 3-Major   Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned
688406 3-Major K14513346 HA-Group Score showing 0
687797 3-Major   iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.
687658-1 3-Major   Monitor operations in transaction will cause it to stay unchecked
687617 3-Major   DHCP request-options when set to "none" are reset to defaults when loading the config.
687534 3-Major   If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page
687353 3-Major K35595105 Qkview truncates tmstat snapshot files
686926 3-Major   IPsec: responder N(cookie) in SA_INIT response handled incorrectly
686906 3-Major   Fragmented IPv6 packets not handled correctly on Virtual Edition
686816 3-Major   Link from iApps Components page to Policy Rules invalid
686029 3-Major   A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces
685475 3-Major K93145012 Unexpected error when applying hotfix
684942 3-Major   Disabled PHP configuration option 'allow_url_fopen'
684649-1 3-Major   Inconsistent DAGv2 state between B4400 blades after upgrade
684494 3-Major   Changed /var/log mount options
684391 3-Major   Existing IPsec tunnels reload. tmipsecd creates a core file.
684218 3-Major   vADC 'live-install' Downgrade from v13.1.0 is not possible
683284 3-Major   tcpdump option added to capture on "all interfaces" from linux side using the option "any:l"
683282 3-Major   tcpdump option added to capture on 'all interfaces' from host side using the option '0.0:h'
683246 3-Major   SNMP trap suppression should be based upon OID rather than trap text
683131 3-Major   Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present
683114 3-Major   Need support for 4th element version in Update Check
682308 3-Major   Empty IP Address field of object created in a partition with route domain in GUI is auto-filled after save
682213 3-Major K31623549 TLS v1.2 support in IP reputation daemon
681935 3-Major   B2000 Series Blades Low Throughput With Two Member Trunk
681782 3-Major K30665653 Unicast IP address can be configured in a failover multicast configuration
680954 3-Major   mcpd emits an error message upon load when DER certificates are used
680838 3-Major   IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator
680808 3-Major   qkview may not collect all data if there are deleted files in the filestore
680154 3-Major   f5.http iApp cannot add nodes with names containing four or fewer characters
680086-1 3-Major   md5sum check on BMC firmware fails
679347 3-Major   ECP does not work for PFS in IKEv2 child SAs
678925 3-Major   Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.
678716 3-Major   GUI Unexpected changes to sFlow values when configuring using the GUI
678488 3-Major K59332320 BGP default-originate not announced to peers if several are peering over different VLANs
677485 3-Major   Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error
676897 3-Major K25082113 IPsec keeps failing to reconnect
676432 3-Major   i5000/i10000 Series platform serial console baud rate 38400 gets reset to 19200 after reboot
676092 3-Major   IPsec keeps failing to reconnect
675188-1 3-Major   CVE-2017-9233: Expat vulnerability
674745 3-Major K53106344 Ordering and OSPF configuration timing of IA routes on HA configuration can lead to differences in route table
674455 3-Major   Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS
673998 3-Major   Dhclient does not support standard supersede options on the BIG-IP system.
673996 3-Major   Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms
673871 3-Major   ESXi host client fails to deploy a virtual machine from BIG-IP OVA file
671447 3-Major   ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form
671044-1 3-Major K78612407 FIPS certificate creation can cause failover to standby system
670757 3-Major   TMM crash from a possible memory corruption.
670197 3-Major   IPsec: ASSERT 'BIG-IP_conn tag' failed
669917 3-Major   Upgrade failure at Client SSL profile "cannot contain more than one set of same certificate/key type."
669585-2 3-Major   The tmsh sys log filter is unable to display information in uncompressed log files.
669462 3-Major   Error adding /Common/WideIPs as members to GTM Pool in non-Common partition
669288-2 3-Major K76152943 Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.
669268-1 3-Major   Failover in the same availability zone of AWS may fail when AWS services are intermittently available.
669255 3-Major K20100613 An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms
668826 3-Major   File named /root/.ssh/bigip.a.k.bak is present but should not be
668737 3-Major   Advisory color Yellow added to Configuration Utility
668276 3-Major   BIG-IP does not display failed login attempts since last login in GUI
668273 3-Major K12541531 Logout button not available in Configuration Utility when using Client Cert LDAP
667788 3-Major   System offline after deleting the datasync-global-dg device-group and manually re-creating it
667257 3-Major   CPU Usage Reaches 100% After Traffic Flowed Into CGNAT
667082 3-Major K21090061 Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.
666888 3-Major K16101312 tcpdump may take several seconds to start capturing packets on vCMP guests
658716 3-Major   MCPd SIGSEGV in boost::checked_delete
658636 3-Major K51355172 When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.
655671-3 3-Major   Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced
651413 3-Major K34042229 tmsh list ltm node does not return an error when node does not exist
649689 3-Major   Unsupported Power Supply Models Reported as 'Not-Present' When Inserted in 2xxx/4xxx/5xxx/7xxx/10xxx Series Platform
648271-3 3-Major   vCMP guest is unable to install a hotfix for block-device-images
647020 3-Major   Hide datasync-global-dg from the Device Group List page
644813 3-Major   Trunks are not created when /cm config-sync recover-sync is run
643799 3-Major   Deleting a partition may cause a sync validation error
643768 3-Major   Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.
642923 3-Major K01951295 MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system
641513 3-Major   ePVA traffic stats are not accumulated for SNAT pool members
640636 3-Major   F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade
638091-5 3-Major   Config sync after changing named pool members can cause mcpd on secondary blades to restart
633441 3-Major   Datasync Background Tasks running even without features requiring it
631316-1 3-Major K62532020 Unable to load config with client-SSL profile error
629329 3-Major   Incorrect message logged when vCMP guest repartitions a host VLAN
628739 3-Major   BIG-IP iSeries does not disallow configuring a management IP outside the management subnet using the LCD
625901 3-Major   SNAT pools allow members in different partitions to be assigned, but this causes a load failure
621314 3-Major K55358710 SCTP virtual server with mirroring may cause excessive memory use on standby device
620954 3-Major   Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable
617643 3-Major   iControl.ForceSessions enabled results in GUI error on certain pages
598085 3-Major   Expected telemetry is not transmitted by sFlow on the standby-mode unit.
589856-4 3-Major   iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients
589083-7 3-Major K46205123 TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.
584696 3-Major   MCP debug (/service/mcpd/debug), "Rule checker library has not been initialized"
575848 3-Major K03803451 Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.
573750 3-Major   New option to re-schedule datasync background tasks
572079 3-Major K80155193 Command history and audit logs add additional escaping
544106-2 3-Major   Bundled state for B2250 40G interfaces may not be displayed or show as "unsupported"
491560 3-Major   Using proxy for IP intelligence updates
471237 3-Major K12155235 BIG-IP VE instances do not work with an encrypted disk in AWS.
468505 3-Major K16177 TMSH crypto commands do not work with the TMSH batch mode
464650 3-Major   Failure of mcpd with invalid authentication context.
402691 3-Major   The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP
400550-1 3-Major   LCD listener error during shutdown
373568 3-Major   Unable to create and update data-group in a single transaction
693422 4-Minor   Proxy host synchronization
691491 4-Minor K13841403 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces
689211 4-Minor   IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }
687368 4-Minor K64414880 The Configuration utility may calculate and display an incorrect HA Group Score
686111 4-Minor K89363245 Searching and Resetting Audit Logs not working as expected
685233 4-Minor K13125441 tmctl -d blade command does not work in an SNMP custom MIB
683029 4-Minor   Sync of virtual address and self IP traffic groups only happens in one direction
681243 4-Minor   Error messages in Google Compute Engine that gateway is not in a connected network
680856 4-Minor   IPsec config via REST scripts may require post-definition touch of both policy and traffic selector
680388 4-Minor   f5optics should not show function name in non-debug log messages
679135 4-Minor   IKEv1 and IKEv2 cannot share common local address in tunnels
678662 4-Minor K14222230 In the GUI System :: High Availability : HA Groups edit page, pools created outside the Common partition cannot be modified
678388 4-Minor K00050055 IKEv1 racoon daemon is not restarted when killed multiple times
678254 4-Minor   Error logged when restarting Tomcat
674145 4-Minor   chmand error log message missing data
673811 4-Minor   After an upgrade, IPsec tunnels may fail to start
673491 4-Minor   IKEv2: fewer logging format artifacts with debug log-level
671013 4-Minor   Cannot see and edit the interface description in the GUI
668060 4-Minor   DNS Pool members do not show up in DNS statistics table
667284 4-Minor   Authentication statistics and logs added to Configuration Utility
663911 4-Minor   When running out of memory, MCP can report an incorrect allocation size
663649 4-Minor   Installer warning messages now printed to stderr rather than stdout
660760 4-Minor K75105750 DNS graphs fail to display in the GUI
660239 4-Minor   When accessing the dashboard, invalid HTTP headers may be present
653759 4-Minor   Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update
638893 4-Minor   Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command
608348 4-Minor   Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system
606799 4-Minor K16703796 GUI total number of records not correctly initialized with search string on several pages.
592048 4-Minor   Modification to custom provisioning does not yield expected results.
566477 4-Minor K13744538 Too many annotations on dashboard line charts
560045 4-Minor   Serverside nexthop info not available
514703 4-Minor   gtm listener cannot be listed across partitions
430350 4-Minor   Utility to parse LOP error entries
381122 4-Minor   Provisioning a module may fail to reload page.
670366 5-Cosmetic   Security Banner Text omits some non-English characters
665366 5-Cosmetic   ltmVirtualServStatCurrentConnsPerSec statistic is maintained only for rate-limited virtuals
650322 5-Cosmetic   Invalid Hash More setting hash persistence profile
647198 5-Cosmetic   GUI to disable HEAD request
644748 5-Cosmetic   Removing postfix call


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
722594-1 1-Blocking   TCP flow may not work as expected if double tagging is used
698424 1-Blocking K11906514 Traffic over a QinQ VLAN (double tagged) will not pass
674689 1-Blocking   ECDSA Key management support on BIG-IP using Thales and SafeNet external network HSM
725545 2-Critical   Ephemeral listener might not be set up correctly
723300 2-Critical   TMM may crash when tracing iRules containing nameless listeners on internal virtual servers
722893-2 2-Critical   The TMM - host interface may stall when the kernel memory is fragmented
718071 2-Critical   HTTP2 with ASM policy not passing traffic
715747-1 2-Critical   TMM may restart when running traffic through custom SSLO deployments.
709334 2-Critical   Memory leak when SSL Forward proxy is used and ssl re-negotiates
708114 2-Critical K33319853 TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed
707447 2-Critical   Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.
707246 2-Critical   TMM would crash if SSL Client profile could not load cert-key-chain successfully
707244 2-Critical   iRule command clientside and serverside may crash tmm
706631-3 2-Critical   A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.
706534 2-Critical   L7 connection mirroring may not be fully mirrored on standby BIG-IP
705611 2-Critical   The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
704666 2-Critical   memory corruption can occur when using certain certificates
704435 2-Critical   Client connection may hang when NTLM and OneConnect profiles used together
703914 2-Critical   TMM SIGSEGV crash in poolmbr_conn_dec.
703191-1 2-Critical   HTTP2 requests may contain invalid headers when sent to servers
702792 2-Critical   Upgrade creates Server SSL profiles with invalid cipher strings
701244 2-Critical K81742541 An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT
701202 2-Critical K35023432 SSL memory corruption
700862 2-Critical K15130240 tmm SIGFPE 'valid node'
700597 2-Critical   Local Traffic Policy on HTTP/2 virtual server no longer matches
700393 2-Critical   Under certain circumstances a stale http2 stream can cause a tmm crash
700385 2-Critical   Behavioral Clarification For Tcl After Command
699298 2-Critical   13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.
698461 2-Critical   tmm may crash in fastl4 TCP
697259 2-Critical K14023450 Different versioned vCMP guests on the same chassis may crash.
694656 2-Critical K05186205 Routing changes may cause TMM to restart
692970 2-Critical   Using UDP port 67 for purposes other than DHCP might cause TMM to crash
691095 2-Critical   CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes
690756 2-Critical   APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated
687635 2-Critical   Tmm becomes unresponsive and might restart
687603 2-Critical K36243347 tmsh query for dns records may cause tmm to crash
686228 2-Critical K23243525 TMM may crash in some circumstances with VLAN failsafe
685254 2-Critical K14013100 RAM Cache Exceeding Watchdog Timeout in Header Field Search
681175 2-Critical K32153360 TMM may crash during routing updates
680074 2-Critical K09225420 TMM crashes when serverssl cannot provide certificate to backend server.
678416-1 2-Critical   Some tmm/umem_usage_stat counters may be incorrect under memory pressure.
674576 2-Critical   Outage may occur with VIP-VIP configurations
673951-3 2-Critical K56466330 Memory leak when using HTTP2 profile
673664 2-Critical   TMM crashes when sys db Crypto.HwAcceleration is disabled.
673095-1 2-Critical   Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'
667779 2-Critical   iRule commands may cause the TMM to crash in very rare situations.
667770 2-Critical K12472293 SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore
648320 2-Critical   Downloading via APM tunnels could experience performance downgrade.
635191-3 2-Critical   Under rare circumstances TMM may crash
531934 2-Critical   Support SSL serverside certificate validation using OCSP and CRLDP (CRL distribution point)
452283 2-Critical   An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows
440620 2-Critical   New connections may be reset when a client reuses the same port as it used for a recently closed connection
712475-4 3-Major K56479945 DNS zones without servers will prevent DNS Express reading zone data
712437-4 3-Major K20355559 Records containing hyphens (-) will prevent child zone from loading correctly
708653 3-Major   TMM may crash while processing TCP traffic
707109 3-Major   Memory leak when using C3D
705794 3-Major   Under certain circumstances a stale http2 stream can cause a tmm crash
704073 3-Major K24233427 Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm
702439-1 3-Major K04964898 Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset
702151 3-Major   HTTP/2 can garble large headers
701690 3-Major K53819652 Fragmented ICMP forwarded with incorrect icmp checksum
701678 3-Major   Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded
701147 3-Major K36563645 ProxySSL does not work properly with Extended Master Secret and OCSP
700889 3-Major K07330445 Software syncookies without TCP TS improperly include TCP options that are not encoded
700576 3-Major   GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"
700433 3-Major K10870739 Memory leak when attaching an LTM policy to a virtual server
699979 3-Major   Support for Safenet Client Software v7.x
699076 3-Major   URI::path iRules command warns end and start values equal
698916 3-Major   TMM crash with HTTP/2 under specific condition
698000 3-Major K04473510 Connections may stop passing traffic after a route update
695925 3-Major   tmm crash when showing connections for a CMP disabled virtual server
695707 3-Major   BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection
694778 3-Major   Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size
694697 3-Major K62065305 clusterd logs heartbeat check messages at log level info
693910 3-Major   Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)
693582 3-Major   Monitor node log not rotated for icmp monitor types
693308 3-Major   SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain
691806 3-Major K61815412 RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state
691785 3-Major   The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes
691224 3-Major K59327001 Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled
690778 3-Major K53531153 Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule
690699 3-Major   Fragmented SSL handshake messages cause Proxy SSL handshake to fail
690042 3-Major K43412307 Potential Tcl leak during iRule suspend operation
689561 3-Major   HTTPS request hangs when multiple virtual HTTPS servers share the same IP address
689449 3-Major   Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
689375 3-Major K01512833 Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled
689089 3-Major   VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot
688744 3-Major K11793920 LTM Policy does not correctly handle multiple datagroups
688629 3-Major   Deleting data-group in use by iRule does not trigger validation error
688586 3-Major   DTLS does not retransmit ServerHello message if it is lost
688571 3-Major K40332712 Untrusted cert might be accepted by the server-ssl profile even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.
688570 3-Major   BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes
688557 3-Major K50462482 Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'
687807-1 3-Major   The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception
687205 3-Major   Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart
687182 3-Major   LTM Policy error message: Action occurs before conditions
686972 3-Major   The change of APM log settings will reset the SSL session cache.
686890 3-Major   X509_EXTENSION memory blocks leak when C3D forges the certificate.
686631 3-Major   Deselect a compression provider at the end of a job and reselect a provider for a new job
686307 3-Major K10665315 Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later
686065 3-Major   RESOLV::lookup iRule command can trigger crash with slow resolver
685615 3-Major   Incorrect source mac for TCP Reset with vlangroup for host traffic
685519 3-Major   Mirrored connections ignore the handshake timeout
685110 3-Major   With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.
683697 3-Major K00647240 SASP monitor may use the same UID for multiple HA device group members
683683 3-Major   ASN1::encode returns wrong binary data
683565 3-Major   Lack of meaningful information about 'codec alert' errors triggered by SSL traffic issues.
683061 3-Major   Rapid creation/update/deletion of the same external datagroup may cause core
682944 3-Major   key-id missing for installed netHSM key for standby BIG-IP system in HA setup
682344 3-Major   lindex does not recognize multi dimension array indexing
682104 3-Major   HTTP PSM leaks memory when looking up evasion descriptions
681814 3-Major   Changes to a cipher group are not propagated to the ssl profiles until the configuration is reloaded
681757 3-Major K32521651 Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'
681673 3-Major   tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results
681499 3-Major   Deleting and recreating a route-domain can cause ICMP monitors in that route-domain to permanently fail
680755 3-Major K27015502 max-request enforcement no longer works outside of OneConnect
680606 3-Major   Using iRule HTTP::redirect or HTTP::respond inside HTTP_REQUEST causes connection reset.
680264-3 3-Major K18653445 HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags
679854 3-Major   UIE persist may be inconsistent after a pool member is brought down
679613 3-Major K23531420 i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'
679494 3-Major   Change the default compression strategy to speed
678460 3-Major K94298780 HTTP 302 Redirect status text is HTTP-version dependent
678257 3-Major   Import existing netHSM private key to BIG-IP
678010 3-Major   Virtual-wire is not supported on 100 Gbit interface
677962 3-Major   Invalid use of SETTINGS_MAX_FRAME_SIZE
677666 3-Major K60909141 /var/tmstat/blades/scripts segment grows in size.
677525 3-Major K06831814 Translucent VLAN group may use unexpected source MAC address
676828 3-Major K09012436 Host IPv6 traffic is generated even when ipv6.enabled is false
676557 3-Major   Binary data marshalled to TCL may be converted to UTF8
676355 3-Major   DTLS retransmission does not comply with RFC in certain resumed SSL session
675367 3-Major K95393925 The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication
674106 3-Major   Allow multiple client SSL profiles on a virtual server with different security requirements
673399 3-Major   HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.
673316 3-Major K06548092 Error when configuring a link local address as a default gateway
666494 3-Major   Refine PUSH flag settings for sub MSS packets
665040 3-Major   F5 iRule signing certificate changed to SHA2
664528 3-Major K53282793 SSL record can be larger than maximum fragment size (16384 bytes)
663821 3-Major K41344010 SNAT Stats may not include port FTP traffic
654086 3-Major   Incorrect handling of HTTP2 data frames larger than minimal frame size
653976 3-Major   SSL handshake fails if server certificate contains multiple CommonNames
649275 3-Major   RSASSA-PSS client certificates support in Client SSL
649166 3-Major   When tcp checksum set to software-only, automatically disable TCP Segmentation Offload
629678 3-Major   A secondary mirroring address may be used when the primary address is available.
617865 3-Major   Missing health monitor information for FQDN members
604811 3-Major   Under certain conditions TMM may crash while processing OneConnect traffic
594751 3-Major K90535529 LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN
513317 3-Major   Add X25519 support for SSL ECDHE.
495443-6 3-Major K16621 ECDH negotiation failures logged as critical errors.
463097 3-Major K09247330 Clock advanced messages with large amount of data maintained in DNS Express zones
273104 3-Major   Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps
693285 4-Minor   Overriding Profile Max Age in RAM Cache
692095 4-Minor K65311501 bigd logs monitor status unknown for FQDN Node/Pool Member
688005 4-Minor   The maximum-connection count doubles pva traffic counts for virtuals
685467 4-Minor   Certain header manipulations in HTTP profile may result in losing connection.
684319 4-Minor   iRule execution logging
679496 4-Minor   Add 'comp_req' to the output of 'tmctl compress'
678801 4-Minor   WS::enabled returned empty string
677958 4-Minor   WS::frame prepend and WS::frame append do not insert string in the right place.
674818 4-Minor K86400531 DHCP virtuals need ALH set to Enabled for DHCP to function.
631977 4-Minor   Potential information leak of HTTP headers
631369 4-Minor   Empty external data-groups fail to load
613521 4-Minor   Add iRule support for no-padding RSA encryption
514470 4-Minor   tmm shows stats for unused TCP4 SYN cache and TCP SYN cache.
470807-1 4-Minor   iRule data-groups are not checked for existence
370573 4-Minor   iRule STREAM command internal error causes connection drop
251162 4-Minor K11564 The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name
677343 5-Cosmetic   Unsupported graph log level changed from error to notice


Performance Fixes

ID Number Severity Solution Article(s) Description
681256 1-Blocking   Virtual Edition GTM DNS Query Performance Degradation
673832 1-Blocking   Performance impact for certain platforms after upgrading to 13.1.0.
696525 2-Critical   B2250 blades experience degraded performance.
698992 3-Major   Performance degraded


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
718885-4 2-Critical K25348242 Under certain conditions, monitor probes may not be sent at the configured interval
713066-4 2-Critical K10620131 Connection failure during DNS lookup to disabled nameserver can crash TMM
710424-1 2-Critical K00874337 Possible SIGSEGV in GTMD when GTM persistence is enabled.
707310-3 2-Critical   DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)
699135 2-Critical   tmm cores with SIGSEGV in dns_rebuild_response while using host command for a non-A/AAAA wide IP
698050 2-Critical   Under certain extreme conditions, big3d may core
692941 2-Critical   GTMD and TMM SIGSEGV when changing wide IP pool in GTMD
691498 2-Critical   Connection failure during iRule DNS lookup can crash TMM
691287 2-Critical   tmm crashes on iRule with GTM pool command
685915 2-Critical   Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured
682335 2-Critical   TMM can establish multiple connections to the same gtmd
680069 2-Critical K81834254 zxfrd core during transfer while network failure and DNS server removed from DNS zone config
678861 2-Critical K00426059 DNS:: namespace commands in procs cause upgrade failure when change from Link Controller license to other
672504 2-Critical K52325625 Deleting zones from large databases can take excessive amounts of time.
667542 2-Critical   DNS Express does not correctly process multi-message DNS IXFR updates.
562921 2-Critical   Cipher 3DES and iQuery encrypting traffic between BIG-IP systems
706128 3-Major   DNSSEC Signed Zone Transfers Can Leak Memory
705503 3-Major   Context leaked from iRule DNS lookup
703545 3-Major   DNS::return iRule "loop" checking disabled
700527 3-Major   cmp-hash change can hang iRule DNS lookup
699339 3-Major K24634702 Geolocation upgrade files fail to replicate to secondary blades
696808 3-Major K35353213 Disabling a single pool member removes all GTM persistence records
690166 3-Major   ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains
687128 3-Major   gtm::host iRule validation for ipv4 and ipv6 addresses
679149 3-Major   TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]
673684 3-Major   DNSSEC Key Generation event failure during BIG-IP initialization can result in syncing empty DNSSEC keys to GTM sync group
672491 3-Major K10990182 net resolver uses internal IP as source if matching wildcard forwarding virtual server
667469 3-Major K35324588 Higher than expected CPU usage when using DNS Cache
660263 3-Major   DNS transparent cache message and RR set activity counters not incrementing
647033 3-Major   Improve DNS TSIG Handling
617286 3-Major K14649433 Frequent DNS Express zone transfers can prevent updated zone data becoming available.
616021 3-Major K93089152 Name Validation missing for some GTM objects
580537 3-Major   The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data
650038 4-Minor   tcp connect: errno and comm_point_tmm_recv_from messages
636997 4-Minor   big3d may crash
636994 4-Minor   big3d may crash
636992 4-Minor   big3d may crash
636986 4-Minor   big3d may crash
636982 4-Minor   big3d may crash
674754 5-Cosmetic   ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact
588229 5-Cosmetic   DNS protocol default profiles can be deleted after being modified.


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
699720 2-Critical   ASM crash when configuring remote logger for WebSocket traffic with response-logging:all
698565 2-Critical   bd core due to specific wrong configuration
697303 2-Critical   BD crash
696073 2-Critical   BD core on a specific scenario
694934 2-Critical   bd crashes on a very specific and rare scenario
691670 2-Critical   Rare BD crash in a specific scenario
686108 2-Critical   User gets blocking page instead of captcha during brute force attack
685230 2-Critical   memory leak on a specific server scenario
684312 2-Critical   During Apply Policy action, bd agent crashes, causing the machine to go Offline
674302 2-Critical   BD crash upon startup
674256 2-Critical K60745057 False positive cookie hijacking violation
576123 2-Critical K23221623 ASM policies are created as inactive policies on the peer device
734417 3-Major   No "Loading..." feedback when updating DoS Application profile
717756-1 3-Major   High CPU usage from asm_config_server
711011 3-Major   'API Security' security policy template changes
710327 3-Major   Remote logger message is truncated at NULL character.
707147 3-Major   High CPU consumed by asm_config_server_rpc_handler_async.pl
706665-1 3-Major   ASM policy is modified after pabnagd restart
705774 3-Major   Add a set of disallowed file types to RDP template
704143 3-Major   BD memory leak
703833 3-Major   Some bot detected features might not work as expected on Single Page Applications
702946 3-Major   Added option to reset staging period for signatures
702008 3-Major   ASM REST: Missing DB Cleanup for some tables
701841 3-Major   Unnecessary file recovery_db/conf.tar.gz consumes /var disk space
701792 3-Major   JS Injection into cached HTML response causes TCP RST on the fictive URLs
701327 3-Major   failed configuration deletion may cause unwanted bd exit
700989 3-Major   Better detection of browser extensions
700726 3-Major   Search engine list was updated, and the case of multiple entries was fixed
700705 3-Major   TS cookie is set on a scenario when it is not needed
700564 3-Major   JavaScript errors shown when debugging a mobile device with ASM deviceID enabled
700143 3-Major   ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages
699898 3-Major   Wrong policy version time in policy created after synchronization between active and standby machines.
699868 3-Major   Filter by custom period is not working properly in some cases
698940 3-Major   Add new security policy template for API driven systems - "API Security"
698919 3-Major   Anti virus false positive detection on long XML uploads
698757 3-Major K58143082 Standby system saves config and changes status after sync from peer
697756 3-Major   Policy with CSRF URL parameter cannot be imported as binary policy file
696265 3-Major   BD crash
695563 3-Major   Improve speed of ASM initialization on first startup
694922 3-Major   ASM Auto-Sync Device Group Does Not Sync
694657 3-Major   ASM GUI displaying inconsistent policy sync version information
693451 3-Major   Proactive Bot Defense has false positive selenium detection for UCBrowser
693449 3-Major   Updating tests according to canIUse database
691897 3-Major   Names of the modified cookies do not appear in the event log
691664 3-Major   Violation rating is not exposed to the iRules
691477 3-Major   ASM standby unit showing future date and high version count for ASM Device Group
690883 3-Major   BIG-IQ: Changing learning mode for elements does not always take effect
689987 3-Major   Requests are not logged on new virtual servers after UCS load while ASM is running
689982 3-Major   FTP Protocol Security breaks FTP connection
689878 3-Major   Memory Leak in ASM Sync Listener Process on lightweight platform (such as vCMP guest)
689281 3-Major   ASM REST 'eq' and 'ne' were inconsistent for case sensitivity
689262 3-Major   [REST] Policy Diff: canMerged* fields should be enum and not boolean
688825 3-Major   A normalization type is missing
686765 3-Major   Database cleaning failure may allow MySQL space to fill the disk entirely
686763 3-Major   asm_start is consuming too much memory
686517 3-Major   Changes to a parent policy that has no active children are not synced to the secondary chassis slots.
686500 3-Major   Adding user defined signature on device with many policies is very slow
686470 3-Major   Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.
686452 3-Major   File Content Detection Formats are not exported in Policy XML
685964 3-Major   cs_qualified_urls bigdb does not cause configured URLs to be qualified.
685771 3-Major   Policies cannot be created with SAP, OWA, or SharePoint templates
685207 3-Major   DoS client side challenge does not encode the Referer header.
685164 3-Major K34646484 In partitions with default route domain != 0 request log is not showing requests
683508 3-Major   WebSockets: umu memory leak of binary frames when remote logger is configured
681670 3-Major   iApp scripts that create ASM policies may stop working if the parent policy is mandated
681109-5 3-Major K46212485 BD crash in a specific scenario
680353 3-Major   Brute force source-based mitigation is not working as expected
679990 3-Major   False negative selenium is not detected in firefox browser
679384 3-Major K85153939 The policy builder is not getting updates about the newly added signatures.
678307 3-Major   Generic vulnerability XML schema does not validate correctly
678293 3-Major K25066531 Uncleaned policy history files cause /var disk exhaustion
677658 3-Major   'Accept Request' in Event Log does not make any change on Header Character Set
676809 3-Major   Vulnerability Assessment feature supports more AppScan vulnerabilities
676416 3-Major   BD restart when switching FTP profiles
676223 3-Major   Internal parameter in order not to sign allowed cookies
675287 3-Major   New requests are not added to Request Log due to full disk partition
674494-5 3-Major K77993010 BD memory leak on specific configuration and specific traffic
673302 3-Major   Username is reported in the session report after logout
668184 3-Major   Huge values are shown in the AVR statistics for ASM violations
667414 3-Major   JSON learning of parameters in WebSocket context is not working
665992 3-Major K40510140 Live Update via Proxy No Longer Works
663535 3-Major   Sending ASM cookies with "secure" attribute even without client-ssl profile
662273 3-Major   Policy Builder created too many suggestions when entities limits are reached
635551 3-Major K43184134 ASM/DoSL7 Challenges should support CORS requests
627406 3-Major   Adding a GUI option to set the HttpOnly attribute on ASM cookies
609966 3-Major   Adding info about deleting the first 10000 out of XXX instead of showing an alert
605649 3-Major K28782793 The cbrd daemon runs at 100% CPU utilization
563866 3-Major   Consistently log the fragment in query_string and HTTP_QUERY for ASM/LTM
562356 3-Major   ASM config synchronization stops working
532521 3-Major   IP reputation Spam Sources category is not enforced
486827 3-Major   There is no syslog destination for dosl7 logging
305866 3-Major   Missing option to mask values from HTTP headers and cookies in logs
227218 3-Major   Adding an option to change TS cookies names
685743 4-Minor   When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported
685193 4-Minor   If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies
675232 4-Minor   Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction
674253 4-Minor   Unable to discover ASM policies with EM 3.1.1
666310 4-Minor   Each save operation on the Policy Properties page records extra audit messages in the Audit Log.
665470 4-Minor   Failed to load sample requests on the Traffic Learning page when the VIOL_MALICIOUS_IP violation is raised
636682 4-Minor K73828041 MySQL vulnerability CVE-2016-6663
608988 4-Minor   Error when deleting multiple ASM Policies
554273 4-Minor   Upgrade from before 11.4.x fails due to Logging Profile Data Inconsistency
540158 4-Minor   URLs with different path parameters values are seen as different URLs
445825 4-Minor   Autosync occurring in Sync-Failover ASM
407420 4-Minor   PSM - SMTP 500 error when HELO message is fragmented


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
679861-1 1-Blocking   Weak Access Restrictions on the AVR Reporting Interface
726089-1 2-Critical   Modifications to AVR metrics page
721474-2 2-Critical   AVR does not send all SSLO statistics to offbox machine.
713273-1 2-Critical   BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart
710947 2-Critical   AVR does not send errdef for entity DosIpLogReporting.
710315-2 2-Critical   AVR-profile might cause issues when loading a configuration or when using CMI configuration
710110 2-Critical   AVR does not publish DNS statistics to external log when usr-offbox is enabled.
698226 2-Critical   Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly
696642 2-Critical   monpd core is sometimes created when the system is under heavy load.
688813-3 2-Critical K23345645 Some ASM tables can massively grow in size.
715153-2 3-Major   AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem
712118-1 3-Major   AVR should report on all 'global tags' in external logs
711929 3-Major   AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth
703196 3-Major   Reports for AVR are missing data
700322 3-Major   Upgrade may fail on a multi blade system when there are scheduled reports in configuration
700035 3-Major   /var/log/avr/monpd.disk.provision is not rotated
696212 3-Major   monpd does not return data for multi-dimension query
685727 3-Major   GEO dimension query failure
683474-1 3-Major   Case-sensitivity problem when comparing two Virtual Servers
679088 3-Major   Avr reporting and analytics does not display statistics of many source regions
624956 3-Major   AVR: Changes to some entities on AVR DNS tmsh reports
608242 3-Major   Add the ability to modify cspm cache cookie name (currently "f5_cspm")
686510 4-Minor   If tmm was restarted during an attack, the attack might appear ongoing in GUI


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
679221 1-Blocking   APMD may generate core file or appears locked up after APM configuration changed
720214 2-Critical   NTLM Authentication might fail if Strict Update in iApp is modified
720189 2-Critical   VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download
719149-1 2-Critical   VDI plugin might hang while processing native RDP connections
718136-1 2-Critical   32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux
716747 2-Critical   TMM core with SWG Transparent
714716 2-Critical   Apmd logs password for acp messages when in debug mode
711427-1 2-Critical   Edge Browser does not launch F5 VPN App
710116 2-Critical   VPN clients experience packet loss/disconnection
708005 2-Critical   Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources
707676 2-Critical   memory leak in Machine Certificate Check agent of the apmd process
703208 2-Critical   PingAccessAgent causes TMM core
702296 2-Critical   Importing the LocalDB csv file fails
702278 2-Critical   Potential XSS security exposure on APM logon page.
700724 2-Critical   Client connection with large number of HTTP requests may cause tmm to restart
700522 2-Critical   APMD restarts when worker threads are stuck
700090 2-Critical   tmm crash during execution of a per-request policy when modified during execution.
699686 2-Critical   localdbmgr crash
699117 2-Critical   Editing OAuth Client / Resource Server Request objects in the GUI results in invalid configuration
694078 2-Critical   TMM core with APM
692557 2-Critical   When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.
692369 2-Critical   TMM crash caused by SSOv2 form based due to null config
690116 2-Critical   websso might crash when logging set to debug
689591 2-Critical   When pingaccess SDK processes certain POST requests from the client, the TMM may restart
686282 2-Critical   APMD intermittently crashes when processing access policies
684782-1 2-Critical K22913225 APM eam process may enter a restart loop, generating a core file each time, when the log level is changed from LOGLEVEL_DEBUG3 to LOGLEVEL_ERROR.
677368 2-Critical   Websso crash due to uninitialized member in websso context object while processing a log message
660826-4 2-Critical   BIG-IQ Deployment fails with customization-templates
631286 2-Critical   URI cache entries should be replaced /expired for euie hash table
722969-3 3-Major   Import with 'reuse' rewrites shared objects
720695-3 3-Major   Export then import of Profile/Policy with advanced customization is failing
715207 3-Major   coapi errors while modifying per-request policy in VPE
714961 3-Major   antserver creates large temporary file in /tmp directory
714902 3-Major   Restjavad may hang if discover task fails and the interval is 0
714700-1 3-Major   SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy
713156 3-Major   AGC cannot do redeploy in exchange and adfs use case
712315 3-Major   LDAP and AD Group Resource Assign are not displaying Static ACLs correctly
709274 3-Major   RADIUS Accounting requests egress different self-IPs since upgrade to v13.1
704580 3-Major   apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP
704211 3-Major   Import/export is failing with lease pool
703793 3-Major   tmm restarts when using 'ACCESS::perflow get' in certain events
703429 3-Major   Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services
703171 3-Major   High CPU usage for apmd, localdbmgr and oauth processes
702487 3-Major   AD/LDAP admins with spaces in names are not supported
702263 3-Major   An access profile with large number of SAML Resources (>200) causes APM error ERR_TOOBIG while loading.
702222 3-Major   RADIUS and SecurID Auth fails with empty password
701740 3-Major   apmd leaks memory when updating Access V2 policy
701737 3-Major   apmd may leak memory on destroying kerberos cache
701736 3-Major   memory leak in Machine Certificate Check agent of the apmd process
701639 3-Major   Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.
698984 3-Major   Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned
697636 3-Major   ACCESS is not replacing headers while replacing POST body
696340 3-Major   Import of objects from non-Common partitions linked to objects in Common partition may fail
695953 3-Major   Custom URL Filter object is missing after load sys config TMSH command
694624 3-Major   SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor
692307 3-Major   User with 'operator' role may not be able to view some session variables
688046 3-Major   Change condition and expression for Protocol Lookup agent expression builder
687937 3-Major   RDP URIs generated by APM Webtop are not properly encoded
685862 3-Major   BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message
685593 3-Major   Access session iRules can fail with error "Illegal argument"
684937 3-Major K26451305 [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users
684583 3-Major   Builtin Okta Scopes Request object uses client-id and client-secret
684399 3-Major   Connectivity profiles UI shows (Not Licensed) when LTM base is presented
684370 3-Major   APM now supports VMware Workspace ONE integration with VIDM as ID Provider
684325 3-Major   APMD Memory leak when applying a specific access profile
683837 3-Major   Web browsers may strip query parameters from the logout URL after completing SAML single logout profile.
683741 3-Major   APM now supports VMware Workspace ONE integration with vIDM as ID Provider
683389 3-Major   Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file
683297 3-Major   Portal Access may use incorrect back-end for resources referenced by CSS
683113 3-Major K22904904 [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users
683110 3-Major   APM client_packaging and sandbox objects are not handled when using tmsh auth partition to manage partition
682751 3-Major   Kerberos keytab file content may be visible.
682500 3-Major K03903649 VDI Profile and Storefront Portal Access resource do not work together
682271 3-Major   Portal Access may handle JavaScript getter/setter definitions incorrectly
681836-1 3-Major   Portal Access: JavaScript code may be corrupted in debug mode
681726 3-Major   Portal Access: support for JavaScript EventSource object
681415 3-Major   Copying of profile with advanced customization or images might fail
680112 3-Major K18131781 SWG-Explicit rejects large POST bodies during policy evaluation
679898 3-Major   When two BIG-IP virtual servers are configured with multi-domain SSO, under certain conditions user may encounter HTTP redirect loop.
678851 3-Major   Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()
678427 3-Major K03138339 Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice
678376 3-Major   Portal Access: handling of cssText property of CSSStyleSheet object has been corrected
677682 3-Major   When BIG-IP is deployed as SAML identity provider(IdP), allow APM session variables to be used in entityID property.
675866 3-Major   WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO
675775 3-Major   TMM crashes inside dynamic ACL building session db callback
675066 3-Major   Resource server failure message update
673860-2 3-Major   App-service is not supported by import/export
673748 3-Major K19534801 ng_export, ng_import might leave security.configpassword in invalid state
673500 3-Major   Portal Access: support of relative URLs in HTML tags <link rel=import ...>
673085 3-Major   Enhancing the error message for metadata import/export failure for SAML SP and IdP objects.
671839 3-Major   Support client side end point inspection for Microsoft Office Applications
671597 3-Major   Import, export, copy and delete is taking too long on 1000 entries policy
671323 3-Major   Reset PIN Fail if Token input field is not 'password' field
667167 3-Major   Indirect invocation for History object methods fails using Portal Access
658278 3-Major   Network Access configuration with Layered-VS does not work with Edge Client
656784 3-Major K98510679 Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM
652479 3-Major   Client-side JavaScript parser cannot recognize constructions like { if(a) break\n}
641034 3-Major   Use RDP URIs to launch MS RemoteApps from APM Webtop on Mac
639124 3-Major   Access Policy Section Unexpectedly Shown
635509 3-Major   APM does not support VMware's Blast UDP
632646 3-Major   APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.
629334 3-Major   Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly
617823 3-Major   Multi domain login support with Citrix logon prompt
612792 3-Major   Support RDP redirection for connections launched from APM Webtop on iOS
612118 3-Major   Nexthop explicit proxy is not used for the very first connection to communicate with the backend.
607912 3-Major   Citrix Desktop/application name defined at broker is not correctly displayed.
600704 3-Major   Session variables cannot be used in Managed Endpoint Notification
536831 3-Major   APM PAM module does not handle local-only users list correctly
527553 3-Major   Support Third-party OTP providers and APM Native OTP authentication for Citrix Receiver clients
446673 3-Major   APM does not support VMware View 'Log in as current user' feature
697856 4-Minor   Profile from Common imported to other partition should still point to log-settings in Common
697510 4-Minor   Portal Access: Internet Explorer may encounter JavaScript error in multi-window Web application
694288 4-Minor   VPE object names cannot contain special characters
691017 4-Minor   Preventing ng_export hangs
685888 4-Minor   OAuth client stores incorrectly escaped JSON values in session variables
684414 4-Minor   Retrieving too many groups is causing out of memory errors in TMUI and VPE
678652 4-Minor   [APM] Usability: update tmsh error message to include access profile name
673717 4-Minor   VPE loading times can be very long
671627 4-Minor K06424790 HTTP responses without body may contain chunked body with empty payload being processed by Portal Access.
639028 4-Minor   Reset of unsupported User Identification Methods for profiles of type OAuth-Resource-Server, SSL-VPN, System Authentication during upgrades
534474 4-Minor   Dependency on Adobe Flash removed from the BIG IP Dashboard
349180 4-Minor   Variable Assign agent now allows to set VPN Dialup Entry/Windows Logon Integration name for Windows


Wan Optimization Manager Fixes

ID Number Severity Solution Article(s) Description
687075 2-Critical K78238591 tmm ASSERT %s spdy pcb initialized
686056 2-Critical   TMM crash with SIGSEGV on update iclient conn_stats
674367 3-Major K20983428 SDD v3 symmetric deduplication may stop working indefinitely


Service Provider Fixes

ID Number Severity Solution Article(s) Description
703515-2 2-Critical K44933323 MRF SIP LB - Message corruption when using custom persistence key
701889 2-Critical   Setting log.ivs.level or log-config filter level to informational causes crash
698338 2-Critical   Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection
689343 2-Critical   Diameter persistence entries with bi-directional flag created with 10 sec timeout
685708-1 2-Critical   Routing via iRule to a host without providing a transport from a transport-config created connection cores
701680 3-Major   MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds
700571 3-Major   SIP MR profile, setting incorrect branch param for CANCEL to INVITE
699431-2 3-Major   Possible memory leak in MRF under low memory
696049 3-Major K55660303 High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running
692310 3-Major K69250459 ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body
691048 3-Major K34553736 Support DIAMETER Experimental-Result AVP response
688942 3-Major K82601533 ICAP: Chunk parser performs poorly with very large chunk
679114 3-Major K92585400 Persistence record expires early if an error is returned for a BYE command
676709 3-Major K37604585 Diameter virtual server has different behavior of connection-prime when persistence is on/off
674747 3-Major K30837366 sipdb cannot delete custom bidirectional persistence entries.
673814 3-Major K37822302 Custom bidirectional persistence entries are not updated to the session timeout
670781 3-Major   Support for SIP method SERVICE and BENOTIFY
656901 3-Major   MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands
618222 3-Major   Loop detection implementation logic violates branch parameter compliance with RFC3261


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
721610-1 2-Critical   GUI does not show selfIP active firewall policies in non-0 route domains
720045 2-Critical   IP fragmented UDP DNS request and response packets dropped as DNS Malformed
717909-4 2-Critical   tmm can abort on sPVA flush if the HSB flush does not succeed
713707-1 2-Critical   ix600 platforms will now have DoS Enforcement in Software Mode enabled automatically
710755 2-Critical K30572159 Crash when cached route information becomes stale and the system accesses the information from it.
708888 2-Critical K79814103 Some DNS truncated responses may not be processed by BIG-IP
705161 2-Critical K23520761 TMM may crash when processing TCP DNS traffic
704207 2-Critical   DNS query name is not showing up in DNS AVR reporting
698333 2-Critical K43392052 TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)
694849 2-Critical   TMM crash when packet sampling is turned for DNS BDOS signatures.
692328 2-Critical   Tmm core due to incorrect memory allocation
690919 2-Critical   AFM pktclass daemon halt on NAT policy rule configuration
677473 2-Critical   MCPD core is generated on multiple add/remove of Mgmt-Rules
667353-1 2-Critical   Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table
644822-5 2-Critical K19245372 FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned
630137-1 2-Critical   Dynamic Signatures feature can fill up /config partition impacting system stability
712710-1 3-Major   TMM may halt and restart when threshold mode is set to stress-based mitigation
708840-1 3-Major   13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured
704528 3-Major   tmm may run out of memory during IP shunning
699772 3-Major   Chromebook legal browser detected as running selenium by Proactive Bot Defense
699179 3-Major   Modifying a Netflow profile requires that there are zero connections on the virtual servers that it is attached to
698806 3-Major   Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces
696201 3-Major   Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation
695775 3-Major   Changes in browsers tests for Device ID calculation
693782 3-Major   Mobile UC browser has been blocked by Proactive Bot Defense
693780 3-Major   Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices
693663 3-Major   Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode
693112 3-Major   Latest Opera Mini on Android is blocked by proactive bot defense
691367 3-Major   Attack-destination for a DoS vector was not predicting right thresholds in some cases
689856 3-Major   Some Edge 15 browsers hang with Device ID / Fingerprint
688369 3-Major   dos-hidden profile created in non-Common partition - search engines not bypassed
686376 3-Major   Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon
681178 3-Major   No way to determine AFM functional area mapping to log signature IDs for logs
679722 3-Major   Configuration sync failure involving self IP references
668004 3-Major   GUI: Allowed edit for NAT section in logging profile for users with Manager role
651113 3-Major   RFE to support AVR reporting for FW NAT translations
644241 3-Major   No warning messages when the firewall rule configuration contains mix of source and destination using IPv4 and IPv6 addressing
631418 3-Major   Packets dropped by HW grey list may not be counted toward AVR.
617170 3-Major   Port misuse policies could be created if AFM is not provisioned
613836 3-Major   Error message in ltm log when adding a DoS profile to virtual server in cluster setup
693825 4-Minor   Improved cases of legitimate browsers getting CAPTCHA
693775 4-Minor   Proactive Bot Defense sends CAPTCHA to the Safari 5-6.2


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
702705 2-Critical   Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile
696383 2-Critical   PEM Diameter incomplete flow crashes when swept
696294 2-Critical   TMM core may be seen when using Application reporting with flow filter in PEM
694717 2-Critical   Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.
616008 2-Critical K23164003 TMM core may be seen when using an HSL format script for HSL reporting in PEM
697718 3-Major   Increase PEM HSL reporting buffer size to 4K.
696789 3-Major   PEM Diameter incomplete flow crashes when TCL resumed
695968 3-Major   Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.
694319 3-Major   CCA without a request type AVP cannot be tracked in PEM.
694318 3-Major   PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.
689007 3-Major   PEM CMP-HASH misconfiguration does not generate error log
684333 3-Major   PEM session created by Gx may get deleted across HA multiple switchover with CLI command
678820 3-Major   Potential memory leak if PEM Diameter sessions are not created successfully.
677494 3-Major   Flow filter with Periodic content insertion action could leak insert content record
677148 3-Major   Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific
667700 3-Major   Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed
642068 3-Major   PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens
624231 3-Major   No flow control when using content-insertion with compression
680729 4-Minor K64307999 DHCP Trace log incorrectly marked as an Error log.


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
721570-2 1-Blocking K20285019 TMM core when trying to log an unknown subscriber
708830 3-Major   Inbound or hairpin connections may get stuck consuming memory.
691338 3-Major   Using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes
689632 3-Major   New source-translation stat - Total End Points(IPv4/IPv6) deprecates the old stat Total End Points
681070 3-Major   NAT66 may fail if configured with a single translation address
643879 3-Major   NAT64 Hairpin connections can be incorrectly logged using NAT44 log templates
518333 3-Major   New LSN Stat,Total End Points (IPv4/IPv6), deprecates the stat Total End Points


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
697363 2-Critical   FPS should forward all XFF header values
684852 2-Critical   Obfuscator not producing deterministic output
710701 3-Major   "Application Layer Encryption" option is not saved in DataSafe GUI
709319-1 3-Major   Post-login client-side alerts are missing username in bigIQ
706771 3-Major   FPS ajax-mapping property may be set even when it should be blocked
706651 3-Major   Cloning URL does not clone "Description" field
705559 3-Major   FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request
695847 3-Major   FPS: empty POST alert request may be forwarded to application server
694090 3-Major   Having multiple frames (window scopes) with specific names cause script failure.
690024 3-Major   Add the ability to rerun the URL CRC calculation via before-load function
686422 3-Major   URI reported in alert may not contain the actual traffic URI
685211 3-Major   Send multiple fields as username identifier in phishing alert
685174 3-Major   When script-src does not exist, FPS creates the script-src directive while ignoring the policy defined by default-src
681591-3 3-Major   False positive WebSafe automatic transactions 'Bot' alerts
678748 3-Major   Slowness in IE when Removed Scripts Detection enabled
677919-1 3-Major   Enhanced Data Manipulation AJAX Support
674909 3-Major   Application CSS injection might break when connection is congested
674293 3-Major   Prevent login failure caused by user deleting cookies
662311 3-Major   CS alerts should contain actual client IP address in XFF header
659290 3-Major   FPS should indicate live-update status (new content available/downloaded/auto-downloaded/download-failed)
643340 3-Major   False-positive alerts due to secure channel and cookies expiration
634175 3-Major   datasyncd obfuscation can cause up to performance degradation
633449-3 3-Major   Browser autocomplete may cause login to fail
675672 4-Minor   sys db antifraud.domainavailabilityurls does not work
671212 4-Minor   P+NAB-12.1.1-IE9 truncating request if path does not end with "/"


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
700320-1 2-Critical   tmm core under stress when BADOS configured and attack signatures enabled
701288 3-Major   Server health significantly increases during DoSL7 TPS prevention
691462 3-Major   Bad actors detection might not work when signature mitigation blocks bad traffic


Traffic Classification Engine Fixes

ID Number Severity Solution Article(s) Description
724847-2 2-Critical   DNS traffic does not get classified for AFM port misuse case
698396 2-Critical   Config load failed after upgrade from 12.1.2 to 13.x or 14.x
699103 3-Major   tmm continuously restarts after provisioning AFM
689614 3-Major   If DNS is not configured and management proxy is setup correctly, Webroot database fails to download


Device Management Fixes

ID Number Severity Solution Article(s) Description
694485 2-Critical   Configuration sync does not sync iControl LX or iApp LX objects
708305 3-Major   Discover task may get stuck in CHECK_IS_ACTIVE step
705593-6 3-Major   CVE-2015-7940: Bouncy Castle Java Vulnerability


iApp Technology Fixes

ID Number Severity Solution Article(s) Description
693694 3-Major   tmsh::load within IApp template results in unpredicted behavior


Protocol Inspection Fixes

ID Number Severity Solution Article(s) Description
691646 2-Critical   MCPD crashes while fetching page Security :: Protocol Security : Inspection Profiles with 500 IPS profiles
691265 3-Major   Protocol Inspection custom signatures require that http_header keyword have a leading space character
671716 3-Major   UCS version check was too strict for IPS hitless upgrade


Cumulative fix details for BIG-IP v14.0.0 that are included in this release

734417 : No "Loading..." feedback when updating DoS Application profile

Component: Application Security Manager

Symptoms:
When updating a DoS Application profile or cancelling changes, the GUI does not print the "Loading..." graphic at the top of the page. No feedback is provided.

Conditions:
Working with the DoS Application profile when ASM is provisioned.

Impact:
No feedback is provided possibly causing the administrator's confusion when updating the profile.

Workaround:
There is no workaround at this time.

Fix:
The DoS Application profile GUI now shows the "Loading..." message at the top of the page when updating the profile or cancelling changes.


726089-1 : Modifications to AVR metrics page

Component: Application Visibility and Reporting

Symptoms:
AVR metrics page does not use current best practices

Conditions:
AVR enabled

Impact:
Unexpected output when displaying the AVR metrics page

Workaround:
N/A

Fix:
AVR metrics page now follows best practices


725545 : Ephemeral listener might not be set up correctly

Component: Local Traffic Manager

Symptoms:
When ephemeral listeners are set up across a cluster, the transaction might fail.

Conditions:
When using Network Access tunnel with proxy ARP and no SNAT.

Impact:
The client-assigned IP address might intermittently fail to be resolved via ARP on the server-side/lease-pool VLAN.

Workaround:
None.

Fix:
The ephemeral listener is now set up correctly.


724847-2 : DNS traffic does not get classified for AFM port misuse case

Component: Traffic Classification Engine

Symptoms:
When DNS query name has a label length of greater than 23 bytes, it does not get classified as DNS.

Conditions:
-- AFM provisioned.
-- A port misuse policy for DNS and a service policy configured.
-- DNS query name with label length of greater than 23 bytes.

Impact:
DNS does not get classified properly for some cases.

Workaround:
There is no workaround at this time.

Fix:
Allowed DNS label length is now 64 bytes, so any DNS query name where each label is fewer than 64 bytes is now properly classified.


723300 : TMM may crash when tracing iRules containing nameless listeners on internal virtual servers

Component: Local Traffic Manager

Symptoms:
TMM may crash when tracing iRules containing nameless listeners on internal virtual servers.

Conditions:
-- Using iRule tracing.
-- Internal virtual servers.
-- Listener iRule, where the listener has no name.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when tracing iRules containing nameless listeners on internal virtual servers.


723130 : Invalid-certificate warning displayed when deploying BIG-IP VE OVA file

Component: TMOS

Symptoms:
The OVA signing certificate that signs BIG-IP Virtual Edition (VE) OVA files expired. When deploying a BIG-IP VE from an OVA file, an invalid-certificate warning might be displayed due to the expired OVA signing certificate.

Conditions:
This issue may be encountered during the creation of new instances of BIG-IP VE in clients that check the validity of the OVA signing certificate (e.g., VMware).

Note: Existing BIG-IP VE instances are not subject to this issue.

Impact:
There might be questions about the integrity of the OVA file, and in some cases it might not be possible to deploy a new instance from the OVA file.

Workaround:
The expired OVA signing certificate has been replaced with a valid signing certificate.

Fix:
The expired OVA signing certificate has been replaced with a valid signing certificate.


722969-3 : Import with 'reuse' rewrites shared objects

Component: Access Policy Manager

Symptoms:
If a policy is exported and then imported with 'reuse' it rewrites objects on the server instead of simply reusing them.

Conditions:
-- Exporting profile A.
-- Importing profile B, with 'reuse' configured.
-- The objects in both profiles are named the same and are the same type.

Impact:
-- 'Reused' objects on the system are modified.
-- Policy A requires 'apply', because objects shared with Policy B are overwritten.

Workaround:
None.

Fix:
Import with 'reuse' no longer rewrites shared objects


722893-2 : The TMM - host interface may stall when the kernel memory is fragmented

Component: Local Traffic Manager

Symptoms:
MCP logs 'Removed publication with publisher id TMMx' and the affected TMM restarts.

Conditions:
This occurs when the following conditions are met:
-- Linux kernel memory fragmentation exists.
-- Another operation is occurring, including (among others):
  + Config-sync with full reload is initiated.
  + Running tcpdump.

Impact:
Degraded performance and unexpected failover when tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The internal driver has been improved, allowing it to work in low- and/or fragmented-memory conditions.


722594-1 : TCP flow may not work as expected if double tagging is used

Component: Local Traffic Manager

Symptoms:
TCP flow may have an incorrect ACK number, and the flow may stall or reset. The BIG-IP system sends an ACK that is higher than it should be based on the data received from the client.

Conditions:
Double tagging is used.

Impact:
TCP connection fails.

Workaround:
Change the db variable tm.tcplargereceiveoffload value to disable.

Fix:
TCP flow now has the correct ACK number when double tagging is used.


721610-1 : GUI does not show selfIP active firewall policies in non-0 route domains

Component: Advanced Firewall Manager

Symptoms:
Selecting a self-IP containing '%' does not filter the policy/rules.

Conditions:
This occurs when the following conditions are met:
-- Using the GUI.
-- Viewing active policies for a selfIP in a non-Common partition.
-- The self-IP is in RDx (where RD is route domain, and x is not 0 (zero), as designated by the percent (%) sign).

Impact:
The Active Rules page does not show filtered policy/rules for a selected self-IP.

Workaround:
Use tmsh to find the policy attached to a given self-IP.

Fix:
GUI now shows filtered FW policies for self-IP containing '%'.


721570-2 : TMM core when trying to log an unknown subscriber

Solution Article: K20285019

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT with subscriber-id logging enabled can cause a TMM core when the subscriber ID is unknown.

Conditions:
-- An LSN pool or FW-NAT source translation that has a logging profile with subscriber-id enabled.
-- A PEM profile that allows unknown subscribers.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure PEM to deny connections from unknown subscribers.

Fix:
The system no longer crashes. It logs 'unknown' for unknown subscribers.


721474-2 : AVR does not send all SSLO statistics to offbox machine.

Component: Application Visibility and Reporting

Symptoms:
When using the 'use-offbox' option, AVR does not send SSLO statistics to the offbox system.

Conditions:
-- AVR provisioned.
-- Use-offbox is enabled.

Impact:
SSLO statistics are not available for BIG-IQ analytics.

Workaround:
There is no workaround.

Fix:
AVR now sends SSLO statistics to offbox systems when the 'use-offbox' option is enabled.


720695-3 : Export then import of Profile/Policy with advanced customization is failing

Component: Access Policy Manager

Symptoms:
An exported policy containing advanced customization fails to import.

Conditions:
-- Export policy containing advanced customization.
-- Import the same policy.

Impact:
Import fails.

Workaround:
None.

Fix:
Import of exported policy containing advanced customization now succeeds.


720214 : NTLM Authentication might fail if Strict Update in iApp is modified

Component: Access Policy Manager

Symptoms:
Exchange Proxy NTLM Authentication fails when the iApp Strict Updates option is disabled initially and then turned on. NTLM authentication fails with STATUS_NO_LOGON_SERVERS.

Conditions:
The Strict Update option in the iApp is modified.

Impact:
Any service using NTLM authentication will be disrupted.

Workaround:
Restart the ECA and NLAD modules so that NTLM authentication works correctly again. To do so, run the following commands:

bigstart restart nlad
bigstart restart eca

Fix:
NTLM authentication now works as expected when Strict Update in the iApp is modified.


720189 : VDI settings in APM Webtop have the incorrect URL for Citrix Receiver client download

Component: Access Policy Manager

Symptoms:
VDI settings have HTML5 package URL instead of Citrix Receiver download link. Hyperlink directs to HTML5 package link.

Conditions:
-- Citrix VDI is configured in Replacement mode.
-- HTML5 package is configured using Citrix client bundle.
-- Citrix HTML5 client bundle is used with Connectivity profile attached to the virtual server.

Impact:
The incorrect package is downloaded to the APM Webtop user.

Workaround:
None.

Fix:
Fixed the hyperlink for Citrix Receiver download in VDI settings of Webtop.


720045 : IP fragmented UDP DNS request and response packets dropped as DNS Malformed

Component: Advanced Firewall Manager

Symptoms:
AFM/DHD treats an IP fragmented UDP DNS packet (request or response) as a DNS Malformed packet and drops it.

Conditions:
-- AFM/DHD is enabled (provisioned and licensed).
-- DNS Malformed vector is enabled at Device context (by default, it's always enabled).
-- AFM/DHD receives fragmented IP packet for UDP DNS request or response.

Impact:
AFM/DHD incorrectly treats such packets as DNS malformed and drops them.

If AFM/DHD receives any DNS request/response UDP packet that is fragmented at the IP layer, the system drops the packet, interrupting DNS service between client/servers through BIG-IP systems.

Workaround:
None.

Fix:
This issue is now fixed, as follows:

a) For an IP fragmented UDP DNS request packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.

  - If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
  - If this information is not available in the first IP fragment, AFM drops the fragment as DNS Malformed.

b) For an IP fragmented UDP DNS response packet, AFM parses the first IP fragment to retrieve the L4 (UDP) header, the DNS header, and the Question section.

  - If this information is available in the first IP fragment, AFM processes the packet for further DoS checks.
  - If, however, this information is not available in the first IP fragment, the default behavior is that AFM allows such fragmented DNS response packets through. This behavior can be changed to drop incomplete IP fragmented DNS response packets by setting the db variable 'Dos.dns.respfrag.allow' to 'false'.
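The first-fragment check described in this fix, as an added example (not F5 code): it models the decision rules above on the bytes that follow the IP header of the first fragment. The function and variable names are assumptions; respfrag_allow stands in for the Dos.dns.respfrag.allow db variable, and treating a fragment too short to contain even the DNS header like an incomplete request is an assumption the fix text does not state.

```python
import struct

UDP_HDR_LEN = 8   # src port, dst port, length, checksum
DNS_HDR_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount


def skip_name(buf, off):
    """Return the offset just past the DNS name starting at buf[off], or None
    if the name runs past the end of buf (it continues in a later fragment)."""
    while True:
        if off >= len(buf):
            return None
        length = buf[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer, 2 bytes
            return off + 2 if off + 2 <= len(buf) else None
        if length > 63:                  # RFC 1035 label limit
            return None
        off += 1 + length


def question_section_complete(payload):
    """payload: bytes after the IP header of the first fragment.
    Returns (headers_present, is_response, question_complete)."""
    if len(payload) < UDP_HDR_LEN + DNS_HDR_LEN:
        return False, None, False
    flags, qdcount = struct.unpack('!HH', payload[UDP_HDR_LEN + 2:UDP_HDR_LEN + 6])
    is_response = bool(flags & 0x8000)   # QR bit of the DNS flags word
    off = UDP_HDR_LEN + DNS_HDR_LEN
    for _ in range(qdcount):
        off = skip_name(payload, off)
        if off is None or off + 4 > len(payload):   # QTYPE + QCLASS
            return True, is_response, False
        off += 4
    return True, is_response, True


def first_fragment_verdict(payload, respfrag_allow=True):
    """Apply the decision rules from the fix: 'process' when the UDP header,
    DNS header and full Question section are present; otherwise 'drop' for a
    request, and 'allow' or 'drop' for a response depending on respfrag_allow."""
    headers, is_response, complete = question_section_complete(payload)
    if complete:
        return 'process'
    if headers and is_response:
        return 'allow' if respfrag_allow else 'drop'
    # Request, or so little data that the DNS header itself is missing
    # (assumption: handled like an incomplete request) -> DNS Malformed.
    return 'drop'


def build_dns_message(qname, response=False, qtype=1, qclass=1, txid=0x1234):
    """Constructed sample: UDP header + DNS header + one question for qname.
    Slicing the result simulates what the first IP fragment carries."""
    name = b''.join(bytes([len(label)]) + label.encode()
                    for label in qname.split('.')) + b'\x00'
    flags = 0x8180 if response else 0x0100
    dns = (struct.pack('!HHHHHH', txid, flags, 1, 0, 0, 0)
           + name + struct.pack('!HH', qtype, qclass))
    sport, dport = (53, 40000) if response else (40000, 53)
    udp = struct.pack('!HHHH', sport, dport, UDP_HDR_LEN + len(dns), 0)
    return udp + dns


if __name__ == '__main__':
    query = build_dns_message('example.com')
    print(first_fragment_verdict(query))        # process
    print(first_fragment_verdict(query[:25]))   # drop: name cut mid-fragment
    reply = build_dns_message('example.com', response=True)
    print(first_fragment_verdict(reply[:25]))   # allow (default)
    print(first_fragment_verdict(reply[:25], respfrag_allow=False))  # drop
```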


719149-1 : VDI plugin might hang while processing native RDP connections

Component: Access Policy Manager

Symptoms:
Rarely, during processing of native RDP connections, the VDI plugin might hang, which prevents launch of VDI resources (Native RDP, Citrix, VMware View) from the APM Webtop.

Conditions:
APM Webtop is configured with native RDP resource.

Impact:
VDI resources (Native RDP, Citrix, VMware View) cannot be launched from APM Webtop.

Workaround:
None.

Fix:
Fixed rare VDI plugin hang caused by processing of native RDP connections.


718885-4 : Under certain conditions, monitor probes may not be sent at the configured interval

Solution Article: K25348242

Component: Global Traffic Manager (DNS)

Symptoms:
When more resources share the same monitor interval than the interval value allows, and the monitor timeout value is no more than two times the monitor interval, the monitored resource may be marked as unavailable (due to a timeout) and then immediately changed back to available.

Conditions:
Monitor interval is lower than the number of resources configured with the same monitor interval.

Impact:
Monitor probes are not consistently performed at the configured interval.

Workaround:
Set the monitor interval to a value greater than the number of resources monitored using that same interval value.

The key to this workaround is to ensure that the number of resources monitored at a given interval is not greater than that interval. That can be accomplished in several ways depending on your configuration and requirements.

For example, if the monitoring interval is 30 seconds and there are 40 different monitors with a 30-second interval and each monitor is assigned to exactly one resource, there are at least two options:

-- Change the interval for 10 of the monitors to a different value.

-- Set the monitor interval to 40.

Note: If you change the monitor interval, make sure to also change the timeout value to follow best practices:
timeout value = (3 x interval) + 1.

Fix:
Monitoring is now consistently performed at the configured interval regardless of the number of resources with the same monitor interval.


718136-1 : 32-bit F5 VPN and Endpoint Inspector apps are discontinued on Linux

Component: Access Policy Manager

Symptoms:
32-bit F5 VPN and Endpoint Inspector apps are not available for new installation or update on Linux.

Conditions:
Using a browser (Mozilla Firefox or Google Chrome) on 32-bit Linux to establish network access (VPN), which requires the 32-bit F5 VPN and Endpoint Inspector apps.

Impact:
APM end user cannot establish network access (VPN) on 32-bit Linux using a browser. APM does not offer 32-bit F5 VPN and Endpoint Inspector apps for installations or update.

Workaround:
Use 32-bit CLI VPN client.

Fix:
Because of increased size, low usage, and industry trends, F5 has discontinued support of the desktop Linux 32-bit VPN and Endpoint Inspection apps.


718071 : HTTP2 with ASM policy not passing traffic

Component: Local Traffic Manager

Symptoms:
HTTP/2 traffic does not pass when an ASM policy is applied to the virtual server.

Conditions:
-- HTTP2 virtual server.
-- ASM policy applied.

Impact:
Traffic does not pass.

Workaround:
No workaround.

Fix:
HTTP2 and ASM now work correctly together.


717909-4 : tmm can abort on sPVA flush if the HSB flush does not succeed

Component: Advanced Firewall Manager

Symptoms:
When the BIG-IP system comes up, or when tmm/dwbld/iprepd restarts, tmm flushes the sPVA. If the operation does not succeed, tmm can wait for 10 seconds, which might cause it to abort (crash) due to heartbeat failure.

Conditions:
-- BIG-IP system comes up, or tmm/dwbld/iprepd restart.
-- HSB flush does not succeed within ~3 seconds (it is supposed to succeed within ~3 seconds unless something is wrong with the HSB).

Impact:
tmm will have to be restarted. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
The system now checks asynchronously to determine whether or not the flush sPVA has succeeded.


717900 : TMM crash while processing APM data

Solution Article: K27044729


717756-1 : High CPU usage from asm_config_server

Component: Application Security Manager

Symptoms:
Use of Automatic policy builder might result in high CPU usage of asm_config_server (and ASM slowdown).

Conditions:
- Automatic policy builder.
- Several entity types learning in 'Add all entities' configuration.

Impact:
ASM availability impacted.

Workaround:
-- Switch to Manual policy builder.
-- Set entity types learning to compact / selective / never.

Fix:
Policy builder no longer puts unnecessary load on ASM configurations.


717391-1 : advCustHelp - how to add, remove, and modify advanced customization without it

Component: Access Policy Manager

Symptoms:
Beginning in v13.x, advCustHelp does not work as expected.

Conditions:
Using advCustHelp with version v13.x, or later.

Impact:
Cannot use advCustHelp to add, remove, or modify advanced customization.

Workaround:
Here are the commands to substitute:

-- To list all customization groups on the device:
tmsh list apm policy customization-group

-- To list one customization group, use the following command:
tmsh list apm policy customization-group NAMEOFCG

-- To add new advanced customization, use the following command:
tmsh modify apm policy customization-group NAMEOFCG templates add { NAMEOF.INC { local-path PATHTOFILE } }

-- To delete advanced customization, use the following command:
tmsh modify apm policy customization-group NAMEOFCG templates delete { NAMEOF.INC }

-- To update files, use the following command:
tmsh modify apm policy customization-group NAMEOFCG templates modify { NAMEOF.INC { local-path PATHTOFILE } }

Fix:
Beginning in this release, advCustHelp has been removed.

Behavior Change:
Beginning in v13.x, you cannot use advCustHelp to add, remove, or modify advanced customization.

Here are the commands to substitute:

-- To list all customization groups on the device:
tmsh list apm policy customization-group

-- To list one customization group, use the following command:
tmsh list apm policy customization-group NAMEOFCG

-- To add new advanced customization, use the following command:
tmsh modify apm policy customization-group NAMEOFCG templates add { NAMEOF.INC { local-path PATHTOFILE } }

-- To delete advanced customization, use the following command:
tmsh modify apm policy customization-group NAMEOFCG templates delete { NAMEOF.INC }

-- To update files, use the following command:
tmsh modify apm policy customization-group NAMEOFCG templates modify { NAMEOF.INC { local-path PATHTOFILE } }


716992 : The ASM bd process may crash

Solution Article: K75432956


716747 : TMM core with SWG Transparent

Component: Access Policy Manager

Symptoms:
TMM cores when running an SWG-Transparent access profile. There is a log message in /var/log/apm near the time of the crash with this:

err tmm[20598]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_initiate_swgt_policy_done, Line: 17000.

Conditions:
Forward proxy with an access profile of type SWG-Transparent.

This happens every time when there is an On-Demand Cert Auth agent in the access policy. It is sometimes seen in other situations, but much less frequently.

Impact:
TMM core. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer cores with SWG Transparent.


715747-1 : TMM may restart when running traffic through custom SSLO deployments.

Component: Local Traffic Manager

Symptoms:
TMM restarts with a SIGSEGV signal and dumps core.

Conditions:
This issue is known to happen when passing traffic through some custom SSLO deployments (e.g., iRule-based configurations).

Impact:
TMM restarts. If the system is in a high availability configuration, a failover occurs. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer restarts.


715207 : coapi errors while modifying per-request policy in VPE

Component: Access Policy Manager

Symptoms:
System reports errors about coapi in /var/log/ltm when modifying a per-request policy in the Visual Policy Editor (VPE).

err coapi: PHP: requested conversion of uninitialized member.

Conditions:
-- The per-request policy being modified is attached to the virtual server.
-- Using VPE.

Impact:
The impact can vary by version.
-- In some versions it represents a stray error log.
-- In other versions the 'Accepted Languages' in the Logon Page agent does not have the full list.
-- In other versions, there are server 500 errors when modifying agents.

Workaround:
To work around this issue, perform the following procedure:
1. Remove the per-request policy from the virtual server.
2. Modify the policy.
3. Add the policy back to the virtual server.

Fix:
The underlying coapi errors have been resolved, which should also resolve the associated impacts.


715153-2 : AVR can generate many files in /var/avr/loader folder, which might cause disk-usage problem

Component: Application Visibility and Reporting

Symptoms:
-- The folder /var/avr/loader contains many files (e.g., more than 1500 files).
-- monpd is not running.

Conditions:
This occurs when the following conditions are met:
-- Avrd is running.
-- monpd is down.

Impact:
AVR writes many files to /var/avr/loader. Depending on disk usage, this might cause disk-usage problems.

Workaround:
There are two possible workarounds:
-- Restart monpd. When monpd starts up, it deletes the files under /var/avr/loader.
-- Delete all files under /var/avr/loader.

Fix:
There is now a limit for the /var/avr/loader folder, so that it can contain no more than 1100 files. This prevents disk-usage problems.


714961 : antserver creates large temporary file in /tmp directory

Component: Access Policy Manager

Symptoms:
SWG Analytics (running through the antserver daemon) creates a large temporary file in the /tmp directory due to a lack of write permissions on the appropriate directory.

Conditions:
-- SWG provisioned.
-- Viewing SWG Analytics.

Impact:
/tmp is temporarily populated with a large file that might fill up the directory if it is already close to capacity.

Workaround:
There is no workaround at this time.

Fix:
The system now writes to /shared/tmp/ant_server instead of /tmp, so the issue no longer occurs.


714902 : Restjavad may hang if discover task fails and the interval is 0

Component: Access Policy Manager

Symptoms:
If a discover task fails because of a network issue, the system runs the task again at the next scheduled time. If the discover interval is set to 0, the system retries immediately, which may cause restjavad to hang.

Conditions:
A provider is configured with a discover interval of 0, and the discover task fails because of a network issue.

Impact:
The discover task consumes a lot of CPU while restjavad continuously retries it.

Workaround:
Change the discover interval to 1 hour or more.

Fix:
Now, if the discover interval is 0 and the discover task fails because of a network issue, the system sends the task to the finished state and does not retry anymore.


714716 : Apmd logs password for acp messages when in debug mode

Component: Access Policy Manager

Symptoms:
Apmd logs password when executing policy via iRule.

Conditions:
-- APM is licensed and provisioned
-- Executing policy via iRule using iRule command 'ACCESS::policy evaluate'.
-- Clear text password is supplied for authentication
-- Debug mode active

Impact:
Apmd writes the clear-text password to the APM log, so anyone who can read the log files (or copies of them) can recover the credential.

Workaround:
Use the '-secure' option when setting or reading the password session variable in the iRule, for example:

-- ACCESS::session data get [-sid <sid>] [-secure] <key> -ssid <session_id>
-- ACCESS::session data set [-sid <sid>] [-secure] <key> [<value>]

Fix:
Apmd now no longer logs password in debug mode when evaluating policy via iRule.


714700-1 : SSO for native RDP resources is not compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy

Component: Access Policy Manager

Symptoms:
To address a vulnerability in its CredSSP implementation (CVE-2018-0886), Microsoft released a set of updates for all versions of Windows (https://aka.ms/credssp). Although the APM implementation is not affected by this vulnerability, the Microsoft Windows Server fix introduces a compatibility issue. The update adds a new Group Policy, 'Encryption Oracle Remediation', which, if set to 'Force Updated Clients' on the server, might break SSO for APM's native RDP resources.

Conditions:
-- RDP server has https://aka.ms/credssp update installed.
-- 'Encryption Oracle Remediation' Group Policy on the RDP server is set to 'Force Updated Clients'.

Impact:
SSO for native RDP resources does not work.

Workaround:
Set the 'Encryption Oracle Remediation' Group Policy on the RDP server to 'Mitigated'. Note that 'Mitigated' is the less strict setting: the server then still accepts connections from unpatched CredSSP clients.

Fix:
SSO for native RDP resources is now compatible with the 'Force Updated Clients' setting of 'Encryption Oracle Remediation' Group Policy.


714626 : When licensing through a proxy, setting the db variables for proxy.host, proxy.port, etc., has no effect.

Solution Article: K30491022

Component: TMOS

Symptoms:
When the BIG-IP system is behind a proxy server, the licensing process does not work, despite having set the db variables for proxy.host, proxy.port, proxy.protocol, etc.

Conditions:
-- The BIG-IP system is behind a proxy server that gates internet access.
-- Licensing (or revoking the license of) the BIG-IP system using the GUI or tmsh fails because communication with the license server fails.

Impact:
Cannot license, reactivate license, or revoke the license of the BIG-IP system.

Workaround:
Instead of using GUI or tmsh, run the following command, substituting your proxy specification for <proxy> and your license registration key for <reg-key>:

/usr/local/bin/SOAPLicenseClient --proxy <proxy> --basekey <reg-key> --certupdatecheck

Fix:
Licensing/revoke licensing works as expected by simply setting the tmsh sys db variables proxy.host, proxy.port, etc.


714369-1 : ADM may fail when processing HTTP traffic

Solution Article: K62201098


714350-1 : BADOS mitigation may fail

Solution Article: K62201098


713707-1 : ix600 platforms will now have DoS Enforcement in Software Mode enabled automatically

Component: Advanced Firewall Manager

Symptoms:
The sys db variable dos.forceswdos controls whether DoS enforcement runs in software mode. ix600 platforms with TurboFlex licenses restrict DoS enforcement to software mode. The default for dos.forceswdos is 'false', so DoS enforcement does not work on those platforms until the setting is changed to 'true'.

Conditions:
-- ix600 platforms, as detailed in the following list:

  + BIG-IP i2600
  + BIG-IP i4600
  + BIG-IP i5600
  + BIG-IP i7600
  + BIG-IP i10600
  + BIG-IP i12600
  + BIG-IP i15600
  + BIG-IP i11600

-- TurboFlex license.

-- Using software versions 13.1.x-14.0.0.

Impact:
The dos.forceswdos db variable is set to false by default in the configuration, meaning that DoS works in Hardware mode on capable hardware platforms. However, due to licensing restrictions for ix600 platforms, DoS enforcement can run only in software mode. For ix600, if the dos.forceswdos setting is not changed to true, DoS enforcement does not work at all.

Workaround:
Manually set the sys db variable dos.forceswdos to true to enable DoS enforcement in software mode.

Note: In its default value 'false', DoS enforcement is in hardware mode, which is not supported by ix600. If you upgrade the license from ix600 to ix800, this db variable is still set to 'true', meaning DoS is operating in software mode. To run DoS in hardware mode on ix800 platforms, set the db variable to false.

Fix:
This change supports licensing behavior on ix600 platforms with Turboflex licenses, and enables DoS enforcement in supported software mode automatically (sets db variable to true). To have DoS enforcement in hardware mode requires ix800 or higher licenses, whenever available, and requires that the sys db variable dos.forceswdos be set to false.


713273-1 : BIG-IP sys db variable avr.stats.internal.maxentitiespertable resets back to default value on services restart

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system restart, a modified value for the sys db variable avr.stats.internal.maxentitiespertable returns to the default.

Conditions:
1. avr.stats.internal.maxentitiespertable value is modified from the default.
2. The BIG-IP system restarts.

Impact:
avr.stats.internal.maxentitiespertable returns to its default value.

Workaround:
After a BIG-IP system restart, set the value of avr.stats.internal.maxentitiespertable again.

Fix:
A modified avr.stats.internal.maxentitiespertable value no longer returns to the default value after BIG-IP system restart.


713156 : AGC cannot do redeploy in exchange and adfs use case

Component: Access Policy Manager

Symptoms:
In AGC Exchange or Active Directory Federation Services (ADFS) configurations, the system creates an SSL HTML form and an SSO HTML form control object. Because of a limitation of ICRD, the system cannot directly delete SSO HTML form control objects.

Conditions:
-- Redeploy occurs in an AGC exchange ADFS configuration.
-- Modifying existing configurations.

Impact:
Redeploy fails; the configuration remains unmodified.

Workaround:
Do an undeploy, followed by a deploy.

Fix:
Redeploy now succeeds.


713066-4 : Connection failure during DNS lookup to disabled nameserver can crash TMM

Solution Article: K10620131

Component: Global Traffic Manager (DNS)

Symptoms:
TMM restarts as a result of a DNS lookup to a disabled nameserver.

Conditions:
DNS lookup that tries to connect to a nameserver that is not reachable for some reason.

This could be an explicit 'RESOLV::lookup' command in iRule, or it could be DNS lookups internally triggered by APM or HTTP.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
Verify connectivity to nameserver.

As an alternative, refrain from using RESOLV::lookup in iRules.

Fix:
This issue is now fixed.


712710-1 : TMM may halt and restart when threshold mode is set to stress-based mitigation

Component: Advanced Firewall Manager

Symptoms:
When auto-DoS vector's threshold mode is set to stress-based mitigation, but the vector is in disabled state, TMM may halt and restart.

Conditions:
-- Threshold mode is set to stress-based mitigation.
-- Vector is disabled.

Impact:
TMM restarts. Traffic disrupted while TMM restarts.

Workaround:
There is no workaround other than not setting threshold mode to stress-based mitigation if the vector is disabled.

Fix:
TMM no longer restarts when threshold mode is set to stress-based mitigation and the vector is in disabled state.


712475-4 : DNS zones without servers will prevent DNS Express reading zone data

Solution Article: K56479945

Component: Local Traffic Manager

Symptoms:
DNS Express does not return dig requests.

Conditions:
DNS Express is configured with a zone that has no server.

Impact:
DNS Express does not return dig requests.

Workaround:
You can use either of the following workarounds:
-- Remove the zone without the server.
-- Configure a server for the zone.

Fix:
DNS zones without servers no longer prevent DNS Express reading zone data.


712437-4 : Records containing hyphens (-) will prevent child zone from loading correctly

Solution Article: K20355559

Component: Local Traffic Manager

Symptoms:
A dig query for the record returns no answer, only the parent zone's SOA, even though dnsxdump shows that the record exists.

Conditions:
-- Parent zone has a record containing - (a hyphen) and the preceding characters match the child zone. For example,
 myzone.com -- parent
 foo.myzone.com -- child
 
-- In myzone.com, you have a record of the following form:
foo-record.myzone.com

Impact:
DNS can not resolve records correctly.

Workaround:
None.

Fix:
DNS now handles the case in which the parent zone has a record containing - (a hyphen) and the preceding characters match the child zone.
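A check for the condition above, added here as an example and not F5 code: given a parent zone, its child zones and the owner names in the parent zone, it lists the records whose label at the child zone's depth is the child's label followed by a hyphen, so the records can be reviewed before relying on them on an affected version. The zone and record names below are constructed.

```python
"""Find parent-zone records that trigger the hyphen condition from ID 712437-4."""


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_child_zone(zone, parent):
    """True when zone is a proper subzone of parent (foo.myzone.com of myzone.com)."""
    z, p = _labels(zone), _labels(parent)
    return len(z) > len(p) and z[-len(p):] == p


def affected_records(parent_zone, child_zones, record_names):
    """Return (record, child_zone) pairs for owner names in parent_zone whose
    label at the child zone's depth is the child's label followed by '-'.

    With parent myzone.com and child foo.myzone.com:
      foo-record.myzone.com      -> affected
      www.foo-record.myzone.com  -> affected (same label, one level deeper)
      foobar.myzone.com          -> not affected (no hyphen after 'foo')
      foo.myzone.com             -> not affected (this is the child apex itself)
    """
    parent = _labels(parent_zone)
    hits = []
    for child in child_zones:
        if not is_child_zone(child, parent_zone):
            continue
        child_rel = _labels(child)[:-len(parent)]   # e.g. ['foo'] or ['bar', 'foo']
        depth = len(child_rel)
        for rec in record_names:
            r = _labels(rec)
            if len(r) <= len(parent) or r[-len(parent):] != parent:
                continue                               # not an owner name in the parent zone
            rel = r[:-len(parent)]                     # labels relative to the parent apex
            if len(rel) < depth or rel[len(rel) - depth + 1:] != child_rel[1:]:
                continue                               # intermediate labels do not line up
            if rel[len(rel) - depth].startswith(child_rel[0] + "-"):
                hits.append((rec, child))
    return hits


# Constructed zone data mirroring the example in the Conditions section.
PARENT = "myzone.com"
CHILDREN = ["foo.myzone.com", "bar.foo.myzone.com"]
RECORDS = [
    "foo-record.myzone.com",
    "www.foo-record.myzone.com",
    "foobar.myzone.com",
    "foo.myzone.com",
    "bar-x.foo.myzone.com",
    "bar-x.myzone.com",
    "www.myzone.com",
]

if __name__ == "__main__":
    for rec, child in affected_records(PARENT, CHILDREN, RECORDS):
        print(f"{rec} shares prefix '{child.split('.')[0]}-' with child zone {child}")
```

The comparison is done label by label rather than with a plain string prefix so that foobar.myzone.com (no hyphen after the child label) and names in unrelated branches are not reported.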


712315 : LDAP and AD Group Resource Assign are not displaying Static ACLs correctly

Component: Access Policy Manager

Symptoms:
In the VPE, the LDAP Group Resource Assign and AD Group Resource Assign agents do not display static ACLs that are configured.

Conditions:
Attempting to assign static ACLs via the AD or LDAP Group Resource Assign agent (also known as Group Mapping); the static ACLs are not displayed.

Impact:
Users are not able to assign Static ACLs with AD and LDAP Group Mapping via VPE.

Workaround:
Static ACLs are assignable with tmsh; the relevant object is apm policy agent resource-assign (tmsh modify apm policy agent resource-assign ...).

Fix:
Functionality is restored: static ACLs are displayed in the AD and LDAP Group Resource Assign (Group Mapping) agents in the VPE.


712118-1 : AVR should report on all 'global tags' in external logs

Component: Application Visibility and Reporting

Symptoms:
AVR reports only 'ssgName' from the global tags.

Conditions:
-- A BIG-IQ operation configures the 'tag file' (/var/config/rest/downloads/app_mapping.json) on the BIG-IP system.
-- Statistics are sent to the BIG-IQ system.

Impact:
Not all the tags are sent to the BIG-IQ system.

Workaround:
There is no workaround at this time.

Fix:
AVR now reports statistics on all tags to the BIG-IQ system.


711929 : AVR should not send statistic on hidden rows for module InterfaceTraffic and module InterfaceHealth

Component: Application Visibility and Reporting

Symptoms:
AVR sends data on all interfaces, hidden and not hidden. It should send information only on not-hidden interfaces.

Conditions:
-- Tmstat table interface_stat exists.
-- Viewing statistics for module InterfaceTraffic and module InterfaceHealth.

Impact:
Irrelevant data is sent.

Workaround:
None.

Fix:
AVR now sends data only on not-hidden interfaces.


711427-1 : Edge Browser does not launch F5 VPN App

Component: Access Policy Manager

Symptoms:
On Microsoft Windows 10, when you use Edge Browser to establish a VPN, Edge Browser does not launch the F5 VPN App.

Conditions:
On Windows 10, use Edge Browser to establish VPN.

Impact:
APM end user cannot establish VPN tunnel using Edge Browser.

Workaround:
Use Mozilla Firefox or Google Chrome.

Fix:
Edge Browser on Windows 10 now launches the F5 VPN App, so it can be used to establish VPN connections.


711011 : 'API Security' security policy template changes

Component: Application Security Manager

Symptoms:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template should be 'ON' by default.

Conditions:
Learn/Alarm/Block settings in 'API Security' security policy template.

Impact:
Settings not active.

Workaround:
None.

Fix:
Parameter-related Learn/Alarm/Block settings in 'API Security' security policy template are now 'ON' by default.


710947 : AVR does not send errdef for entity DosIpLogReporting.

Component: Application Visibility and Reporting

Symptoms:
AVR does not send errdef for entity DosIpLogReporting.

Conditions:
-- AVR is configured.
-- View the DosIpLogReporting report.

Impact:
There is no errdef for module DosIpLogReporting

Workaround:
None.

Fix:
Added errdef for module DosIpLogReporting.


710755 : Crash when cached route information becomes stale and the system accesses the information from it.

Solution Article: K30572159

Component: Advanced Firewall Manager

Symptoms:
The crash happens intermittently when the cached route information becomes stale and the system accesses the information from it.

Conditions:
Use stale cached route information.

Impact:
This condition can lead to a crash as the route information is no longer valid, and can lead to illegal memory access.

Workaround:
None.

Fix:
The system now fetches the latest egress route/interface information before accessing it.


710701 : "Application Layer Encryption" option is not saved in DataSafe GUI

Component: Fraud Protection Services

Symptoms:
"Application Layer Encryption" checkbox will remain enabled if un-checked via DataSafe GUI and will not be saved.

Conditions:
- Install DataSafe license
- Provision FPS
- Create URL

Impact:
Cannot enable/disable "Application Layer Encryption" via DataSafe GUI.

Workaround:
Application Layer Encryption can be enabled or disabled via TMSH command line or REST API.

Fix:
"Application Layer Encryption" option is saved if changed via DataSafe GUI.


710424-1 : Possible SIGSEGV in GTMD when GTM persistence is enabled.

Solution Article: K00874337

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM persistence is enabled, GTMD may occasionally crash and restart.

Conditions:
GTM persistence is enabled.

Impact:
GTMD may occasionally restart.

Workaround:
Disable GTM persistence.

Fix:
GTMD will no longer crash and restart when persistence is enabled.


710327 : Remote logger message is truncated at NULL character.

Component: Application Security Manager

Symptoms:
When a request that contains a binary NULL character is sent to a remote logger configured for ASM, the request arrives at the remote destination truncated exactly at the NULL character.

Conditions:
-- ASM provisioned.
-- ASM policy attached to a virtual server.
-- ASM remote logger attached to a virtual server.
-- Request including binary NULL character is sent to the remote logger destination.

Impact:
Partial request is logged at the remote logger destination.

Workaround:
None.

Fix:
Binary NULL character is now escaped before being sent to the remote logger destination, so the request is no longer truncated.


710315-2 : AVR-profile might cause issues when loading a configuration or when using CMI configuration

Component: Application Visibility and Reporting

Symptoms:
Some fields in AVR-profile contain lists of items. Those lists can be set only if the relevant flag is set to 'true'. In case of a flag configuration change, the system must keep the lists as they were and not reset them, so they can be available in case the flag changes back again.

Validation settings were created such that the lists flag is set to 'true' by default, but this can cause the load/merge process to break if the list was set, and afterwards the flag was set to 'false'.

Conditions:
Setting the relevant flag to 'false' after creating a list of items.

The relevant fields in AVR-profile that have that logic are:
-- IPs-list.
-- Subnets-list.
-- Countries-list.
-- URLs-list.

Impact:
Management load and sync process may not work as expected.

Workaround:
None.

Fix:
Validation for those fields when the associated flag is set to 'false' will be skipped in a load/merge scenario.


710314 : TMM may crash while processing HTML traffic

Solution Article: K94105051


710140 : TMM may consume excessive resources when processing SSL Intercept traffic

Solution Article: K20134942


710116 : VPN clients experience packet loss/disconnection

Component: Access Policy Manager

Symptoms:
VPN clients experience packet loss/disconnection.

Conditions:
In certain scenarios, the tunnel establishment procedure leaks a small amount of memory. If tmm runs for a long time, the leak accumulates and results in an out-of-memory condition.

Impact:
Connections start to drop as tmm runs out of memory; eventually tmm restarts, and traffic is disrupted while it does.

Workaround:
There is no workaround at this time.

Fix:
VPN clients no longer experience packet loss/disconnection, and TMM no longer restarts.


710110 : AVR does not publish DNS statistics to external log when usr-offbox is enabled.

Component: Application Visibility and Reporting

Symptoms:
AVR does not send DNS statistics to external logs when analytics global setting usr-offbox is enabled, if the following security analytics settings are set to disable:
-- collected-stats-internal-logging.
-- collected-stats-external-logging.

Conditions:
-- Security analytics settings collected-stats-internal-logging is disabled.
-- Security analytics settings collected-stats-external-logging is disabled.
-- Analytics global settings usr-offbox is enabled.

Impact:
DNS statistics are not sent to the external log.

Workaround:
To work around this issue, perform the following procedure:
1. Provision ASM or AFM.
2. Run the tmsh command to set the security analytics setting collected-stats-external-logging to enabled.
3. Deprovision ASM/AFM.

Fix:
AVR now publishes DNS statistics to external logs when usr-offbox is enabled, as expected.


709544-1 : VCMP guests in HA configuration become Active/Active during upgrade

Component: TMOS

Symptoms:
When devices in a Device Service Cluster (DSC) are upgraded, multiple devices might become Active simultaneously.

During upgrade, the process erroneously clears the management-ip during reboot, and then synchronizes to other members of the DSC. If the system is not performing an upgrade, the error is repaired as the device starts up, and has no visible effect. If an upgrade is being performed, the management-ip cannot be repaired, and the DSC members lose contact with each other, so they all become Active.

Conditions:
-- Running on VIPRION chassis systems, either natively, or as a vCMP guest.
-- Upgrading from any affected versions (TMOS v12.1.3, TMOS v13.0.0, TMOS v13.0.1, TMOS v13.1.0), to any other version.

Impact:
When multiple devices become Active simultaneously, traffic is disrupted.

Workaround:
There is no workaround other than to remain in the Active/Active state until the upgrade is complete on all chassis in the DSC. See K43990943: VIPRION systems configured for high availability may become active-active during the upgrade process :: https://support.f5.com/csp/article/K43990943 for more information on how to mitigate this issue.

Fix:
The erroneous management-ip change is not made, and the HA failover mechanism operates correctly across upgrade.


709334 : Memory leak when SSL Forward proxy is used and ssl re-negotiates

Component: Local Traffic Manager

Symptoms:
In the output of 'tmsh show sys memory', ssl_compat continues to grow and never releases memory.

Conditions:
-- SSL Forward Proxy in use.
-- SSL renegotiations happening.

Impact:
Eventually the memory reaper kicks in.

Workaround:
There is no workaround at this time.

Fix:
ssl_compat now properly releases connections on re-negotiation.


709319-1 : Post-login client-side alerts are missing username in bigIQ

Component: Fraud Protection Services

Symptoms:
A client-side alert that carries an FPS-Username header with a value but an empty fpm_username parameter is reported with the username "Unknown" in BIG-IQ.

Conditions:
1. Post-login client-side alerts (alerts sent after the username parameter is submitted).
2. The alert pool points to a BIG-IQ address (not an Alert Server).

Impact:
Post login client side alerts are missing username (will show as "Unknown" in bigIQ, works well with Alert-Server).

Workaround:
Route all client-side alerts through another virtual server and strip the empty fpm_username parameter from the payload/query string.

Fix:
FPS now always sends the username in the fpm_username parameter when that parameter was empty and FPS has a username value.


709274 : RADIUS Accounting requests egress different self-IPs since upgrade to v13.1

Component: Access Policy Manager

Symptoms:
Since upgrading to v13.1, RADIUS accounting requests egress from different self-IPs:
* START accounting messages egress from the floating self-IP.
* STOP accounting messages egress from the local (non-floating) self-IP.
Because some messages come from the floating address and some from each device's own self-IP, the RADIUS server should be configured to accept all self and floating addresses of all devices in the HA group, to ensure that all messages are received.

Conditions:
RADIUS server configured with pool option.

Impact:
Causes RADIUS server to be unable to reconcile accounting messages.

Workaround:
Accounting messages can still be reconciled through the Acct-Session-Id attribute in the RADIUS AVPs: it is the same for the corresponding START and STOP messages and uniquely identifies the session, regardless of which self-IP each message came from.
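The reconciliation described in the workaround, as an added example rather than anything from F5 or a RADIUS server vendor: it pairs START and STOP records by Acct-Session-Id regardless of which self-IP each arrived from, and reports the source addresses seen so that all of them can be added as RADIUS clients. The key=value accounting lines are constructed for the example; a real server's accounting export would need to be mapped into the same keys.

```python
"""Pair RADIUS accounting START/STOP messages by Acct-Session-Id, ignoring
the self-IP each message egressed from (workaround for ID 709274)."""
from collections import defaultdict

# Constructed accounting export, one record per line as key=value pairs.
# 'src' is the source address the RADIUS server saw the packet from.
SAMPLE_LOG = """\
src=10.1.1.10 Acct-Status-Type=Start Acct-Session-Id=8a1f0001 User-Name=alice NAS-IP-Address=10.1.1.10
src=10.1.1.11 Acct-Status-Type=Stop Acct-Session-Id=8a1f0001 User-Name=alice Acct-Session-Time=3600 Acct-Terminate-Cause=User-Request
src=10.1.1.10 Acct-Status-Type=Start Acct-Session-Id=8a1f0002 User-Name=bob NAS-IP-Address=10.1.1.10
"""


def parse_records(text):
    """Turn the key=value lines into a list of dicts (blank lines skipped)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(tok.split("=", 1) for tok in line.split()))
    return records


def reconcile(records):
    """Group records by Acct-Session-Id.

    Returns (sessions, orphans): sessions maps a session id to
    {'start': rec, 'stop': rec, 'sources': {ip, ...}} when both messages were
    seen; orphans is the sorted list of ids that have only one of the two
    (still open, or the other half never arrived).
    """
    by_id = defaultdict(lambda: {"sources": set()})
    for rec in records:
        entry = by_id[rec["Acct-Session-Id"]]
        entry[rec["Acct-Status-Type"].lower()] = rec
        entry["sources"].add(rec["src"])
    sessions = {sid: e for sid, e in by_id.items() if "start" in e and "stop" in e}
    orphans = sorted(sid for sid in by_id if sid not in sessions)
    return sessions, orphans


def sources_seen(records):
    """Every address accounting traffic came from; each one (floating and
    non-floating self-IPs of every HA member) must be a RADIUS client."""
    return sorted({rec["src"] for rec in records})


def session_seconds(session):
    """Duration reported in the STOP message (Acct-Session-Time, seconds)."""
    return int(session["stop"].get("Acct-Session-Time", 0))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    sessions, orphans = reconcile(recs)
    for sid, s in sessions.items():
        print(f"{sid}: {s['start']['User-Name']} {session_seconds(s)}s "
              f"via {sorted(s['sources'])}")
    print("still open / unmatched:", orphans)
    print("addresses to allow as RADIUS clients:", sources_seen(recs))
```

In the sample, alice's session is matched even though its START came from 10.1.1.10 and its STOP from 10.1.1.11; bob's session is reported as unmatched because only a START has been seen.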


708888 : Some DNS truncated responses may not be processed by BIG-IP

Solution Article: K79814103

Component: Advanced Firewall Manager

Symptoms:
On 13.1.x, DNS responses with the TC (truncated) bit set are dropped when AFM DNS DoS protection is enabled.

Conditions:
-- AFM DNS DoS is enabled.
-- Using 13.1.x.

Impact:
Clients do not receive truncated DNS responses.

Workaround:
Disable DNS DoS protection by changing the dos.dnsport variable from its default (53) to a port that carries no valid traffic. Note that this leaves real DNS traffic without DNS DoS protection until the variable is set back. For instance:

tmsh modify sys db dos.dnsport value 54


708840-1 : 13.0.0-to-13.1.0 upgrade operation on VIPRION 2250 blades might fail if global whitelist is configured

Component: Advanced Firewall Manager

Symptoms:
Upgrading from 13.0.0 to 13.1.0 on VIPRION 2250 blades might fail if global whitelist is configured. After the upgrade, the system will stay offline.

Conditions:
-- Global whitelist configured.
-- Running on VIPRION 2250 blades.

Impact:
System fails to run normally.

Workaround:
Remove global whitelist before upgrading to 13.1.0, add it back after upgrading.

Fix:
This issue no longer occurs in fixed versions, so you can upgrade from 13.0.0 to a post-13.1.0 version of the software without encountering this issue.


708830 : Inbound or hairpin connections may get stuck consuming memory.

Component: Carrier-Grade NAT

Symptoms:
When inbound or hairpin connections require a remote Session DB lookup and the lookup request or response messages get lost, the connections can get stuck in an embryonic state. They will be stuck in this state until they timeout and expire. In this state UDP connections will queue inbound packets. If the client application continues to send packets, the connection may never expire. The queued packets will accumulate consuming memory. If the memory consumption becomes excessive, connections may be killed and “TCP: Memory pressure activated” and “Aggressive mode activated” messages will appear in the logs.

Conditions:
An LSN pool with inbound and/or hairpin connections enabled, and Session DB messages lost because of heavy load or hardware failure. Remote lookups are more likely when using PBA mode, or NAPT mode with the default DAG.

Impact:
Excessive memory consumption that leads to dropped connections.

Workaround:
There is no workaround at this time.

Fix:
When Session DB messages are lost, the connection will be killed and any queued packets will be discarded. If the client application resends packets they will be treated as a new connection.


708653 : TMM may crash while processing TCP traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash while processing TCP traffic

Conditions:
TCP profile enabled

Impact:
TMM crash leading to a failover event

Fix:
TMM processes TCP traffic as expected


708305 : Discover task may get stuck in CHECK_IS_ACTIVE step

Component: Device Management

Symptoms:
The discover task runs periodically after the user creates it, but it may get stuck in one of the intermediate steps and stop running periodically.

Conditions:
When HA failover group is set up and a discover task is created on one of the devices.

Impact:
The discover task periodically pulls the OpenID information and updates the OAuth JWT and JWK configurations in MCP. If the task gets stuck, the JWT and JWK configuration is not updated to the latest version, which may cause the access policy to fail.

Workaround:
If the task is stuck in any step that is not SLEEP_AND_RUN_AGAIN for more than one minute, manually cancel and delete the task and create the same task again.

Fix:
Discover task no longer gets stuck in CHECK_IS_ACTIVE step.


708114 : TMM may crash when processing the handshake message relating to OCSP, after the SSL connection is closed

Solution Article: K33319853

Component: Local Traffic Manager

Symptoms:
TMM crashes when it receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS event after the SSL connection has been closed.

Conditions:
-- The SSL connection has been closed.
-- SSL receives the HUDEVT_SSL_OCSP_RESUME_CLNT_HS message.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The system now ensures that SSL can still properly process the messages, even when the SSL connection is closed.


708054 : Web Acceleration: TMM may crash on very large HTML files with conditional comments

Component: TMOS

Symptoms:
In some cases the Web Acceleration feature does not handle large HTML files that contain malformed conditional comments. TMM may crash while processing such a file if a Web Acceleration profile is attached to the virtual server.

Conditions:
- HTML file with conditional comments inside:
  <!--[if condition...]> ... <![endif]-->

- The size of "condition" from the pattern above is comparable with RAM size of BIG-IP box, i.e. ~8-10GB.

Impact:
TMM crash interrupts all active sessions.

Workaround:
There is no workaround at this time.

Fix:
Now Web Acceleration feature can handle long HTML conditional comments correctly.


708005 : Users cannot use Horizon View HTML5 client to launch Horizon 7.4 resources

Component: Access Policy Manager

Symptoms:
When using VMware View HTML5 client, end users are able to authenticate and see available View resources on the APM webtop. However, any attempt to launch the resource (desktop or application) in HTML5 mode momentarily appears to function, but then redirects to the initial APM login page.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP APM is protecting VMware Horizon View 7.4 resources.
-- End user tries to launch a View resource from the APM webtop using the Horizon View HTML5 client.

Impact:
End user cannot launch VMware View resources with View HTML5 client.

Workaround:
You can use the following workarounds:

-- If you are already running Horizon 7.4, use native View clients instead.

-- If you have not upgraded to Horizon 7.4, stay on an older Horizon release until this issue is resolved.

-- If you are running BIG-IP APM release 13.1.0, you can add the following iRule to the virtual server that handles HTML5 client connections:

when HTTP_REQUEST {
    # Only act on connections that APM has tagged with a View session UUID.
    if { ([info exists tmm_apm_view_uuid]) &&
         ([HTTP::method] == "GET") &&
         ([HTTP::uri] ends_with "/portal/webclient/sessiondata")} {
        # Strip the sessionDataServiceId cookie from the GET for the sessiondata endpoint.
        HTTP::cookie remove "sessionDataServiceId"
    }
}

when HTTP_RESPONSE {
    if { ([info exists tmm_apm_view_uuid]) } {
        # Prefix every cookie path with the APM VDI forwarder path for this View session,
        # so the browser sends the cookies back through the APM-proxied path.
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            set path [HTTP::cookie path $aCookie]
            if {[string length $path] > 0} {
                HTTP::cookie path $aCookie "/f5vdifwd/vmview/$tmm_apm_view_uuid$path"
            }
        }
    }
}

Important:
-- After applying the iRule and before attempting a connection, clear all cache and cookies from the client systems. Otherwise it may take more than one attempt before the workaround takes effect.
-- The iRule workaround is for BIG-IP APM release 13.1.0. It is not supported for older BIG-IP releases.

Fix:
Horizon View version 7.4 in HTML5 mode now functions correctly with APM.


707676 : memory leak in Machine Certificate Check agent of the apmd process

Component: Access Policy Manager

Symptoms:
apmd process leaks memory in Machine Certificate Check agent

Conditions:
- Machine Certificate Check agent is configured in an Access Policy
- inspected machine certificate is revoked by CRL

Impact:
apmd may grow in size. This may lead to the apmd process, or other processes on the BIG-IP system, being killed by the OOM killer.

Workaround:
There is no workaround

Fix:
The memory leak is fixed.


707447 : Default SNI clientssl profile's sni_certsn_hash can be freed while in use by other profiles.

Component: Local Traffic Manager

Symptoms:
The SSL SNI mechanism builds a hash that maps the SAN entries of each profile's certificate to that profile. The hash is owned by the default SNI profile, but the other SNI profiles on the virtual server hold it without taking a reference. If a connection uses SNI to select a non-default SNI profile and the default SNI profile then reinitializes its state for any reason, prf->sni_certsn_hash can be cleared and freed, leaving the existing connections with profiles that refer to freed memory. If such a connection then renegotiates in a way that uses the hash, and the memory has been reused in the meantime, the invalid contents can cause a fault (a use-after-free).

Conditions:
SNI configured with one default SNI profile, one or multiple SNI profiles. The default SNI profile is changed and renegotiation with SNI(with non-default SNI profile) is issued.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
There is no workaround at this time.

Fix:
When the default SNI profile is initializing, and SSL handshake is searching SAN/COMMON cert from non-default SNI profile, stop the search and return NULL.


707320 : Upgrades from pre-12.0.0 BIG-IPs to 12.0.0 with WideIPs with ipv6-no-error-response enabled will no longer delete AAAA-type WideIPs

Component: TMOS

Symptoms:
A pre-12.0.0 WideIP with ipv6-no-error-response enabled and an IPv4 last-resort-pool only spawns an A-type WideIP after the upgrade.

Conditions:
Pre-12.0.0 WideIP with an IPv4 last-resort-pool and ipv6-no-error-response enabled.

Impact:
Loss of the AAAA-type WideIP configuration item

Workaround:
There is no workaround at this time.

Fix:
Fixed an issue where upgrading a pre-12.0.0 WideIP with a last-resort-pool containing only IPv4 pool members and ipv6-no-error-response enabled created only an A-type WideIP after the upgrade. Now the AAAA-type WideIP is also created, with no-error-response enabled.


707310-3 : DNSSEC Signed Zone Transfers of Large Zones Can Be Incomplete (missing NSEC3s and RRSIGs)

Component: Global Traffic Manager (DNS)

Symptoms:
When performing a sufficiently large DNSSEC signed zone transfer (e.g., on the order of a thousand records), the final packet (or several packets) of NSEC3s and RRSIGs can be missing from the zone. The problem can be detected with a free third-party DNSSEC validating tool such as ldns-verify-zone.

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.

Impact:
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.

Workaround:
There is no workaround at this time.

Fix:
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.
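The two symptoms of a truncated signed transfer described above (RRsets without a covering RRSIG, and an NSEC3 chain that no longer closes) can be checked without cryptography. The following is an added example, not F5 code or part of ldns: it parses a zone in one-record-per-line presentation format (as dig AXFR or ldns-read-zone emit it; $ORIGIN directives and multi-line records are assumed absent), reports every RRset that has no RRSIG covering its type, and walks the NSEC3 "next hashed owner" pointers to confirm they form a single closed cycle. The sample zone is constructed, and its NSEC3 owner labels are placeholders shaped like base32hex hashes rather than real hashes.

```python
"""Completeness checks for a DNSSEC-signed zone in presentation format.

Added example, not F5 code. It does not verify signatures; it only looks for
the symptoms of an incomplete signed transfer: RRsets with no covering RRSIG
and an NSEC3 chain that does not close.
"""

# Constructed sample zone (one record per line). NSEC3 owner labels are
# placeholders; the chain check only needs them to be self-consistent.
COMPLETE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2018091901 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20181019000000 20180919000000 12345 example.com. U09BU0lH
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20181019000000 20180919000000 12345 example.com. TlNTSUc=
example.com. 3600 IN NSEC3PARAM 1 0 10 AB12CD34
example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20181019000000 20180919000000 12345 example.com. UEFSQU0=
ns1.example.com. 3600 IN A 192.0.2.53
ns1.example.com. 3600 IN RRSIG A 8 3 3600 20181019000000 20180919000000 12345 example.com. QU5TMQ==
www.example.com. 3600 IN A 192.0.2.80
www.example.com. 3600 IN RRSIG A 8 3 3600 20181019000000 20180919000000 12345 example.com. QVdXVw==
H1AAAA.example.com. 3600 IN NSEC3 1 0 10 AB12CD34 H2BBBB SOA NS NSEC3PARAM RRSIG
H1AAAA.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20181019000000 20180919000000 12345 example.com. TjNBQUE=
H2BBBB.example.com. 3600 IN NSEC3 1 0 10 AB12CD34 H3CCCC A RRSIG
H2BBBB.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20181019000000 20180919000000 12345 example.com. TjNCQkI=
H3CCCC.example.com. 3600 IN NSEC3 1 0 10 AB12CD34 H1AAAA A RRSIG
H3CCCC.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20181019000000 20180919000000 12345 example.com. TjNDQ0M=
"""

# The same zone as it arrives when the last packets of the transfer are lost.
TRUNCATED_ZONE = "\n".join(COMPLETE_ZONE.splitlines()[:-3]) + "\n"


def parse_zone(text):
    """Return (owner, TYPE, rdata_fields) tuples. Assumes the normalized
    'owner TTL class TYPE rdata...' layout with no $ORIGIN/$TTL directives."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def missing_rrsigs(records):
    """Every RRset except RRSIG itself needs an RRSIG whose type-covered
    field (the first rdata field) names that RRset's type."""
    rrsets = {(owner, rtype) for owner, rtype, _ in records if rtype != "RRSIG"}
    signed = {(owner, rdata[0].upper()) for owner, rtype, rdata in records
              if rtype == "RRSIG"}
    return sorted(rrsets - signed)


def nsec3_chain_breaks(records):
    """NSEC3 records must form one closed cycle: each 'next hashed owner'
    (fifth rdata field) must be the first label of another NSEC3 owner, and
    following the pointers must visit every NSEC3 record exactly once."""
    nxt = {}
    for owner, rtype, rdata in records:
        if rtype == "NSEC3":
            nxt[owner.split(".", 1)[0].upper()] = rdata[4].upper()
    problems = []
    if not nxt:
        if any(rtype == "NSEC3PARAM" for _, rtype, _ in records):
            problems.append("NSEC3PARAM present but the zone has no NSEC3 records")
        return problems
    for label, target in nxt.items():
        if target not in nxt:
            problems.append(f"NSEC3 {label} points to {target}, which has no NSEC3 record")
    if problems:
        return problems
    start = next(iter(nxt))
    seen, cur = set(), start
    while cur not in seen:
        seen.add(cur)
        cur = nxt[cur]
    if cur != start or len(seen) != len(nxt):
        problems.append(f"NSEC3 chain is not a single cycle over all {len(nxt)} records")
    return problems


def check_zone(text):
    """Return a list of problems; an empty list means the zone looks complete."""
    records = parse_zone(text)
    problems = [f"no RRSIG covers {owner} {rtype}" for owner, rtype in missing_rrsigs(records)]
    problems.extend(nsec3_chain_breaks(records))
    return problems


if __name__ == "__main__":
    for name, zone in (("complete", COMPLETE_ZONE), ("truncated", TRUNCATED_ZONE)):
        print(name, check_zone(zone) or "OK")
```

Feed it the output of a real transfer (for example the text produced by dig AXFR) after normalizing it to one record per line; the NSEC3 walk is what catches the lost tail of a transfer, because the last NSEC3 in the chain is the one that points back to the first.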


707246 : TMM would crash if SSL Client profile could not load cert-key-chain successfully

Component: Local Traffic Manager

Symptoms:
TMM would crash if SSL Client profile could not load cert-key-chain successfully, and SSL is working in the fwd-proxy-mode.

Conditions:
1. SSL is working in the fwd-proxy-mode.
2. SSL could not load the cert-key-chain in the clientssl profile. Possible causes:

2.1. The password required by the cert-key-chain is not configured.
2.2. The configured cert-key-chain type is not supported.
2.3. The cert-key-chain name is incorrect.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure the cert-key-chain in the clientssl profile correctly.

Fix:
If the cert-key-chain in the clientssl profile fails to load and SSL is working in fwd-proxy-mode, the system now marks the clientssl profile as invalid and does not accept incoming SSL handshakes destined for that profile.


707244 : iRule command clientside and serverside may crash tmm

Component: Local Traffic Manager

Symptoms:
Using clientside and serverside command in iRules may crash tmm.

Conditions:
Using certain HTTP commands, such as HTTP::password, inside a script nested in the clientside or serverside command.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this point.

Fix:
The clientside and serverside commands now work with the HTTP commands that previously caused the crash.


707226-1 : DB variables to disable CVE-2017-5754 Meltdown/PTI mitigations

Component: TMOS

Symptoms:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) can negatively impact performance.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Conditions:
Mitigations for CVE-2017-5754 Meltdown/PTI (Page Table Isolation) enabled.

Impact:
Meltdown/PTI mitigations may negatively impact performance.

Workaround:
Disable CVE-2017-5754 Meltdown/PTI mitigations.

To turn off mitigations for CVE-2017-5754 Meltdown/PTI, run the following command:

tmsh modify sys db kernel.pti value disable

Note: Turning off these mitigations renders the system vulnerable to CVE-2017-5754 Meltdown; however, to exploit this vulnerability an attacker must already be able to run arbitrary code on the system. Good access controls and keeping the system up to date with security fixes mitigate this risk on non-vCMP systems. vCMP systems with multiple tenants should leave these mitigations enabled.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.

Fix:
On releases that provide mitigations for CVE-2017-5754 Meltdown/PTI, the protection is enabled by default, but can be controlled using db variables.

Please see https://support.f5.com/csp/article/K91229003 for additional Spectre and Meltdown information.


707186 : TMM may crash while processing HTTP/2 traffic

Solution Article: K45320419


707147 : High CPU consumed by asm_config_server_rpc_handler_async.pl

Component: Application Security Manager

Symptoms:
During a period of heavy learning from Policy Builder, typically due to Collapse Common elements, the backlog of events can cause a process to consume high CPU.

Conditions:
1) Automatic Policy Builder is enabled
2) An element is configured to "Always" learn new entities, and collapse common elements
3) An extended period of heavy learning due to traffic is encountered

Impact:
A process may consume high CPU even after the high traffic period is finished.

Workaround:
Kill asm_config_server.pl (This will not affect traffic)

Optionally modify one of the following
A) Learn "Always" to another mode
B) Turn off Collapse common URLs
C) Change from Automatic Learning to Manual


707109 : Memory leak when using C3D

Component: Local Traffic Manager

Symptoms:
When using the Client Certificate Constrained Delegation Support (C3D) feature, memory can leak.

Conditions:
Traffic passes through a virtual server with C3D enabled.

Impact:
Memory is leaked.

Workaround:
There is no workaround.

Fix:
When using C3D memory no longer leaks.


706998 : Memory leak when OCSP is configured in clientSSL profile for C3D, or in serverSSL profile for server authentication

Component: TMOS

Symptoms:
There is a memory leak when OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.

Conditions:
OCSP is configured in the clientSSL profile for C3D feature, or in serverSSL profile for server certificate authentication.

Impact:
TMM will run out of memory.

Workaround:
There is no workaround at this time.

Fix:
The memory leak has been fixed.


706771 : FPS ajax-mapping property may be set even when it should be blocked

Component: Fraud Protection Services

Symptoms:
Ajax mapping may be set only when 1) ajax-encryption is enabled OR 2) ajax-integrity AND strong-integrity are enabled.

The bug allows ajax-mapping to be set even for the following (invalid) configuration:

  ajax-encryption: disabled
  ajax-integrity: enabled
  strong-integrity: disabled

Conditions:
1)
  ajax-encryption: disabled
  ajax-integrity: enabled
  strong-integrity: disabled

2)
  non-empty ajax-mapping

Impact:
System will set the ajax-mapping field when it should have been blocked.

Workaround:
There is no workaround at this time.

Fix:
FPS should block ajax-mapping configuration when the pre-conditions weren't met.


706665-1 : ASM policy is modified after pabnagd restart

Component: Application Security Manager

Symptoms:
ASM policy modifications might occur after the pabnagd daemon is restarted. Modifications include the following:

-- Length attributes might change from 'any' to a low auto learning value.
-- Check signature / metachars might change from unchecked to checked.

This applies for the following entity types:
filetypes, URLs, parameters, cookies, WS URLs, content profiles.

Conditions:
-- Configuration containing a policy in which automatic learning mode is configured.
-- Restart of pabnagd (the automated policy-building operations daemon).

Impact:
ASM policy is modified.

Workaround:
Switch policy builder to manual learning mode.

Fix:
Prevent unwanted adjust operations from being called on policy-catchup complete.


706651 : Cloning URL does not clone "Description" field

Component: Fraud Protection Services

Symptoms:
When cloning URL using the "Clone URL" feature in FPS/DataSafe GUI, description field is not cloned to new URL.

Conditions:
Provision and license FPS/DataSafe.

Impact:
Not all expected configuration values of the URL are cloned.

Workaround:
There is no workaround.

Fix:
Description field is now cloned to the new URL.


706631-3 : A remote TLS server certificate with a bad Subject Alternative Name should be rejected when Common Criteria mode is licensed and configured.

Component: Local Traffic Manager

Symptoms:
According to RFC2818, if the certificate sent by the TLS server has a valid Common Name, but the Subject Alternative Name does not match the Authenticate Name in the server-ssl profile, the connection should be terminated.

Conditions:
-- A server-ssl profile is enabled on a virtual server and has the 'authenticate-name' property set.

-- The TLS server presents a certificate in which the Subject Alternative Name does not match the configured authenticate-name.

-- Common Criteria mode licensed and configured.

Impact:
A TLS connection succeeds which should fail.

Workaround:
There is no workaround at this time.

Fix:
A remote TLS server certificate with a bad Subject Alternative Name is now rejected when Common Criteria mode is licensed and configured.
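The rule the issue above enforces, as an added example (not F5 code): a hostname matcher along the lines of RFC 2818 section 3.1 and RFC 6125, run against constructed peer certificates in the dict layout Python's ssl.getpeercert() returns. When the certificate carries any dNSName SAN entries, only those are compared with the configured name; the Common Name is consulted only when no SAN is present. That is why a certificate whose CN matches but whose SAN does not must be rejected, and the example also goes one step beyond the issue text by applying the RFC 6125 restriction that a wildcard may only stand for the whole leftmost label. The certificate contents and the authenticate_name parameter are assumptions for illustration.

```python
"""RFC 2818 / RFC 6125 style hostname verification of a server certificate.

Added example, not F5 code. The certificates below are constructed in the
dict layout returned by ssl.SSLSocket.getpeercert().
"""


def _dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName (or CN) with a hostname.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as
    the whole leftmost label ('*.svc.example.com'), it matches exactly one
    label, and partial wildcards such as 'f*o.example.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if "*" not in pattern:
        return False
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def hostname_matches(cert, authenticate_name):
    """True if `cert` is valid for `authenticate_name`.

    If the certificate has any dNSName SAN entries they are authoritative and
    the subject CN is ignored (RFC 2818 3.1, RFC 6125 6.4.4). Only when no
    dNSName SAN exists does the check fall back to the Common Name.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(name, authenticate_name) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, authenticate_name)
    return False


# Constructed peer certificates; only the identity fields are modelled.
CERT_CN_ONLY = {"subject": ((("commonName", "app.example.com"),),)}
CERT_GOOD_SAN = {
    "subject": ((("commonName", "app.example.com"),),),
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.svc.example.com")),
}
# Matching CN but non-matching SAN: the case the issue above describes.
CERT_BAD_SAN = {
    "subject": ((("commonName", "app.example.com"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}


if __name__ == "__main__":
    for label, cert in (("cn-only", CERT_CN_ONLY), ("good-san", CERT_GOOD_SAN),
                        ("bad-san", CERT_BAD_SAN)):
        verdict = "accepted" if hostname_matches(cert, "app.example.com") else "rejected"
        print(label, verdict)
```

The bad-san certificate is the one that the pre-fix code accepted on the strength of its CN; with SAN entries present, the CN must carry no weight at all.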


706534 : L7 connection mirroring may not be fully mirrored on standby BigIP

Component: Local Traffic Manager

Symptoms:
Because of a known issue, L7 connection mirroring may not fully mirror connections on the standby BIG-IP system.

Conditions:
L7 VIP with mirroring configured
Connections with transfer of substantial size.

Impact:
Connections may be mirrored initially but removed after some time.
If there is a failover these connections may not be correctly handled.

Workaround:
Disabling LRO may work around this issue:

tmsh modify sys db tm.tcplargereceiveoffload value disable

Fix:
BIG-IP now fully mirrors all L7 connections


706305 : bgpd may crash with overlapping aggregate addresses and extended-asn-cap enabled

Component: TMOS

Symptoms:
bgpd may crash on a BIG-IP system configured for dynamic routing announcing multiple overlapping aggregate-addresses with extended asn capabilities enabled.

Conditions:
- BGP enabled on route-domain
- BGP configured to announce several overlapping aggregate-addresses
- BGP configured with extended-asn-cap enabled.

Impact:
Inability for the unit to use BGP

Workaround:
Disabling extended-asn-cap, or not announcing multiple overlapping aggregate addresses, may work around this issue.

Fix:
bgpd no longer crashes with overlapping aggregate addresses and extended-asn-cap enabled


706176 : TMM crash can occur when using LRO

Solution Article: K51754851


706128 : DNSSEC Signed Zone Transfers Can Leak Memory

Component: Global Traffic Manager (DNS)

Symptoms:
TMM might leak memory when performing DNSSEC signed zone transfers. You can detect this issue by examining system memory before and after performing zone transfers.

For example:

tmsh show sys memory raw | grep dnssec

Conditions:
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc) or from DNS Express.

Impact:
TMM leaks memory related to the signed zone transfer.

Workaround:
There is no workaround at this time.

Fix:
TMM no longer leaks DNSSEC zone transfer related memory.


706087-1 : Entry for SSL key replaced by config-sync causes tmsh load config to fail

Component: TMOS

Symptoms:
After config-sync, the secondary unit's key file does not match the passphrase stored for the key. This is a generic problem where config-sync is not synchronizing any differing file-objects on the secondary unit that happen to have the same cache_path as the primary.

Conditions:
If the cache_path of the encrypted key happens to be the same on the HA-pair, but the keys are different and have different passphrases.

Impact:
The secondary unit fails to load the config during boot-up, so it stays offline. Other file-objects that had the same cache_path but were different files also do not sync; this may go unnoticed because nothing fails on the secondary unit.

Workaround:
Check if the cache_path of the encrypted key is the same on both systems prior to config-sync and that the sha1sum are different. If this is the case, remove the key on one of the systems and re-install the key and make sure the cache_path name is different.

Fix:
The key files (in the cache_path) will sync despite having the same name. The problem goes away. The same goes for any file-object that happened to have the same cache_path prior to sync.


706086 : PAM RADIUS authentication subsystem hardening

Solution Article: K62750376


705818 : GUI Network Map Policy with forward Rule to Pool, Pool does not show up

Component: TMOS

Symptoms:
When a Virtual Server has a Policy with a rule to forward request to a Pool, the Pool should be associated to the Virtual Server on the Network Map.

Conditions:
Create a Virtual Server with a Policy to forward requests to a Pool.

Impact:
The relationship of the Virtual Server to the Pool via the indirect Policy Rule is not visible in the network map.

Workaround:
No workaround to the visual.

Fix:
Associate Virtual Server with Policy that forwards requests to a Pool on the Network Map.


705794 : Under certain circumstances a stale http2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
A HTTP2 stream is getting overlooked when cleaning up a HTTP2 flow.

Conditions:
The only known condition is that the closing_stream list is not empty; the exact entry conditions are not clear.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
HTTP2 flows are properly cleaned up to prevent a tmm crash.


705774 : Add a set of disallowed file types to RDP template

Component: Application Security Manager

Symptoms:
Universally dangerous filetypes are not included in RDP policy template.

Conditions:
The user creates a new policy using the RDP template.

Impact:
Universally dangerous filetypes are not disallowed.

Workaround:
Dangerous filetypes can be added to policies created from RDP template.

Fix:
Universally dangerous filetypes are now included in RDP policy template.


705730 : Config fails to load due to invalid SSL cipher after upgrade from v13.1.0

Component: TMOS

Symptoms:
Config with apparently invalid SSL cipher entry fails to load after upgrade from v13.1.0, and requires a manual config load after upgrade: 'tmsh load sys config'

This occurs because starting in v13.1.0, 'https' monitors rely upon SSL-attributes configured through a 'serverssl' profile, which does not support the 'kEDH' cipher; but the 'kEDH' cipher was a default cipher for previous releases (where 'https' relied upon 'OpenSSL').

Conditions:
-- Config uses 'https' monitors.
-- Upgrade occurs from v13.1.0 to a later version.

Impact:
The configuration fails to load, an error message is issued, and the device remains offline until a manual config load is performed.

Workaround:
You can use either of the following workarounds:

-- After upgrade from v13.1.0, perform manual config load by running the following command: tmsh load sys config

(This works because upon a manual config load command ('tmsh load sys config'), the system replaces the existing 'https' ciphers with defaults appropriate for a 'serverssl' profile in the new version of the software. Even though the system posts an error referencing the invalid 'kEDH' cipher, the device will become 'Active' seconds later, and new default ciphers will be established for 'https' monitors.)

-- Remove 'https' monitors prior to upgrade, and add again after upgrade.

Fix:
Config loads without error after upgrade from v13.1.0.


705611 : The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used

Component: Local Traffic Manager

Symptoms:
The TMM may later crash after a configuration change done under load if the HTTP/2 profile is used.

Conditions:
A configuration change occurs. The configuration change is large enough, or the TMM load large enough that the change is not synchronous. The change involves a HTTP/2 profile.

Data traffic progresses through a partially initialized HTTP/2 virtual server, potentially causing a later crash.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Large configuration changes to the TMM involving a HTTP/2 profile will no longer potentially cause a TMM crash.


705593-6 : CVE-2015-7940: Bouncy Castle Java Vulnerability

Component: Device Management

Symptoms:
An attacker could extract private keys used by Bouncy Castle in elliptic curve cryptography with a few thousand queries.

Conditions:
No specific conditions.

Impact:
None. BIG-IP software does not use the impacted library features.

Fix:
Version 1.59 of the library is installed on the BIG-IP system at the following paths:
/usr/share/java/rest/libs/bcprov-1.59.jar
/usr/share/java/rest/libs/bcpkix-1.59.jar
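The failure class behind this CVE, as an added example that is neither F5 nor Bouncy Castle code: an invalid-curve attack works because the elliptic-curve group law never uses the curve constant b, so arithmetic on a peer-supplied point that is not on P-256 silently continues on whatever curve that point does lie on, and the attacker picks points whose curve has a small group order to learn the private scalar piece by piece. The code below shows that effect with plain Python integers on the published NIST P-256 parameters, together with the membership check a library must run before using a peer's public point. The invalid point and the private scalars are constructed, and the arithmetic is not constant-time; it is for illustration only.

```python
"""Why an unvalidated EC public point leaks the private key, and the check
that stops it. Added example, not F5 or Bouncy Castle code. Uses the NIST
P-256 domain parameters (FIPS 186-4, D.1.2.3) with plain integer arithmetic.
"""

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
G = (GX, GY)


def is_on_curve(point, b=B):
    """Membership test for y^2 = x^3 + A*x + b over GF(P). None (the point at
    infinity) is rejected because it is never an acceptable peer public key."""
    if point is None:
        return False
    x, y = point
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + b)) % P == 0


def implied_b(point):
    """The b for which (x, y) satisfies the curve equation: the curve that an
    unvalidated point silently moves the computation onto."""
    x, y = point
    return (y * y - x * x * x - A * x) % P


def point_add(p1, p2):
    """Affine chord-and-tangent addition. Note that b never appears."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # Q + (-Q) is the point at infinity
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add; stands in for the ECDH step d * Q_peer."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_peer_point(point):
    """The check a fixed library performs before using a peer's public key."""
    if not is_on_curve(point):
        raise ValueError("peer public key is not a point on P-256")
    return point


def ecdh_shared_x(private_scalar, peer_point):
    """Shared-secret x-coordinate, computed only after validation."""
    return scalar_mult(private_scalar, validate_peer_point(peer_point))[0]


if __name__ == "__main__":
    # Constructed invalid point: the generator's x with the wrong y.
    bad_point = (GX, (GY + 1) % P)
    print("bad point on P-256:", is_on_curve(bad_point))
    r = scalar_mult(0x1234, bad_point)  # constructed private scalar
    print("d*Q lands on the attacker's curve:", is_on_curve(r, implied_b(bad_point)))
    try:
        ecdh_shared_x(0x1234, bad_point)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the demonstration is the second line of output: multiplying the invalid point by the private scalar yields a point on the curve with the attacker's b, not on P-256, so an implementation that skips validate_peer_point computes a shared secret in a group the attacker controls.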


705559 : FPS: false positive "no strong integrity param" when none of the configured data-integrity params are present in request

Component: Fraud Protection Services

Symptoms:
A false positive "no strong integrity param" is sent when none of the configured data-integrity parameters are present in the request.

Conditions:
1. a protected URL has at least one parameter configured with the data-integrity check enabled
2. enhanced data manipulation is enabled
3. a request without any of the data-integrity parameters is sent to the protected URL

Impact:
A false positive "no strong integrity param" alert is sent.

Workaround:
There is no workaround at this time.

Fix:
The "No strong integrity param" alert is now suppressed when none of the data-integrity parameters were sent.

In case that forcing all data-integrity parameters was enabled (tmsh modify sys db antifraud.autotransactions.parameternameintegrity value enable) - the alert will be sent.


705503 : Context leaked from iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
The memory usage increases, and stats are inaccurate.

Conditions:
Call RESOLV::lookup from an iRule.

Impact:
Memory leak that accumulates over time and inaccurate stats.

Workaround:
There is no workaround other than not using RESOLV::lookup in an iRule.

Fix:
Memory leak no longer occurs.


705456 : VCMP Guests unable to install block-device-image ISOs when http->https redirection is enabled

Component: TMOS

Symptoms:
ISOs of type block-device-image do not show up on VCMP Guests and are not available for installation when http->https redirection is enabled.

Conditions:
VCMP Guest has http->https redirection enabled.

Impact:
Not all available images are installable.

Workaround:
User must manually copy images to VCMP guest.

Fix:
Configured iControl REST to allow appropriate daemons access when http->https is enabled.


705161 : TMM may crash when processing TCP DNS traffic

Solution Article: K23520761

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, when processing TCP DNS traffic, TMM may crash

Conditions:
DNS profile enabled
TCP profile enabled
AVR enabled
ASM enabled

Impact:
TMM crash, leading to a failover event.

Fix:
TMM processes TCP DNS traffic as expected


704666 : memory corruption can occur when using certain certificates

Component: Local Traffic Manager

Symptoms:
If a certificate has an extremely long common name, or an extremely long alternative name and is attached to an SSL profile, memory corruption can occur when loading the profile.

Conditions:
An SSL profile is loaded with a certificate containing an extremely long common name or subject alternative name.

Impact:
TMM could crash.

Workaround:
Do not use certificates with extremely long common names

Fix:
A length check has been added to avoid corruption when using extremely long common names.


704580 : apmd service may restart when BIG-IP is used as SAML SP while processing response from SAML IdP

Component: Access Policy Manager

Symptoms:
Under certain conditions apmd service may restart when processing response from SAML IdP.

Conditions:
BIG-IP is configured as SAML SP. BIG-IP is processing SAML message from IdP

Impact:
Users are temporarily unable to authenticate against BIG-IP until the apmd service starts up again.

Workaround:
There is no workaround at this time.

Fix:
apmd service will no longer restart when processing messages from IdP.


704528 : tmm may run out of memory during IP shunning

Component: Advanced Firewall Manager

Symptoms:
If no AppIQ is configured on an AFM-provisioned system, over time the system can run out of memory causing tmm to crash/restart.

Conditions:
-- Blacklist profile is configured with blacklist categories.
-- AppIQ is not configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
If no AppIQ is configured, the system now correctly handles the shunned IPs that would otherwise be sent to the ECM server.


704512 : Automated upload of qkview to iHealth can time out resulting in error

Component: TMOS

Symptoms:
The automated upload of qkview files to iHealth via the support page of the BIG-IP GUI can time out waiting for an analysis from iHealth. Sometimes, iHealth can take several minutes to complete analysis, and this is a realistic scenario.

If the BIG-IP system times-out waiting for completion of the analysis, the link to the iHealth record is not stored.

Conditions:
iHealth takes longer than three minutes to complete analysis of a qkview file after uploading.

Impact:
Support history will not contain links to completed qkviews.

Workaround:
Run qkview from the command line and upload to iHealth manually.

Fix:
The iHealth link is now stored immediately after the qkview is successfully uploaded, and the timeout is not considered an error.


704435 : Client connection may hang when NTLM and OneConnect profiles used together

Component: Local Traffic Manager

Symptoms:
In deployments where an NT LAN Manager (NTLM) authentication profile and a OneConnect profile are used together on an LTM virtual server to label an authenticated connection to a Domain Controller (DC), the connection may hang if the persisted connection to the DC is re-used. A connection in this state may not be cleaned up by the sweeper, resulting in a memory leak.

Conditions:
The NTLM and OneConnect profiles are associated with a LTM virtual server.

Impact:
A client connection won't be serviced and TMM memory will leak. Over a long time period, this may result in more widespread service disruptions.

Workaround:
Avoid the use of OneConnect profiles on virtual servers that use NTLM profiles. The connections to the Domain Controller won't be pooled, but all other features will be retained.

Fix:
Fixed a problem that prevented NTLM and OneConnect profiles from working properly on the same LTM virtual server.


704282 : TMM halts and restarts when calculating BWC pass rate for dynamic bwc policy

Component: TMOS

Symptoms:
Rarely, TMM halts and restarts when calculating the BWC pass rate for dynamic bwc policy.

Conditions:
-- Using BWC dynamic bwc policy.
-- Fair share rate is low.

For this to happen, the fair share rate of the instance of the dynamic policy has to be less than 32 times the average packet size of that instance.

For example, if the average packet size is 1 KB, then the fair share would be under 32 KB.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
F5 does not recommend running the BWC under 64Kbps.

Either decrease the number of subscribers or increase the max-rate of dynamic policy.

Fix:
TMM no longer halts and restarts when calculating the BWC pass rate for dynamic bwc policy when fair share rate is low.


704211 : Import/export is failing with lease pool

Component: Access Policy Manager

Symptoms:
Importing policy with lease pool might result in an error.

Conditions:
This occurs when exporting a policy from /Common, or importing to a partition, and the route domain is not specified in the lease pool.

Impact:
Export does not work properly.

Workaround:
To work around this issue, use the following procedure:
1. Detach the leasepool.
2. Export the policy.
3. Import the policy.
4. Create a new leasepool.
5. Attach to the newly imported policy

Fix:
Fixed an issue exporting and importing lease pools.


704207 : DNS query name is not showing up in DNS AVR reporting

Component: Advanced Firewall Manager

Symptoms:
DNS query name is not showing up in DNS AVR reporting.

Conditions:
Sending traffic to Virtual with DNS profile.

Impact:
No query information for DNS is reported in AVR.

Workaround:
There is no workaround at this time.

Fix:
After fix, the query name is now showing up in AVR reporting.


704143 : BD memory leak

Component: Application Security Manager

Symptoms:
A BD memory leak.

Conditions:
WebSocket traffic with a specific configuration.

Impact:
Resident memory increases and swap is used.

Workaround:
Make sure the WebSocket violations are not due to a bad WebSocket URL configuration, that they are turned on in Learn/Alarm or Block, and that a local logger is configured and attached.


704073 : Repeated 'bad transition' OOPS logging may appear in /var/log/ltm and /var/log/tmm

Solution Article: K24233427

Component: Local Traffic Manager

Symptoms:
'bad transition' OOPS messages may be repeatedly logged to /var/log/ltm and /var/log/tmm over time, polluting the log files.

Conditions:
Although there are no definitive user-discernible conditions, use of SSL functionality might increase the likelihood of logging.

Impact:
Log pollution and potential for performance degradation.

Workaround:
Suppress the logging using the following command:
tmsh modify sys db tmm.oops value silent

Fix:
The 'bad transition' OOPS logging has been demoted to internal, debug builds only.


703940-1 : Malformed HTTP/2 frame consumes excessive system resources

Solution Article: K45611803


703914 : TMM SIGSEGV crash in poolmbr_conn_dec.

Component: Local Traffic Manager

Symptoms:
TMM cores in poolmbr_conn_dec function.

Conditions:
A connection limit is reached on a VS having an iRule using LB::reselect and a pool using request queueing.

Impact:
TMM core, traffic interruption, possible failover.

Workaround:
Do not use LB::reselect, or disable request queueing on the pool associated with the virtual server.

Fix:
TMM correctly handles LB::reselect on virtual servers with pools using request queueing.


703848 : Possible memory leak when reusing statistics rows in tables

Component: TMOS

Symptoms:
The handling of the pointers to memory in the statistics tables includes a path that zeros out a pointer to further memory that should be freed. This means the memory is not freed in that case.

Conditions:
This condition is usually only hit when the entire file is being deleted and so it doesn't matter that the list is not fully traversed.

Impact:
When slabs are being reused this bug may cause a memory leak.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to properly follow the list.


703833 : Some bot detected features might not work as expected on Single Page Applications

Component: Application Security Manager

Symptoms:
Some client side features do not work correctly when enabling single page application.

Conditions:
Single Page Application is enabled (in the DoS profile or the ASM policy) together with Web Scraping -> Persistent Client Identification.

Impact:
The Captcha challenge causes a loop of AJAX requests.

Workaround:
There is no workaround at this time.

Fix:
Persistent Client Identification now works for Single Page Applications.


703793 : tmm restarts when using 'ACCESS::perflow get' in certain events

Component: Access Policy Manager

Symptoms:
tmm will restart when using 'ACCESS::perflow get' if the per-request policy has not been started yet.

Conditions:
Use 'ACCESS::perflow get' iRule in an event that runs before the per-request policy (e.g., CLIENT_ACCEPTED).

Impact:
tmm cores and traffic flow will be interrupted while it restarts.

Workaround:
None.

Fix:
Initialization of certain variables was reworked so that the iRule command will not cause a core anymore if the per-flow value is unavailable due to the per-request policy not having been started yet.


703545 : DNS::return iRule "loop" checking disabled

Component: Global Traffic Manager (DNS)

Symptoms:
In ID 517347, checking was added to attempt to detect infinite loops caused by improper use of the DNS::return iRule command.

This is occasionally catching false positive loops resulting in connections being dropped incorrectly.

Conditions:
-- A virtual server with a DNS profile that uses the udp profile instead of the udp_gtm_dns profile.
-- An iRule that uses the DNS::return command.

Impact:
If a loop is erroneously detected, the connection will be dropped.

Workaround:
Where possible, use the udp_gtm_dns profile instead of udp on virtual servers with a DNS profile.

Where possible, use a "return" command immediately after the "DNS::return" command to prevent accidentally calling DNS::return multiple times.

Fix:
The loop detection logic has been removed.


703515-2 : MRF SIP LB - Message corruption when using custom persistence key

Solution Article: K44933323

Component: Service Provider

Symptoms:
If the custom persistence key is not a multiple of 3 bytes, the SIP request message may be corrupted when the via header is inserted.

Conditions:
The custom persistence key is not a multiple of 3 bytes.

Impact:
The SIP request message may be corrupted when the via header is inserted.

Workaround:
Pad the custom persistence key to a multiple of 3 bytes in length.

Fix:
All persistence key lengths work as expected.


703429 : Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services

Component: Access Policy Manager

Symptoms:
Citrix Receiver for Android (v3.13.1) crashes while accessing PNAgent services through F5 BIG-IP APM virtual server. The application closes just after entering the credentials.

Conditions:
-- Citrix Receiver for Android (v3.13.1) is used.
-- PNAgent replacement mode is configured for BIG-IP APM virtual server.

Impact:
No access to published Applications and Desktops through Citrix Receiver for Android.

Workaround:
None.

Fix:
The system now provides valid data to the Citrix Receiver for Android client.


703305 : Unable to save an 'Enable ASM' policy rule action with an ASM profile selected

Component: TMOS

Symptoms:
An error is returned instead of the policy rule being saved.

Conditions:
-- LTM and ASM are provisioned.
-- An ASM security policy exists.
-- LTM policy.
-- Within a policy, create a rule that enables ASM with the policy just created.

Impact:
Unable to save an 'Enable ASM' policy rule action.

Workaround:
Create the policy using tmsh.

Fix:
The ASM policy can now be set properly in the policy rule page's 'Enable ASM' action.


703298 : Licensing and phonehome_upload are not using the sync'd key/certificate

Component: TMOS

Symptoms:
After config-sync, the secondary unit's key passphrase does not decrypt the cached key file.

Conditions:
The original file for f5_api_com.key is used instead of the cached file.

Impact:
phonehome_upload will fail on the secondary unit because the passphrase doesn't match the key file.

Workaround:
After sync, copy the file /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_xxxx over to /config/ssl/ssl.key/f5_api_com.key using the following commands:

# cd /config/filestore/files_d/Common_d/certificate_key_d
# cp -a :Common:f5_api_com.key_xxxx /config/ssl/ssl.key/f5_api_com.key

Once the /config/ssl/ssl.key file is in sync, loading the config with either the cached or the un-cached file works.

Fix:
The system now removes the source-path files and keeps only the cache-path files. phonehome_upload now works on the standby unit after a config-sync. Without the source-path files, which do not get sync'd, there is no danger of re-loading them.


703208 : PingAccessAgent causes TMM core

Component: Access Policy Manager

Symptoms:
PingAccessAgent can cause TMM to core due to accessing freed memory.

Conditions:
This happens in an edge-case situation; the exact steps are still under investigation. The suspicion is that the client aborts the connection while the TMM/PingAccessAgent module is still awaiting a response from the PingAccessAgent back-end server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


703196 : Reports for AVR are missing data

Component: Application Visibility and Reporting

Symptoms:
Some data collected by AVR is missing on some aggregation levels and thus missing from the reports.

Conditions:
Using AVR statistics.

Impact:
Expected AVR statistics may be missing.

Workaround:
Run the following shell command on the BIG-IP system:

sed -i "s|\(\s\)*SET\ p_aggr_to_ts.*$|$1$(grep "SET p_aggr_to_ts" /var/avr/avr_srv_code.sql | sed 's/truncate(/CEILING/' | sed 's/,0)//')|" /var/avr/avr_srv_code.sql

Fix:
Time-range selection for aggregation is fixed and now statistics should be aggregated correctly to the next level.
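
The workaround above edits a stored-procedure file in place with sed -i. The following is an added example, not F5 code and not part of the release note, that mirrors the same rewrite in Python on a copy of the text so the change can be reviewed before the real /var/avr/avr_srv_code.sql is touched. The SQL text it operates on is constructed for the example (it is not the real file's content), and the sanity check encodes one caveat worth knowing: the sed pipeline drops the opening parenthesis of truncate(, so the result is only valid SQL when the argument of truncate() was itself parenthesised, as in truncate((x),0) -> CEILING(x).

```python
"""Added example, not F5 code: preview the 703196 AVR workaround before running
sed -i on the live file.  The workaround rewrites the 'SET p_aggr_to_ts' line of
/var/avr/avr_srv_code.sql, replacing 'truncate(' with 'CEILING' and dropping
the trailing ',0)'.  The SQL below is constructed for the example.
"""
import difflib
import re
from typing import List

# Constructed stand-in for the relevant part of avr_srv_code.sql.
SAMPLE_SQL = """\
CREATE PROCEDURE aggregate_level()
BEGIN
    SET p_aggr_to_ts = truncate((p_ts / p_interval),0) * p_interval;
    SET p_rows = 0;
END
"""

# Same line selection as the sed address: optional indentation, then the SET.
AGGR_LINE = re.compile(r"^(\s*)SET p_aggr_to_ts.*$", re.MULTILINE)


def rewrite_aggr_to_ts(sql: str) -> str:
    """Apply the two substitutions of the workaround's sed pipeline."""

    def fix(match: "re.Match") -> str:
        line = match.group(0)
        line = line.replace("truncate(", "CEILING", 1)  # sed 's/truncate(/CEILING/'
        line = line.replace(",0)", "", 1)               # sed 's/,0)//'
        return line

    return AGGR_LINE.sub(fix, sql)


def rewritten_line(sql: str) -> str:
    """Return the rewritten 'SET p_aggr_to_ts' line (stripped), or '' if absent."""
    m = AGGR_LINE.search(rewrite_aggr_to_ts(sql))
    return m.group(0).strip() if m else ""


def rewrite_is_sane(line: str) -> bool:
    """True only if the rewrite still produced a CEILING(...) call with
    balanced parentheses; otherwise the sed edit would break the procedure."""
    return "CEILING(" in line and line.count("(") == line.count(")")


def preview(sql: str) -> List[str]:
    """Unified diff of before/after, for an operator to review."""
    return list(difflib.unified_diff(
        sql.splitlines(), rewrite_aggr_to_ts(sql).splitlines(),
        "before", "after", lineterm=""))


if __name__ == "__main__":
    print("\n".join(preview(SAMPLE_SQL)))
    print("sane:", rewrite_is_sane(rewritten_line(SAMPLE_SQL)))
```

Running the module prints the diff the sed command would produce on the sample; pointing it at a copy of the real file (read into `sql`) shows the actual change, and `rewrite_is_sane()` returning False is the signal to stop and look at the line by hand rather than run the in-place edit.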


703191-1 : HTTP2 requests may contain invalid headers when sent to servers

Component: Local Traffic Manager

Symptoms:
HTTP requests handled by an HTTP/2 virtual server may have blank header names when proxied through to the server or when handled via iRules.

Conditions:
-- Virtual server has the HTTP/2 profile assigned.
-- Client and the BIG-IP system negotiate/use HTTP/2.

Impact:
HTTP/2 applications may generate CSRF-related errors. Alternately, the server may return intermittent (and from the client's perspective, spurious) 400 Bad Request responses.

Workaround:
There is no workaround other than to remove the HTTP/2 profile from the virtual server.


703171 : High CPU usage for apmd, localdbmgr and oauth processes

Component: Access Policy Manager

Symptoms:
High CPU usage for apmd, localdbmgr, and oauthd with large configurations.

Conditions:
-- APM is provisioned.
-- The BIG-IP system has a large configuration (i.e., a large number of virtual servers).
-- A full config sync happens from device A (with the large configuration) to device B.
The processes listed above then show high CPU usage on device B.

OR

The same situation occurs when loading a BIG-IP configuration with a large number of virtual servers.

Impact:
The user traffic may not be processed by APM until it is done processing all the config changes. The amount of time service is down depends on how large the configuration is.

Workaround:
No workaround.

Fix:
The software has been optimized to reduce the CPU usage.


702946 : Added option to reset staging period for signatures

Component: Application Security Manager

Symptoms:
In cases where a staging period was started, but no traffic passed through security policy, you might want to reset the staging period when traffic starts, but there is no option to do so.

Conditions:
Staging enabled for signatures in policy.

Impact:
The system suggests enforcing the signature before any traffic has passed that could inform this decision.

Workaround:
If all signatures are staged, you can enforce them all, and then enable staging again.

Note: Apply policy is required between actions.

Fix:
Added an option to reset the staging period for all or specific signatures. In the modal window shown after clicking 'Change properties...' on the Policy Signatures screen, when 'No' is not selected for 'Perform Staging', the system presents a 'Reset Staging Period' checkbox.


702792 : Upgrade creates Server SSL profiles with invalid cipher strings

Component: Local Traffic Manager

Symptoms:
Upgrade of BIG-IP creates Server SSL profiles for custom HTTPS monitors that may have an invalid Ciphers attribute. This will not prevent the configuration from loading, but attempting to modify the existing SSL profile or create a new one with matching configuration will fail:

    01070312:3: Invalid keyword 'kedh' in ciphers list for profile /Common/name-of-server-ssl-profile

Conditions:
Custom HTTPS monitors configured prior to an upgrade will result in these profiles being created during the upgrade. The default HTTPS cipherlist is 'DEFAULT:+SHA:+3DES:+kEDH', which is a valid OpenSSL cipher list, but is not a valid Client SSL / Server SSL cipher list.

Impact:
Upgrade creates configurations that are challenging to manage as a result of MCPD validation.

Workaround:
Reconfigure the cipher list to be valid according to both the OpenSSL cipher list and the Client SSL / Server SSL cipher list expectations.

For instance, "DEFAULT:+SHA:+3DES:+EDH" instead of "DEFAULT:+SHA:+3DES:+kEDH".


702705 : Core observed during lease query testing when RADIUS Authentication is configured in DHCP profile

Component: Policy Enforcement Manager

Symptoms:
TMM may halt and restart when RADIUS Authentication is configured in a DHCP profile.

Conditions:
1. RADIUS Authentication is configured in a DHCP profile.
2. The DHCP response does not contain the expected information.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
This version handles these conditions, so tmm does not halt and restart.


702520 : Same AZ failover in AWS fails in some configurations with two or more objects sharing the same IP address.

Solution Article: K53330514

Component: TMOS

Symptoms:
BIG-IP fails to reattach floating addresses to local interfaces during failover, when two or more objects are configured with the same IP address in a given traffic group.

Failover fails with the following error in /var/log/ltm: err logger: /usr/libexec/aws/aws-failover-tgactive.sh (traffic-group-1): Failed to reassign some or all address(es): <IP address> <the same IP address> on interface <eni address>.

Conditions:
-- AWS same-AZ failover.
-- The same IP address is used for two or more virtual addresses, self IPs, NATs, or SNAT translations.

Note: Having two virtual servers with the same IP address (but different ports) does not cause the problem. Also, there is no conflict when using the same IP address for different traffic groups.

Impact:
Failover will fail; some or all IP addresses will not be transferred to the active BIG-IP system.

Workaround:
The only workaround is to change the configuration to use unique IP addresses for conflicting objects.

Fix:
This issue has been resolved.


702487 : AD/LDAP admins with spaces in names are not supported

Component: Access Policy Manager

Symptoms:
If an admin is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) and the name contains spaces, the Visual Policy Editor (VPE), import/export/copy/delete, etc., fail and post an error message similar to the following: sourceMCPD::loadDll User 'test user' have no access to partition 'Common'.

Note: Names containing spaces are not supported on BIG-IP systems.

Conditions:
-- Admin name containing spaces is imported from AD or LDAP.
-- Attempt to perform operations in VPE.

Impact:
VPE, import/export/copy/delete do not work.

Workaround:
There is no workaround other than to not use admin names containing spaces.

Fix:
VPE and utilities operations are now supported, even for admins with spaces in names. However, F5 recommends against using spaces in admin names, and recommends that you modify the admin name to remove the spaces.


702439-1 : Non-default HTTP/2 header_table_size causes HTTP/2 streams to be reset

Solution Article: K04964898

Component: Local Traffic Manager

Symptoms:
If the HTTP/2 configuration header_table_size is changed from the default value of 4096, then streams will be reset with a RST_STREAM error.

Conditions:
The header_table_size field in the HTTP/2 profile is changed from the default.

Impact:
HTTP/2 connections will be unusable.

Workaround:
Set the header table size back to its default.

Fix:
The HTTP/2 filter correctly handles the dynamic header table resize notifications triggered by a non-default header table size. Streams will not be reset with a RST_STREAM error.

Additionally, the BIG-IP system will now send the correct number of dynamic header table resize notifications when the table is resized by the client multiple times between header blocks.
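
The two fix paragraphs above describe behaviour that RFC 7541 (HPACK) specifies: a dynamic table size update is the representation with bit pattern 001 and a 5-bit-prefix integer (section 6.3), it must appear at the beginning of the first header block after the table size changed (section 4.2), and when the size changed several times between two header blocks the smallest size and the final size are signalled, so a block starts with at most two updates. The following added example, written for this page and not F5 code, encodes and decodes those updates and applies the decoder-side check that an update must not exceed the size the decoder advertised in SETTINGS_HEADER_TABLE_SIZE. The sizes it uses are constructed; 4096 is the HTTP/2 initial table size that the profile's header_table_size defaults to.

```python
"""Added example (not F5 code): HPACK dynamic table size update signalling per
RFC 7541, sections 4.2, 5.1 and 6.3.  It models what 702439-1 is about: the
size updates an HTTP/2 peer must send at the start of a header block after the
header table has been resized (once or several times), and the decoder-side
check that rejects an update larger than the size it advertised in
SETTINGS_HEADER_TABLE_SIZE.  The sizes used are constructed for the example.
"""
from typing import List, Tuple

DEFAULT_HEADER_TABLE_SIZE = 4096  # HTTP/2 initial value (RFC 7540, 6.5.2)


def encode_integer(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 section 5.1: integer with an N-bit prefix; flags fill the
    high bits of the first byte."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def decode_integer(data: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    """Inverse of encode_integer: returns (value, position after it)."""
    limit = (1 << prefix_bits) - 1
    value = data[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_size_update(new_size: int) -> bytes:
    """Section 6.3: bit pattern 001 followed by a 5-bit-prefix integer."""
    return encode_integer(new_size, 5, 0x20)


def size_updates_to_signal(sizes_since_last_block: List[int]) -> List[int]:
    """Section 4.2: if the maximum size changed more than once between two
    header blocks, the smallest value must be signalled and the final value
    is always signalled, so a header block starts with at most two updates."""
    if not sizes_since_last_block:
        return []
    smallest, final = min(sizes_since_last_block), sizes_since_last_block[-1]
    return [final] if smallest == final else [smallest, final]


def leading_size_updates(block: bytes, settings_max: int) -> Tuple[List[int], int]:
    """Decode the size updates at the start of a header block.

    Raises ValueError (a COMPRESSION_ERROR for the connection) if an update
    exceeds the limit this decoder advertised, or if more than two appear,
    which a conforming encoder never emits.  Returns (sizes, offset of the
    first real header field representation).
    """
    updates: List[int] = []
    pos = 0
    while pos < len(block) and (block[pos] & 0xE0) == 0x20:
        size, pos = decode_integer(block, pos, 5)
        if size > settings_max:
            raise ValueError(f"size update {size} exceeds SETTINGS_HEADER_TABLE_SIZE {settings_max}")
        updates.append(size)
        if len(updates) > 2:
            raise ValueError("more than two dynamic table size updates in one header block")
    return updates, pos


if __name__ == "__main__":
    # Peer shrank the table to 0 and then grew it to 8192 before sending again.
    wire = b"".join(encode_size_update(s) for s in size_updates_to_signal([0, 8192]))
    print(wire.hex(), leading_size_updates(wire, 8192))
```

The sequence [8192, 2048, 4096] between two blocks yields updates for 2048 and then 4096, which is the "correct number of notifications" case the fix refers to; a decoder that forgets the smallest value would keep entries the encoder has already evicted and the two sides' tables would diverge, which is the kind of desynchronisation that ends in RST_STREAM.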


702310 : The ':l' and ':h' options are not available on the tmm interface in tcpdump

Component: TMOS

Symptoms:
The ':l' and ':h' options are not available on the tmm interface in tcpdump.

Conditions:
Running tcpdump.

Impact:
Packet capture on the tmm interface from the Linux side or the host side of the tmm interface is not possible.

Workaround:
There is no workaround at this time.

Fix:
The tmm interface now accepts ':l' and ':h' and packets on this interface can be captured from the Linux side or the host side.


702296 : Importing the LocalDB csv file fails

Component: Access Policy Manager

Symptoms:
Editing and saving the LocalDB CSV file in Excel breaks the import functionality.

Conditions:
1. The admin exports the LocalDB CSV file (Access -> Authentication -> Local User DB -> Users -> Export to CSV).
2. The admin edits the file in Excel and saves it.
3. The admin imports the CSV file.

Impact:
A file saved from Excel cannot be used for import.

Workaround:
Do not use Excel to edit the file.
Use a plain text editor (such as TextPad or vim) to edit and save the file.


702278 : Potential XSS security exposure on APM logon page.

Component: Access Policy Manager

Symptoms:
Potential XSS security exposure on APM logon page.

Conditions:
-- A LTM virtual server with an Access Policy assigned to it.
-- The Access Policy is configured to use a 'Logon Page' VPE agent, followed by AAA agent with 'Max Logon Attempts Allowed' set to a value greater than 1.

Impact:
Potential XSS security exposure.

Workaround:
1. Using the APM Advanced Customization UI, remove the setOrigUriLink(); call in logon.inc from the following JS function:

369 function OnLoad()
370 {
371 var header = document.getElementById("credentials_table_header");
372 var softTokenHeaderStr = getSoftTokenPrompt();
373 if ( softTokenHeaderStr ) {
374 header.innerHTML = softTokenHeaderStr;
375 }
376 setFormAttributeByQueryParams("auth_form", "action", "/subsession_logon_submit.php3");
377 setFormAttributeByQueryParams("v2_original_url", "href", "/subsession_logon_submit.php3");
378 // ===> REMOVE THIS ONE setOrigUriLink();
----

Fix:
Potential security exposure has been removed from APM logon page.


702263 : An access profile with large number of SAML Resources (>200) causes APM error ERR_TOOBIG while loading.

Component: Access Policy Manager

Symptoms:
In a SAML SP-initiated use case (APM is the IdP) with a large Access Policy that has 200 or more SAML resources assigned to users, each time a new SAML resource is added to that Access Policy the whole SSO service becomes unusable and no new sessions can be established. The system generates internal metadata consisting of the names of all the SAML resources and the SSO name; this metadata has a 4K size limit, and the errors below are seen when that limit is hit.

Errors seen:

01490514:3: (null):Common:00000000: Access encountered error: ERR_TOOBIG. File: ../modules/hudfilter/access/access.c, Function: access_create_saml_meta_data, Line: 21001
014d1014:3: /Common/SAML_SSO_access:Common:7a34161c:SAML SSO: Error(16) Unable to find SAML SSO/SP Connector object matching SAML Authn Request

Conditions:
A SAML SSO Access Policy has a large number of SAML resources assigned to it, such that the combined length of their names is 4K or more, which hits the hard 4K limit in the code.

Impact:
Running the Access Policy returns an error, the whole SSO service becomes unusable, and no new sessions can be established.

Workaround:
Delete any unused SAML resources from SAML SSO access policy so that the combined length of the names of all SAML resources assigned to Access policy is < 4K.

Fix:
The hard 4K limit on the internally generated metadata has been removed, so this issue no longer occurs.


702232-2 : TMM may crash while processing FastL4 TCP traffic

Solution Article: K25573437


702222 : RADIUS and SecurID Auth fails with empty password

Component: Access Policy Manager

Symptoms:
If the password value is empty, the following error message is logged in /var/log/apm:

err apmd[14259]: 014902f0:3: /Common/profile_name:Common:eb69a5gd: RADIUS Agent: Failed to read Password Source session variable:

Conditions:
This occurs only when the following conditions are met:
- A RADIUS or SecurID auth agent is included in the access policy.
- An empty password value is used for authentication.

Impact:
User may not be authenticated.

Workaround:
- Add a variable assignment agent before the RADIUS/SecurID auth agent in the access policy.
- Set 'session.logon.last.password' (or whatever password source is used for authentication) to a random value.

Fix:
RADIUS/SecurID auth agent allows empty password value for authentication.


702151 : HTTP/2 can garble large headers

Component: Local Traffic Manager

Symptoms:
The HTTP/2 filter may incorrectly encode large headers.

Conditions:
A header that encodes to more than 2048 bytes may be incorrectly encoded.

Impact:
The garbled header may no longer conform to the HPACK specification, causing the connection to be dropped; or it may be well-formed but contain incorrect data.

Fix:
The HTTP/2 filter correctly encodes large HTTP headers.


702008 : ASM REST: Missing DB Cleanup for some tables

Component: Application Security Manager

Symptoms:
Finished REST tasks that are not deleted by the client that initiated them are meant to be cleaned periodically. Certain tasks are not included in this cleanup job.

Conditions:
The following tasks are not reaped automatically if left uncleaned by the REST client that initiated them:

From 13.0.x:
-- /mgmt/tm/asm/tasks/apply-server-technologies
-- /mgmt/tm/asm/tasks/bulk
-- /mgmt/tm/asm/tasks/export-policy-template
-- /mgmt/tm/asm/tasks/export-requests
-- /mgmt/tm/asm/tasks/import-policy-template

From 13.1.0:
-- /mgmt/tm/asm/tasks/export-data-protection
-- /mgmt/tm/asm/tasks/import-data-protection
-- /mgmt/tm/asm/tasks/import-certificate
-- /mgmt/tm/asm/tasks/policy-diff
-- /mgmt/tm/asm/tasks/policy-merge
-- /mgmt/tm/asm/tasks/update-enforcer

Impact:
DB space usage grows with each ASM REST task that is not cleaned up.

Workaround:
REST Clients that initiate tasks can delete them after verifying the task has reached a final state.

Fix:
REST tasks left behind are now pruned by the DB Cleanup process.
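
The workaround above puts the burden on the REST client: delete a task once it has reached a final state. The following is an added example written for this page, not F5 code, of a small reaper that walks the task collections listed in this entry and deletes only finished tasks. The two REST verbs are injected as callables so it runs offline against a constructed fake; on a real device they would be the GET and DELETE of an authenticated `requests.Session`. Two details are assumptions, labelled in the code as well: that 'COMPLETED' and 'FAILURE' are the terminal task statuses (anything else is treated as still running and left alone), and that selfLink values carry the `https://localhost` host that must be swapped for the device's address before the DELETE.

```python
"""Added example, not F5 code: reap finished ASM REST tasks (702008 workaround).

get_json(url) must return the parsed JSON body of a GET and delete(url) the HTTP
status of a DELETE; both are injected so the logic is testable without a device.
"""
from typing import Callable, Dict, List

# Task collections the release note says are not reaped automatically.
UNREAPED_TASK_COLLECTIONS = [
    "/mgmt/tm/asm/tasks/apply-server-technologies",
    "/mgmt/tm/asm/tasks/bulk",
    "/mgmt/tm/asm/tasks/export-policy-template",
    "/mgmt/tm/asm/tasks/export-requests",
    "/mgmt/tm/asm/tasks/import-policy-template",
    "/mgmt/tm/asm/tasks/export-data-protection",
    "/mgmt/tm/asm/tasks/import-data-protection",
    "/mgmt/tm/asm/tasks/import-certificate",
    "/mgmt/tm/asm/tasks/policy-diff",
    "/mgmt/tm/asm/tasks/policy-merge",
    "/mgmt/tm/asm/tasks/update-enforcer",
]

# Assumption: these are the terminal statuses; anything else may still be
# running and must not be deleted out from under the client that started it.
FINAL_STATES = {"COMPLETED", "FAILURE"}


def reap_finished_tasks(base_url: str,
                        get_json: Callable[[str], Dict],
                        delete: Callable[[str], int],
                        collections: List[str] = UNREAPED_TASK_COLLECTIONS) -> List[str]:
    """Delete every task in the given collections that reached a final state.

    Returns the URLs that were deleted.  selfLink values are assumed to carry
    the 'https://localhost' host, so they are rewritten to base_url first.
    """
    deleted: List[str] = []
    for path in collections:
        for task in get_json(base_url + path).get("items", []):
            if task.get("status") not in FINAL_STATES:
                continue
            url = task["selfLink"].replace("https://localhost", base_url, 1)
            if delete(url) in (200, 204):
                deleted.append(url)
    return deleted


class FakeBigIp:
    """Constructed offline stand-in for the two REST verbs the reaper needs."""

    def __init__(self) -> None:
        # (task id, status) per collection; constructed sample data.
        self.tasks = {
            "/mgmt/tm/asm/tasks/bulk": [("t1", "COMPLETED"), ("t2", "STARTED"), ("t3", "FAILURE")],
            "/mgmt/tm/asm/tasks/policy-diff": [("d1", "NEW")],
        }
        self.deleted: List[str] = []

    def get_json(self, url: str) -> Dict:
        path = "/mgmt" + url.split("/mgmt", 1)[1]
        items = [{"id": tid, "status": status,
                  "selfLink": f"https://localhost{path}/{tid}?ver=14.0.0"}
                 for tid, status in self.tasks.get(path, [])]
        return {"items": items}

    def delete(self, url: str) -> int:
        self.deleted.append(url)
        return 200


if __name__ == "__main__":
    fake = FakeBigIp()
    for url in reap_finished_tasks("https://bigip.example", fake.get_json, fake.delete):
        print("deleted", url)
```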


701898 : Certain virtual address route-advertisement settings break upgrades from 13.0.0 hotfix rollups

Component: TMOS

Symptoms:
Upgrading from a version of 13.0.0 other than the base build may fail, depending on the value of the virtual address route-advertisement setting. If it is set to "selective", "any", or "all", the configuration load fails with an error similar to the following in /var/log/ltm:

load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- Loading schema version: 13.0.0 Syntax Error:(/config/bigip.conf at line: 1790) invalid property value "route-advertisement":"selective"

Conditions:
- Upgrading from a version of 13.0.0 other than the base (i.e., HF1 or later).
- Upgrading to 13.1.0 or later.
- At least one virtual address with its route-advertisement value set to "selective", "any", or "all".

Impact:
Configuration will not load.

Workaround:
Prior to the upgrade:
1. Note any virtual address route-advertisement settings that are "selective", "any", or "all".
2. Change all of these values to either "enabled" or "disabled" (note that this will change their route advertisement behavior temporarily).
3. Perform the upgrade.
4. Change the route advertisement settings back to their original values.
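
Steps 1, 2 and 4 of the workaround are bookkeeping that is easy to get wrong on a device with many virtual addresses. The following added example, written for this page and not F5 code, scans a bigip.conf text for virtual-address objects whose route-advertisement value is one of the three that break the upgrade, records them (step 1), and produces the tmsh commands that set them to "enabled" before the upgrade (step 2) and the commands that restore the original values afterwards (step 4). The configuration text is constructed for the example, and the only layout assumed is the usual one-object-per-brace-block form of bigip.conf.

```python
"""Added example, not F5 code: pre-upgrade audit for 701898.

Finds 'ltm virtual-address' objects with route-advertisement selective/any/all
in a bigip.conf text and emits the tmsh commands for steps 2 and 4 of the
workaround.  The configuration below is constructed, not a real device's file.
"""
import re
from typing import Dict, List, Tuple

BREAKING_VALUES = {"selective", "any", "all"}

# Constructed sample in bigip.conf layout (one object per brace block).
SAMPLE_BIGIP_CONF = """\
ltm virtual-address /Common/10.0.0.1 {
    address 10.0.0.1
    arp enabled
    mask 255.255.255.255
    route-advertisement selective
    traffic-group /Common/traffic-group-1
}
ltm virtual-address /Common/10.0.0.2 {
    address 10.0.0.2
    route-advertisement enabled
    traffic-group /Common/traffic-group-1
}
ltm virtual-address /Common/10.0.0.3 {
    address 10.0.0.3
    route-advertisement any
    traffic-group /Common/traffic-group-1
}
ltm virtual /Common/vs_web {
    destination /Common/10.0.0.1:443
    ip-protocol tcp
}
"""

# One virtual-address object: header line, body, closing brace at column 0.
OBJECT_RE = re.compile(r"^ltm virtual-address (\S+) \{\n(.*?)^\}", re.MULTILINE | re.DOTALL)
RA_RE = re.compile(r"^\s*route-advertisement (\S+)\s*$", re.MULTILINE)


def find_breaking_virtual_addresses(conf: str) -> Dict[str, str]:
    """Step 1: map virtual-address name -> route-advertisement value, for the
    values that make the 13.1.0+ config load fail."""
    found: Dict[str, str] = {}
    for name, body in OBJECT_RE.findall(conf):
        m = RA_RE.search(body)
        if m and m.group(1) in BREAKING_VALUES:
            found[name] = m.group(1)
    return found


def tmsh_commands(found: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """(commands to run before the upgrade, commands to restore afterwards).

    Note that the 'before' commands change route advertisement behaviour for
    those addresses until the 'after' commands are applied."""
    before = [f"tmsh modify ltm virtual-address {name} route-advertisement enabled"
              for name in found]
    after = [f"tmsh modify ltm virtual-address {name} route-advertisement {value}"
             for name, value in found.items()]
    return before, after


if __name__ == "__main__":
    found = find_breaking_virtual_addresses(SAMPLE_BIGIP_CONF)
    before, after = tmsh_commands(found)
    print("# before upgrade"); print("\n".join(before))
    print("# after upgrade");  print("\n".join(after))
```

Run it against the device's saved configuration (for example the bigip.conf inside a UCS or a copy of /config/bigip.conf) and keep the "after" list with the upgrade change record, since that list is the only place the original values survive once step 2 has been applied.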


701889 : Setting log.ivs.level or log-config filter level to informational causes crash

Component: Service Provider

Symptoms:
Certain log messages for the internal virtual server (IVS) at the 'informational' log level cause TMM to crash when they are logged. The messages are logged at the end of an HTTP transaction to or from an IVS.

Conditions:
Information level logging enabled:

- sys db log.ivs.level informational or
- log-config filter level set to info

A transaction that passes HTTP to/from an internal virtual server.

Impact:
TMM crashes and restarts, causing loss of connections.

Workaround:
Avoid setting log.ivs.level to 'informational' or a higher level, and/or the log-config filter level to 'info' or higher. By default the level is 'error', which does not trigger the bug.

Fix:
Informational messages for internal virtual server (IVS) are logged as expected and TMM does not crash.


701841 : Unnecessary file recovery_db/conf.tar.gz consumes /var disk space

Component: Application Security Manager

Symptoms:
A file, /ts/var/install/recovery_db/conf.tar.gz, is saved unnecessarily during a UCS file save and consumes /var disk space.

Conditions:
UCS file is saved.

Impact:
The /var filesystem can become full; this may degrade system performance over time, and can eventually lead to traffic disruptions.

Workaround:
Manually delete /ts/var/install/recovery_db/conf.tar.gz.

Fix:
Unnecessary file recovery_db/conf.tar.gz is no longer written.


701792 : JS Injection into cached HTML response causes TCP RST on the fictive URLs

Component: Application Security Manager

Symptoms:
A TCP RST is sent when a browser requests a fictive URL that starts with either of the following strings:
-- /TSPD/xxx...xxx?type=x
-- /TSbd/xxx...xxx?type=x.

Conditions:
This occurs in either of the following scenarios:
-- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal.

-- DoS profile with Single Page Application enabled is attached to a virtual server.

Impact:
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.

Workaround:
Use an iRule to disable caching for HTML pages where a fictive URL is injected.

Fix:
The system now disables caching for HTML responses where a fictive URL is injected.


701740 : apmd leaks memory when updating Access V2 policy

Component: Access Policy Manager

Symptoms:
A small leak occurs in the apmd process when processing mcp notifications about configuration updates.

Conditions:
-- An Access Policy configuration is changed.
-- apmd receives a notification about it.

Impact:
apmd grows in size very slowly. The issue does not have any immediate and significant impact on BIG-IP system functionality.

Workaround:
There is no workaround at this time.

Fix:
apmd no longer leaks a small amount of memory when processing MCP notifications.


701737 : apmd may leak memory on destroying kerberos cache

Component: Access Policy Manager

Symptoms:
apmd leaks memory in the AD Query agent.

Conditions:
The leak happens on either:
1. A kerberos cache reset is requested (any of the caches - GROUP/PSO/KERBEROS).
OR
2. Any changes to associated AAA AD Server were made and new Access Policy is applied.
OR
3. AD Query was not able to make ldap_bind to KDC and the error is NOT a timeout (e.g. invalid administrator password).

Impact:
The apmd process leaks memory and may behave unstably.
The apmd process, or some other daemon, may be killed by the OOM killer when it tries to allocate memory.

Workaround:
There is no workaround at this time.

Fix:
The AD Query agent of the apmd process no longer leaks memory.


701736 : memory leak in Machine Certificate Check agent of the apmd process

Component: Access Policy Manager

Symptoms:
The apmd process leaks memory in the Machine Certificate Check agent.

Conditions:
A Machine Certificate Check agent is configured in an Access Policy.

Impact:
apmd may grow in size; this may lead to the apmd process or other processes on the BIG-IP system being killed by the OOM killer.

Workaround:
There is no workaround at this time.

Fix:
The memory leak is fixed.


701690 : Fragmented ICMP forwarded with incorrect icmp checksum

Solution Article: K53819652

Component: Local Traffic Manager

Symptoms:
Large fragmented ICMP packets that traverse the BIG-IP system might have their source or destination IP addresses changed and be transmitted with an incorrectly calculated checksum.

Conditions:
A FastL4 virtual server able to transmit ICMP frames (ip-protocol ICMP or any), or a SNAT/NAT-only configuration, when a fragmented ICMP packet is received and is expected to pass through the virtual server (or SNAT or NAT).

Impact:
Large ICMP echo packets (greater than MTU) will be dropped by the recipient due to the checksum error. No echo response will be seen.

Workaround:
Turn on IP fragment reassembly on the FastL4 profile associated with the virtual server.
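
The workaround (enabling IP fragment reassembly) follows from how the ICMP checksum is defined: RFC 792 computes it, with the RFC 1071 one's-complement sum, over the entire ICMP message, so an echo larger than the MTU is split into IP fragments of which only the first carries the ICMP header, and no single fragment lets a device verify or correctly recompute the checksum. The following added example, written for this page and not F5 code, builds an oversized echo request, fragments it the way IPv4 does, and shows that the checksum verifies only over the reassembled message. The packet contents and the 1500-byte MTU are constructed for the example.

```python
"""Added example, not F5 code: the ICMP checksum spans the whole message, so a
fragmented echo can only be verified (or fixed up) after reassembly, which is
why 701690's workaround enables fragment reassembly on the FastL4 profile.
"""
import struct
from typing import List


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # checksum field zeroed
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_checksum_ok(message: bytes) -> bool:
    """Verification: the checksum of the message including its checksum field is 0."""
    return internet_checksum(message) == 0


def fragment(message: bytes, mtu: int, ip_header_len: int = 20) -> List[bytes]:
    """Split an IP payload as IPv4 fragmentation does: every fragment but the
    last carries a multiple of 8 payload bytes (the fragment offset unit)."""
    max_payload = ((mtu - ip_header_len) // 8) * 8
    return [message[i:i + max_payload] for i in range(0, len(message), max_payload)]


def reassemble(fragments: List[bytes]) -> bytes:
    """Reassembly with fragments already in offset order (constructed case)."""
    return b"".join(fragments)


if __name__ == "__main__":
    # Constructed 2560-byte echo payload, larger than a 1500-byte MTU.
    msg = build_icmp_echo(0x1234, 1, bytes(range(256)) * 10)
    frags = fragment(msg, 1500)
    print(len(frags), "fragments;",
          "first fragment verifies:", icmp_checksum_ok(frags[0]),
          "reassembled verifies:", icmp_checksum_ok(reassemble(frags)))
```

Only the first fragment even contains the type, code and checksum fields; the second is raw payload with no ICMP header at all, so a device that forwards fragments individually and rewrites anything the checksum covers has nothing to recompute it from without reassembling first.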


701680 : MBLB rate-limited virtual server periodically stops sending packets to the server for a few seconds

Component: Service Provider

Symptoms:
Applying rate-limiting to MBLB SIP or Diameter virtual servers might cause the virtual server to periodically stop sending packets to the pool member server for a few seconds.

Conditions:
-- MBLB SIP or Diameter virtual server.
-- Rate limiting is applied.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
There is no workaround at this time.

Fix:
MBLB rate-limited virtual server now correctly sends packets to the server.


701678 : Non-TCP and non-FastL4 virtual server with rate-limits may periodically stop sending packets to server when rate exceeded

Component: Local Traffic Manager

Symptoms:
TMM may periodically stop sending packets to the server for a few seconds when the configured virtual server rate-limited value is exceeded.

Conditions:
-- Virtual configured with rate-limit.
-- Uses a UDP profile (i.e., not using TCP or FastL4).
-- The idle-timeout is set to immediate.

Impact:
The virtual server might intermittently stop sending packets to the pool member server for a few seconds.

Workaround:
None.

Fix:
UDP rate-limited virtual server now correctly sends packets to the server.


701639 : Session variables in Requested Authentication Context Class in SP do not get resolved when Authentication Request is generated by BIG-IP as SP.

Component: Access Policy Manager

Symptoms:
Session variables in Requested Authentication Context Class in SP do not get resolved when the Authentication Request is generated by the BIG-IP system as SP; they are sent as is. This is a behavior change from v12.1.2/v12.1.3/v13.0.0, where the value is substituted in the SP's AuthnRequest sent to the IdP.

Conditions:
Requested Authentication Context Class in the SP is configured with a session variable similar to the following:
%{session.client.type}

Impact:
The generated Authentication Request does not have the session variable resolved. The string is sent as is. The Authentication Request fails and the session cannot be established.

Workaround:
None.

Fix:
The system now resolves the session variable in the configured Authentication Context Class for SP while generating the Authentication Request.


701626 : GUI resets custom Certificate Key Chain in child client SSL profile

Solution Article: K16465222

Component: TMOS

Symptoms:
In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).

Conditions:
This happens in the following scenario:

1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.

Impact:
The system resets Certificate Key Chain to default, even though the Custom box is checked.

Workaround:
To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets the value of inherit-certkeychain to false, preventing the issue from occurring.

You can also use tmsh to update parent profile settings to avoid this issue.

Fix:
GUI no longer resets custom Certificate Key Chain in child client SSL profiles.


701447 : CVE-2017-5754 (Meltdown)

Solution Article: K91229003


701445 : CVE-2017-5753 (Spectre Variant 1)

Solution Article: K91229003


701359-1 : BIND vulnerability CVE-2017-3145

Solution Article: K08613310


701327 : failed configuration deletion may cause unwanted bd exit

Component: Application Security Manager

Symptoms:
Immediately after the deletion of a configuration fails, bd exits.

Conditions:
When deleting a configuration fails.

Impact:
Unwanted bd restart.

Workaround:
None.

Fix:
bd will exit upon a failed configuration only when configured to exit on failure.


701288 : Server health significantly increases during DoSL7 TPS prevention

Component: Anomaly Detection Services

Symptoms:
Mitigation of DoSL7 TPS affects server health value.

Conditions:
-- DoSL7 TPS configured together with BADOS.
-- DoSL7 TPS is active.

Impact:
-- Incorrect Server Health reporting.
-- Might activate Behavioral DoS (BADoS) false-attack detection when attacks mitigated by DoSL7 TPS are stopped.

Workaround:
None.

Fix:
Server health now displays the actual backend server state, and does not incorrectly grow.


701244 : An incorrect data manipulation in cipher encrypt and decrypt could cause TMM crash with SIGABRT

Solution Article: K81742541

Component: Local Traffic Manager

Symptoms:
TMM receives SIGABRT from failover daemon, sod, due to heartbeat failure shortly after TMM starts up.

Conditions:
In some rare scenarios, TCP fast open encrypt/decrypt key may not be properly initialized when traffic comes into the BIG-IP system.

Impact:
Multiple TMM threads can get into a loop, causing heartbeat failure. TMM restarts, and traffic is disrupted while it does.

Workaround:
None.

Fix:
The incorrect data manipulation in cipher encrypt and decrypt has been fixed.


701202 : SSL memory corruption

Solution Article: K35023432

Component: Local Traffic Manager

Symptoms:
In some instances, random memory can be corrupted, causing a TMM core.

Conditions:
SSL is configured (either client-ssl or server-ssl) and SNI is used to select a non-default profile.

Impact:
TMM crash, disrupting traffic.

Workaround:
There is no workaround at this time.

Fix:
The memory corruption issue has been fixed.


701147 : ProxySSL does not work properly with Extended Master Secret and OCSP

Solution Article: K36563645

Component: Local Traffic Manager

Symptoms:
SSL handshake fails if the BIG-IP system is operating in ProxySSL mode, while client and server negotiate to use the Extended Master Secret and OCSP features together.

Conditions:
1. Virtual server is configured to work in ProxySSL mode.
2. Client and server negotiate the SSL handshake with the Extended Master Secret.
3. Client and Server negotiate to use the OCSP.

Impact:
ProxySSL does not work properly with Extended Master Secret and OCSP simultaneously.

Workaround:
None.

Fix:
Included the certificate status message in the calculation of Extended Master Secret.


700989 : Better detection of browser extensions

Component: Application Security Manager

Symptoms:
Browser extensions are not always detected.

Conditions:
Enabling "Web Scraping -> Suspicious Clients -> Detect browsers with Scraping Extensions" and choosing disallowed extensions.

Impact:
Browsers with disallowed extensions are not blocked.

Workaround:
None.

Fix:
Browser extension detection has been improved.


700897 : sod is unable to handle the maximum (127) allowable traffic groups if there are 8 devices in the DG

Component: TMOS

Symptoms:
sod consumes an excessive amount of CPU time, and the traffic-group Active and Next-Active locations do not stabilize.

Conditions:
The number of devices in the failover device group or the number of traffic groups is large. The limit varies by platform capacity, but any Device Service Cluster with more than 4 devices or more than 32 traffic groups can experience this issue.

Impact:
If the Active location is unstable, traffic will not be processed correctly. Excessive CPU consumption and network traffic interfere with other control plane functions, including the UI.

Workaround:
There is no workaround at this time.

Fix:
sod now handles network traffic more efficiently and limits network traffic to minimize interference with other components.


700895 : GUI Network Map objects in subfolders are not being shown

Solution Article: K34944451

Component: TMOS

Symptoms:
Objects created in subfolders under a partition are not showing up in the GUI Network Map when selecting the partition.

Conditions:
-- Create a virtual server under a subfolder.
-- View Network Map while /Common is the active partition.

For example:

1. Create a subfolder such as /Common/subfolder.
2. In that subfolder, create a virtual server such as /Common/subfolder/virtualserver1.
3. Select /Common as the partition.
4. View the Network Map.

The virtual server /Common/subfolder/virtualserver1 is not shown on the Network Map.

Impact:
Cannot see the objects in the subfolder.

Workaround:
Select the partition 'All[Read Only]' to see all objects in subfolders.


700889 : Software syncookies without TCP TS improperly include TCP options that are not encoded

Solution Article: K07330445

Component: Local Traffic Manager

Symptoms:
When sending a software syncookie and there is no TCP timestamp option, tmm sends back TCP options like window scaling (WS), sackOK, etc. The values for these options are encoded in the timestamp field which is not sent. When the final ACK of the 3WHS arrives (without a timestamp), there is no way to know that the BIG-IP system negotiated the use of SACK, WS and other options that were encoded in the timestamp. This will leave the client believing that options are enabled and the BIG-IP believing that they are not.

Conditions:
TCP timestamps are disabled by the client, or in the TCP profile.

Impact:
In one known case, the client was Windows 7, which apparently disables timestamps by default. Users might experience poor connection performance because the client believed it was using WS, and that the BIG-IP system would scale up the advertised window. However, the BIG-IP system does not use WS in this case, and uses the window size from the TCP header directly, causing the BIG-IP system to send small packets (believing it had filled the window) and wait for a response.

Workaround:
Specifically prevent the WS issue by lowering the send_buffer_size and receive_window_size to less than or equal to 65535.

Fix:
Added dependency between the window scale option and the timestamp option in a SYN/ACK response.


700862 : tmm SIGFPE 'valid node'

Solution Article: K15130240

Component: Local Traffic Manager

Symptoms:
A rare TMM crash with tmm SIGFPE 'valid node' may occur if the host is unreachable.

Conditions:
The host is unreachable.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
This fix handles a rare TMM crash when the host is unreachable.


700833 : fipskey.nethsm is now deprecated

Component: Local Traffic Manager

Symptoms:
Because tmsh commands for SafeNet HSMs have reached parity with fipskey.nethsm, the BIG-IP software is deprecating fipskey.nethsm beginning in this release. fipskey.nethsm no longer works on SafeNet HSMs. It continues to work on Thales HSMs, but with a warning that it will stop working soon.

Conditions:
-- Configure the BIG-IP system to work with an external nethsm.
-- Use a workflow or script that references fipskey.nethsm with a SafeNet HSM or Thales HSM.

Impact:
Workflows and scripts that use fipskey.nethsm with a SafeNet HSM will no longer work, and workflows and user scripts with a Thales HSM will now receive a warning when they use fipskey.nethsm.

Workaround:
Use tmsh instead of fipskey.nethsm.

Fix:
fipskey.nethsm is now deprecated because the tmsh commands have reached feature parity with it.

Behavior Change:
fipskey.nethsm no longer works with SafeNet HSMs, and warns that Thales will be deprecated very soon.


700757 : vcmpd may crash when it is exiting

Component: TMOS

Symptoms:
vcmpd may crash when it is exiting. The system logs an error message similar to the following in /var/log/ltm:

err vcmpd[14604]: 01510000:3: Uncaught exception: basic_string::_S_create

It's possible that vcmpd will then not start up, logging errors similar to the following in /var/log/ltm:

umount(/var/tmstat-vcmp/<guest name>) failed: (16, Device or resource busy

Conditions:
vCMP must be in use.

Impact:
vcmpd cores, but does so when already exiting. It is possible that vcmpd will then be unable to restart itself, and will need to be manually restarted.

Workaround:
If vcmpd cannot restart itself, you can manually restart it by running the following command:

tmsh restart sys service vcmpd

Fix:
Prevented vcmpd from crashing when exiting.


700726 : Search engine list was updated, and fixing case of multiple entries

Component: Application Security Manager

Symptoms:
Default search engine list does not identify current search engines, and blocks traffic unnecessarily. Part of the issue is that when adding custom search engines, there may be multiple search engines which match the User-Agent header, and this causes the match to fail.

Conditions:
Site accessed by search engines.

Impact:
Traffic from search engines is blocked unnecessarily.

Workaround:
Manually add search engines.

Fix:
Search engine list has been updated to reflect current common search engine usage. Also, this version removes the check of multiple search engines, so that now when multiple Search Engines are matched, the Search Engine bypasses the challenges.


700724 : Client connection with large number of HTTP requests may cause tmm to restart

Component: Access Policy Manager

Symptoms:
tmm may restart while processing a client request.

Conditions:
- PingAccess profile is configured on the virtual server.

- Client connection sends over 64k HTTP requests that result in BIG-IP's connection to the PingAccess policy server.

Impact:
Traffic will be disrupted while TMM restarts.

Workaround:
Modify the HTTP profile used by the affected virtual server to set the limit of HTTP requests per connection ("maximum requests per connection") to less than 64k, e.g., 63000 or less.

Fix:
Traffic will no longer be disrupted when client sends over 64k uncached requests on the same TCP connection.


700705 : TS cookie is set in a scenario where it is not needed

Component: Application Security Manager

Symptoms:
A TS cookie arrives with the response.

Conditions:
A policy that doesn't have any cookie-related features turned on.

Impact:
An unneeded TS cookie arrives with the response. There is no particularly negative effect as a result; just a bit more throughput than might be expected.

Workaround:
Although you can remove the unneeded cookies using an iRule, this is not recommended because it is not always clear whether or not specific cookies are used.

Fix:
The system no longer issues cookies in a scenario where they are not needed.


700597 : Local Traffic Policy on HTTP/2 virtual server no longer matches

Component: Local Traffic Manager

Symptoms:
Local Traffic Policies may not match properly when a virtual server is handling HTTP/2 traffic.

Conditions:
Virtual server with Local Traffic Policy and HTTP/2 profile.

Impact:
Traffic fails to pass through the virtual server, or fails to be processed as expected.

Workaround:
If able, use HTTP rather than HTTP/2. Or disable the policy. Otherwise there is no workaround.

Fix:
Traffic is now processed as expected.


700576 : GUI - Server SSL Profile shows irrelevant options when "Server Certificate" is set to "Ignore"

Component: Local Traffic Manager

Symptoms:
In the GUI, the ServerSSL Profile options "Expire Certificate Response Control" and "Untrusted Certificate Response Control" are shown as stand-alone options, yet those settings are not honored when the "Server Certificate" option is set to "Ignore" (default).

Conditions:
Create a server SSL profile with the "Server Certificate" option set to "Ignore" (default).
The profile shows the "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options, yet those settings are not honored.

Impact:
No functional impact, but it may cause confusion by allowing irrelevant options to be viewed and modified.

Workaround:
No functional impact. The "Expire Certificate Response Control" and "Untrusted Certificate Response Control" options can be ignored when the "Server Certificate" option is set to "Ignore" (default).

Fix:
"Expire Certificate Response Control" and "Untrusted Certificate Response Control" server SSL profile options are hidden when "Server Certificate" option is set to "Ignore" (default).


700571 : SIP MR profile, setting incorrect branch param for CANCEL to INVITE

Component: Service Provider

Symptoms:
BIG-IP SIP profile MR does not maintain the Via 'branch parameter' ID when the Via header insertion is enabled for INVITE and CANCEL for the same INVITE.

Conditions:
This happens only when the following conditions are both met:
-- The transport connection that issued INVITE has been terminated.
-- A new transport is used to issue CANCEL.

Impact:
The result is different branch IDs for the BIG-IP system-generated Via header. INVITE is only cancelled on the calling side, while on the called side, the line will ring until time out.

Workaround:
None.

Fix:
The branch parameter value calculation now remains consistent throughout the connection.


700564 : JavaScript errors shown when debugging a mobile device with ASM deviceID enabled

Component: Application Security Manager

Symptoms:
When debugging a mobile device with ASM Device ID enabled, the Google Chrome browser console log contains JavaScript errors similar to the following: net::ERR_UNKNOWN_URL_SCHEME.

Note: In order to view the Chrome browser console log, you must use BrowserStack from a developer's console, or physically connect the phone by cable, enable 'usb debug', enable 'device discovery' on Chrome on the desktop, and view the console from there.

Conditions:
-- ASM policy is attached on a virtual server with deviceID enabled.
-- Device ID collection request has been sent from a mobile device.
-- Chrome browser console log is opened.

Impact:
Mobile device app developers might be concerned about the errors, potentially asking about why the ASM JavaScript code attempts to access UNKNOWN_URL_SCHEME in a mobile device.

The errors occur because Device ID enabled on an ASM policy uses the JavaScript request URI argument 'chrome-extension' to detect the existence of malicious browser extension. However, Chrome on Android/iOS does not support 'chrome-extension'.

Workaround:
Disable Device ID in ASM policy.

Fix:
The system now avoids checking Chrome extensions on mobile devices, so no UNKNOWN_URL_SCHEME errors occur.


700556 : TMM may crash when processing WebSockets data

Solution Article: K11718033


700527 : cmp-hash change can hang iRule DNS lookup

Component: Global Traffic Manager (DNS)

Symptoms:
An iRule that uses RESOLV::lookup can hang repeatedly when cmp-hash configuration is changed.

Conditions:
An iRule must be in the middle of a call to RESOLV::lookup when a vlan cmp-hash configuration is changed.

Impact:
The iRule call can hang repeatedly.

Workaround:
Restart the TMM. This will interrupt client traffic.

Fix:
The iRule connection is reestablished when the pending query expires, so subsequent RESOLV::lookup calls do not hang per TMM.


700522 : APMD restarts when worker threads are stuck

Component: Access Policy Manager

Symptoms:
APMD restarts and logs a message about all threads being stuck.

Conditions:
A race condition allows the busy thread count to remain higher than the actual value. If it reaches the maximum thread count, APMD will restart.

Impact:
APMD can restart unexpectedly.

Workaround:
There is no workaround.

Fix:
The race condition is corrected and the restarts are eliminated.


700433 : Memory leak when attaching an LTM policy to a virtual server

Solution Article: K10870739

Component: Local Traffic Manager

Symptoms:
MCP's memory increases when deleting and adding an LTM policy attached to a virtual server.

Conditions:
-- LTM policies must be in use.
-- A policy with at least one rule. (Note: A rule with actions or conditions will leak more memory.)
-- Add the policy to a virtual server.

Impact:
MCP may run slower when memory is low. If all memory is used up, MCP will crash, which will cause a failover or outage.

Workaround:
None.

Fix:
The system now prevents MCP from leaking memory when attaching an LTM policy to a virtual server.


700426-1 : Switching partitions while viewing objects in GUI can result in empty list

Solution Article: K58033284

Component: TMOS

Symptoms:
In the LTM Pool List, Node List, and Address Translations pages, switching partitions while viewing objects in the GUI can result in an empty list.

Conditions:
This issue is present when all of the following conditions are met:
-- One partition contains multiple pages of objects.
-- The page count in one partition is greater than the page count in another.
-- The active page number is greater than 1.
-- You switch to a partition whose max number of pages is lower than the active page number.

For example, in the GUI:
1. Create two non-Common partitions.
2. In one partition, create enough pools so that they do not fit on one page.
3. In the second partition, create only enough pools for one page.
4. On the Local Traffic :: Pools list page in the first partition, navigate to the second page of objects.
5. Switch to the other partition.
6. Note that the displayed page contains no objects.

Impact:
The list of pools is empty despite the fact that there are pools available.

Workaround:
Return to the first page of objects before switching to any other partition.

Fix:
The system now resets to the first page if the page number is greater than the page count, so the partition's objects display correctly.


700405 : Disabling TCP segmentation offload can lead to a tmm assert

Component: TMOS

Symptoms:
When using the vmxnet3 or virtio tmm drivers (not unic), if TCP segmentation offload is disabled while processing traffic, a tmm assert may be observed and tmm will restart. The tmm assert appears similar to the following:

 notice tso ioctl for member:0 of /Common/internal failed with value: 32tso ioctl for member:0 of /Common/external failed with value: 32panic: ./local/net/packet.h:328: Assertion "packet_ref: not free" failed.

Conditions:
-- Deploy Virtual Edition (VE) using vmxnet3 or virtio tmm drivers.
-- Continuously pass traffic through the system.
-- Disable the DB variable tm.tcpsegmentationoffload.

Impact:
Sometimes tmm will restart, which will lead to traffic group failovers. This is a fairly rare situation, and disabling TCP segmentation offloading is not something routinely done, but if done while under load, this failure might occur.

Workaround:
There is no workaround at this time.

Fix:
This issue no longer occurs.


700393 : Under certain circumstances a stale http2 stream can cause a tmm crash

Component: Local Traffic Manager

Symptoms:
Tmm may crash due to a stale/stalled HTTP2 stream.

Conditions:
http2 profile in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
Stale/stalled HTTP2 streams are handled correctly to prevent a tmm crash.


700386 : mcpd may dump core on startup

Component: TMOS

Symptoms:
mcpd may generate a core file upon startup, with a message being logged that overdog restarted it because mcpd failed to send a heartbeat for five minutes.

Conditions:
This can happen only at startup.

Impact:
mcpd restarts, but resumes normal operation.

Workaround:
None.

Fix:
mcpd no longer generates a core on startup.


700385 : Behavioral Clarification For Tcl After Command

Component: Local Traffic Manager

Symptoms:
Flows with after commands accrue in the TMM due to not-yet-executed after scripts, causing memory pressure.

Conditions:
After command used in a Tcl script with a timeout beyond the connection lifetime.

Impact:
Potential memory pressure, leading to out of memory and TMM failover. Traffic disrupted while tmm restarts.

Workaround:
If the after command does not need to execute after the flow has expired, use one of the *_CLOSED events to cancel the after command.

Fix:
After commands on a closed or aborted flow will now be removed as soon as possible, rather than waiting for their timer to fire and detect they cannot be run, thereby significantly decreasing memory pressure.


700322 : Upgrade may fail on a multi blade system when there are scheduled reports in configuration

Component: Application Visibility and Reporting

Symptoms:
Upgrade to a newer version or hotfix fails. The secondary slot always fails the upgrade with the following error in /var/log/liveinstall.log:

error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/fbSBcyXrsz.ucs
info: >++++ result:
info: Saving active configuration...
info: Thrift: Tue Dec 19 10:53:45 2017 TSocket::open() connect() <Host: localhost Port: 9090>Connection refused
info: Error during config save.
info: Unexpected Error: UCS saving process failed.

Conditions:
1) System has two or more slots (multi-blade)
2) There are scheduled reports in configuration.

Impact:
Upgrade fails.

Workaround:
1) Save configuration for scheduled reports aside.
2) Remove all scheduled reports from configuration.
3) Perform upgrade.
4) Add scheduled reports back to configuration.

Fix:
On secondary blades, monpd listens on the slot-specific local address 127.0.3.X, so tmsh now uses this address (instead of 127.0.0.1) when it establishes a connection to monpd.


700320-1 : tmm core under stress when BADOS configured and attack signatures enabled

Component: Anomaly Detection Services

Symptoms:
Tmm core under stress. Note: This issue has a very low probability of occurring.

Conditions:
-- Out of memory.
-- BADOS configured.
-- Attack signatures enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None, except to not configure attack signatures.

Fix:
Added protection for the case in which allocation of the adm_filters context fails.


700315-1 : Ctrl+C does not terminate TShark

Solution Article: K26130444

Component: TMOS

Symptoms:
A running TShark process on the BIG-IP system has problems exiting when the user is finished capturing and presses CTRL+C while listening on a tmm VLAN or 0.0.

Conditions:
-- Using TShark on a tmm VLAN or 0.0.
-- Pressing Ctrl+C to exit.

Impact:
TShark does not exit as expected when pressing CTRL+C.

Workaround:
To recover, you can move the process to the background (CTRL+Z) and then halt the process by running a command similar to the following: kill -9 $(pidof tshark)

Fix:
Ctrl+C now terminates TShark as expected.


700250 : qkviews for secondary blade appear to be corrupt

Solution Article: K59327012

Component: TMOS

Symptoms:
Normally, a qkview created on a multi-blade system will include a qkview for every blade on the system. Those qkview files have an error that makes the tar-ball appear corrupt.

Conditions:
Running a qkview on a system with blades.
Attempt to access the tar-ball using the following command: tar -tvzf 127.3.0.2.qkview | tail.

Impact:
The system posts the following messages:
    gzip: stdin: unexpected end of file
    tar: Child returned status 1
    tar: Error is not recoverable: exiting now


Confuses troubleshooters into thinking that the blade qkview files are corrupt, which they are not.

Workaround:
None.

Fix:
The errant newline is no longer written, which resolves the problem.


700247-1 : APM Client Software may be missing after doing fresh install of BIG-IP VE

Solution Article: K60053504

Component: TMOS

Symptoms:
APM client software checks are broken in a VM created from BIG-IP-13.1.0.1.0.0.8.ALL-scsi.ova.

Conditions:
Any software instance created by deployment of any OVA for the affected software versions.

Impact:
APM endpoint inspection feature (for Mac, windows and Linux clients). [Users affected]
Configuration of APM client software check APM Visual policy editor. [Admin UI]
APM Client package @ Connectivity / VPN : Connectivity : Profiles if you select "Web Browser Add-ons for BIG-IP Edge Client" option. [Admin UI]

Workaround:
Run the "epsec refresh" command again after removing all environment locks on the shared RPM database, using the following commands:

rm /shared/lib/rpm/__db.*
epsec refresh

Fix:
After deployment of a new OVA for the fixed version(s), the problem no longer occurs.


700143 : ASM Request Logs: Cannot delete second 10,000 records of filtered event log messages

Component: Application Security Manager

Symptoms:
Attempting to delete request logs by a filter (10,000 at a time) only works once. Subsequent delete-by-filter actions do not remove additional earlier logs.

Conditions:
System has over 10,000 ASM request logs by a selected filter, and delete all by filter is used multiple times.

Impact:
Only the latest 10,000 events are deleted.

Workaround:
No workaround for deleting by a filter.
Delete all (without filter) works, and deleting selected requests works.

Fix:
Deletion by filter correctly deletes subsequent sets of 10,000 rows per action.


700090 : tmm crash during execution of a per-request policy when modified during execution.

Component: Access Policy Manager

Symptoms:
Modify/delete of per-request policy during heavy traffic flow causes tmm to crash.

Conditions:
-- A per-request policy (macro) is being executed.
-- At the same time, an administrator deletes the parent policy item.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not modify per-request policy during heavy traffic flow.

Fix:
This is fixed: if the policy currently being executed has been deleted, the system looks for its continuation in the deleted policy list.


700061 : Restarting service MCPD or rebooting BIG-IP device adds 'other' file read permissions to key file

Component: TMOS

Symptoms:
Restarting the MCPD service or rebooting the BIG-IP device adds Unix 'other' read file permissions for key files.
The Unix permissions of key files change from '-rw-r-----' to '-rw-r--r--'.

Conditions:
1. Restarting the service MCPD
2. Rebooting BIG-IP device.

Impact:
Key file Unix permissions change from '-rw-r-----' to '-rw-r--r--'.

Workaround:
There is no workaround at this time.

Fix:
Restarting the MCPD service or rebooting the device no longer changes the Unix permissions of key files from '-rw-r-----' to '-rw-r--r--'.
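The following shell check is added here as an illustration and is not part of F5's fix. It audits a directory of private-key files for the 'other' read bit that this issue adds (the '-rw-r-----' to '-rw-r--r--' change described above), reports the affected files, and removes the bit. The directory path and the function names are assumptions, and the demonstration runs on a constructed temporary directory rather than the BIG-IP key store; pointing the audit at a real key directory is the operator's decision.

```shell
#!/bin/sh
# Audit for private-key files whose mode grants read access to 'other'.
# Every function takes the key directory as $1 (an assumption: the
# BIG-IP key directory is not hard-coded here).

# Print every regular file under $1 with the 'other' read bit (o+r) set.
# -perm -004 matches files that have at least that bit, whatever the rest.
list_world_readable_keys() {
    find "$1" -type f -perm -004 | sort
}

# Number of such files; a monitoring check would alert when this is non-zero.
count_world_readable_keys() {
    list_world_readable_keys "$1" | wc -l | tr -d ' '
}

# Remove the 'other' read bit from every affected file under $1 and print
# how many files were changed. Only o+r is touched; owner/group bits stay.
fix_world_readable_keys() {
    n=$(count_world_readable_keys "$1")
    find "$1" -type f -perm -004 -exec chmod o-r {} +
    echo "$n"
}

# Constructed sample: a temporary directory holding one correctly
# protected key (0640) and one that has been loosened to 0644.
make_sample_keydir() {
    d=$(mktemp -d)
    printf 'constructed key material, not a real key\n' > "$d/good.key"
    printf 'constructed key material, not a real key\n' > "$d/loose.key"
    chmod 640 "$d/good.key"
    chmod 644 "$d/loose.key"
    echo "$d"
}

# Stand-alone demonstration: audit, fix, audit again.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_keydir)
    echo "before: $(count_world_readable_keys "$dir") world-readable file(s)"
    list_world_readable_keys "$dir"
    fix_world_readable_keys "$dir" > /dev/null
    echo "after:  $(count_world_readable_keys "$dir") world-readable file(s)"
    rm -rf "$dir"
fi
```

Run it with --demo to see the before/after counts on the constructed directory. The check reports only the 'other' read bit because that is the bit this issue flips; it does not verify owner or group, which issue 700057 below covers separately.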


700057 : LDAP fails to initiate SSL negotiation because client cert and key associated file permissions are not preserved

Component: TMOS

Symptoms:
After upgrading to an affected build, the default key will have incorrect group ownership.

Conditions:
Upgrade or load a .ucs with SSL keys configured.

Impact:
File permissions are not preserved in the .ucs file. The httpd process will not be able to use the default key, so anything using it will fail.

Workaround:
Run the following two commands:
tmsh save /sys config
tmsh load /sys config

Fix:
The system now preserves correct permissions for default.key across upgrade and ucs load.


700035 : /var/log/avr/monpd.disk.provision does not rotate

Component: Application Visibility and Reporting

Symptoms:
The log file may fill up the /var partition.

Conditions:
There is no special condition for this issue; if the log grows large, it does not rotate.

Impact:
The log file may fill up the /var partition.

Workaround:
1. gzip /var/log/avr/monpd.disk.provision
2. touch /var/log/avr/monpd.disk.provision

Fix:
Added /var/log/avr/monpd.disk.provision to the log rotation mechanism.
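As an added illustration, and not F5's own rotation mechanism, the following shell function turns the manual gzip-and-touch workaround into a size-gated rotation that can be run from cron until the fixed version is installed. The function names, the size threshold, and the sample file are assumptions; the demonstration uses a constructed temporary file rather than /var/log/avr/monpd.disk.provision. One deliberate difference from the workaround above is that the live file is truncated in place rather than unlinked and re-created.

```shell
#!/bin/sh
# rotate_if_large FILE MAX_BYTES
#   If FILE is larger than MAX_BYTES, compress a copy to FILE.<timestamp>.gz,
#   truncate FILE in place, print the archive name and return 0.
#   Otherwise print nothing and return 1.
rotate_if_large() {
    file=$1
    max=$2
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt "$max" ] || return 1
    archive="$file.$(date +%Y%m%d%H%M%S).gz"
    # Compress a copy, then truncate the original in place. Truncation keeps
    # the same inode, so a daemon that holds the file open simply continues
    # writing to a now-small file. "gzip FILE; touch FILE" instead unlinks
    # the original, and a daemon still writing to the unlinked inode keeps
    # consuming /var space until it reopens the path.
    gzip -c "$file" > "$archive" && : > "$file"
    echo "$archive"
}

# Constructed sample log: 100 lines of made-up monpd-style text, well over
# the 1 KiB threshold used in the demonstration.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 100 ]; do
        echo "2018-09-19 10:53:45 monpd disk provision sample line $i" >> "$f"
        i=$((i + 1))
    done
    echo "$f"
}

# Stand-alone demonstration: first call rotates, second call finds the
# truncated file under the threshold and does nothing.
if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    rotate_if_large "$log" 1024 && echo "rotated; live file now $(wc -c < "$log") bytes"
    rotate_if_large "$log" 1024 || echo "second pass: under threshold, nothing to do"
    rm -f "$log" "$log".*.gz
fi
```

A cron entry would call rotate_if_large with the real path and a threshold sized for the /var partition; the archives accumulate with timestamps, so old ones still need to be pruned or copied off the box.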


699979 : Support for Safenet Client Software v7.x

Component: Local Traffic Manager

Symptoms:
The BIG-IP system is not compatible with SafeNet v7.x.

Conditions:
Attempting to use a BIG-IP system with the Safenet v7.x client software.

Impact:
No support provided for the SafeNet network HSMs.

Workaround:
There is no workaround other than using an HSM with the supported SafeNet client software.

Fix:
The BIG-IP system now supports SafeNet v7.x in the following configuration:

-- Client software: 7.1.
-- HSM software: 7.1.
-- HSM firmware 7.0.2.


699898 : Wrong policy version time in policy created after synchronization between active and standby machines.

Component: Application Security Manager

Symptoms:
After synchronization, the policy version time in the policy created on the standby BIG-IP system is different from the policy version time on the original policy on the active BIG-IP system.

Conditions:
Synchronizing the new policies on the active system with new policies on the standby system.

Impact:
Policy version timestamp on standby system is not synchronized properly.

Workaround:
Run full synchronization again from active system to the group.

Fix:
The policy version time in the policy created on the standby BIG-IP system now matches the policy version time on the original policy on the active BIG-IP system.


699868 : Filter by custom period is not working properly in some cases

Component: Application Security Manager

Symptoms:
When a custom time period is defined in the filter on the Requests (Event Correlation, Brute Force) page, the filter does not work correctly and the wrong dates are filtered.

Conditions:
Server and client machines use different time zones.

Impact:
Users cannot filter effectively by custom time period.

Workaround:
Users can shift the time period to compensate for the difference between the server and their client machine.

Fix:
The time range filter was fixed to work correctly and no longer depends on the client machine's time zone.


699772 : Legitimate Chromebook browser detected as running Selenium by Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
There is no real impact to traffic when only Selenium is detected, but if Proactive Bot Defense detects other headless browser properties together with the Selenium detection, the headless browser detection score can exceed the limit and the request is dropped.

Conditions:
1. ASM or DoS Provisioned.
2. DoS Application profile assigned to a virtual server.
3. Proactive Bot Defense and Block suspicious browsers sections are enabled in the DoS Application profile configuration.

Impact:
No real impact to the traffic.

Workaround:
Disable Proactive Bot Defense, or set the dosl7.browser_legit_min_score_drop sys db variable to a higher value.

list sys db dosl7.browser_legit_min_score_drop
sys db dosl7.browser_legit_min_score_drop {
    value "120"
}

Fix:
Selenium detection has been changed for Chromebooks.


699720 : ASM crash when configuring remote logger for WebSocket traffic with response-logging:all

Component: Application Security Manager

Symptoms:
ASM may crash when configuring remote logger for WebSocket traffic virtual server.

Conditions:
-- Virtual server handling WebSocket traffic.
-- ASM remote logger on the same virtual server.

Impact:
ASM crash; system goes offline.

Workaround:
Use either of the following workarounds:

-- Remove remote logger.
-- Have response logging for illegal requests only.

Fix:
The system now handles memory correctly and avoids crashing in this specific scenario.


699686 : localdbmgr crash

Component: Access Policy Manager

Symptoms:
When the localdbmgr process is restarted, the process occasionally crashes and generates a core file.

Conditions:
-- APM is provisioned.
-- localdbmgr process is restarted.

Impact:
Although the process restarts, there is no impact to the APM functionality.

Workaround:
None.

Fix:
localdbmgr no longer crashes during shutdown.


699455 : SAML export does not follow best practices

Solution Article: K50254952


699451 : OAuth reports do not follow best practices

Solution Article: K30500703


699431-2 : Possible memory leak in MRF under low memory

Component: Service Provider

Symptoms:
MRF may leak a session db record when a memory allocation failure occurs while adding a connection to an internal table. In this case, the table entry is not cleaned up when the connection closes.

Conditions:
A memory allocation failure occurs in MRF while a connection is being added to an internal table.

Impact:
The table entry will remain until the box resets.

Workaround:
There is no workaround at this time.

Fix:
The code has been fixed to remove the table entry when a memory allocation failure occurs while adding the record.


699346 : NetHSM capacity reduces when handling errors

Solution Article: K53931245


699339 : Geolocation upgrade files fail to replicate to secondary blades

Solution Article: K24634702

Component: Global Traffic Manager (DNS)

Symptoms:
Geolocation upgrade files fail to replicate to secondary blades.

Conditions:
-- Multiblade VIPRION platforms/vCMP guests.
-- Upgrading geolocation files on the primary blade.
-- Viewing the geolocation files on the secondary blades.

Impact:
Geoip database is not updated to match primary blade.

Workaround:
Use either of the following workarounds:

-- Use the root account to manually create the /shared/GeoIP/v2 directory on secondary blades, and then run geoip_update_data on primary blade.

-- On primary blade:
1. Edit /etc/csyncd.conf as shown below.
2. Restart csyncd.
3. Run geoip_update_data.

To edit /etc/csyncd.conf:

Merge the following two terms:
 monitor dir /shared/GeoIP {...}
 monitor dir /shared/GeoIP/v2 {...}

into one term, as follows:
monitor dir /shared/GeoIP {
        queue geoip
        pull pri2sec
        recurse yes
        defer no
        lnksync yes
        md5 no
        post "/usr/local/bin/geoip_reload_data"
}

Fix:
Geolocation upgrade files now correctly replicate to secondary blades.


699298 : 13.0.0 Hotfix HF3 3.0.1679 TMM CORED due to SIGSEGV.

Component: Local Traffic Manager

Symptoms:
TMM may crash when woodside congestion-control is in use.

Conditions:
When woodside congestion-control is in use.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Other congestion control algorithms can be used as a workaround.

Fix:
This fix handles a rare TMM crash when woodside congestion-control is in use.


699281-2 : Version format of hypervisor bundle matches Version format of ISO

Component: TMOS

Symptoms:
F5 recently incorporated a 4th element into its versioning scheme. In the ISO name, the 4th and 5th elements are separated by a dash (instead of a dot). This change ensures that the names of hypervisor bundles also use a dash between the 4th and 5th elements.

Conditions:
Applies to hypervisor bundles (for example, OVA files for VMware).

Impact:
The version format in the names of hypervisor bundles did not match the version format of the ISO file.

Workaround:
Version format in names of hypervisor bundles matches version format of ISO file

Fix:
The version format in the names of hypervisor bundles now matches the version format of the ISO file (a dash is used between the 4th and 5th elements).


699179 : Modifying a Netflow profile requires that there are zero connections on the virtual servers that it is attached to

Component: Advanced Firewall Manager

Symptoms:
To change a Netflow profile that is attached to a virtual server, zero connections must be present on the virtual server.

Conditions:
Attempting to change a Netflow profile that is attached to a virtual server.

Impact:
Cannot modify Netflow profile.

Workaround:
Either make sure that there are zero connections when modifying an attached Netflow profile, or detach the Netflow profile you wish to modify temporarily from all virtual servers that it is attached to.

To make changes when the virtual server has active connections (ongoing stream of Netflow packets):

1. Change the Netflow profile in virtual server to none.
2. Change virtual server state to disabled (after this step, there will be 0 active connections for the virtual server).
3. Change Netflow profile in virtual server to new profile.
4. Change virtual server state to enabled.

Fix:
The system now disallows modifications to Netflow virtual servers with non-zero connection counts.


699135 : tmm cores with SIGSEGV in dns_rebuild_response while using host command for not A/AAAA wideip

Component: Global Traffic Manager (DNS)

Symptoms:
tmm cores with SIGSEGV in dns_rebuild_response.

Conditions:
1. Create a wideip of type other than A/AAAA.
2. Create an iRule with a host command for the previously created wideip.
3. Create a related zonerunner record with the same name and type.
4. Dig against the wideip with type any.
5. Observe that tmm cores.

Impact:
tmm cores.

Workaround:
Do not use the host command for wideips of a type other than A/AAAA.


699117 : Editing OAuth Client / Resource Server Request objects in the GUI results in invalid configuration

Component: Access Policy Manager

Symptoms:
APM offers OpenID Connect Client / Resource Server starting in BIG-IP 13.1. The configuration is composed of many objects necessary for the configuration to work correctly.

One of the objects specifies the request data included in the authorization requests to 3rd party OpenID Connect Authorization Servers.

Conditions:
Administrator uses the GUI:
 Access => Federation => OAuth Client / Resource Server => Request

to modify the request objects.

Impact:
It is not possible to create a valid configuration using the GUI. If attempted, an error will occur from the 3rd party as a result of the invalid request. The error may be similar to:

"Some requested scopes were invalid."

Workaround:
Use TMSH to create the request object configuration, with a command such as:

create apm aaa oauth-request my_custom_GoogleAuthRedirectRequest description customized method get parameters replace-all-with { access_type { value offline } client_id { type client-id } include_granted_scopes { value true } redirect_uri { type redirect-uri } response_type { type response-type } scope { type scope } } type auth-redirect-request

Fix:
Using the GUI to create, copy, and modify APM OAuth Client / Resource Server Request objects will now result in a configuration that can function properly.


699103 : tmm continuously restarts after provisioning AFM

Component: Traffic Classification Engine

Symptoms:
tmm continuously restarts when the Webroot database is getting downloaded to a BIG-IP system with less than 16 GB RAM and AFM provisioned.

Conditions:
-- Webroot URL categorization configured for Traffic Classification.
-- BIG-IP system with less than 16 GB RAM.
-- AFM is provisioned.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to ensure that more than 16 GB RAM is available when AFM is provisioned.

Fix:
The BIG-IP system with less than 16 GB RAM and AFM provisioned now prevents downloading the Webroot database or any updates if it is not already downloaded.

Note: If the Webroot database already exists before upgrade to this release, Webroot lookup will continue to work.


699076 : URI::path iRules command warns end and start values equal

Component: Local Traffic Manager

Symptoms:
The URI::path iRules command logs a warning when the end and start values are equal.

Conditions:
The end and start values passed to URI::path are equal.

Impact:
Warning message shows in console.

Workaround:
Ignore the warning.

Fix:
The issue is fixed in 14.0 release.


699012 : TMM may crash when processing SSL/TLS data

Solution Article: K43121447


698992 : Performance degraded

Component: Performance

Symptoms:
Portal Access performance was slightly degraded. The cause was identified as a new queuing strategy implemented in the 13.0 release to improve per-request policy authentication performance on higher-end platforms. The nature of the problem is such that overall system degradation may be observed when APM is provisioned even if per-request policy is not used.

Conditions:
APM is provisioned, but functionality is not related to per-request policy.

Impact:
Performance will be slightly lower under load.

Workaround:
None.

Fix:
The queuing strategy was altered to take minimal CPU resources when idle.


698984 : Auto-disable TMM.HTTP.TCL.Validation when APM is provisioned

Component: Access Policy Manager

Symptoms:
The db variable Tmm.HTTP.TCL.Validation is enabled by default. This db variable should be disabled when APM is provisioned/enabled, ACCESS::restrict_irule_events is disabled, and HTTP_RESPONSE_RELEASE events are detected in the assigned iRules.

Conditions:
Steps to Reproduce:
1. Define the following iRule in the virtual server.

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set u [ HTTP::uri ]
    log local0. "XXX: [ HTTP::uri ]"
}
when HTTP_RESPONSE_RELEASE {
    log local0. "XXX: [ HTTP::status ] [ HTTP::header Location ]"
    set l [ HTTP::header Location ]
    if { $l starts_with {/my.policy} } {
       append l {?modified_by_irule=1}
       HTTP::header replace Location $l
    } elseif { $l starts_with {/renderer/agent_logon_page_form.eui} } {
        # Next response will be the real response to the client.
        ACCESS::log "XXX: lp_seen"
        set lp_seen 1
    }
    if { [ HTTP::status ] == 200 && [ info exists lp_seen ] && $lp_seen == 1 } {
        unset lp_seen
        HTTP::header insert X-MyAppSpecialHeader 1
    }
}
2. Configure START :: LOGON PAGE :: ALLOW policy.
3. Access the virtual server.

Impact:
TCP reset triggered when it should not. With respect to the specific condition described, the system should post the logon page.

Workaround:
Manually disable Tmm.HTTP.TCL.Validation.

Fix:
Tmm.HTTP.TCL.Validation is now disabled automatically when APM is provisioned, including during upgrades. This is the correct behavior.


698940 : Add new security policy template for API driven systems - "API Security"

Component: Application Security Manager

Symptoms:
No security policy template for API Security for API driven systems.

Conditions:
-- Using API.
-- Attempting to define REST API protection, Web Socket protection.

Impact:
No policy template.

Workaround:
None.

Fix:
Added new security policy template for API driven systems - 'API Security'.


698919 : Anti virus false positive detection on long XML uploads

Component: Application Security Manager

Symptoms:
A false positive virus-detected violation. The description of the violation explains that the ICAP server was not contacted.

Conditions:
-- A long XML upload or payload.
-- The assigned XML profile is configured to be inspected by the ICAP server.

Impact:
Violation is detected where no violation has occurred (false positive violation).

Workaround:
Increase the internal parameter max_raw_request_len to the required length of the XML.

Note: This workaround will affect the amount of logged data from ASM.

Fix:
Fixed a false positive virus-detected violation related to long XML uploads.


698916 : TMM crash with HTTP/2 under specific condition

Component: Local Traffic Manager

Symptoms:
TMM may crash when upgrading an HTTP/1.1 connection to an HTTP/2 connection.

Conditions:
-- HTTP/2 gateway enabled.
-- Pool member supports protocol switching.

Impact:
TMM crash, leading to a failover event.

Workaround:
There is no workaround other than removing the HTTP/2 profile from the virtual server.

Fix:
TMM properly handles protocol upgrade requests from pool members when HTTP/2 is enabled, so no crash occurs.


698813-1 : When processing DNSX transfers ZoneRunner does not enforce best practices

Solution Article: K45435121


698806 : Firewall NAT Source Translation UI does not show the enabled VLAN on egress interfaces

Component: Advanced Firewall Manager

Symptoms:
Egress Interfaces are not checked in the Source Translation page even if they are configured.

Conditions:
Create a source translation object with egress Interfaces set to 'Enabled on...', select Egress Interfaces from the list, and hit 'Finished'. Egress Interfaces will not be checked with the originally configured values.

Impact:
Egress Interfaces will not be checked even if they are configured.

Workaround:
Use tmsh to check whether the object is actually configured with Egress Interfaces.

Fix:
Egress Interfaces will be selected whenever a user tries to create a source Translation object with Egress Interfaces.


698757 : Standby system saves config and changes status after sync from peer

Solution Article: K58143082

Component: Application Security Manager

Symptoms:
After running config sync from an Active to a Standby device, the sync status is In Sync for a short period of time.
After a while, it automatically changes to Changes Pending status.

Conditions:
-- Manual sync device-group configuration.
-- Modify existing policy encoding to uppercase (via tmsh).
-- ASM configuration.

Impact:
The high availability (HA) configuration goes out of SYNC.

Workaround:
Use either of the following workarounds:
-- Push the sync back from the Standby device to the Active device, and then again from the Active to Standby.

-- Put the device group into auto-sync state and push the config from the Active to the Standby. After the Sync state resolves and the ASM configuration is finished loading, the device group can be put back to Manual sync.

Fix:
Change requested encoding to lowercase.


698565 : bd core due to specific wrong configuration

Component: Application Security Manager

Symptoms:
A bd core is encountered.

Conditions:
The redirect URL blocking response has the erase cookies JavaScript tag attached.

Impact:
A bd core, failover, traffic disturbance.

Workaround:
There is no workaround other than not putting JavaScript in the redirection URL.

Fix:
This bd core no longer occurs.


698461 : tmm may crash in fastl4 TCP

Component: Local Traffic Manager

Symptoms:
tmm crashes and the BIG-IP system fails over.

Conditions:
-- A virtual server with a FastL4 profile and a TCP profile is configured and in use.
-- LRO is in use.

Impact:
tmm may crash. Traffic is disrupted while tmm restarts.

Fix:
The crash is fixed.


698429 : Misleading log error message: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
On rare occasions, messages like these can appear in /var/log/ltm:

Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash computed from read key:9d:e6:90:...
Oct 20 14:21:04 localhost err mcpd[4139]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Symmmetric Unit Key decrypt
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071027:5: Master key OpenSSL error: 1506270960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:587:
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Attempting Master Key migration to new unit key.
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning chmand[5559]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
Oct 20 14:21:04 localhost warning mcpd[4139]: 012a0004:4: halStorageRead: unable to read storage on this platform.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071029:5: Cannot open unit key store
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Reloading the RSA unit to support config roll forward.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Loading keys from the file.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Read the unit key file if exists.
Oct 20 14:21:04 localhost notice mcpd[4139]: 01071038:5: Unit key hash from key header: 9d:e6:90:...

These messages are due to a transient failure reading the system's unit key from the virtual EEPROM on a vCMP guest. The error handling for this failure produces misleading messages, but the unit key is successfully read during the error recovery.

Conditions:
These messages can only happen on a vCMP guest with SecureVault, and are very rare.

Impact:
None. These messages do not indicate an actual problem with the system.


698424 : Traffic over a QinQ VLAN (double tagged) will not pass

Solution Article: K11906514

Component: Local Traffic Manager

Symptoms:
Traffic on a QinQ VLAN will not pass.

Conditions:
This issue exists when a VLAN is configured as a QinQ VLAN (i.e., a double-tagged VLAN).

Impact:
Traffic on a QinQ VLAN will not pass.

Workaround:
Disabling LRO may work around this issue.

Fix:
Traffic on a QinQ VLAN now passes successfully.


698407 : OSPF tag updates may not be propagated through process redistribution

Component: TMOS

Symptoms:
If BIG-IP receives an OSPF LSA with an external tag set and the ensuing route is redistributed into another protocol, including an OSPF process, updates to the tag may not be preserved.

Conditions:
-- Redistributing routes from OSPF process to another protocol or process.
-- OSPF LSAs with external route tag != 0.
-- External route tag changes to 0.

Impact:
Routing policy may not be executed correctly leading to misrouted or discarded traffic.

Workaround:
Clearing the affected route resolves the issue. This might require clearing the OSPF process. To do so, follow this process:

In imish, run the following command:

clear ip ospf

This interrupts routing that relies on OSPF until the network reconverges.

Fix:
OSPF external tag updates are correctly propagated through redistribution.


698396 : Config load failed after upgrade from 12.1.2 to 13.x or 14.x

Component: Traffic Classification Engine

Symptoms:
sys load fails with the following errors:
....
Loading schema version: 14.0.0
0107153e:3: Application id out of the valid range of [8192-16384).
Unexpected Error: Loading configuration process failed.

Conditions:
When a CEC IM is applied to 12.1.2 and the system is then upgraded to 13.x or 14.x, sys load fails.

Impact:
System will fail to come to Active state after upgrade.

Workaround:
Manually delete /var/libdata/dpi/conf/classification_update.conf and then reload the configuration.


698338 : Potential core in MRF occurs when pending egress messages are queued and an iRule error aborts the connection

Component: Service Provider

Symptoms:
The system may core.

Conditions:
-- Egress messages are queued waiting for MR_EGRESS event to be raised.
-- Current MR event exits with an error, thus aborting the connection.

Impact:
The system cores and will restart.

Workaround:
None.

Fix:
The system now returns pending messages back to the originator if the connection aborts due to an iRule error.


698333 : TMM core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families)

Solution Article: K43392052

Component: Advanced Firewall Manager

Symptoms:
TMM would core upon matching a past (saved) dynamic signature of a specific family (network or dns) after the dynamic signature is disabled for that family on the parent context (but still enabled for other families).

Conditions:
This occurs in the following scenario:
-- Enable Network and DNS BDOS simultaneously (on DoS Device config).
-- Generate dynamic signature that has both network and DNS metrics.
-- Wait for signature to be moved to 'past' (persist) state.
-- Disable either network or DNS BDOS (but not both).
-- TMM cores if the traffic matches this signature.

Impact:
Traffic interruption due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
In this release, if the dynamic signature is disabled for a specific family on a parent context (but not disabled for the other family on that context), any past attack signature for the context is deleted from the system.


698226 : Filters under Security :: Reports :: DoS :: URL Latencies work incorrectly

Component: Application Visibility and Reporting

Symptoms:
When filtering data by a field in the 'Security :: Reports :: DoS :: URL Latencies' form, the filtering fails and the monpd process crashes.

Conditions:
There is some statistical data for DoS.

Impact:
Reports based on GUI filters are not complete.

Workaround:
No workaround.

Fix:
The system now creates the correct query for this filter, so the issue no longer occurs.


698084 : IPsec log messages in /var/log/ltm missing module ID to reach bigiq logs

Solution Article: K03776801

Component: TMOS

Symptoms:
Some groups of messages logged by tmipsecd are missing the errdefs annotation that identifies IPsec as the module. Messages reported when tunnels go up and down, or problems with listeners, go only to ltm logs, with no visibility to bigiq logs.

Conditions:
Missing the IPsec module subset ID.

Impact:
Missing IPsec messages in the bigiq logs.

Workaround:
No workaround at this time.

Fix:
The IPsec module subset ID has been added to tmipsecd log messages, so those messages will reach bigiq logs. Some log messages previously appearing only in /var/log/ltm now also appear in ipsec.log and also reach bigiq logs.


698080-4 : TMM may consume excessive resources when processing with PEM

Solution Article: K54562183


698050 : Under certain extreme conditions, big3d may core

Component: Global Traffic Manager (DNS)

Symptoms:
While running at 100% CPU, big3d loses connection with mcpd. Instead of big3d attempting to reconnect, a core is created.

Conditions:
The likely cause of this crash is a missing check for a valid file descriptor/connection before use.

Impact:
Lost iQuery connection.

Workaround:
None.

Fix:
This fix adds a check so that big3d will retry the connection instead of creating a core.


698013 : TACACS+ system auth and file descriptors leak

Solution Article: K27216452

Component: TMOS

Symptoms:
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to lack of HTTP-based access to the BIG-IP system.

Conditions:
-- Remote system authentication configured to use TACACS+.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include the Web UI, iControl, and iControl REST.
-- Repeated automated access using iControl is the fastest route.

Impact:
In some circumstances, the leak might accumulate to the point that no file descriptors are available and administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Workaround:
Workaround options:
1. Use only SSH for administrative access.
2. Restart httpd as needed.


698000 : Connections may stop passing traffic after a route update

Solution Article: K04473510

Component: Local Traffic Manager

Symptoms:
When a pool is used with a non-translating virtual server, routing updates may lead to an incorrect lookup of the nexthop for the connection.

Conditions:
-- Pool on a non-translating virtual server.
-- Routing update occurs.

Impact:
Connections may fail after routing updates. New connections will not be affected.

Workaround:
Use a route to direct traffic to the ultimate destination rather than using a pool to indicate the nexthop.

Fix:
Routing updates no longer interrupt traffic on connections that use a pool member to reach the nexthop.


697856 : Profile from Common imported to other partition should still point to log-settings in Common

Component: Access Policy Manager

Symptoms:
If an access profile exported from the Common partition references log-settings in the Common partition, importing that access profile into another partition fails with an error that /partition/log-setting-name is not available.

Conditions:
An access profile is exported from the Common partition and imported into a non-Common partition.

Impact:
There are no default log facilities (e.g., default-log-settings) in the partition. You must create them manually.

Workaround:
To work around this issue, use the following procedure:

1. Create log objects with the proper name in the target partition.
2. Import the access profile.

Fix:
All policies exported from Common now expect the log objects to be present in Common, regardless of the target partition.


697756 : Policy with CSRF URL parameter cannot be imported as binary policy file

Component: Application Security Manager

Symptoms:
A policy with at least 1 CSRF URL parameter defined cannot be imported as a binary policy file.

Conditions:
A policy has at least 1 CSRF URL parameter defined.

Impact:
The policy cannot be imported as a binary policy file.

Workaround:
There is no workaround at this time.

Fix:
A policy with CSRF URL parameters defined can now be imported as a binary policy file.


697724 : Login LDAP Attribute for Active Directory configurations incorrectly capitalizes sAMAccountName

Component: TMOS

Symptoms:
When configured for Active Directory remote authentication, the BIG-IP incorrectly modifies the sAMAccountName parameter with all lower-case letters.

Conditions:
The BIG-IP is configured for remote auth for Active Directory.

Impact:
Remote authentication against Active Directory fails.

Workaround:
Use TMSH to fix this attribute.

Fix:
The system now uses the correct case for the sAMAccountName parameter.


697718 : Increase PEM HSL reporting buffer size to 4K.

Component: Policy Enforcement Manager

Symptoms:
Before this fix, the PEM HSL reporting buffer size was limited to 512 bytes.

Conditions:
If any PEM HSL flow reporting stream goes beyond 512 bytes, it will be truncated.

Impact:
Part of PEM HSL flow reporting information will be lost.

Fix:
The PEM HSL reporting buffer size has been increased to 4K, which should be enough for the use cases currently known.


697636 : ACCESS is not replacing headers while replacing POST body

Component: Access Policy Manager

Symptoms:
If the first request for a session is a POST, APM will save the POST to replay after the policy completes. When the POST is restored after policy completion and released to the backend, the headers are the same as the most recent client request, not the original POST. In particular, the Content-Length header will not match the original POST.

Conditions:
First request for the session is a POST.

Impact:
Backend servers may complain of an incomplete HTTP POST due to a mismatching Content-Length header.

Workaround:
None.

Fix:
Now, the system takes all headers from the original POST, except the Authorization header that Kerberos RBA needs, which is taken from the most recent client request.


697615 : Neurond may restart indefinitely after boot, with neurond_i2c_config message

Component: TMOS

Symptoms:
The neurond daemon may continually restart after a reboot. The problem may persist even after a reboot of the BIG-IP system. Manually stopping and starting neurond will not resolve the problem.

Conditions:
- This occurs only on BIG-IP platforms that contain a specific hardware part running v13.1.0.
- The issue happens only after a reboot of the BIG-IP system.

Impact:
The BIG-IP system constantly logs messages similar to the following:

emerg logger: Re-starting neurond


The /var/log/neurond logfile contains messages similar to the following:

-- neurond_i2c_config_steps: STEP 20 Checking for Lane Alignment
-- neurond_i2c_config_steps: Timeout waiting for good rx_align for ILK1 of NSP
-- neurond_i2c_config: neurond_i2c_config_steps failed.

Workaround:
If you are not using FIX features, disabling the neurond service is a safe option.

If your configuration relies on the FIX feature, a cold reboot by removing the BIG-IP system from the power may resolve the problem. However, multiple retries are sometimes necessary to get the part to initialize.

Fix:
This release increases the number of initialization retries to handle this condition, so continual restart no longer occurs.


697510 : Portal Access: Internet Explorer may encounter JavaScript error in multi-window Web application

Component: Access Policy Manager

Symptoms:
If a Web application holds references to objects in a different window, these references may become invalid after that window is closed or reloaded. In Internet Explorer, Portal Access may not work correctly if the Web application uses references to forms or links in another window. This error appears when the Web application uses emulation modes in Internet Explorer.

Conditions:
- Internet Explorer in any emulation mode
- Multi-window Web application which uses inter-window object references

Impact:
Web application may not work correctly

Fix:
Now multi-window Web applications work correctly in Internet Explorer via Portal Access.


697363 : FPS should forward all XFF header values

Component: Fraud Protection Services

Symptoms:
For BIG-IP alerts, FPS inserts a single XFF header containing the client IP and discards all XFF values/headers from the original request (the request that triggered the alert).

Conditions:
Alert generated on BIG-IP side.

Impact:
Original XFF information will be lost: only a single XFF header (containing client IP) will be present.

Workaround:
None.

Fix:
FPS now copies all original XFF headers to the generated alert.


697303 : BD crash

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
-- The internal parameter relax_unicode_in_json is set to 1.
-- Specific traffic scenario.

Impact:
BD crash, failover, and traffic disturbance.

Workaround:
Turn off the internal parameter relax_unicode_in_json.

Fix:
BD no longer crashes under these conditions.


697259 : Different versioned vCMP guests on the same chassis may crash.

Solution Article: K14023450

Component: Local Traffic Manager

Symptoms:
The vCMP guest TMM crashes soon after startup.

Conditions:
-- You are using BIG-IP software versions 12.1.0-12.1.2.
-- vCMP guests are deployed in a chassis.
-- You configure a new guest running unaffected software alongside an existing or new guest running affected software. In other words, the issue occurs if you mix guests running affected and non-affected versions in a single vCMP host.

Impact:
vCMP guests running older versions of the software might crash. Blades continuously crash and restart. Traffic cannot pass. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Different versioned vCMP guests on the same chassis no longer crash.


696808 : Disabling a single pool member removes all GTM persistence records

Solution Article: K35353213

Component: Global Traffic Manager (DNS)

Symptoms:
Disabling a single pool member removes all GTM persistence records.

Conditions:
1. WideIP with persistence enabled.
2. drain-persistent-requests no.
3. GTM pool member toggled from enabled to disabled.

Impact:
All GTM persistence records are accidentally cleared.

Workaround:
Set drain-persistent-requests yes.

Fix:
When drain-persistent-requests is set to no, only the persistence records associated with the affected pool members are cleared when a resource is disabled.


696789 : PEM Diameter incomplete flow crashes when TCL resumed

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created (for example, because it is suspended by an iRule) and the iRule is then resumed because of a timeout, tmm crashes.

Conditions:
PEM Diameter flow not fully created, suspended by iRule, and the iRule is resumed by timeout.

Impact:
The tmm will restart and all flows will reset.

Fix:
The PEM Diameter flow is now created in such a way that an iRule resumed by timeout no longer causes a crash.


696732-1 : tmm may crash in a compression provider

Solution Article: K54431534

Component: TMOS

Symptoms:
TMM may crash with the following panic message in the log files:

panic: ../codec/compress/compress.c:1161: Assertion "context active" failed.

Conditions:
-- Running on the following platforms: BIG-IP i-series or VIPRION 4400 blades.
-- Virtual servers are performing compression.

Impact:
TMM crashes; traffic is disrupted while tmm restarts.

Workaround:
Do not use compression, or use software compression instead of hardware compression. To configure for software compression, run the following command:

tmsh modify sys db compression.strategy value softwareonly


696642 : monpd core is sometimes created when the system is under heavy load.

Component: Application Visibility and Reporting

Symptoms:
When the system is under heavy load, aggregation of statistics tables in the database sometimes takes too much time and the watchdog is triggered. When that happens, the watchdog aborts the application and produces a core file.

Conditions:
-- System under heavy load.
-- Setting and resetting DoS profile on virtual servers.
-- Using AVR.
-- Displaying aggregated statistics.

Impact:
System produces monpd core file, when no real crash occurs.

Workaround:
None.

Fix:
The watchdog trigger no longer creates a core file by default under these conditions.


696525 : B2250 blades experience degraded performance.

Component: Performance

Symptoms:
B2250 blades have degraded performance by up to 17%. This is caused by connections not being offloaded to hardware as often as expected.

Conditions:
This occurs when the FastL4 profile is configured to offload to hardware and the service provider DAG is configured and in use on B2250 blades.

Impact:
Performance will be degraded due to more connections being handled in software.

Workaround:
None.

Fix:
The performance issue for the B2250 blades has been fixed.


696468-1 : Active compression requests can become starved from too many queued requests.

Component: TMOS

Symptoms:
From the "tmctl compress" table: the cur_ctx value for QAT is equal to or higher than 512, and cur_active remains at zero.

CPU utilization per tmm in this condition may be quite high.

Conditions:
At least 512 contexts with no traffic wait in the compression queue and prevent new requests from getting compression service.

Impact:
Compression on a per-tmm basis can stop servicing new requests.

Workaround:
Switch to software compression.

Fix:
The restriction is softened so that accumulated contexts with no traffic cannot prevent busy contexts from getting compression time.


696383 : PEM Diameter incomplete flow crashes when swept

Component: Policy Enforcement Manager

Symptoms:
If a PEM Diameter flow is not fully created, for example suspended by an iRule, the sweeper may encounter a tmm crash.

Conditions:
-- PEM Diameter flow not fully created.
-- The flow is suspended by an iRule.
-- There is a CMP state change (likely) or a manual cluster-mirror change (less likely) while the flow is suspended.

Impact:
The tmm restarts and all flows reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The PEM Diameter flow is now created in such a way that the sweeper no longer causes a crash.


696340 : Import of objects from non-Common partitions linked to objects in Common partition may fail

Component: Access Policy Manager

Symptoms:
Export of objects from non-Common partitions that are linked to objects in the Common partition may fail with an error similar to: Import Error: 01070734:3: Configuration error: /Common/xyz is not found. Unexpected Error: Validating configuration process failed.

Conditions:
The original object is in a local (non-Common) partition and references an object in the Common partition.

Impact:
Certain configurations become unexportable.

Workaround:
Use objects in the same partition when importing or exporting.

Fix:
Export and import now work correctly.


696294 : TMM core may be seen when using Application reporting with flow filter in PEM

Component: Policy Enforcement Manager

Symptoms:
TMM core with a flow filter when the Application reporting action is enabled.

Conditions:
Application reporting is enabled along with a flow filter.

Impact:
TMM restart causing service interruption.

Fix:
The application start buffer is now initialized, which prevents the TMM core.


696265 : BD crash

Component: Application Security Manager

Symptoms:
BD crash.

Conditions:
ecard_max_http_req_uri_len is set to a value greater than 8 KB.

Impact:
Potential traffic disturbance and failover.

Workaround:
Change the value of ecard_max_http_req_uri_len to a size lower than 8 KB.

Fix:
Fixed a BD crash scenario.


696260 : GUI Network Map as Start Screen presents database error

Solution Article: K53103420

Component: TMOS

Symptoms:
If the Network Map is set as the Preferences Start Screen, the GUI will display a database error page.

Conditions:
Set System :: Preferences : Start Screen to Network Map.

Impact:
Error page is displayed.

Workaround:
Navigate to the Network Map via the left navigation menu: Local Traffic :: Network Map.

Fix:
The Start Screen now launches successfully into the Network Map page.


696212 : monpd does not return data for multi-dimension query

Component: Application Visibility and Reporting

Symptoms:
When querying 'time-series' data for multiple-dimensions, most multi-dimension queries receive an empty response.

Conditions:
This occurs because the order of entities in the query is not sorted by priority.

Impact:
The corresponding dashboard displays incorrect statistics.

Workaround:
There is no workaround at this time.

Fix:
The monpd process now performs two queries in order to get the 'time-series' data for multi-dimensions:
-- The first query gets the top entities.
-- The second query gets data that is 'drilled down' by the top entities, the ones received from the first query.


696201 : Anomaly threshold floor calculation (for bins with very low learnt threshold) during signature generation

Component: Advanced Firewall Manager

Symptoms:
AFM might generate a dynamic signature for those bins that have a very low learnt threshold during the learning phase, if the current traffic rate spikes and increases above the anomaly threshold floor db variable value, as specified by l4bdos.anomaly.threshold.floor.

Conditions:
AFM dynamic signature feature is enabled.

Impact:
This might cause AFM to generate signatures with higher false positives.

This is specifically due to incorrect application of db variable setting 'l4bdos.anomaly.threshold.floor' that should be interpreted as the 'floor' value of learnt thresholds for any bin. So, if the learnt threshold of a bin is lower than this db variable, the baseline threshold of the bin should be set to the db variable for anomaly detection phase.

Workaround:
There is no workaround at this time.

Fix:
This issue is fixed by making sure that db variable 'l4bdos.anomaly.threshold.floor' is used as the 'floor' value of baseline thresholds for those bins that have a learnt threshold lower than this db variable.


696113 : Extra IPsec reference added per crypto operation overflows connflow refcount

Component: TMOS

Symptoms:
The size of the refcount field in connflow became smaller, making the length of some crypto queues in IPsec able to reach and exceed the maximum refcount value.

Conditions:
When a large data transfer under an IPsec SA creates a queue of crypto operations longer than the connflow's refcount can handle, the refcount can overflow.

Impact:
Unexpected tmm failover after refcount overflow.

Workaround:
There is no workaround at this time.

Fix:
An object tracking crypto operations now adds a sole reference to the connflow for as long as the count of pending crypto operations is nonzero.
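As an added illustration of the refcount problem described in this entry (example code written for this page, not BIG-IP or TMM source), the following toy models a connflow with a deliberately narrow 8-bit reference count. The width is an assumption made only so the wrap-around is visible; the real field width is not stated here. It compares the per-operation scheme, where every queued crypto operation takes its own reference, with the fixed scheme, where a tracker object holds exactly one reference while its (wide) pending-operation counter is nonzero.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy connflow. The 8-bit refcount is an assumption made for this example so
 * that the wrap-around is easy to see; the real field width is not stated. */
typedef struct {
    uint8_t refcnt;   /* references held on the flow; 0 means it may be freed */
    bool freed;       /* set when the count reaches zero (flow "freed") */
} connflow_t;

/* Per-run observations returned to the caller. */
typedef struct {
    uint8_t peak_refcnt;   /* highest refcount seen while queuing */
    uint8_t final_refcnt;  /* refcount after every queued operation completed */
    bool premature_free;   /* refcount wrapped to zero while ops were still pending */
} sim_result_t;

static void flow_ref(connflow_t *f) {
    f->refcnt++;                         /* unchecked: wraps silently past 255 */
}

static void flow_unref(connflow_t *f) {
    if (f->refcnt == 0) { f->freed = true; return; }   /* already zero: would be a use-after-free */
    if (--f->refcnt == 0) f->freed = true;
}

/* Buggy scheme: every queued crypto operation takes its own reference. */
sim_result_t simulate_per_op_refs(size_t nops) {
    connflow_t f = { 1, false };         /* 1 = the owner's reference */
    sim_result_t r = { 1, 0, false };
    for (size_t i = 0; i < nops; i++) {
        flow_ref(&f);
        if (f.refcnt == 0) r.premature_free = true;   /* wrapped: flow looks unreferenced */
        if (f.refcnt > r.peak_refcnt) r.peak_refcnt = f.refcnt;
    }
    for (size_t i = 0; i < nops; i++) flow_unref(&f);   /* operations complete */
    r.final_refcnt = f.refcnt;
    return r;
}

/* Fixed scheme: a tracker counts pending operations in a wide counter and holds
 * exactly one flow reference for as long as that count is nonzero. */
typedef struct {
    connflow_t *flow;
    size_t pending;
} crypto_tracker_t;

static void tracker_queue(crypto_tracker_t *t) {
    if (t->pending == 0) flow_ref(t->flow);   /* first pending op: take the single reference */
    t->pending++;
}

static void tracker_complete(crypto_tracker_t *t) {
    if (t->pending == 0) return;
    if (--t->pending == 0) flow_unref(t->flow);   /* queue drained: release it */
}

sim_result_t simulate_single_ref(size_t nops) {
    connflow_t f = { 1, false };
    crypto_tracker_t t = { &f, 0 };
    sim_result_t r = { 1, 0, false };
    for (size_t i = 0; i < nops; i++) {
        tracker_queue(&t);
        if (f.refcnt == 0) r.premature_free = true;
        if (f.refcnt > r.peak_refcnt) r.peak_refcnt = f.refcnt;
    }
    for (size_t i = 0; i < nops; i++) tracker_complete(&t);
    r.final_refcnt = f.refcnt;
    return r;
}

int main(void) {
    sim_result_t bug = simulate_per_op_refs(300);
    sim_result_t fix = simulate_single_ref(300);
    printf("per-op refs: peak=%u final=%u premature_free=%d\n",
           bug.peak_refcnt, bug.final_refcnt, bug.premature_free);
    printf("single ref:  peak=%u final=%u premature_free=%d\n",
           fix.peak_refcnt, fix.final_refcnt, fix.premature_free);
    return 0;
}
```

With 300 queued operations the per-operation scheme wraps the count to zero while work is still outstanding and ends with the owner's own reference gone (final count 0), which is the failover-inducing condition; the single-reference scheme never exceeds a count of 2 and returns to 1 when the queue drains, so the size of the crypto queue no longer bears on the refcount at all.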


696073 : BD core on a specific scenario

Component: Application Security Manager

Symptoms:
bd process crashes, and core file created in the /shared/core/ directory.

Conditions:
Specific request and response characteristics that relate to CSP headers sent by the server.

Impact:
Failover in high availability units.

Workaround:
Disable CSP headers handling in ASM by running the following commands:

/usr/share/ts/bin/add_del_internal add csp_enabled 0
bigstart restart asm

Fix:
The system now reinitializes the CSP headers before each response headers event, so this issue no longer occurs.


696049 : High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running

Solution Article: K55660303

Component: Service Provider

Symptoms:
High CPU load on generic message if multiple responses arrive while asynchronous Tcl command is running.

Conditions:
Multiple response messages arrive on a connection while an asynchronous Tcl command is running on that connection.

Impact:
High CPU load might occur as multiple responses will be assigned the same request_sequence_number.

Workaround:
None.

Fix:
Request_sequence_numbers are not assigned to response messages until the Tcl event is executed for that message. This avoids assigning the same number to multiple events.


695968 : Memory leak in case of a PEM Diameter session going down due to remote end point connectivity issues.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in a potential OOM scenario.

Conditions:
1. PEM configured with Gx
2. Flaky Diameter connection
3. Subscriber creation via PEM

Impact:
Potential loss of service.

Workaround:
There is no workaround at this time.

Fix:
Freed Diameter messages appropriately.


695953 : Custom URL Filter object is missing after load sys config TMSH command

Component: Access Policy Manager

Symptoms:
The user cannot see the custom URL Filter object that was created through either TMSH or the GUI.
If the filter object is referenced in an Access Policy, the policy fails to load during the "load sys config" command, with an error similar to:
01070712:3: Values (/Common/custurlfilter) specified for URL Filter Lookup Agent (/Common/prp_act_url_filter_lookup_ag): foreign key index (name_FK) do not point at an item that exists in the database.
Unexpected Error: Loading configuration process failed.

Conditions:
The custom URL Filter object is missing after the user does "load sys config" command in TMSH. Please note that SWG is not provisioned in this case.

Impact:
(1) The access policy fails to load if it references the URL Filter object. The user cannot use the URL Filter object in the policy.

Workaround:
(1) Provision SWG, and recreate the URL Filter
or
(2) Change bigip.conf to include the URL Filter object

Fix:
During load sys config, the custom URL filter is now saved properly and is always visible and usable in the policy.


695925 : tmm crash when showing connections for a CMP disabled virtual server

Component: Local Traffic Manager

Symptoms:
tmm crashes when performing 'tmsh show sys connection' and there is a connection from a secondary blade to a CMP-disabled virtual server.

Conditions:
This occurs when all of the following conditions are met:

-- There is a CMP-disabled virtual server.

-- There is a connection to that server from the control plane of a secondary blade (this can include monitoring traffic).

-- Connections are displayed that include the connection from the secondary blade ('tmsh show sys connection').

Impact:
tmm crashes and restarts impacting traffic.

Workaround:
Do not use 'cmp-enabled no' virtual servers when there will be connections from the BIG-IP control plane to the virtual server.

Avoid using 'tmsh show sys connection'.


695901 : TMM may crash when processing ProxySSL data

Solution Article: K46940010


695873-1 : Entry for ssl key removed from tmsh causes tmsh load config to fail

Component: TMOS

Symptoms:
As part of phonehome, the licensing process uses an encrypted key that keeps its passphrase securely in tmsh.

Conditions:
If the tmsh entry is deleted, the key can no longer be used, issuing a new registration key fails to create a new key, and the bigip.conf no longer loads.

Impact:
The bigip.conf will not load without having to edit out the key and certificate entries. Also, phonehome will not work since there is no passphrase for the encrypted key.

Workaround:
Edit out the section for f5_api_com.key in /config/bigip.conf and run tmsh load sys config. Then remove the key: rm -f /config/ssl/ssl.key/f5_api_com.key and reinstall the license registration key.

Fix:
The license process now tests whether tmsh has a reference to f5_api_com.key and deletes the actual key, which then generates a new key and passphrase, thus updating tmsh.


695847 : FPS: empty POST alert request may be forwarded to application server

Component: Fraud Protection Services

Symptoms:
An empty POST alert request is forwarded to the application server when the trigger iRule event is enabled.

Conditions:
1. Empty POST alert request.
2. Trigger iRule events is enabled in the FPS profile.

Impact:
The alert is erroneously forwarded to the application server.

Workaround:
Drop the empty POST alert request with an iRule.

Fix:
FPS no longer forwards alerts to the application server.


695775 : Changes in browsers tests for Device ID calculation

Component: Advanced Firewall Manager

Symptoms:
Some browser tests are inaccurate.

Conditions:
Device ID collection is enabled on either the ASM Policy or DoS Profile.

Impact:
Device ID might be inaccurate in some cases.

Workaround:
None.

Fix:
Removed some tests.


695707 : BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection

Component: Local Traffic Manager

Symptoms:
BIG-IP does not retransmit DATA_FIN when closing an MPTCP connection.

Conditions:
Close an MPTCP connection.

Impact:
If a DATA_ACK is not received for the DATA_FIN, the connection will stall until it times out.

Workaround:
There is no workaround at this time.

Fix:
Keep the retransmission timer running if an MPTCP connection can retransmit a DATA_FIN.


695563 : Improve speed of ASM initialization on first startup

Component: Application Security Manager

Symptoms:
ASM initialization on first startup takes a long time.

Conditions:
Provision ASM.

Impact:
ASM initialization takes a long time.

Workaround:
There is no workaround at this time.

Fix:
ASM initialization on first startup is faster.


694947 : bcm56xxd restart causes error logs from stpd, lldpd and lacpd.

Component: TMOS

Symptoms:
When bcm56xxd restarts as a result of an interface bundling change, other daemons (lldpd, stpd, lacpd) lose connectivity for the duration of the restart. This loss of connectivity results in the following errors being logged:

-- err stpd[11965]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
-- err stpd[11965]: 01280012:3: HAL packet request sendMessage failed (slot 0)
-- err lacpd[10147]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
-- err lacpd[10147]: 01160005:3: HalMsgHandler.cpp:125 - HAL send PDU request failed
-- lldpd[11052]: 01290003:3: HalmsgTerminalImpl_::sendMessage() Unable to send to any BCM56XXD address
-- err lldpd[11052]: 01570004:3: HAL send PDU request failed

Conditions:
Enabling or disabling bundling on a 40 GB interface.

Impact:
Restart of bcm56xxd, which also results in restart of other daemons and logging of error messages to LTM log. Traffic disrupted while daemons restart.

Workaround:
None.

Fix:
Enabling or disabling bundling on a 40 GB interface now presents a message similar to the following:

Are you sure? Y/N (changing the interface bundling will restart bcm56xxd, cause loss of connectivity to other daemons and impact traffic).


694934 : bd crashes on a very specific and rare scenario

Component: Application Security Manager

Symptoms:
When the system is configured in a specific way and the request sender responds incorrectly, bd crashes.

Conditions:
This rarely encountered crash occurs when there is a very specific BIG-IP system configuration, and ICAP is configured but not responding.

Impact:
bd crashes.

Workaround:
None.

Fix:
The bd crash no longer occurs under these conditions.


694922 : ASM Auto-Sync Device Group Does Not Sync

Component: Application Security Manager

Symptoms:
In rare circumstances a device may enter an untrusted state and confuse the device group.

Conditions:
1) ASM sync is enabled on an autosync device group
2) A new ASM entity is created on a device

Impact:
ASM configuration is not correctly synchronized between devices

Workaround:
1) Remove ASM sync from the device group (Under Security ›› Options : Application Security : Synchronization : Application Security Synchronization)
2) Restart asm_config_server.pl on both devices and wait until they come back up
3) Change the device group to a manual sync group
4) On the device with the good configuration re-enable ASM sync for the device group
5) Make a spurious ASM change, and push the configuration.
6) Change the sync type back to automatic

Fix:
Devices no longer spuriously enter an untrusted state


694899 : PHP Vulnerability: CVE-2017-16642

Component: TMOS

Symptoms:
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.

Impact:
None. BIG-IP is Not Vulnerable.

Workaround:
None.

Fix:
PHP has been updated.


694897 : Unsupported Copper SFP can trigger a crash on i4x00 platforms.

Component: TMOS

Symptoms:
PFMAND can crash when an unsupported Proline Copper SFP is inserted in the 1G interfaces.

Conditions:
-- Using Proline CuSFP, Part number FCLF8521P2BTLTAA.
-- Inserted into 1 GB interfaces.
-- On i4x00 platforms.

Impact:
PFMAND cores.

Workaround:
Use only F5-branded Copper SFPs.

Fix:
This release updates SFP string parsing in PFMAND to account for NULL terminated vendor information.


694849 : TMM crash when packet sampling is turned on for DNS BDOS signatures.

Component: Advanced Firewall Manager

Symptoms:
TMM crashes upon traffic matching a DNS BDOS signature if packet sampling is turned on by enabling db variable (l4bdos.signature.sample.packet.frequency).

Conditions:
DB variable l4bdos.signature.sample.packet.frequency is modified to a non-zero value (to collect DNS packet info upon matching a DNS dynamic signature).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the packet sampling feature for BDOS signatures by setting the db variable l4bdos.signature.sample.packet.frequency to default value (0).

Fix:
TMM no longer crashes when packet sampling is turned on and traffic matches DNS BDOS signature.


694778 : Certain Intel Crypto HW fails to decrypt data if the given output buffer size differs from RSA private key size

Component: Local Traffic Manager

Symptoms:
SSO-enabled Native RDP resources cannot be accessed via hardware (HW) BIG-IP systems with 'Intel Cave Creek' coprocessor (i.e., SSL connection cannot be established with the db variable 'crypto.hwacceleration' enabled, and RSA key used).

Conditions:
The failure might occur in the following scenario:
-- Running on Intel Cave Creek Engine (e.g., BIG-IP 2000 (C112) or 4000 (C113)).
-- Client OS is Mac, iOS, or Android.
-- HW crypto is enabled
-- Using a virtual server with a client SSL profile and 2048 bit RSA key on.
-- Native RDP resource with enabled SSO is used on hardware BIG-IP with 'Intel Cave Creek' coprocessor.
-- Output buffer size differs from RSA private key size.

Impact:
-- SSL connection fails.
-- RDP client cannot launch the requested resource (desktop/application).

Workaround:
There is no workaround other than to disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSL connection can now be established as expected. SSO-enabled Native RDP resources can now be accessed via hardware BIG-IP systems with 'Intel Cave Creek' coprocessor (e.g., BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS, and Android clients.


694740 : BIG-IP reboot during a TMM core results in an incomplete core dump

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then HSB panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On this platform, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens before the core dump completes, resulting in an incomplete core dump which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
No workaround; does not hinder device operation, but does prevent post-crash analysis.

Fix:
Reboot is delayed until TMM core file is completed.


694717 : Potential memory leak and TMM crash due to a PEM iRule command resulting in a remote lookup.

Component: Policy Enforcement Manager

Symptoms:
TMM crashes

Conditions:
A PEM iRule command that results in an inter-TMM lookup, on a long-lived flow on which the command is hit several times (for example, a long-lived flow with multiple HTTP transactions).

Impact:
Traffic disrupted while tmm restarts.

Fix:
Always release the connFlow reference associated with the TCL command to avoid a memory leak and potential crash.


694697 : clusterd logs heartbeat check messages at log level info

Solution Article: K62065305

Component: Local Traffic Manager

Symptoms:
clusterd logs heartbeat check messages at log level info, similar to the following.

-- info clusterd[6161]: 013a0007:6: Skipping heartbeat check on peer slot 3: Slot is DOWN.
-- info clusterd[5705]: 013a0007:6: Checking heartbeat of peer slot: 2 (Last heartbeat 0 seconds ago)

Conditions:
log.clusterd.level set to info.

Impact:
This is a cosmetic issue: clusterd heartbeat messages are logged at info to /var/log/ltm.

Workaround:
Set log.clusterd.level to notice.

Fix:
The log level of the clusterd heartbeat check messages has changed. 'Skipping heartbeat check' messages are now logged at debug; 'Checking heartbeat of peer slot' messages are now logged at verbose and report on which bp the heartbeat was received.


694696 : On multiblade Viprion, creating a new traffic-group causes the device to go Offline

Component: TMOS

Symptoms:
All devices in the failover device group will go offline, resulting in traffic disruption and possible failovers.

Conditions:
When a new traffic-group is created on a multiblade Viprion system that is a member of a sync-failover device group.

Impact:
Traffic to all other traffic-groups is disrupted for several seconds.

Workaround:
There is no workaround at this time.

Fix:
Creating a new traffic-group does not disrupt existing traffic-groups.


694657 : ASM GUI displaying inconsistent policy sync version information

Component: Application Security Manager

Symptoms:
There is an inconsistency in how ASM-config derives the current policy revision, and in how it determines what is the 'latest' revision number for a policy.

When upgrading a machine, the system attempts to restore the 'last active version' of each policy. The system determines the latest version by the highest revision number, which is now wrong, so an older version of the policy is restored.

Conditions:
Inactivate policy and activate again.

Impact:
The policy revision numbers start again, so the GUI appears to be displaying incorrect information, which can cause confusion.

Workaround:
None.

Fix:
The system now ensures the correct revision sequence in Policy History, so this issue no longer occurs.


694656 : Routing changes may cause TMM to restart

Solution Article: K05186205

Component: Local Traffic Manager

Symptoms:
When routing changes are made while traffic is passing through the BIG-IP system, TMM might restart. This isn't a general issue, but can occur when other functionality is in use (such as Firewall NAT).

Conditions:
-- Routing changes occurring while BIG-IP is active and passing traffic.

-- Dynamic routing, due to its nature, is likely to increase the potential for the issue to occur.

-- Usage of Firewall NAT functionality is one specific case known to contribute to the issue (there may be others).

Impact:
TMM restarts, resulting in a failover and/or traffic outage.

Workaround:
If dynamic routing is not in use, avoiding static route changes may avoid the issue.

If dynamic routing is in use, there is no workaround.

Fix:
TMM now properly manages routing information for active connections.


694624 : SSO enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor

Component: Access Policy Manager

Symptoms:
APM Webtop's SSO-enabled Native RDP resources can't be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)) from Mac, iOS and Android clients. Each launch attempt generates the following errors in /var/log/apm:
... err vdi[123] ... {45.C} RsaDecryptData error: AsyncError:5: InvalidData
... err vdi[123] ... {45.C} An exception is thrown: handshake: decryption failed or bad record mac

Conditions:
Native RDP resource with enabled SSO is used on hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113)).
The client OS is Mac, iOS or Android.

Impact:
RDP client can't launch requested resource (desktop/application).

Workaround:
Disable crypto HW acceleration with the following command:
tmsh modify sys db crypto.hwacceleration value disable

Fix:
SSO enabled Native RDP resources now can be accessed via hardware BIG-IP with "Intel Cave Creek" coprocessor (e.g. BIG-IP 2000 (C112) or 4000 (C113) platforms) from Mac, iOS and Android clients.


694547 : TMSH save sys config creates unneeded generate_config processes.

Component: TMOS

Symptoms:
When saving a configuration through TMSH or iControl REST, a process called generate_config is created.

Conditions:
Run tmsh save sys config, or the same command through iControl REST.

Impact:
One generate_config process will be generated per save operation. If config save occurs often, these extraneous processes can slowly fill up the process table.

Workaround:
There is no real workaround other than not saving the config often enough to fill up the process table with these extraneous processes.

If the process table is full, to recover, you can restart tmsh, scriptd, or restjavad to clear out these unneeded processes.

Fix:
tmsh save sys config no longer generates generate_config processes.


694485 : Configuration sync does not sync iControl LX or iApp LX objects

Component: Device Management

Symptoms:
Configuration sync operations do not sync iControl LX or iApp LX objects. In DHD DDoS appliances, protected objects are essentially iApp LX blocks, and sometimes the system does not sync them to the high availability (HA) peer.

Conditions:
This issue occurs when there are dtca.key and dtca.crt files under the /config/ssl/ssl.key/ and /config/ssl/ssl.crt/ directories that do not match the same files on a peer device.

Impact:
iControl LX or iApp LX objects do not sync to HA peer. The Config Sync indicator on the BIG-IP system will say 'in sync'.

Workaround:
One possible workaround is to manually discover other BIG-IP devices in the REST device group by providing usernames and passwords. To do so, you can use a curl command similar to the following:
 
curl -X POST -d '{"address":"other_BIG-IP_mgmt_ip", "userName": "admin", "password":"admin_pw"}' http://localhost:8100/shared/resolver/device-groups/tm-shared-all-big-ips/devices

Fix:
dtca.key and dtca.crt are file objects that are managed by MCP. MCP keeps the correct copy of these files in the File Objects cache. iAppLX now reads them from MCP and the File Objects cache rather than from /config/ssl/ssl.key.


694319 : CCA without a request type AVP cannot be tracked in PEM.

Component: Policy Enforcement Manager

Symptoms:
May cause diagnostic issues, as not all CCA messages can be tracked.

Conditions:
1. PEM with Gx/Gy configured
2. PCRF sends CCA's without a request type AVP

Impact:
May hamper effective diagnostics.

Workaround:
Mitigation:
Configure the PCRF to always include a request type in its CCAs.

Fix:
A statistics counter has been added to track CCAs that do not contain a request type AVP.
Name of the new counter: cca_unknown_type


694318 : PEM subscriber sessions will not be deleted if a CCA-t contains a DIAMETER_TOO_BUSY return code and no request type AVP.

Component: Policy Enforcement Manager

Symptoms:
Subscriber sessions in PEM will be stuck in a "Marked for Delete" state.

Conditions:
1. PEM provisioned with Gx.
2. PCRF responds to a CCR-t with a DIAMETER_TOO_BUSY return code and no Request type AVP.

Impact:
Subscriber sessions stuck in delete pending, resulting in a potential increase in memory consumption over a period of time.

Workaround:
Mitigation:
PCRF (remote Diameter end point) must send a CCA-t with a request type AVP in case a DIAMETER_TOO_BUSY return code is present.

Fix:
Handle the DIAMETER_TOO_BUSY return code on a CCA-t regardless of the request type AVP.


694288 : VPE object names cannot contain special characters

Component: Access Policy Manager

Symptoms:
When a VPE object is created or renamed with one or more special characters, the characters are silently stripped and the name of the object is saved without them.

Conditions:
VPE object is created or renamed with one or more of the following special characters:
`~!@#$%^&*={}|:"<>?\;',.?

Impact:
There is no functional impact. This is working as expected even though it is not documented.

Workaround:
Do not include special characters when naming a VPE object.

Fix:
The system now posts the following message in this case:

VPE objects, such as a message box or macro, cannot contain special characters such as brackets, exclamation points, or question marks. The VPE removes the special characters when saving the object.

This is now documented. The following characters are not allowed in VPE object names:

`~!@#$%^&*={}|:"<>?\;',.?


694274 : [RHSA-2017:3195-01] Important: httpd security update - EL6.7

Solution Article: K23565223


694090 : Having multiple frames (window scopes) with specific names cause script failure.

Component: Fraud Protection Services

Symptoms:
Some variables appear to be global. Therefore, when the 'window' scope changes, the script runs into a logic error.

Conditions:
Multiple frames (window scopes) with specific names.

Impact:
Having multiple frames (window scopes) with specific names cause script failure.

Workaround:
None.

Fix:
Moved these global variables to be local and scope-independent.


694078 : TMM core with APM

Component: Access Policy Manager

Symptoms:
Intermittent tmm core under load.

Conditions:
-- Provision at least APM.

-- Additional required conditions are not well understood.

-- Seems more likely to occur when APM is provisioned with other modules, especially ASM or AVR.

Impact:
The BIG-IP system stops processing traffic while the TMM restarts.

Workaround:
None.

Fix:
Tmm core no longer occurs.


693996 : MCPD sync errors and restart after multiple modifications to file object in chassis

Solution Article: K42285625

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
Making multiple changes to the same file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


693979-1 : Autoscale is not functional because of the change in file permission of the /shared/vadc/aws/iid-document document

Component: TMOS

Symptoms:
The file permissions of /shared/vadc/aws/iid-document changed, and as a result the autoscale feature fails.

Conditions:
Whenever autoscale is triggered

Impact:
The autoscale feature does not work

Workaround:
The permission of /shared/vadc/aws/iid-document was never set explicitly. It inherited file permission flags from /shared/vadc/. We set the file permission explicitly.

Fix:
The autoscale feature is functional after changing file permissions of /shared/vadc/aws/iid-document.


693964 : Qkview utility may generate invalid XML in files contained in Qkview

Component: TMOS

Symptoms:
When Qkview runs, it may gather XML files that are not well-formed, and contain ASCII control characters. This is most commonly seen with mcp_module.xml.

An XML validator may report an error such as:

    mcp_module.xml:536081: parser error : PCDATA invalid Char value 29
      <msgs></msgs>
            ^

Conditions:
-- Running Qkview.
-- An ASCII control character exists within a certain string field.

Impact:
The control character will be written verbatim into XML without encoding. Automated tools (e.g., iHealth) that attempt to process these files may fail.

Workaround:
iHealth automatically detects and corrects this issue in uploaded Qkviews.

Because a Qkview is a tar.gz archive, it can be unpacked, the XML files edited with some other tool to correct the formatting, and then repacked. The xmllint command-line tool (present on the BIG-IP system) can also recover valid XML by removing the invalid characters.

To do so, you can run a command similar to the following:

    xmllint --recover mcp_module.xml --output mcp_module.xml

Fix:
Qkview no longer writes control characters in XML text, but instead processes them as expected.
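The malformed-XML problem in this entry, as an added example that is not part of this document or of Qkview itself: a Python check that locates the characters XML 1.0 forbids in text, confirms that a conforming parser (expat, via ElementTree) rejects such a file, and strips them the way the xmllint --recover workaround does. The sample document is constructed, not a real mcp_module.xml.

```python
import re
import xml.etree.ElementTree as ET

# Code points XML 1.0 does not allow anywhere in a document: C0 controls other
# than tab, LF and CR, the surrogate range, and U+FFFE/U+FFFF.
_ILLEGAL_XML_CHARS = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ud800-\udfff\ufffe\uffff]")

# Constructed sample standing in for a fragment of mcp_module.xml: the string
# field carries a raw ASCII 0x1D (group separator), the "Char value 29" from
# the parser error quoted in the entry.
SAMPLE_XML = "<root><msgs>hello\x1dworld</msgs></root>"


def find_illegal_chars(text):
    """Return (offset, code point) for each character XML 1.0 forbids."""
    return [(m.start(), ord(m.group())) for m in _ILLEGAL_XML_CHARS.finditer(text)]


def is_well_formed(text):
    """True if a conforming parser (expat, via ElementTree) accepts the text."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


def sanitize(text):
    """Drop the forbidden characters, which is what xmllint --recover does."""
    return _ILLEGAL_XML_CHARS.sub("", text)


def mark_illegal(text):
    """Alternative that keeps the evidence: replace each forbidden character with
    a visible hex marker. A numeric character reference such as &#x1d; would
    not help, because XML 1.0 forbids references to these code points too."""
    return _ILLEGAL_XML_CHARS.sub(lambda m: "[0x%02X]" % ord(m.group()), text)


def recover_and_parse(text):
    """Sanitize, then parse; returns the root element of the recovered document."""
    return ET.fromstring(sanitize(text))


if __name__ == "__main__":
    print("illegal characters:", find_illegal_chars(SAMPLE_XML))
    print("well-formed as received:", is_well_formed(SAMPLE_XML))
    print("recovered <msgs>:", recover_and_parse(SAMPLE_XML).find("msgs").text)
```

Run over an unpacked Qkview, find_illegal_chars tells you which files iHealth would have to repair, and sanitize reproduces the xmllint result without depending on the BIG-IP host.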


693910 : Traffic Interruption for MAC Addresses Learned on Interfaces that Enter Blocked STP State (2000/4000/i2800/i4800 series)

Component: Local Traffic Manager

Symptoms:
Some MAC addresses might experience delayed forwarding after the interface on which they are learned transitions to an STP blocked state. This is because the FDB entries are not flushed on these interfaces after they change to a blocked state. Traffic destined to these MAC addresses is dropped until their associated entries in the FDB age out.

Conditions:
MAC addresses are learned on an STP forwarding interface that transitions to a blocked state following a topology change.

Impact:
Traffic interruption for up to a few minutes for MAC addresses learned on the affected interface.

Workaround:
None.

Fix:
FDB entries are now flushed per interface whenever an interface transitions to an STP blocked state.


693884 : ospfd core on secondary blade during network instability

Component: TMOS

Symptoms:
ospfd core on secondary blade while network is unstable.

Conditions:
-- Dynamic routing configured with OSPF on a chassis.
-- During a period of network instability.

Impact:
The dynamic routing process ospfd cores on a secondary blade.

Workaround:
None.


693825 : Improved cases of legitimate browsers getting CAPTCHA

Component: Advanced Firewall Manager

Symptoms:
Some legitimate browsers may be detected as suspicious.

Conditions:
Proactive Bot Defense, Block suspicious browsers is enabled.

Impact:
In some cases legitimate users might get a CAPTCHA.

Workaround:
None.

Fix:
Improved the tests used to determine suspicious browsers.


693782 : Mobile UC browser has been blocked by Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
A request from UC Browser installed on a mobile device is blocked (the client receives a TCP RST or a CAPTCHA).

Conditions:
-- ASM or DoS is provisioned.
-- Proactive Bot Defense enabled within DoS profile.
-- The DoS profile attached to a virtual server.

Impact:
Requests from mobile UC browser are blocked.

Workaround:
To work around this issue, you can use either of the following workarounds:
-- Disable Proactive Bot Defense.
-- Set the dosl7.browser_legit_min_score_drop sys db variable to a higher value, similar to the following:

list sys db dosl7.browser_legit_min_score_drop
sys db dosl7.browser_legit_min_score_drop {
    value "120"
}

Fix:
Mobile UC browser is no longer blocked by Proactive Bot Defense checks.


693780 : Proactive Bot Defense sends CAPTCHA to the UC browser on iOS devices

Component: Advanced Firewall Manager

Symptoms:
When a request arrives from UCBrowser running on iOS without the TSPD_101 cookie (the Proactive Bot Defense cookie), the BIG-IP system responds with a CAPTCHA challenge.

Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.

Impact:
UC browser end-user presented with captcha challenge.

Workaround:
Increase the Proactive Bot Defense score by setting the dosl7.browser_legit_min_score_captcha sys db variable to a higher value, similar to the following:
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}

Fix:
User agent parser has been changed (adjusted) for the UC browser. The UC browser is detected as safari ios.


693775 : Proactive Bot Defense sends CAPTCHA to the Safari 5-6.2

Component: Advanced Firewall Manager

Symptoms:
Safari 5-6.2 gets a CAPTCHA when Proactive Bot Defense is enabled and a request arrives without a valid Proactive Bot Defense cookie.

Conditions:
1. ASM or DoS Provisioned.
2. DoS Application profile assigned to a virtual server.
3. Proactive Bot Defense and Block suspicious browsers sections are enabled in the DoS Application profile configuration.

Impact:
Legitimate users of Safari 5-6.2 are challenged with captcha.

Workaround:
Disable Proactive Bot Defense, or set the dosl7.browser_legit_min_score_drop sys db variable to a higher value, similar to the following:

list sys db dosl7.browser_legit_min_score_drop
sys db dosl7.browser_legit_min_score_drop {
    value "120"
}

Fix:
The CanIUse db has been updated to support Safari 5-6.2.


693744 : High CPU Usage by the TMM Can Cause SOD to Kill vCMP Guests

Solution Article: K64721111


693694 : tmsh::load within IApp template results in unpredicted behavior

Component: iApp Technology

Symptoms:
The tmsh::load command within an iApp template triggers a transaction within a transaction, which is not supported by MCP. One of the unexpected behaviors seen is with a template that has both an ASM policy and an LTM policy: the iApp framework does not let the user reconfigure the application service without turning off strict updates, and rerunning the template breaks the association of the LTM policy with the ASM policy.

Conditions:
The tmsh::load command is used in the template to create the ASM policy. With tmsh::create, no issue is seen.

Impact:
Association between the LTM policy and the ASM policy is broken.

Workaround:
Use tmsh::create or tmsh::modify to create or update the ASM policy through the iApp template.


693682 : iHealth should show sfdisk info for vda for Z101 vcmp guests.

Component: TMOS

Symptoms:
After collecting a qkview, the data regarding the output from sfdisk doesn't show /dev/vd* devices since it is looking for /dev/sd* or /dev/hd* only.

Conditions:
All qkviews are affected

Impact:
Information regarding the /dev/vd* devices is missing from the qkview.

Workaround:
The command can be run manually and sent as a separate diagnostic: /usr/sbin/sfdisk -l /dev/vdX where X is the device letter (e.g., /dev/vda)

Fix:
The fixed qkview now captures /dev/vd* devices


693663 : Proactive Bot Defense sends CAPTCHA to the Firefox browser on iOS only in desktop mode

Component: Advanced Firewall Manager

Symptoms:
When a request arrives from Firefox running on iOS in desktop mode without the TSPD_101 cookie (the Proactive Bot Defense cookie), the BIG-IP system responds with a CAPTCHA challenge.

Conditions:
Dos profile attached to a virtual.
Dos profile has application security enabled.
Dos profile has proactive bot defense enabled.

Impact:
Firefox (iOS desktop mode only) end-user presented with captcha challenge.

Workaround:
Increase the Proactive Bot Defense score by setting the dosl7.browser_legit_min_score_captcha sys db variable to a higher value, similar to the following:
list sys db dosl7.browser_legit_min_score_captcha
sys db dosl7.browser_legit_min_score_captcha {
    value "60"
}

Fix:
The user agent parser has been adjusted for the Firefox browser running in desktop mode. The browser is detected as safari pc, and the browser version is taken from the Mac version number.


693611 : IKEv2 ike-peer might crash on stats object during peer modification update

Solution Article: K76313256

Component: TMOS

Symptoms:
A crash occurs upon passing traffic through the IPsec interface.

Conditions:
When an ike-peer is updated, or first defined at startup.

Impact:
Tmm restarts on crash.

Workaround:
No workaround is known at this time.

Fix:
IKEv2 ike-peer no longer crashes on stats object during peer modification update.


693582 : Monitor node log not rotated for icmp monitor types

Component: Local Traffic Manager

Symptoms:
When Monitor Logging is enabled for an LTM node or pool member using certain monitor types, the monitor node log under /var/log/monitors/ is not rotated or compressed when log rotation occurs.

Conditions:
This occurs if Monitor Logging is enabled for an LTM node or pool member and the LTM node or pool member uses any of the following monitor types:
- icmp
- gateway-icmp

Impact:
Depending on the affected BIG-IP version in use, effects may include:
1. The active monitor node log is not rotated (not renamed from *.log to *.log.1).
2. The active monitor node log is rotated (renamed from *.log to *.log.1), but subsequent messages are logged to the rotated log file (*.log.1) instead of to the 'current' log file name (*.log).
3. The active monitor node log is not compressed (*.log.2.gz) when log rotation occurs.

Workaround:
To allow logging to the correct monitor node log file to occur, and for rotated monitor node log files to be compressed, disable Monitor Logging for the affected node or pool member(s).
If symptom #1 (from Impact section above) occurs, Monitor Logging can be re-enabled after log rotation has occurred.
To address symptom #2 or #3 (from Impact section above), Monitor Logging can be re-enabled immediately.
For more information on Monitor Logging, see:
K12531: Troubleshooting health monitors


693451 : Proactive Bot Defense has false positive selenium detection for UCBrowser

Component: Application Security Manager

Symptoms:
Proactive Bot Defense reports about selenium detection and blocks legitimate users of UCBrowser.

Conditions:
1. ASM or DoS Provisioned.
2. DoS Application profile assigned to a virtual server.
3. Proactive Bot Defense and Block suspicious browsers sections are enabled in the DoS Application profile configuration.

Impact:
Legitimate UCBrowser user blocked or presented with captcha challenge.

Workaround:
Disable Proactive Bot Defense, or set the dosl7.browser_legit_min_score_drop sys db variable to a higher value, similar to the following:

list sys db dosl7.browser_legit_min_score_drop
sys db dosl7.browser_legit_min_score_drop {
    value "120"
}

Fix:
Fixed the client-side userAgent parser. After the fix, the userAgent is parsed correctly as UCBrowser and the selenium tests are done accordingly.


693449 : Updating tests according to canIUse database

Component: Application Security Manager

Symptoms:
Some browser capabilities are changed.

Conditions:
Proactive Bot Defense, Block suspicious browsers is enabled.

Impact:
Browsers might get scored wrongly, and therefore get captcha/tcp rst when they shouldn't (Or not get when they should).

Workaround:
None.

Fix:
The internal database has been updated according to the CanIUse DB.


693422 : Proxy host synchronization

Component: TMOS

Symptoms:
The DB variable proxy.host is not synced to the peer. The other related db variables (proxy.port, proxy.protocol, proxy.username, and proxy.password) are synced to the peer.

Conditions:
When using proxy in a high availability (HA) configuration.

Impact:
You must manually configure the db variable proxy.host on each of the units in the HA configuration.

Workaround:
Manually change the proxy.host on the peer unit.

Fix:
Now the DB variable proxy.host is synced to the peer.


693312 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


693308 : SSL Session Persistence hangs upon receipt of fragmented Client Certificate Chain

Component: Local Traffic Manager

Symptoms:
When a very large Client Certificate Chain, typically exceeding 16,384 bytes, is received by BIG-IP on a virtual service, and Session Persistence is enabled, the handshake hangs.

Conditions:
[1] SSL client authentication is enabled on the backend server
[2] No SSL profile is specified on the BIG-IP device for the virtual service, on both the client and server side.
[3] An SSL connection is initiated from the front-end client, via the BIG-IP's virtual service, to the backend server.
[4] The client certificate chain is passed to the BIG-IP device as part of initiating the connection.

Impact:
The backend server will not be securely accessible via SSL because the connection hangs

Workaround:
Disable SSL Session Persistence.

Fix:
Whenever a fragmented message is received by a BIG-IP virtual service, each subsequent fragment (TLS record) carries its own 5-byte header, which must be accounted for. With this taken into account, the Session Persistence parser no longer finds a multiple of 5 bytes missing while parsing the message, and the parser no longer hangs.
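The framing point in the Fix above, as an added example that is not F5's code: a Python model of a Certificate handshake message split across TLS records, with a correct reassembler that strips each record's 5-byte header, beside a deliberately defective count that assumes a single record and therefore comes up short by 5 bytes for every extra record, which is the "multiple-of-5 bytes missing" condition the entry describes. The certificate data is dummy bytes; record sizes follow RFC 5246.

```python
import struct

TLS_RECORD_HEADER_LEN = 5        # content type (1) + version (2) + length (2)
TLS_MAX_PLAINTEXT = 16384        # largest record payload, RFC 5246 section 6.2.1
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CERTIFICATE = 11
HANDSHAKE_HEADER_LEN = 4         # message type (1) + length (3)


def build_certificate_records(cert_chain_len):
    """Constructed sample: a Certificate handshake message carrying
    cert_chain_len bytes of dummy certificate data, fragmented across as many
    TLS 1.2 records as needed. Returns the raw bytes as seen on the wire."""
    body = b"\xaa" * cert_chain_len
    handshake = bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    stream = b""
    for off in range(0, len(handshake), TLS_MAX_PLAINTEXT):
        frag = handshake[off:off + TLS_MAX_PLAINTEXT]
        stream += struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0303, len(frag)) + frag
    return stream


def reassemble_handshake(stream):
    """Correct reassembly: strip every record header, concatenate the payloads,
    and stop once the length in the handshake header is satisfied.
    Returns (message, outstanding); outstanding == 0 means the message is
    complete, > 0 is the number of bytes still expected from the peer."""
    message = b""
    pos = 0
    outstanding = None
    while pos + TLS_RECORD_HEADER_LEN <= len(stream):
        ctype, _version, rec_len = struct.unpack(
            "!BHH", stream[pos:pos + TLS_RECORD_HEADER_LEN])
        if ctype != CONTENT_TYPE_HANDSHAKE:
            raise ValueError("unexpected TLS content type %d" % ctype)
        frag = stream[pos + TLS_RECORD_HEADER_LEN:pos + TLS_RECORD_HEADER_LEN + rec_len]
        message += frag
        pos += TLS_RECORD_HEADER_LEN + len(frag)
        if outstanding is None and len(message) >= HANDSHAKE_HEADER_LEN:
            outstanding = HANDSHAKE_HEADER_LEN + int.from_bytes(message[1:4], "big")
        if outstanding is not None and len(message) >= outstanding:
            return message[:outstanding], 0
        if len(frag) < rec_len:
            break  # last record is truncated: wait for more bytes
    if outstanding is None:
        return message, None
    return message, outstanding - len(message)


def defective_shortfall(stream):
    """Model of the symptom in this entry (not TMM's code): a parser that
    assumes the message is not fragmented expects it to end at stream offset
    5 + 4 + length, so it never budgets for the additional 5-byte record
    headers. Returns how many message bytes are still outstanding at that
    offset: 0 for a single-record message, 5 * (records - 1) otherwise. A
    parser that keeps waiting for those bytes waits forever."""
    hs_len = int.from_bytes(stream[6:9], "big")
    assumed_end = TLS_RECORD_HEADER_LEN + HANDSHAKE_HEADER_LEN + hs_len
    _message, outstanding = reassemble_handshake(stream[:assumed_end])
    return outstanding


if __name__ == "__main__":
    big = build_certificate_records(40000)     # needs three records
    print("correct parser, bytes outstanding:", reassemble_handshake(big)[1])
    print("defective parser, bytes outstanding:", defective_shortfall(big))
```

A 40,000-byte chain spans three records, so the defective count is short by exactly 10 bytes, while the single-record case (anything up to 16,380 bytes of chain) parses either way, which matches the "typically exceeding 16,384 bytes" condition in the Symptoms.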


693285 : Overriding Profile Max Age in RAM Cache

Component: Local Traffic Manager

Symptoms:
The max age setting on the AAM profile sets the maximum age of every document in the cache. When a client request matches a document that has exceeded the profile max age, that document is verified with the origin web server before being served to the client.

Conditions:
When a document has a max-age that is larger than the max age of the profile.

Impact:
Documents with a max-age value greater than the max age setting of the profile are validated more often with the origin web server.

Workaround:
None.

Fix:
The system now uses the f5-no-pma token list to tell RAM cache not to use the profile max age (pma) value to determine when to validate the document. Instead, the system uses the document's max-age, Expiration, or the HTTP heuristic value.


693211 : CVE-2017-6168

Solution Article: K21905460


693112 : Latest Opera Mini on Android is blocked by proactive bot defense

Component: Advanced Firewall Manager

Symptoms:
Proactive bot defense blocks opera mini.

Conditions:
1. ASM or DoS Provisioned.
2. DoS Application profile assigned to a virtual server.
3. Proactive Bot Defense and Block suspicious browsers sections are enabled in the DoS Application profile configuration.

Impact:
End user cannot surf a website using Opera Mini browser on Android.

Workaround:
There is no workaround at this time.

Fix:
CanIUse db has been updated to support opera mini.


693106 : IKEv1 newest established phase-one SAs should be found first in a search

Component: TMOS

Symptoms:
Some IKEv1 implementations might delete "duplicate" phase one IKE SAs, even though not yet expired, keeping only the most recently negotiated IKE-SA. If this happens, and BIG-IP uses an older SA to negotiate, then phase two negotiation can fail.

If at all possible, we want BIG-IP to prefer the newest SA for a given remote peer. If a peer deletes a second SA without notifying BigIP, preferring a newest SA may mitigate the problem.

Conditions:
The situation is most easily arranged when two peers initiate a new IKE-SA at the same time, so that both are negotiated concurrently, since neither has yet been established. Afterward, there are two IKE-SAs for one remote peer of nearly the same age.

If the other end deletes a duplicate without sending a DELETE message to BigIP, we might accidentally use the older SA of a pair.

Impact:
If BIG-IP picks a mature IKE-SA for phase two negotiation that has been deleted by a peer, then BIG-IP's attempt to negotiate a new phase two SA will fail.

Workaround:
Try to configure other IPsec implementations to avoid deleting duplicate IKE-SAs.

Fix:
At the moment a new IKE-SA is established, we now move that SA to the head of the hashmap bucket that is searched for that remote peer in the future. This makes us more likely to use the newest SA from the remote peer's perspective the next time we initiate another phase two negotiation ourselves.
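The move-to-head behaviour in the Fix above, as an added example that is not F5's code: a Python model of a per-peer SA bucket with the old append-at-tail ordering and the new insert-at-head ordering, run through the concurrent-negotiation scenario this entry describes. Peer addresses and SPI labels are constructed.

```python
import itertools
from collections import defaultdict


class IkeSaTable:
    """Per-peer buckets of established phase-one SAs, searched front to back.
    newest_first=False models the old behaviour (a new SA is appended, so the
    oldest SA stays at the head); newest_first=True models the fix (a newly
    established SA goes to the head of its peer's bucket)."""

    def __init__(self, newest_first=True):
        self.newest_first = newest_first
        self.buckets = defaultdict(list)
        self._clock = itertools.count(1)     # monotonic establishment order

    def establish(self, peer, spi):
        sa = {"peer": peer, "spi": spi, "established": next(self._clock)}
        bucket = self.buckets[peer]
        if self.newest_first:
            bucket.insert(0, sa)
        else:
            bucket.append(sa)
        return sa

    def delete(self, peer, spi):
        """Remove an SA when a DELETE notification arrives from the peer."""
        self.buckets[peer] = [sa for sa in self.buckets[peer] if sa["spi"] != spi]

    def lookup(self, peer):
        """The SA a phase two negotiation would use: the first hit in the bucket."""
        bucket = self.buckets.get(peer)
        return bucket[0] if bucket else None


def simulate_concurrent_negotiation(newest_first):
    """Constructed scenario from this entry: both ends initiate at once, so two
    phase-one SAs to the same peer are established back to back. The remote end
    then discards the older duplicate without sending DELETE, so our table
    still holds both. Returns True when the SA we pick for phase two is one the
    peer still has, False when we would pick the dead one."""
    peer = "198.51.100.7"                    # constructed address (TEST-NET-2)
    local = IkeSaTable(newest_first)
    local.establish(peer, "spi-a")           # older of the pair
    newer = local.establish(peer, "spi-b")
    remote_alive = {newer["spi"]}            # peer kept only its most recent SA
    chosen = local.lookup(peer)
    return chosen["spi"] in remote_alive


def simulate_with_delete_notification(newest_first):
    """Same scenario, but the peer does send DELETE for the older SA, so both
    orderings end up selecting a live SA."""
    peer = "198.51.100.7"
    local = IkeSaTable(newest_first)
    older = local.establish(peer, "spi-a")
    newer = local.establish(peer, "spi-b")
    local.delete(peer, older["spi"])
    return local.lookup(peer)["spi"] == newer["spi"]


if __name__ == "__main__":
    print("old ordering picks a live SA:", simulate_concurrent_negotiation(False))
    print("new ordering picks a live SA:", simulate_concurrent_negotiation(True))
```

The second function shows why the change is a mitigation rather than a fix: a peer that honours DELETE leaves both orderings correct, and only a peer that silently drops its duplicate is affected by the search order.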


693098 : IKEv1 logging 'No need for ISAKMP mode config' event

Component: TMOS

Symptoms:
An unnecessary and distracting log line appears in /var/log/ltm when an IKEv1 security association is negotiated: No need for ISAKMP mode config.

This is an internal mechanism related to dynamic IP address allocation at negotiation time, which the BIG-IP system does not support.

Conditions:
When a remote peer is configured for IKEv1.

Impact:
No impact beyond the message in /var/log/ltm for each SA negotiated.

Workaround:
None.

Fix:
IKEv1 no longer sends the event involved, because the system does not depend on this event.


693030 : Cannot SSH in with password after deploying Azure VE

Component: TMOS

Symptoms:
Password provided by user and accepted by Azure might be rejected by the BIG-IP. This results in the inability to immediately SSH-in with a password after successfully deploying Azure Virtual Edition (VE).

This occurs because BIG-IP system applies its own password check for the password provided in the Azure user interface, such as Portal, ARM template, etc. The result is that Azure VE administrators cannot SSH-in immediately after deployment has succeeded. They must wait for 1-2 minutes, or no longer than 5 minutes, to let VE set the BIG-IP password after deployment.

Weak passwords will be accepted, but you will be warned after SSH login that you need to change to use stronger passwords for both 'admin' and provided users as soon as possible. The message appears similar to the following: Warning: Password is too weak. Please set a stronger one for 'admin' and 'tester' users ASAP.

Note: This is true only for password-based authentication. There is no impact on key-based authentication. VE Administrators can still SSH-in immediately after deployment has succeeded.

Conditions:
Azure VE with password-based authentication.

Impact:
There is no significant impact on interactive SSH into Azure VE, while automated deployments have no logic to retry or delay SSH-in attempts until the password is set.

Workaround:
Wait 1-2 minutes (no longer than 5 minutes) after successful deployment to let VE set the BIG-IP password.

Fix:
Behavior changes after applying a BIG-IP password check.


693007 : Modify b.root-servers.net IPv4 address 192.228.79.201 to 199.9.14.201 according to InterNIC

Component: Global Traffic Manager (DNS)

Symptoms:
The current IPv4 address for b.root-servers.net is 192.228.79.201. The IPv4 address for b.root-servers.net will be renumbered to 199.9.14.201, effective 2017-10-24. The older number will be invalid after that date.

Conditions:
Several profiles contain the b.root-servers.net IPv4 address as 192.228.79.201.

Impact:
The impact is likely minimal, at most a single timeout for pending TLD queries when they happen to round-robin onto an old IP address, probably not more often than the hint's TTL, which is more than a month, and even this should cause a timeout only when the old IP actually stops responding.

Workaround:
Update the root hints for all affected profiles manually except the hardwired ones.

Fix:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24.

Behavior Change:
The IPv4 address for b.root-servers.net has been renumbered to 199.9.14.201, effective 2017-10-24, according to InterNIC. The old IPv4 address (192.228.79.201) will continue to answer queries for at least 6 months.


692970 : Using UDP port 67 for purposes other than DHCP might cause TMM to crash

Component: Local Traffic Manager

Symptoms:
DHCP relay presumes that a flow found via lookup is always a server-side flow of type DHCP relay. Hence TMM can crash when DHCP relay makes a server connection if UDP port 67 is used for another purpose, in which case a wrong DHCP server flow could be selected.

Conditions:
UDP port 67 is configured for a purpose other than DHCP relay.

Impact:
TMM restart causes traffic interruption or failover.

Workaround:
Do not use UDP port 67 for other virtual servers, or configure a drop listener on certain VLANs that cannot avoid using UDP port 67.

Fix:
TMM no longer crashes with DHCP flow validation.
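The flow-type validation in the Fix above, as an added example that is not TMM's code: a Python model of a 5-tuple flow table holding one genuine DHCP relay server-side flow and one unrelated UDP/67 flow owned by a virtual server, with the unchecked lookup that treats any hit as a relay flow (and fails on the wrong kind) beside the checked version. Addresses, flow kinds and the relay state fields are constructed.

```python
from dataclasses import dataclass
from typing import Optional

UDP = 17
DHCP_SERVER_PORT = 67


@dataclass
class Flow:
    key: tuple                           # (proto, src_ip, src_port, dst_ip, dst_port)
    kind: str                            # e.g. "dhcp-relay-server" or "udp-virtual"
    relay_state: Optional[dict] = None   # only DHCP relay server-side flows carry this


class FlowTable:
    """Minimal connection table keyed by 5-tuple."""

    def __init__(self):
        self._flows = {}

    def add(self, flow):
        self._flows[flow.key] = flow

    def lookup(self, key):
        return self._flows.get(key)


# Constructed keys. RELAY_KEY is a real relay-to-server flow; OTHER_KEY is the
# 5-tuple a relay lookup might derive that is already owned by a virtual server
# listening on UDP/67 for something other than DHCP. Addresses are from the
# documentation ranges.
RELAY_KEY = (UDP, "192.0.2.10", DHCP_SERVER_PORT, "198.51.100.5", DHCP_SERVER_PORT)
OTHER_KEY = (UDP, "203.0.113.9", 40000, "198.51.100.5", DHCP_SERVER_PORT)


def build_sample_table():
    table = FlowTable()
    table.add(Flow(key=RELAY_KEY, kind="dhcp-relay-server",
                   relay_state={"client_xid": 0x3903F326, "giaddr": "192.0.2.10"}))
    table.add(Flow(key=OTHER_KEY, kind="udp-virtual"))
    return table


def relay_xid_unchecked(table, key):
    """Model of the defect (not TMM's code): any hit is assumed to be a DHCP
    relay server-side flow and its relay state is used without checking."""
    flow = table.lookup(key)
    return flow.relay_state["client_xid"]     # TypeError on a non-relay flow


def relay_xid_checked(table, key):
    """Fixed handling: validate the flow type before using relay state.
    Returns the transaction id for a relay flow, None for anything else."""
    flow = table.lookup(key)
    if flow is None or flow.kind != "dhcp-relay-server" or flow.relay_state is None:
        return None
    return flow.relay_state["client_xid"]


def unchecked_crashes(table, key):
    """True when the unchecked path raises for this key, the model's stand-in
    for the TMM crash described in the entry."""
    try:
        relay_xid_unchecked(table, key)
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    table = build_sample_table()
    print("checked, relay flow:", hex(relay_xid_checked(table, RELAY_KEY)))
    print("checked, foreign UDP/67 flow:", relay_xid_checked(table, OTHER_KEY))
    print("unchecked crashes on foreign flow:", unchecked_crashes(table, OTHER_KEY))
```

The same pattern applies to any lookup that returns a generic object which is then cast to a specific type: the validation belongs next to the lookup, not in the caller.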


692941 : GTMD and TMM SIGSEGV when changing wide IP pool in GTMD

Component: Global Traffic Manager (DNS)

Symptoms:
Changing wide IP causes gtmd and tmm core under certain conditions.

Conditions:
-- GTM pool is removed when it is referenced by a persist record.
-- That record is accessed before it is purged.

Impact:
gtmd and tmm core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Changing wide IP no longer causes gtmd and tmm core when GTM pool is removed when it is referenced by a persist record, and that record is accessed before it is purged.


692890-1 : Adding support for BIG-IP 800 in 13.1.x

Component: TMOS

Symptoms:
Installing software version 13.1.0 fails on BIG-IP 800.

# tmsh show sys soft


---------------------------------------------------------
Sys::Software Status
---------------------------------------------------------
Volume  Product  Version  Build     Active  Status
---------------------------------------------------------
HD1.1   BIG-IP   13.1.0   0.0.1868  no      failed (Failed to install.)
HD1.2   BIG-IP   13.0.0   0.0.1645  yes     complete
HD1.3   BIG-IP   11.6.0   0.0.401   no      complete

---------------------------
Sys::Software Update Check
---------------------------
  Check Enabled      true
  Phonehome Enabled  true
  Frequency          weekly
  Status             none
  Errors             0

The system logs the following messages in /var/log/liveinstall.log:

info: Hardware is lm capable
info: System is lm capable
info: Adding application-package ltm7-application/noarch to transaction.
info: Adding application-package ros7-application/noarch to transaction.
info: Adding application-package sam-main/noarch to transaction.
info: Adding application-package sum-application/noarch to transaction.
info: Adding application-package ts-application/noarch to transaction.
info: Adding application-package wa-master/noarch to transaction.
info: Adding application-package (lm) woc-application-lm/noarch to transaction.
error: Product has no root package for Mercury
error: couldn't get package list file for LTM.ROS.SAM.SUM.TS.WA.WOC group Terminal error: Failed to install.
*** Live install end at 2018/01/02 13:29:45: failed (return code 255) ***

Conditions:
-- Installing/upgrading to v13.1.x.
-- Using the BIG-IP 800 platform.

Impact:
Install/upgrade will fail.

Workaround:
None.

Fix:
Installation now completes successfully on the BIG-IP 800 platform.


692753 : shutting down trap not sent when shutdown -r or shutdown -h issued from shell

Component: TMOS

Symptoms:
Shutting down trap not sent when shutdown -r or shutdown -h issued from shell.

Conditions:
When a user accesses the Linux shell and issues "shutdown -h" or "shutdown -r", the BIG-IP system does not send the shutting down trap.

Impact:
None.
Since this is a user-triggered command, the user is aware of the shutdown event, so the lack of a trap is not critical.

Workaround:
None

Fix:
The shutdown trap is sent when user issues "shutdown -r" or "shutdown -h" from the linux shell.


692683 : Core with /usr/bin/tmm.debug at qa_device_mgr_uninit

Component: TMOS

Symptoms:
Running a debug version of tmm (/usr/bin/tmm.debug) on BIG-IP 2xxx and 4xxx platforms crashes at qa_device_mgr_uninit when issuing either of the following commands:
-- bigstart stop tmm
-- bigstart restart tmm

Conditions:
-- Running a debug version of tmm.
-- BIG-IP 2xxx and 4xxx platforms.
-- Running either of the following commands:
   + bigstart stop tmm
   + bigstart restart tmm

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using a debug version of tmm on BIG-IP 2xxx and 4xxx platforms.

Fix:
tmm no longer halts and restarts under these conditions.


692557 : When BIG-IP as SAML IdP processes signed authentication requests from external SAML SP, a block of memory may become corrupted.

Component: Access Policy Manager

Symptoms:
After processing signed authentication requests from external SAML SP, SAML IdP may corrupt a block of tmm memory.

Conditions:
- BIG-IP system is configured as SAML IdP.
- IdP is configured with external SP's signing certificate.
- External SP sends signed authentication request.

Impact:
Various possible negative effects, including TMM core. Traffic disrupted while tmm restarts.

Workaround:
None.


692369 : TMM crash caused by SSOv2 form based due to null config

Component: Access Policy Manager

Symptoms:
Service outage because of tmm restart.

Conditions:
SSO V2 client-initiated mode is configured and a user sends a small POST request with a small payload (< 4K).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


692328 : Tmm core due to incorrect memory allocation

Component: Advanced Firewall Manager

Symptoms:
In a rare condition after provisioning AFM, tmm cores.
You will see the following line in avrd.log:
/usr/bin/avrinstall -c20 -t10 -s2401000 --provisionAVR=0 --provisionASM=0 --provisionAFM=0 --provisionPBD=0 --provisionAPM=0 --provisionFPS=0 --provisionPEM=0 --provisionVCMP=0

Conditions:
AFM provisioned.
Attack started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
We check that the shared memory was allocated correctly before reporting on an attack.


692310 : ICAP modified HTTP 1.1 request/response without content-length gets "chunked" even with no body

Solution Article: K69250459

Component: Service Provider

Symptoms:
When a modified HTTP v1.1 request or response is returned from an ICAP server and has no body (and also no content-length), a 'Transfer-Encoding: chunked' header is added and a zero-length chunk is appended.

Conditions:
-- HTTP profile.
-- Either request-adapt or response-adapt profile.
-- Modified HTTP v1.1 request/response has no body (and no content-length header).

Impact:
The HTTP server or client to which the modified request or response is destined receives invalid HTTP and might behave in an unexpected manner.

Workaround:
Use an iRule to detect the lack of a Content-Length header in the modified request or response, and insert 'Content-Length: 0'.

For example with modified request:

when ADAPT_REQUEST_HEADERS {
    # Tcl does not treat single quotes as quoting, so the header name must be double-quoted
    if {([HTTP::method] eq "GET") and (not [HTTP::header exists "Content-Length"])} {
        HTTP::header insert Content-Length 0
    }
}

Similarly when ADAPT_RESPONSE_HEADERS {} for a response.

Fix:
A modified HTTP v1.1 request or response with no body is never 'chunked'.


692307 : User with 'operator' role may not be able to view some session variables

Component: Access Policy Manager

Symptoms:
When a user with the 'operator' role tries to view the session variables, the GUI may show the following error: An error has occurred while trying to process your request.

Conditions:
This occurs when there is a huge blob of data associated with the user whose session variable is being viewed. For example Active Directory (AD) user accounts with thumbnailphoto and userCertificate user attributes containing binary data.

Impact:
User cannot view the session variables for those particular sessions. This data is available, however, via clicking on the Session ID.

Workaround:
Find this data via clicking on the session ID.

Fix:
User with 'operator' role can now view all expected session variables


692239 : AOM menu power off then on results in 'Host Power Cycle Event' SEL log entries posted every two seconds

Solution Article: K31554905

Component: TMOS

Symptoms:
When using the AOM menu to power off then on the host CPU on i5600, i5800, i7600, i7800, i10600, i10800 platforms, the AOM creates a 'Host Power Cycle Event' SEL log entry every two seconds. The SEL log will continue to grow until external power to the appliance is fully power cycled.

Conditions:
-- Running on i5600, i5800, i7600, i7800, i10600, i10800 platforms.
-- With an older version of CPLD code installed (e.g., CPLD 0x45), bring up the AOM menu using ESP shift-9, then select 'p' and '0' from the menu to power off the host CPU complex.
-- Wait a few seconds, then select 'p' and '1' to power on the host CPU complex.

Impact:
This results in ongoing 'Host Power Cycle Event' messages posting to the SEL log (tail /var/log/sel) every two seconds.

The SEL log will continue to grow and wrap as this message continues to post to the SEL log every two seconds.

This results in a very large number of SEL entry fetches by the host CPU from the AOM and can place a substantial load on the AOM interface.

Workaround:
The actual fix is to install a newer version of i5600, i5800, i7600, i7800, i10600, i10800 platform CPLD code (e.g., CPLD 0x54 or CPLD 0x55).

Another workaround is to fully power cycle the appliance.
However, every time AOM menu is used to power off then on the host, this SEL log entry will re-appear.

Fix:
This issue is fixed in newer versions of the i5600, i5800, i7600, i7800, i10600, i10800 platforms CPLD (e.g., v0x54 or 0x55).


692189 : errdefsd fails to generate a core file on request.

Component: TMOS

Symptoms:
Should errdefsd crash or be manually cored for the purpose of gathering diagnostic information, no core file will be generated.

Conditions:
Forcing errdefsd to core for diagnostic purposes.

Impact:
Increased communication required with F5 Support when attempting to diagnose problems with errdefsd.

Workaround:
1. Add the following lines to the official errdefsd script, /etc/bigstart/scripts/errdefsd:
16a17,19
> # set resource limits, affinity, etc
> setproperties ${service}
>
2. Run the following command: bigstart restart errdefsd

Fix:
errdefsd now generates a core file when forced to core.


692179 : Potential high memory usage from errdefsd.

Component: TMOS

Symptoms:
errdefsd memory usage grows with each config-sync or config update.

Conditions:
Ever increasing errdefsd memory usage is visible when the following conditions are met:
-- Config updates are frequent.
-- management-port logging is not being used.

Impact:
In extreme cases, errdefsd memory usage might increase userland memory-pressure. Note, however, that it isn't actually using the extra memory, so while Virtual Memory Size (VSZ) might be high, Resident Set Size (RSS) need not be.

Workaround:
A workaround for this problem is to periodically send logs to a management-port destination. The destination may be as simple as a dummy UDP port on 127.0.0.1. Adding such a destination to the publisher for an existing, active log source will work. errdefsd just needs a reason to process and flush accumulating configurations.

Fix:
The changes in this bug force errdefsd to check for config changes once every second in addition to checking whenever management-port destination logs come in.


692165 : A request-log profile may not log anything for the $VIRTUAL_POOL_NAME token

Component: TMOS

Symptoms:
For some HTTP requests, a request-log profile can log nothing for the $VIRTUAL_POOL_NAME token (which expands to an empty string in the resulting logs).

Conditions:
- The virtual server where the request-log profile is used also uses OneConnect.

- The client uses HTTP Keep-Alive and sends multiple HTTP requests over the same TCP connection.

Impact:
For all HTTP requests the client sends except the first one, the $VIRTUAL_POOL_NAME token logs nothing. As a result, a BIG-IP Administrator may struggle to determine which pool serviced which request.

Workaround:
The $SERVER_IP and $SERVER_PORT tokens work for all requests, so if those are also logged, it may be possible to deduce the pool name from them.

However, there is no workaround to make the $VIRTUAL_POOL_NAME token work all of the time.


692158-3 : iCall and CLI script memory leak when saving configuration

Component: TMOS

Symptoms:
Whenever an iCall script or CLI script saves the configuration, the scriptd process on the device will leak memory.

Conditions:
Use of iCall or CLI scripts for saving config.

Impact:
Repeated invocation may cause the system to run out of memory, causing tmm to restart and disrupting traffic.

Workaround:
Do not save the configuration from iCall or CLI scripts.


692095 : bigd logs monitor status unknown for FQDN Node/Pool Member

Solution Article: K65311501

Component: Local Traffic Manager

Symptoms:
While monitoring FQDN nodes or pool members, bigd may log the current or previous monitor status of the node or pool member as 'unknown' in messages where that state internally could have been logged as 'checking' or 'no address' for FQDN template nodes. Other states for FQDN configured nodes or pool members log monitor status as expected. Messages are similar to the following:

notice bigd[####]: 01060141:5: Node /Common/node_name monitor status unknown [ ip.address: unknown ] [ was up for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: unknown ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060141:5: Node /Common/node_name monitor status up [ ip.address: up ] [ was unknown for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status unknown. [ ] [ was unchecked for ##hrs:##mins:##sec ]
notice bigd[####]: 01060145:5: Pool /Common/pool_name member /Common/node_name monitor status up. [ ] [ was unknown for ##hrs:##mins:##sec ]

Conditions:
This may occur if the FQDN template node or pool member is in a 'checking' or 'no address' state.
The 'checking' state may occur if the DNS resolution of the FQDN node or pool member name is in progress.
The 'no address' state may occur if no IP addresses were returned by the DNS server for the configured FQDN node or pool member name.

Impact:
Unable to triage state of FQDN nodes or pool members identified in these log messages, to determine whether further troubleshooting is required, or what specific problem condition might require further investigation.

Workaround:
None.

Fix:
An FQDN-configured node or pool member logs each internal monitor status, including for scenarios of 'checking' and 'no address' for FQDN template nodes which were previously logged as 'unknown'.


691897 : Names of the modified cookies do not appear in the event log

Component: Application Security Manager

Symptoms:
A modified domain cookies violation happened. When trying to see additional details by clicking the violation link, the name and value of the modified cookie are empty.

Conditions:
A modified domain cookies violation happens.

Note: This can happen only if there are also non-modified or staged cookies.

Impact:
Expected violation details are not displayed.

Workaround:
There is no workaround at this time.

Fix:
The issue with modified domain cookie violation details is now fixed.


691806 : RFC 793 - behavior receiving FIN/ACK in SYN-RECEIVED state

Solution Article: K61815412

Component: Local Traffic Manager

Symptoms:
The BIG-IP system resets connection with RST if it receives FIN/ACK in SYN-RECEIVED state.

Conditions:
The BIG-IP system receives FIN/ACK when it is in SYN-RECEIVED state.

Impact:
The BIG-IP system resets connection with RST.

Workaround:
None.

Fix:
The BIG-IP system now responds with FIN/ACK to early FIN/ACK.


691785 : The bcm570x driver can cause TMM to core when transmitting packets larger than 6144 bytes

Component: Local Traffic Manager

Symptoms:
The bcm570x driver will cause TMM to core with the log message:

panic: ifoutput: packet_data_compact failed to reduce pkt size below 4.

Conditions:
-- Running on a platform that uses the bcm570x driver (BIG-IP 800, 1600, 3600).
-- A packet larger than 6144 bytes is transmitted from the BIG-IP system.

Impact:
TMM core. Failover or outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Removed the panic statement that caused TMM to core. TMM will now log an error and drop the packet instead.


691670 : Rare BD crash in a specific scenario

Component: Application Security Manager

Symptoms:
BD crash or false reporting of signature ID 200023003.

Conditions:
JSON/XML/parameters traffic (should not happen with the enforce value signature).

Impact:
Failover, traffic disturbance in the core case. False positive violation or blocking in the other scenario.

Workaround:
Removing attack signature 200023003 from the security policy stops the issue.

Fix:
Fixed a bug in the signatures engine that caused false positive reporting of a signature. In some rare cases, this false reporting could cause a crash.

A newly released attack signature update changes the signature in a way that it no longer causes the issue to happen.


691664 : Violation rating is not exposed to the iRules

Component: Application Security Manager

Symptoms:
Cannot create an iRule that relates to the violation rating.

Conditions:
An iRule that uses the violation rating.

Impact:
Missing iRule functionality.

Workaround:
There is no workaround at this time.

Fix:
This release adds the violation_rating to the iRules.


691646 : MCPD crashes while fetching page Security :: Protocol Security : Inspection Profiles with 500 IPS profiles

Component: Protocol Inspection

Symptoms:
MCPD crashes while fetching page Security :: Protocol Security : Inspection Profiles with 500 IPS profiles

Conditions:
Adding more than 300,000 protocol inspection checks.

Impact:
mcpd crash.

Workaround:
None.

Fix:
Added a limit in MCPD on creating profiles.


691589-2 : When using LDAP client auth, tamd may become stuck

Component: TMOS

Symptoms:
When a virtual server uses an LDAP auth profile for client authentication, the system can get into a state where all authentications time out. This condition persists until tamd restarts. Traffic analysis between the BIG-IP system and the LDAP server shows that the BIG-IP system makes a TCP handshake with the server, then immediately sends FIN. Tamd cores may be seen.

Conditions:
-- Virtual server using LDAP auth profile.
-- BIG-IP system makes a TCP handshake with the server, then immediately sends FIN.

Impact:
Authentication to the virtual server fails until tamd is restarted.

Workaround:
To recover, restart tamd by running the following command: bigstart restart tamd

Fix:
tamd no longer becomes stuck when using LDAP client auth.


691504 : PEM content insertion in a compressed response may cause a crash.

Solution Article: K54562183


691498 : Connection failure during iRule DNS lookup can crash TMM

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM crashes in the DNS response cache periodic sweep.

Conditions:
The DNS resolver connection fails after a successful lookup response is cached. This has been reproduced with a failure due to a lost route. Other failures such as down ports do not cause a crash.

Impact:
The TMM cores and automatically restarts. Traffic disrupted while tmm restarts.

Workaround:
No known workaround.

Fix:
The reference counting of the resolver connection was fixed.


691497 : tmsh save sys ucs <file> fails due to missing patch file in /config/.diffVersions

Solution Article: K41835995

Component: TMOS

Symptoms:
The .diffVersions directory has config change-diffs saved into patch files every time tmsh saves the configs. This is used for diagnostic purposes only.

Conditions:
When doing a 'tmsh save sys ucs <file>', it is possible that a background 'tmsh save sys config' gets run at the same time, causing a patch file to be deleted that the ucs-save feature now expected to exist.

Impact:
The ucs-save feature complains about the missing patch file and exits.

Workaround:
Re-run the 'tmsh save sys ucs <file>' ignoring the missing patch file message. That missing file doesn't need to be restored.

Fix:
With this defect fixed, patch files that end up missing once 'tmsh load sys ucs <file>' is started will not be reported as an error, and the tmsh command will complete normally.


691491 : 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Solution Article: K13841403

Component: TMOS

Symptoms:
2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms may return incorrect SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces

Conditions:
-- 2000/4000, 10000, i2000/i4000, i5000/i7000/i10000, i15000, B4000 platforms.
-- SNMP query of network interfaces via OID sysIfxStatHighSpeed.

Impact:
Value returned for 10G/40G/100G interfaces may be incorrect.

Workaround:
Use OID sysInterfaceMediaActiveSpeed.

Fix:
The BIG-IP system now correctly returns SNMP sysIfxStatHighSpeed values for 10G/40G/100G interfaces.


691477 : ASM standby unit showing future date and high version count for ASM Device Group

Component: Application Security Manager

Symptoms:
Policy builder is changing configuration of standby unit.

Conditions:
The system state changes from active to standby (also when blade is changed from master to non-master).

Impact:
Unexpected changes are made to the policy on standby device (CID increment).

Workaround:
Restart pabnagd when switching the device from active to standby (also when a blade is changed from master to non-master):

killall -s SIGHUP pabnagd

Fix:
Policy builder now updates its state correctly and doesn't make changes to a policy on a standby device.


691462 : Bad actors detection might not work when signature mitigation blocks bad traffic

Component: Anomaly Detection Services

Symptoms:
When a signature is detected and mitigating, no bad actors detection occurs.

Conditions:
1. Signatures are detected and mitigating.
2. Attack traffic is not significantly higher than the good traffic.

Impact:
No bad actors detected.
Only signatures provide DoS protection.
BIG-IP CPU utilization is higher than necessary.

Workaround:
No workaround at this time.

Fix:
The fix also takes signature drops into account when deciding when bad actors detection should be more aggressive.


691367 : Attack-destination for a DoS vector was not predicting right thresholds in some cases

Component: Advanced Firewall Manager

Symptoms:
When attack-destination is enabled for a vector, the thresholds predicted by attack-destination (bad destination IP) were incorrect in some cases.

Conditions:
It can occur when attack-destination is enabled for a DoS vector in a config.

Impact:
Sometimes wrong threshold values could be predicted for the DoS vector if attack-destination is enabled.

Workaround:
There is no workaround at this time.

Fix:
This has been fixed in the code.


691338 : Using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes

Component: Carrier-Grade NAT

Symptoms:
When redirecting the traffic by using iRule 'virtual <virtual_server>' on a PBA or DNAT LSN pool associated virtual server, the system resets the connection and logs errors similar to the following:

err tmm2[19158]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/session1_pool) mode PBA on interface _loopback
err tmm2[19158]: 01670024:3: Unsupported DAG mode for LSN pool(/Common/dnat_pool) mode DNAT on interface _loopback

This occurs because using an iRule to change virtual servers prevents correct DAG detection for PBA and DNAT modes.

Conditions:
-- LSN pool is configured in either PBA or DNAT mode.
-- An iRule redirects traffic to a different virtual server.

Impact:
Connections fail using this iRule.

Workaround:
To work around this issue, configure the lsn-pools with NAPT mode.

Fix:
LSN can now detect the correct DAG mode after the virtual server is set using an iRule, so this issue no longer occurs.


691287 : tmm crashes on iRule with GTM pool command

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes with a SIGSEGV when a GTM iRule executes a 'pool' command against Tcl variables that have internal string representations, which can occur when a value is a result of (some) string commands (e.g., 'string tolower') or if the value comes from a built-in iRules command (such as 'class').

For example:

when DNS_REQUEST {
    pool [string tolower "Test.com"]
}

or:

when DNS_REQUEST {
    pool [class lookup pool-dg key-value]
}

Conditions:
GTM iRule executes a 'pool' command against Tcl variables that have internal string representations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Pass the 'pool' argument through 'string trim'. For instance:

when DNS_REQUEST {
    pool [string trim [class lookup pool-dg key-value]]
}

Fix:
tmm no longer crashes on GTM iRules that use the 'pool' command.


691265 : Protocol Inspection custom signatures require that http_header keyword have a leading space character

Component: Protocol Inspection

Symptoms:
When using the term 'http_header' as an attribute of a content check, there must be a leading space between it and the content semicolon ';' delimiter. Also, 'http_header' cannot be applied for the second or subsequent content checks if preceding content checks do not have it. It also must be the first attribute of a content check.

This example fails validation because there is no space between ';' and 'http_header':

alert tcp any any -> any any (content:User-agent;http_header; content:"mortest"; distance:1; nocase; sig_id:100020;)

This example fails validation because 'http_header' is first used for the second content check. It also fails because 'http_header' comes after 'distance' and 'nocase' for the second content check:

alert tcp any any -> any any (content:User-agent; content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)

Conditions:
This occurs when either of the following conditions are true:
-- http_header is used for a content check that is not the first content check.
-- http_header is used after other content parameters, such as 'distance' and 'nocase'.

Impact:
Custom signature fails validation.

Workaround:
Use the following workarounds:
-- Use 'http_header' for initial content checks.
-- Use 'http_header' before other content attributes, such as 'distance' and 'nocase'.

Fix:
Protocol Inspection no longer requires such unnecessarily restrictive constraints when using the http_header keyword.
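As an added illustration (not F5's validator), the following Python checker applies the three pre-fix constraints described above to a custom signature, so administrators on an unfixed release can find signatures that would fail validation. The two rule strings are the examples from this entry; the corrected third variant is constructed for the example.

```python
"""Checker for the pre-fix Protocol Inspection 'http_header' constraints.

Added example, not F5 code. It mirrors the three constraints described in
the 691265 entry: a space is required between ';' and 'http_header',
'http_header' must be the first attribute of a content check, and it may
not appear on a later content check if an earlier one lacks it.
"""
import re

RULE_OPTIONS_RE = re.compile(r"\((.*)\)\s*$")

# The two failing examples from the entry, plus a constructed corrected rule.
EXAMPLE_NO_SPACE = ('alert tcp any any -> any any (content:User-agent;http_header; '
                    'content:"mortest"; distance:1; nocase; sig_id:100020;)')
EXAMPLE_LATE_HTTP_HEADER = ('alert tcp any any -> any any (content:User-agent; '
                            'content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)')
EXAMPLE_VALID = ('alert tcp any any -> any any (content:User-agent; http_header; '
                 'content:"mortest"; http_header; distance:1; nocase; sig_id:100020;)')


def split_options(rule):
    """Return the raw option tokens inside the parentheses, split on ';'
    outside double quotes. Tokens keep their leading whitespace so the
    'leading space' constraint can be checked on them."""
    m = RULE_OPTIONS_RE.search(rule)
    if not m:
        raise ValueError("no option block in rule")
    tokens, cur, in_quote = [], "", False
    for ch in m.group(1):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur.strip():
        tokens.append(cur)
    return tokens


def check_http_header(rule):
    """Return a list of validation errors under the pre-fix constraints.
    An empty list means the signature would pass."""
    errors = []
    # Group tokens into content checks: each 'content:' starts a new group,
    # and the modifiers that follow it belong to that check.
    groups = []
    for tok in split_options(rule):
        if tok.strip().startswith("content:"):
            groups.append([tok])
        elif groups:
            groups[-1].append(tok)
    uses_http_header = []
    for idx, group in enumerate(groups):
        attrs = group[1:]
        names = [a.strip() for a in attrs]
        has = "http_header" in names
        uses_http_header.append(has)
        if not has:
            continue
        pos = names.index("http_header")
        if not attrs[pos].startswith(" "):
            errors.append(f"content check {idx + 1}: no space between ';' and 'http_header'")
        if pos != 0:
            errors.append(f"content check {idx + 1}: 'http_header' must be the first "
                          f"attribute, but follows {names[:pos]}")
        if idx > 0 and not all(uses_http_header[:idx]):
            errors.append(f"content check {idx + 1}: 'http_header' used but an earlier "
                          "content check lacks it")
    return errors


if __name__ == "__main__":
    for name, rule in [("no space", EXAMPLE_NO_SPACE),
                       ("late http_header", EXAMPLE_LATE_HTTP_HEADER),
                       ("corrected", EXAMPLE_VALID)]:
        print(name, "->", check_http_header(rule) or "passes")
```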


691224 : Fragmented SSL Client Hello messages do not get properly reassembled when SSL Persistence is enabled

Solution Article: K59327001

Component: Local Traffic Manager

Symptoms:
The node (back-end server) rejects the incomplete ClientHello message it receives, and the connection terminates.

Conditions:
This occurs when the following conditions are met:
-- SSL Persistence is enabled.
-- There is no ClientSSL and ServerSSL profile.
-- The BIG-IP device receives fragments of a ClientHello message (typically, 11 bytes each) from an SSL front-end client.

Impact:
With SSL Persistence enabled:
-- The parser fails to reassemble fragmented ClientHello messages prior to passing them on to the backend server.
-- As a result, the backend server responds as if it has received an incomplete ClientHello message, rejects the handshake, and terminates the connection.

Workaround:
The issue disappears when SSL Persistence is disabled.


691210 : Traffic stops on tmm restart when guest VLAN tagging is used for BIG-IP VE.

Component: TMOS

Symptoms:
Traffic stops after tmm restart. BIG-IP Virtual Edition (VE) becomes unresponsive and requires power cycle.

Conditions:
This occurs when the following conditions are met:
-- Using VE.
-- Data plane interfaces are SR-IOV VF.
-- Guest VLAN tagging is used.
-- tmm restart.

Impact:
BIG-IP system stops working, and management connection may be lost, requiring power cycle.

Workaround:
Use VLAN tagging from host.

Fix:
The BIG-IP system now continues to work after tmm restart when guest VLAN tagging is used with SR-IOV interfaces for BIG-IP VE.


691196 : one Cisco NEXUS switch and 2 BIG-IP WCCP web caches do not work together

Component: TMOS

Symptoms:
One Cisco Catalyst switch and two BIG-IP WCCP web caches work correctly together.
One Cisco Nexus switch and two BIG-IP WCCP web caches do not work together.
The difference is in the "WCCP Message Type: 2.0 I see you (11)" message generated by the Nexus router.

The existing code did not support the offset (it expected "Number of elements" to always equal 0, as Catalyst and other switches set it).
Nexus uses this element, which introduces an offset in the frames.

As a result, the BIG-IP system cannot parse the message in the case of one Nexus switch and two (or more) BIG-IP systems.

This point is poorly described in the WCCP draft, and the investigation was based on the Wireshark dissector.

Conditions:
One Nexus switch and two (or more) BIG-IP systems have an interoperability problem.

Impact:
One Nexus switch and two (or more) BIG-IP systems cannot work together.

Workaround:
Avoid such a configuration.

Fix:
The problem has been fixed, and this configuration now works correctly.


691095 : CA bundle manager loses certificates in the CA bundle if the serial number is longer than 4 bytes

Component: Local Traffic Manager

Symptoms:
CA certificates with long but different serial numbers are treated as identical duplicates, and so are lost in the CA certificate merge operation; only one is kept.

Conditions:
- The CA bundle file is managed by the CA bundle manager.

- The file contains certificates with large serial numbers.

Impact:
Certificates with large serial numbers are treated as duplicate, and removed.

Workaround:
There is no workaround at this time.

Fix:
Large serial numbers are treated correctly.


691048 : Support DIAMETER Experimental-Result AVP response

Solution Article: K34553736

Component: Service Provider

Symptoms:
When the Diameter server returns an answer message that contains an Experimental-Result AVP but no Result-Code AVP, the server-side flow is aborted.

Conditions:
The Diameter answer message contains an Experimental-Result AVP but no Result-Code AVP.

Impact:
The server side flow is aborted.

Workaround:
Use an iRule to insert a Result-Code AVP in all Diameter answer messages.

Fix:
This release supports DIAMETER Experimental-Result AVP response.


691017 : Preventing ng_export hangs

Component: Access Policy Manager

Symptoms:
Sometimes ng_export gets stuck while reading tmsh output through the pipe because of buffer issues: the export keeps trying to read more data from tmsh while data is lost in the middle of the read operation.

Conditions:
-- ng_export receives tmsh replies through buffer of constant size x.
-- During the read operation, tmsh returns a buffer size of x minus k, where k is very small random number (less than 50).

Note: k is a very small random number, which makes this issue difficult to reproduce and describe.

Impact:
The export operation hangs.

Workaround:
None.

Fix:
ng_export now uses a non-blocking socket and loops to wait for data or terminate gracefully.


690919 : AFM pktclass daemon halt on NAT policy rule configuration

Component: Advanced Firewall Manager

Symptoms:
AFM pktclass daemon halts when it receives NAT policy rule configuration with an invalid (non-existent) address (or port) list attached (triggered either by running the 'tmsh merge' command or by manually modifying bigip*.conf files).

Conditions:
User modifies AFM NAT policy configuration to include a non-existent firewall address (or port) list in a NAT policy rule either by running the 'tmsh merge' command or by manually modifying bigip*.conf files.

These conditions cause MCP validation to be skipped and thus, pktclass daemon (pccd) aborts when it receives an invalid address (or port) list configuration for a NAT policy rule.

Impact:
AFM pktclass daemon (or pccd) halts with following error message in /var/log/ltm:

pccd[20954]: 015d0000:3: [NAT] commit failed.

Workaround:
Do not modify the AFM NAT policy rule configuration either by running the 'tmsh merge' command or by manually modifying bigip*.conf files.

Use TMSH/GUI commands/options to manage AFM NAT configuration.

Fix:
MCP validation issue has been fixed to now detect the invalid address (or port) list condition in an AFM NAT policy rule when you attach a non-existent list either by running the 'tmsh merge' command or by manually modifying bigip*.conf files.

MCP now catches the invalid configuration and posts an alert, preventing the pktclass daemon (pccd) from halting.


690890 : Running sod manually can cause issues/failover

Component: TMOS

Symptoms:
If multiple instances of the system failover daemon are executed, improper behavior results. The system failover daemon is run internally by the system service manager (bigstart). When accidentally or intentionally executing the command 'sod', the second running instance will disrupt the failover system.

Conditions:
Accidentally or intentionally executing the command 'sod'.

Impact:
System might failover, reboot, or perform other undesirable actions that result in traffic interruption.

Workaround:
Do not attempt to invoke the 'sod' daemon directly. There is no use case for executing 'sod' directly; it is managed by 'bigstart'.

Fix:
The failover daemon detects that an instance is already running, and exits without disrupting the system.


690883 : BIG-IQ: Changing learning mode for elements does not always take effect

Component: Application Security Manager

Symptoms:
When changing learning mode for an element type (e.g., WebSocket URLs), if no other changes are made to the default '*' entity, then suggestions are not created correctly.

Conditions:
Changes are deployed from a BIG-IQ device, where the learning mode for an element type (e.g., WebSocket URLs) is changed (e.g., from Never to Always), and no other changes are made to the default '*' entity.

Impact:
Suggestions are not created correctly.

Workaround:
Modify the '*' entity as well (change description).

Fix:
Learning mode changes are correctly handled from BIG-IQ.


690819 : Using an iRule module after a 'session lookup' may result in crash

Component: TMOS

Symptoms:
'session lookup' does not clean up an internal structure after the call finishes. If another iRule module uses the values in this internal structure after a 'session lookup', it may result in a core or other undesired behavior.

Conditions:
Calling 'session lookup' in an iRule where a result is successfully retrieved, and then calling another module.

Impact:
The system may core, or result in undefined and/or undesired behavior.

Workaround:
Check the return value of 'session lookup' before using another iRule module.

If 'session lookup' says that the entry exists, call 'session lookup' again for a key that is known to not exist.


690793 : TMM may crash and dump core due to improper connflow tracking

Solution Article: K25263287

Component: TMOS

Symptoms:
In rare circumstances, it is possible for the embedded Packet Velocity Acceleration (ePVA) chip to try to process non-ePVA connflows. Due to this improper internal connflow tracking, TMM can crash and dump core.

Conditions:
This issue can occur on any system equipped with an ePVA and configured with virtual servers that make use of it to accelerate flows.

While no other conditions are required, it is known that modifying a FastL4 virtual server to Standard while the virtual server is processing traffic is very likely to cause the issue.

Impact:
TMM crashes and dumps core. A redundant unit will fail over. Traffic may be impacted while TMM restarts.

Workaround:
It is not recommended to switch virtual server profiles while running traffic. To change virtual server profiles, it is recommended to halt traffic to the system first.

However, this does not eliminate entirely the chances of running into this issue.

Fix:
The system now checks for HSB flow status update data and prevents false positive matches to virtual servers with non-FastL4 profiles.


690778 : Memory can leak if the STREAM::replace command is called more than once in the STREAM_MATCHED event in an iRule

Solution Article: K53531153

Component: Local Traffic Manager

Symptoms:
Memory leak; the memory_usage_stat cur_allocs will increase each time the iRule is invoked.

Conditions:
This occurs when using an iRule that calls the STREAM::replace command more than once in the iRule's STREAM_MATCHED event.

Impact:
Memory leak; eventually the system will run out of memory and TMM will restart (causing a failover or outage). Traffic disrupted while tmm restarts.

Workaround:
Change the way the iRule is written so that the STREAM::replace command is not called more than once in the iRule's STREAM_MATCHED event.

Fix:
Prevented memory leak in stream code.


690756 : APM depends on undocumented internal behavior of HTTP iRule commands after a retry is initiated

Component: Local Traffic Manager

Symptoms:
Using the ACCESS::restrict_irule_events disable command to allow iRule events triggered by APM-generated responses to be visible to the iRule no longer works.

Conditions:
-- ACCESS::restrict_irule_events disable.
-- HTTP iRules commands used in HTTP_RESPONSE_RELEASE after a retry has been triggered by APM.

Impact:
iRule execution is aborted.

Workaround:
The only possible workaround is to abandon the iRule, and implement the functionality using a VIP-targeting-VIP configuration.

Note: This might not be acceptable in many cases either because of functionality loss (e.g., client certificate auth), or because there are complicated issues specifically solved by iRules.

Fix:
APM triggers a new iRule event when it retries a request. This new event allows iRules to be notified when this occurs.

The HTTP_RESPONSE_RELEASE event is no longer triggered on an internal retry as no response will be sent.

A BigDB variable has been added to disable run-time validation of HTTP iRule commands. This is intended to ease the roll-forward of old APM iRules.


690699 : Fragmented SSL handshake messages cause Proxy SSL handshake to fail

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system uses Proxy-SSL mode, and the virtual server receives a fragmented SSL handshake message, SSL handshake might fail.

Conditions:
1. BIG-IP (VIP) uses Proxy-SSL mode.

2. The BIG-IP system receives a fragmented SSL handshake message (this is especially common when the certificate message is larger than 16 KB, which requires it to be fragmented).

Impact:
If the system receives a fragmented SSL handshake message, the SSL handshake is rejected.

Workaround:
The only workaround is to trim down the list of acceptable client CAs advertised in the CertificateRequest message (specifically, use client certificate chains that are smaller than 16 KB).

Fix:
The system now checks whether the SSL handshake message is fragmented by comparing the message length and the handshake record length.

The system then assembles the fragmented message and performs the required correctness check if it is fragmented.


690166 : ZoneRunner creates a new stub zone when creating an SRV WIP with more subdomains

Component: Global Traffic Manager (DNS)

Symptoms:
Creating an SRV wide IP results in stub zone creation even when matching zones already exist.

Conditions:
Creating an SRV wide IP with three more layers than the existing zone.

Impact:
Unnecessary stub zones are created.


690116 : websso might crash when logging set to debug

Component: Access Policy Manager

Symptoms:
If the authentication type is HTTP headers and the log level is set to debug, an incorrect parameter gets printed, and if it happens to be NULL the websso daemon crashes.

Conditions:
-- Authentication type is HTTP headers.
-- Log level is debug for websso (the single-sign-on (SSO) functionality for Web access through the BIG-IP APM system).

Impact:
websso might crash.

Workaround:
Set log level to Informational.

Note: The data logged specifically for debug level is targeted toward developers, and is rarely useful in a production environment.

Fix:
The correct data is logged and websso does not crash.


690042 : Potential Tcl leak during iRule suspend operation

Solution Article: K43412307

Component: Local Traffic Manager

Symptoms:
TMM's Tcl memory usage increases over time, and does not decrease. Memory leak of Tcl objects might cause TMM to core.

Conditions:
-- iRules are in use.
-- Some combination of nested proc calls and/or loops must go at least five levels deep.
-- Inside the nested calls, an iRule executes a suspend operation.

Impact:
Degraded performance. TMM out-of-memory crash. A failover or temporary outage might occur. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer leaks memory.


690024 : Add the ability to rerun the URL CRC calculation via before-load function

Component: Fraud Protection Services

Symptoms:
If there is a page that changes its URL (such as single-page application) without POST request, WebSafe does not recalculate the new URL CRC on the client side.

Conditions:
Page that changes its URL (such as single-page application) without POST request.

Impact:
WebSafe does not recalculate the new URL CRC on the client side, which causes an FP alert.

Workaround:
None.

Fix:
The system now performs the URL CRC calculation in the before-load function.


689987 : Requests are not logged on new virtual servers after UCS load while ASM is running

Component: Application Security Manager

Symptoms:
Requests are not logged on new virtual servers after UCS load while ASM is running.

Conditions:
UCS file is loaded with different virtual servers while ASM is running.

Impact:
Requests are not logged on newly added Virtual Servers.

Workaround:
You can use either of the following workarounds:
-- Restart ASM.

-- Disassociate the logging profile and re-associate it with all affected virtual servers.

Note: As a best practice, it is recommended that you always perform a full restart after UCS load. To do so, run the following command: bigstart restart.

Fix:
Now logging profiles are associated with virtual servers after load is complete.


689982 : FTP Protocol Security breaks FTP connection

Component: Application Security Manager

Symptoms:
FTP Protocol Security breaks FTP connection.

Conditions:
-- ASM provisioned
-- FTP profile (Local Traffic :: Profiles : Services : FTP) with 'Protocol Security' enabled is assigned to a virtual server.

Impact:
-- RST on transaction.
-- bd PLUGIN_TAG_ABORT messages in mpidump.

Workaround:
Create and use a custom "FTP Security Profile" instead of the system default one.

1. Navigate to Security :: Protocol Security : Security Profiles : FTP.
2. Create a custom FTP Security Profile alongside the system default named 'ftp_security'.
3. Navigate to Security :: Protocol Security : Profiles Assignment : FTP.
4. From the Assigned Security Profile drop-down menu, choose the newly created custom FTP Security Profile, instead of the pre-selected system default 'ftp_security'.

Fix:
This release fixes an issue where the system default 'ftp_security' profile configuration was not fully loaded.


689878 : Memory Leak in ASM Sync Listener Process on lightweight platform (such as vCMP guest)

Component: Application Security Manager

Symptoms:
Following several sync errors, a memory leak occurs in the ASM sync listener process (asm_config_server.pl).

Conditions:
-- asm-sync is enabled on an auto-sync Device Group.

-- Errors occur during attempts to sync, either due to a full disk or in response to one or more of the following actions in the GUI or REST API:
 + Creating/importing/deleting policies.
 + Accepting many suggestions at once.
 + Adjusting Policy Building Settings.

-- The platform is a minimally configured vCMP guest

Impact:
RAM is increasingly consumed, eventually leading to swap usage until the device reaches a panic state.

Workaround:
Restart asm_config_server on all devices using the following command:
 killall asm_config_server.pl

Fix:
Memory leak no longer occurs in ASM Sync Listener Process on lightweight platform (such as a vCMP guest).


689856 : Some Edge 15 browsers hang with Device ID / Fingerprint

Component: Advanced Firewall Manager

Symptoms:
On some of the Edge 15 browsers, the page hangs when going through the Device ID / Fingerprint client-side code.

Conditions:
This happens when Device ID or Fingerprint is enabled in either the ASM Policy, DoS Profile, or Antifraud Profile.

Impact:
Affected browsers cannot access the website when Device ID / Fingerprint is enabled. The page stays blank (white), and the browser may show the following message: Page is not responding.

Workaround:
You might be able to work around this issue by disabling the device-id attribute that is causing the problem using a command similar to the following:
 tmsh modify security device-id attribute att25 collect disabled

There is no need to restart any process after making this change.
There should not be a significant impact after making this change.

Fix:
Edge 15 browsers no longer hang with Device ID / Fingerprint enabled.


689691 : iStats line length greater than 4032 bytes results in corrupted statistics or merge errors

Component: TMOS

Symptoms:
You can create dynamic statistics using the istats command and the iStats directive in iRules. The maximum length of a row (the sum of all column widths) is 4032 bytes. If you attempt to create an iStat whose summed column sizes exceed this value, errors appear in the logs, and the statistic is not incremented or merged. Log messages appear similar to the following:
-- notice 4: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged at 0x42e2d50.
-- err tmm[21822]: 01220001:3: TCL error: /Common/istat_it <HTTP_REQUEST> - Error: tmstat_row_alloc(1520): tmstat segment blade/tmm0 appears to be damaged (line 1) invoked from within "ISTATS::incr "ltm.virtual [virtual name] counter $host-$path" 1".

Conditions:
An iStat is created or modified such that the sum of the column widths is greater than 4032 bytes.

Impact:
Statistics corruption or merge errors occur. The statistic is not maintained. This is a system limit. An iStat should not be created such that its record length exceeds the 4032-byte limit.

Workaround:
This is a system limit. An iStat should not be created such that its record length exceeds the limit.

Fix:
Line length enforcement was added and an error log is output when the length is exceeded. Now, when the limit is reached, there are no corruption or merge errors. The system posts messages similar to the following in the tmm log file:

-- notice iStat for table 'ltm_virtual' column 'www_qqwabc3584' cannot be added as row size '4040' is too long at 0x46dcd90

To avoid errors like this, do not add columns to iStats in iRule directives.


689632 : New source-translation stat - Total End Points(IPv4/IPv6) deprecates the old stat Total End Points

Component: Carrier-Grade NAT

Symptoms:
The statistic 'Total End Points' displays incorrect values when an IPv6 address with a small prefix is configured in Dynamic PAT under source translation.

Conditions:
Any IPv6 address with a small prefix configured under Dynamic PAT in source translation.

Impact:
Statistics provided are incorrect.

Workaround:
None.

Fix:
This release introduces a new statistic, 'Total End Points (IPv4/IPv6)', which displays the correct values. Refer to this new statistic for correct information when IPv6 addresses are configured in Dynamic PAT under source translation.


689614 : If DNS is not configured and management proxy is setup correctly, Webroot database fails to download

Component: Traffic Classification Engine

Symptoms:
If DNS is not configured and the management proxy is set up correctly, the Webroot database fails to download, and cloud lookup fails as well.

Conditions:
DNS is not configured and a management proxy is set up.

Impact:
Webroot database download and cloud lookup fail.

Workaround:
There is no workaround at this time.

Fix:
The system now downloads the Webroot database and performs cloud category lookups through the configured proxy.


689591 : When pingaccess SDK processes certain POST requests from the client, the TMM may restart

Component: Access Policy Manager

Symptoms:
The BIG-IP tmm process may restart when processing certain client POST requests whose body must be inspected by the PingAccess policy server.

Conditions:
- BIG-IP virtual server is configured as policy decision point with PingAccess policy server.
- User sends a POST request to BIG-IP.
- Policy configured on PingAccess server requires inspection of the body of the POST request sent by the user.

Impact:
Traffic will be temporarily disrupted while tmm restarts.

Fix:
TMM will no longer restart when processing client's POST requests that need to be inspected by the PingAccess policy server.


689577 : ospf6d may crash when processing specific LSAs

Solution Article: K45800333

Component: TMOS

Symptoms:
When OSPFv3 is configured and another router in the network performs a graceful restart, ospf6d may crash.

Conditions:
-- OSPFv3 in use.
-- Graceful restart initiated by another system.

Impact:
OSPFv3 routing will be interrupted while the daemon restarts and the protocol re-converges.

Workaround:
Disabling graceful restart on other network systems will prevent ospf6d from crashing on the BIG-IP system. However, it will cause a routing interruption on a system that restarts.

Fix:
The ospf6d daemon no longer crashes when a graceful restart occurs in the network.


689567 : Some WOM/AAM pages in the GUI are visible to users with iSeries platforms even when AAM cannot be provisioned

Component: TMOS

Symptoms:
Several pages in the Acceleration tab (e.g., Acceleration :: Quick Start : Symmetric Properties) display a warning message that directs you to provision AAM in order to access WOM utilities. These pages are visible even if it is impossible for you to provision AAM, which is confusing.

Conditions:
You have an iSeries platform with no AAM license.

Impact:
The impact is cosmetic only. The page is confusing because it suggests that AAM can be provisioned without the proper license (e.g., that WOM/AAM can be set up with only an LTM license), which it cannot. You can safely ignore the warning messages.

Workaround:
No workaround at this time.

Fix:
GUI elements for WAM/WOM/AAM are no longer visible on iSeries platforms.


689561 : HTTPS request hangs when multiple virtual https servers share the same ip address

Component: Local Traffic Manager

Symptoms:
SSL forward proxy reuses a server-side SSL session when the client IP, server IP, and server port match an existing session. When multiple HTTPS virtual servers share the same IP address, the server side can resume a session that was previously established through a different virtual server. In that situation the client-side SSL cannot forge the certificate, and the SSL handshake hangs.

Conditions:
Multiple HTTPS virtual servers share the same IP address and internally share SSL sessions. This has been observed with several Google domains.

Impact:
Clients cannot access some HTTPS web servers.

Workaround:
Disable 'Session Ticket' in the server SSL profile. Because server-side SSL does not support session ID resumption, this forces a full handshake to the web server on every connection, so the server certificate chain is never NULL.

Fix:
The server SSL session cache lookup now matches the client IP, server IP, and server port, as well as the server name from SNI. After the fix, a session whose server name does not match the virtual server's is not reused.
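The cache-key problem described above, modelled as an added example (illustrative Python written for this page, not BIG-IP code; the cache structure, host names and IP addresses are assumptions). It contrasts a server-side session cache keyed only by client IP, server IP and server port with one that also keys on the SNI server name, and shows the workaround of disabling session tickets, which simply stops anything from being cached:

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    server_name: str              # SNI name the session was negotiated for
    cert_chain: Tuple[str, ...]   # server chain captured during the full handshake
    ticket: bytes


class ServerSessionCache:
    """Server-side SSL session cache (model, not BIG-IP's implementation).
    key_includes_sni=False models the cache before the fix (client IP, server IP,
    server port only); True models the fix. session_tickets=False models the
    page's workaround: with tickets disabled nothing is cached, so every
    connection does a full handshake."""

    def __init__(self, key_includes_sni: bool, session_tickets: bool = True):
        self.key_includes_sni = key_includes_sni
        self.session_tickets = session_tickets
        self._cache = {}

    def _key(self, client_ip, server_ip, server_port, server_name):
        if self.key_includes_sni:
            return (client_ip, server_ip, server_port, server_name)
        return (client_ip, server_ip, server_port)

    def store(self, client_ip, server_ip, server_port, session: Session):
        if self.session_tickets:
            self._cache[self._key(client_ip, server_ip, server_port, session.server_name)] = session

    def lookup(self, client_ip, server_ip, server_port, server_name) -> Optional[Session]:
        return self._cache.get(self._key(client_ip, server_ip, server_port, server_name))


def forge_client_certificate(session: Session, requested_name: str):
    """The forward proxy re-signs the real server chain for the client side.
    A session resumed from a different name carries no chain for this host
    (server_certchain is NULL in the page's terms), so nothing can be forged."""
    if not session.cert_chain or session.server_name != requested_name:
        return None
    return ("forged", requested_name) + session.cert_chain


def connect(cache: ServerSessionCache, client_ip, server_ip, server_port, server_name):
    """One server-side connection. Returns (handshake kind, client handshake completed)."""
    session = cache.lookup(client_ip, server_ip, server_port, server_name)
    if session is None:
        kind = "full-handshake"
        session = Session(server_name, ("leaf-" + server_name, "intermediate", "root"), b"ticket")
        cache.store(client_ip, server_ip, server_port, session)
    else:
        kind = "resumed"
    return kind, forge_client_certificate(session, server_name) is not None


if __name__ == "__main__":
    # constructed scenario: two HTTPS names behind one backend IP, one client
    for label, cache in [("buggy", ServerSessionCache(key_includes_sni=False)),
                         ("fixed", ServerSessionCache(key_includes_sni=True)),
                         ("workaround", ServerSessionCache(key_includes_sni=False, session_tickets=False))]:
        for name in ("www.example.com", "mail.example.com", "mail.example.com"):
            print(label, name, connect(cache, "10.0.0.5", "203.0.113.10", 443, name))
```

In the buggy cache the second name resumes the first name's session and the client-side handshake cannot complete; with the SNI in the key the second name gets its own full handshake and later resumes correctly.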


689449 : Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured

Component: Local Traffic Manager

Symptoms:
In some circumstances the system may experience unconstrained TMM memory growth when a virtual server is configured for SPDY/HTTP2 and HTTP with fallback-host.

Conditions:
- VIP configured with spdy/http2 and http with fallback-host.

Impact:
TMM may eventually enter aggressive sweeper mode, in which this memory is released. In the process, some legitimate connections may be killed.

Workaround:
No workaround at this time.

Fix:
BIG-IP no longer attempts to send a response with the fallback host configured in the HTTP profile when a connection is aborted by the client or due to an internal error. This prevents the internal flow from staying in memory after the connection has died.


689437 : icrd_child cores due to infinite recursion caused by incorrect group name handling

Solution Article: K49554067

Component: TMOS

Symptoms:
Every time the virtual server stats are requested via REST, icrd_child consumes high CPU, grows rapidly toward the 4 GB max process size (32-bit process), and might eventually core.

Conditions:
Virtual server stats are requested via iControl REST with a special string that includes the dotted group names.

Impact:
icrd_child consumes high CPU, grows rapidly, and might eventually core.

Workaround:
Clear the virtual server stats via reset-stats and icrd_child no longer cores.

Fix:
The icrd_child parsing logic was updated so that it no longer enters infinite recursion.


689375 : Unable to configure 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled

Solution Article: K01512833

Component: Local Traffic Manager

Symptoms:
TMUI hides several SSL client/server settings when 'Proxy SSL' is enabled, including the 'Generic Alert' setting, so you cannot set it.

Conditions:
Enable 'Proxy SSL' on SSL client/server profile in TMUI.

Impact:
TMUI hides many config settings, including 'Generic Alert'. You cannot modify 'Generic Alert' setting on SSL client/server profile using the GUI when 'Proxy SSL' is enabled.

Workaround:
Modify the same setting through TMSH modify client/server SSL profile command, as follows:

tmsh modify ltm profile client-ssl <profile_name> generic-alert disabled

tmsh modify ltm profile server-ssl <profile_name> generic-alert disabled

Fix:
You can now modify 'Generic Alert' setting on SSL client/server profile through TMUI when 'Proxy SSL' is enabled.


689343 : Diameter persistence entries with bi-directional flag created with 10 sec timeout

Component: Service Provider

Symptoms:
Diameter persistence entries have a timeout value of less than 10 seconds, although the configured persistence timeout is 120 seconds.

Conditions:
When Diameter custom persistence "DIAMETER::persist key 1" bi-directional iRule is used.

Impact:
The persist timeout is less than 10 seconds, so subsequent requests are dispatched to another pool member.

Workaround:
Don't use bi-directional persistence iRule. Use AVP persistence type with session-id as the persist key.

Fix:
When the Diameter custom persistence iRule "DIAMETER::persist key 1" is used, the persist timeout value will be set correctly as configured.


689281 : ASM REST 'eq' and 'ne' were inconsistent for case sensitivity

Component: Application Security Manager

Symptoms:
ODATA standard states that $filter operators 'eq' and 'ne' are case-sensitive comparisons. For some fields, the comparison is performed as case-insensitive.

Conditions:
'eq' or 'ne' are used in an ODATA $filter and are expected to be case sensitive.

Impact:
Case-insensitive results are returned.

Workaround:
None.

Fix:
'eq' and 'ne' are now always case-sensitive.


689262 : [REST] Policy Diff: canMerged* fields should be enum and not boolean

Component: Application Security Manager

Symptoms:
The canMergeFirstToSecond and canMergeSecondToFirst fields under policy-diff/<id>/differences are boolean (true or false), whereas they should be an enum with the following values:
- merge-allowed
- merge-not-allowed
- merge-by-details

Conditions:
Create policy diff with an item that contains inherited and non-inherited values.

Impact:
REST displays inaccurate data for these fields.

Workaround:
Review the details field of each diff item, which contains the canMergeFirstToSecond/canMergeSecondToFirst values.

Fix:
This release fixes the values for canMergeFirstToSecond/canMergeSecondToFirst fields.


689211 : IPsec: IKEv1 forwards IPv4 packets incorrectly as IPv6 to daemon after version was { v1 v2 }

Component: TMOS

Symptoms:
If you change an ike-peer version to { v1 v2 } (both IKEv1 and IKEv2 support, which is not a recommended action) and then change it back to { v1 }, IKEv1 no longer works.

Packets from a remote peer after this appear to arrive via IPv6 and will not match the IPv4 config of the actual peer, so tunnels cannot be established.

Conditions:
Transiently changing an ike-peer version to { v1 v2 } before fixing it with 'version replace-all-with { v1 }' to target IKEv1 alone.

Impact:
IKEv1 tunnels cannot be established when the remote peer initiates. (If the local peer initiates, negotiation may succeed anyway, until the SA is expired or deleted.) After this, tmm forwards packets to racoon improperly.

Workaround:
After changing version to v1 alone, issue the following command to have the config work correctly:
 bigstart restart

Fix:
Added check for the IPv6 flag in the packet, in addition to testing for a v4-in-v6 address; this corrects the corner case of an address containing all zero when forwarded.


689089 : VIPRION cluster IP reverted to 'default' (192.168.1.246) following unexpected reboot

Component: Local Traffic Manager

Symptoms:
The cluster configuration file can be lost or corrupted, resulting in the out-of-band cluster management IP reverting to the default value.

Conditions:
Unexpected system restart while the configuration file is being updated may cause the file to become corrupted. If this occurs, the following error will be logged during blade startup:

"err clusterd[8171]: 013a0027:3: Chassis has N slots, config file has 0, ignoring config file"

Where "N" is the number of physical slots in the chassis (2, 4, or 8).

Impact:
Management IP reverts to 192.168.1.246, resulting in loss of access to the chassis through the out-of-band management network.

Workaround:
If this occurs, the management IP can be restored using TMSH or the UI through an in-band self IP, or with TMSH through the management console port.

Fix:
The configuration file update logic has been changed to prevent file corruption during update.
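The page does not say how the update logic was changed; the standard way to make a configuration file update crash-safe is the write-to-temp, fsync, rename pattern shown below. This is an added example written for this page, not clusterd code: the JSON layout, the slot-count check and the simulated-crash hooks are assumptions chosen to mirror the log line quoted above.

```python
import json
import os
import tempfile


def atomic_write(path: str, data: bytes, _crash_before_rename: bool = False) -> None:
    """Replace `path` with `data` so that an interruption at any point leaves either
    the old complete file or the new complete file on disk, never a partial one:
    write a temp file in the same directory, fsync it, rename it over the target
    (atomic on POSIX), then fsync the directory so the rename itself is durable.
    _crash_before_rename is a test hook that simulates power loss after the write."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        if _crash_before_rename:
            raise RuntimeError("simulated power loss before rename")
        os.replace(tmp, path)
        if os.name == "posix":
            dfd = os.open(directory, os.O_RDONLY)
            try:
                os.fsync(dfd)
            finally:
                os.close(dfd)
    except BaseException:
        try:
            os.unlink(tmp)   # a real crash would leave this behind, which is harmless
        except FileNotFoundError:
            pass
        raise


def naive_write_interrupted(path: str, data: bytes) -> None:
    """The pattern that produces a corrupt file: open the live file for writing
    (truncating it in place), then die before the new contents are complete."""
    with open(path, "wb") as f:
        f.write(data[: len(data) // 2])
        f.flush()
        raise RuntimeError("simulated power loss mid-write")


def load_cluster_config(path: str, chassis_slots: int):
    """Reader side, mirroring the page's check: a file whose slot count does not
    match the chassis is ignored ('Chassis has N slots, config file has 0,
    ignoring config file'). Returns the slot list, or None when the file is
    ignored. JSON is a stand-in format; the real file layout is not documented here."""
    try:
        with open(path, "rb") as f:
            slots = json.loads(f.read()).get("slots", [])
    except (OSError, ValueError):
        slots = []
    if len(slots) != chassis_slots:
        return None
    return slots
```

A reader that falls back to defaults on a mismatched file is the right behaviour; the writer is what must guarantee the mismatch never happens.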


689007 : PEM CMP-HASH misconfiguration does not generate error log

Component: Policy Enforcement Manager

Symptoms:
PEM requires the DAG to be configured with the key set to source-ip. If this configuration is not done, the iRule command PEM::session fails without a warning. In the case of a lookup, the command returns an empty string.

Conditions:
-- The default tmm image (tmm.default) is running.
-- The cmp-hash is not configured for SP-DAG.
-- There is a query from iRule (or a session creation attempt using data-traffic).

Impact:
The commands fail. There is no error logged in /var/log/tmm or /var/log/ltm. No warning about misconfiguration.

Workaround:
No workaround for tmm.default.

Fix:
There is now an error logged in /var/log/tmm or /var/log/ltm to warn about any misconfiguration.


689002 : Stackoverflow when JSON is deeply nested

Component: TMOS

Symptoms:
When the returned JSON payload from iControl REST is very large and deeply nested, the JSON destruction could trigger stack overflow due to deep recursion. This will crash icrd_child.

Conditions:
Deeply nested JSON returned from iControl-REST.

Impact:
icrd_child process coredumps.

Workaround:
None.

Fix:
The fix changes the destruction mechanism into an iterative solution, to completely avoid the stack overflow.


688942 : ICAP: Chunk parser performs poorly with very large chunk

Solution Article: K82601533

Component: Service Provider

Symptoms:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system buffers the entire chunk and reevaluates the amount of data received as each new packet arrives.

Conditions:
ICAP server returns large payload entirely in a single chunk, or otherwise generates very large chunks (MB to GB range).

Impact:
The BIG-IP system uses memory to buffer the entire chunk. In extreme cases the parser can peg the CPU utilization at 100% as long as packets are arriving.

Workaround:
If possible, configure the ICAP server to chunk the response payload into multiple normal-sized chunks (up to a few tens of KB).

Fix:
When an ICAP response contains a very large chunk (MB-GB), the BIG-IP system streams content back to the HTTP client or server as it arrives, without undue memory use or performance impact.
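A streaming chunked-transfer decoder of the kind the fix describes, as an added example (written for this page, not BIG-IP's parser; the payload and packet size are constructed). It returns body bytes as each packet is consumed instead of holding a chunk until it is complete and rescanning the accumulated data, so memory and CPU stay flat even for a single multi-megabyte chunk:

```python
class ChunkedDecoder:
    """Incremental chunked-transfer decoder (HTTP bodies and ICAP encapsulated
    bodies use the same framing). feed() hands back body bytes as soon as they
    arrive: a chunk is never held until complete, and bytes already consumed
    are never rescanned, so cost is linear in the data and buffering stays tiny."""

    def __init__(self):
        self._buf = bytearray()   # only ever holds a partial size line or CRLF
        self._remaining = 0       # payload bytes of the current chunk still expected
        self.state = "size"       # size -> data -> crlf -> size ... -> done
        self.peak_buffered = 0    # largest residue left in _buf after any feed()

    def feed(self, data: bytes) -> bytes:
        out = bytearray()
        self._buf += data
        while True:
            if self.state == "size":
                eol = self._buf.find(b"\r\n")
                if eol < 0:
                    break                          # wait for the rest of the size line
                line = bytes(self._buf[:eol])
                del self._buf[:eol + 2]
                size = int(line.split(b";", 1)[0].strip(), 16)   # drop chunk extensions
                if size == 0:
                    self.state = "done"            # trailers, if any, are ignored here
                    break
                self._remaining, self.state = size, "data"
            elif self.state == "data":
                take = min(self._remaining, len(self._buf))
                if take == 0:
                    break
                out += self._buf[:take]            # stream out, never accumulate
                del self._buf[:take]
                self._remaining -= take
                if self._remaining == 0:
                    self.state = "crlf"
            elif self.state == "crlf":
                if len(self._buf) < 2:
                    break
                if self._buf[:2] != b"\r\n":
                    raise ValueError("chunk data not followed by CRLF")
                del self._buf[:2]
                self.state = "size"
            else:                                  # done
                break
        self.peak_buffered = max(self.peak_buffered, len(self._buf))
        return bytes(out)


def encode_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Constructed test input: the chunked encoding of payload."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        out += format(len(chunk), "x").encode() + b"\r\n" + chunk + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def stream(encoded: bytes, packet_size: int):
    """Feed the wire bytes in packet-sized pieces, as they would arrive from the
    ICAP server. Returns (decoded body, peak bytes buffered, final state)."""
    dec = ChunkedDecoder()
    body = bytearray()
    for i in range(0, len(encoded), packet_size):
        body += dec.feed(encoded[i:i + packet_size])
    return bytes(body), dec.peak_buffered, dec.state
```

With a 1 MiB payload sent as a single chunk in 1460-byte packets, the decoder never buffers more than a few bytes between packets; a decoder that waited for the whole chunk would hold the full megabyte and re-examine it on every packet.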


688911 : LTM Policy GUI incorrectly shows conditions with datagroups

Solution Article: K94296004

Component: TMOS

Symptoms:
When editing an LTM policy rule that references a datagroup, the GUI defaults to the datagroup's values, overriding the rule's previous values.

Conditions:
Editing a policy rule.

Impact:
The previous rule values are overridden by the datagroup's values.

Workaround:
Use TMSH to modify the rule.

Fix:
The GUI was updated to default to using the policy rule's values and not the datagroup values.


688825 : A normalization type is missing

Component: Application Security Manager

Symptoms:
A possible undetected attack may happen (false-negative).

Conditions:
Attacker uses a specific attack vector to bypass the ASM.

Impact:
Unsecured content might be passed to server instead of being blocked.

Workaround:
None.

Fix:
Additional normalization was added.


688813-3 : Some ASM tables can massively grow in size.

Solution Article: K23345645

Component: Application Visibility and Reporting

Symptoms:
/var/lib/mysql mount point gets full.

Conditions:
Many combinations of IP addresses, Device IDs (and other ASM dimensions) in traffic over very long period of time (potentially weeks/months).

Impact:
The Device ID field is not collapsed, while other dimensions are collapsed correctly, which causes the growth in size:
-- High disk usage.
-- Frequent need to clear AVR data.

Workaround:
Manually delete AVR mysql partitions located in /var/lib/mysql/AVR.

Fix:
Over time, none of the AVR_STAT_ASM_HTTP_CLIENT_IP_X#...MYD files exceeds 300 MB, so this problem no longer occurs.


688744 : LTM Policy does not correctly handle multiple datagroups

Solution Article: K11793920

Component: Local Traffic Manager

Symptoms:
Policy in use where the conditions reference two or more datagroups, but only the conditions that refer to the first datagroup have any effect.

Conditions:
LTM Policy where the conditions reference two or more datagroups.

Impact:
LTM Policy conditions do not check against second and subsequent datagroups, resulting in policy not working as intended.

Workaround:
The only mitigation is to refactor the policy so that it does not refer to more than one datagroup-based condition.

Fix:
LTM Policy correctly handles policies referencing multiple datagroups.


688629 : Deleting data-group in use by iRule does not trigger validation error

Component: Local Traffic Manager

Symptoms:
iRule aborts due to failed commands, causing connflow aborts.

Conditions:
-- Delete a data group.
-- iRule uses that data-group on a virtual server

Impact:
An in-use data-group can be deleted without error. The iRule aborts, leading to connflow aborts.

Workaround:
Don't delete data-groups in use by an iRule.

Fix:
An attempt to delete a data-group in use by an iRule now triggers a validation error.


688625 : PHP Vulnerability CVE-2017-11628

Solution Article: K75543432


688586 : DTLS does not retransmit ServerHello message if it is lost

Component: Local Traffic Manager

Symptoms:
DTLS does not retransmit ServerHello message if it is lost

Conditions:
The first DTLS ServerHello message is lost

Impact:
The ServerHello is not retransmitted, and the handshake fails.

Fix:
The ServerHello message is now retransmitted when it is lost.


688571 : Untrusted cert might be accepted by the server-ssl even when 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Solution Article: K40332712

Component: Local Traffic Manager

Symptoms:
If the server-ssl profile is configured with 'untrusted-cert-response-control drop', and the system receives a certificate from the backend server that is not trusted by the BIG-IP system, the expected behavior is that the system ends the connection.

However, the current server-side behavior is that the system still accepts the untrusted certificate and establishes the SSL connection with the backend server.

Conditions:
-- The BIG-IP system receives a certificate from the backend server that is not trusted by the BIG-IP system.

-- Configure the 'untrusted-cert-response-control drop' in the server-ssl profile.

-- The corresponding server-ssl is configured at the virtual server.

Impact:
Virtual server might communicate with the backend server that sends the untrusted certificate to the BIG-IP system. Untrusted cert could still be accepted by the server-ssl virtual server even though 'untrusted-cert-response-control drop' is configured in the server-ssl profile.

Workaround:
None.

Fix:
When the system receives the untrusted certificate from backend server and the server-ssl profile is configured with 'untrusted-cert-response-control drop', the system will end the current SSL handshake procedure instead of continuing to proceed to finish it.


688570 : BIG-IP occasionally sends MP_FASTCLOSE after an MPTCP connection close completes

Component: Local Traffic Manager

Symptoms:
After an MPTCP connection closes properly, the BIG-IP will occasionally start sending MP_FASTCLOSE.

Conditions:
An MPTCP connection is closed.

Impact:
The MPTCP connection on the remote device is closed, but the connection on the BIG-IP remains open until the fastclose retransmission times out.

Workaround:
There is no workaround at this time.

Fix:
Fixed event processing at the end of a connection.


688557 : Tmsh help for ltm sasp monitor incorrectly lists default mode as 'pull'

Solution Article: K50462482

Component: Local Traffic Manager

Symptoms:
The description of the 'mode' parameter shown by tmsh help for the ltm sasp monitor indicates that the default value for the 'mode' parameter is 'pull' (where the load balancer sends Get Weight Requests to the GWM).
As of BIG-IP v13.0.0 and v12.1.2-hf1, the default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).
This is a change from prior versions of BIG-IP, where the default value for the 'mode' parameter was 'pull'.

Conditions:
The incorrect description appears when issuing the 'tmsh help ltm monitor sasp' command on BIG-IP v13.0.0, v12.1.2-hf1, and later.

Impact:
Incorrect information about the default value for the 'mode' parameter for the ltm sasp monitor.

Workaround:
The default value for the 'mode' parameter is actually 'push' (where the load balancer receives Send Weights from the GWM).

Fix:
The 'tmsh help ltm monitor sasp' command now lists the correct default value for the 'mode' parameter.


688406 : HA-Group Score showing 0

Solution Article: K14513346

Component: TMOS

Symptoms:
The 'show sys ha-group' command incorrectly displays a "0" for the total score even if the pools/trunks/clusters components have non-zero scores.

Conditions:
If the sys ha-group object is not currently assigned to any traffic-group.

Impact:
The total score is not calculated. An incorrect score value is displayed.

Workaround:
Refer to the component Score Contributions displayed using the following command: show sys ha-group detail.

Fix:
The total HA-Group Score is now displayed correctly.


688369 : dos-hidden profile created in non-Common partition - search engines not bypassed

Component: Advanced Firewall Manager

Symptoms:
The hidden DoS profile /Common/asm-hidden/dos-hidden might be created in a non-Common partition, causing error messages and preventing known search engines from being bypassed.

(This profile is created automatically when provisioning ASM.)

When this happens:
-- An error message appears in /var/log/ltm:
  - err mcpd[6558]: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Google in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition1

-- The /Common/asm-hidden/dos-hidden profile is saved in the config file of the partition (/config/partitions/<partition>/bigip.conf) instead of /config/bigip.conf.

Conditions:
This happens when provisioning ASM using the GUI, and the partition (on the top-right corner) is set to any partition other than the Common one.

Note: The GUI page 'System :: Resource Provisioning' does not allow changing the partition (it is grayed out). The partition must be changed on a different page, such as Virtual Servers.

Impact:
The impact is that the system does not bypass known Search Engines when sending the JavaScript challenges.

Also, on 12.1.x, this error message is written to /var/log/asm:
-- err tsconfd[31293]: dcc|ERR|Oct 11 07:14:04.065|31293| [tsconfd::ASMCONFIG_CALL, update dos bot signature] Failed due to ASMConfig exception: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Yandex in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition_1.

Workaround:
To prevent the problem from happening, make sure the Common partition is selected when provisioning ASM. (Change it on a different page to Common, and then come back to the provisioning page and provision ASM. This only works if ASM was not yet provisioned before.)

If the problem has already occurred, run the following commands to solve the problem:
tmsh delete security dos profile /Common/asm-hidden/dos-hidden
tmsh save sys config
tmsh load sys config
tmsh save sys config

Fix:
The system now creates the hidden dos profile /Common/asm-hidden/dos-hidden in the Common partition correctly, and correctly bypasses known Search Engines when sending JavaScript challenges.


688148 : IKEv1 racoon daemon SEGV during phase-two SA list iteration

Component: TMOS

Symptoms:
The wrong list linkage is iterated when phase-two SAs are deleted.

Conditions:
Deleting phase-two SAs, either manually or in response to notifications.

Impact:
IKEv1 tunnel outage until the racoon daemon restarts.

Workaround:
None.

Fix:
Fixed the list iteration to use the correct list linkage, so iterating one phase-one SA's list no longer visits the global list of phase-two SAs instead.


688046 : Change condition and expression for Protocol Lookup agent expression builder

Component: Access Policy Manager

Symptoms:
Protocol lookup agent shows the incorrect condition and expression in the expression builder when included in the per-request policy.

Conditions:
This occurs when the protocol lookup agent is used in the expression builder for branching.

Impact:
Cannot follow successful branch in per-request policy.

Workaround:
To work around this issue:
1. Include Protocol lookup agent in the expression builder.
2. Click the 'change' link right next to the existing expression.
3. Go to the Advanced tab and change the expression to one of the following (depending on whether you are using HTTPS or HTTP):
-- "expr { [mcget {perflow.protocol_lookup.result}] == "https" }"
-- "expr { [mcget {perflow.protocol_lookup.result}] == "http" }"
4. Click Finished.

Fix:
Protocol lookup agent now shows correct condition and expression in the expression builder.


688011 : Dig utility does not apply best practices

Solution Article: K02043709


688009 : Appliance Mode TMSH hardening

Solution Article: K46121888


688005 : The maximum-connection count doubles pva traffic counts for virtuals

Component: Local Traffic Manager

Symptoms:
The counters maintaining virtual server statistics double count packets processed by the pva hardware. This makes maximum connection counts for pva unreliable.

Conditions:
Connections utilizing PVA incorrectly report PVA counts.

Impact:
Fast L4 virtuals may report unreliable maximum connection counts.

Fix:
The bug has been fixed such that counts are maintained correctly.


687937 : RDP URIs generated by APM Webtop are not properly encoded

Component: Access Policy Manager

Symptoms:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are not properly encoded. As a result, the RDP client might misinterpret the URI when an RDP parameter contains the ampersand ( & ) symbol.

Conditions:
Native RDP resource is launched via RDP URI from APM Webtop.

One of the RDP parameters contains a symbol that should be URI-encoded, e.g., '&'.

Impact:
RDP client misinterprets URI, which may result in failure to open RDP resource.

Workaround:
None.

Fix:
RDP URIs used to launch Native RDP resources from APM Webtop on Android/iOS/Mac are now properly encoded.
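The encoding defect and its fix, as an added example (illustrative Python for this page, not APM webtop code; the parameter names follow the rdp:// URI scheme, but the specific values are constructed). A raw '&' in a parameter value becomes a separator, so the client sees a parameter the webtop never sent; percent-encoding each name and value before assembly prevents that:

```python
from urllib.parse import quote, unquote


def build_rdp_uri(params: dict, encode: bool = True) -> str:
    """Assemble an rdp:// launch URI from name/value pairs. encode=False reproduces
    the defect: a value holding '&' is spliced in raw and is read by the client
    as a parameter separator."""
    parts = []
    for name, value in params.items():
        if encode:
            name = quote(name, safe="")
            value = quote(value, safe=":")   # ':' is legal in a query; '&', '=', '%', ' ' are escaped
        parts.append(f"{name}={value}")
    return "rdp://" + "&".join(parts)


def parse_rdp_uri(uri: str) -> dict:
    """What a client does with the URI: split on '&', then on the first '=',
    percent-decoding both sides."""
    if not uri.startswith("rdp://"):
        raise ValueError("not an rdp:// URI")
    params = {}
    for part in uri[len("rdp://"):].split("&"):
        name, _, value = part.partition("=")
        params[unquote(name)] = unquote(value)
    return params


def injected_parameters(intended: dict, uri: str) -> set:
    """Parameters the client sees that the webtop never meant to send."""
    return set(parse_rdp_uri(uri)) - set(intended)


if __name__ == "__main__":
    # constructed resource: a RemoteApp whose command line contains '&'
    params = {
        "full address": "s:rdp.example.com:3389",
        "remoteapplicationcmdline": "s:--user=alice&role=admin",
        "username": "s:alice",
    }
    for flag in (False, True):
        uri = build_rdp_uri(params, encode=flag)
        print(uri)
        print("  injected:", injected_parameters(params, uri))
```

Without encoding the client splits the command line at the '&' and receives an unexpected 'role' parameter, which is both a functional failure and an injection surface if any parameter value is user-influenced; with encoding the round trip through parse_rdp_uri returns exactly the intended pairs.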


687807-1 : The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/ causes a GUI exception

Component: Local Traffic Manager

Symptoms:
When there is a file named *.crt.csr in folder /config/ssl/ssl.csr/, the GUI posts an error on page: System :: Device Certificates : Device Certificate :: Device Certificate: An error has occurred while trying to process your request.

Conditions:
The presence of a file with the suffix '.crt.csr' in folder /config/ssl/ssl.csr/.

Impact:
-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Manages those files inconsistently.
   + May return errors on System :: Device Certificates : Device Certificate :: Device Certificate (e.g., 'An error has occurred while trying to process your request.').
   + May confuse objects (e.g., 'web-server.crt' and 'web-server.crt.csr').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing these files, and reports an error.

Workaround:
Rename the csr file suffix from '.crt.csr' to '.csr'.

Fix:
The system now accepts csr files with any kind of suffix extension.


687797 : iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.

Component: TMOS

Symptoms:
iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot return the details of all SSL certificates present in the configuration at once.

Requests to this endpoint may return a 400 HTTP status code and a stack trace indicating a timeout exception.

Conditions:
This issue is more likely to occur with configurations that include a large number of SSL certificates.

Impact:
The iControl REST /mgmt/tm/sys/crypto/cert endpoint cannot be used to return the details of all SSL certificates present in the configuration at once.

Workaround:
You can request the details of one SSL certificate at a time from that particular endpoint (for instance, /mgmt/tm/sys/crypto/cert/~Common~my1.crt).

Or you can request the details of all SSL certificates present in the configuration at once by using the /mgmt/tm/sys/file/ssl-cert endpoint (which is not affected by this issue).

Fix:
The efficiency of the iControl REST /mgmt/tm/sys/crypto/cert endpoint has been improved.
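The per-certificate workaround above, as an added example (written for this page, not F5 code; the base URL, the fullPath field and the sample collection are assumptions). It builds one /mgmt/tm/sys/crypto/cert/<name> URL for each certificate listed by the unaffected /mgmt/tm/sys/file/ssl-cert endpoint, using the '/' to '~' object-name encoding shown in the workaround, and takes the HTTP GET as an injected callable so it can run offline:

```python
import json
from typing import Callable, Dict, List


def rest_object_name(full_path: str) -> str:
    """iControl REST names an object by its full path with '/' replaced by '~':
    /Common/my1.crt -> ~Common~my1.crt (the form used in the workaround).
    The same rule covers other partitions and sub-folders."""
    if not full_path.startswith("/"):
        raise ValueError(f"expected a full path such as /Common/my1.crt, got {full_path!r}")
    return full_path.replace("/", "~")


def cert_detail_urls(ssl_cert_collection: Dict, base: str) -> List[str]:
    """One /mgmt/tm/sys/crypto/cert/<name> URL per certificate in the
    /mgmt/tm/sys/file/ssl-cert collection."""
    return [f"{base}/mgmt/tm/sys/crypto/cert/{rest_object_name(item['fullPath'])}"
            for item in ssl_cert_collection.get("items", [])]


def collect_cert_details(ssl_cert_collection: Dict, get: Callable[[str], Dict], base: str) -> Dict[str, Dict]:
    """Fetch each certificate individually instead of the whole collection.
    `get` is any callable that performs an authenticated GET and returns the
    parsed JSON body (for example a thin wrapper around requests.Session.get
    with auth and certificate verification configured); injecting it keeps the
    logic testable offline."""
    details = {}
    for item in ssl_cert_collection.get("items", []):
        url = f"{base}/mgmt/tm/sys/crypto/cert/{rest_object_name(item['fullPath'])}"
        details[item["fullPath"]] = get(url)
    return details


# constructed sample of a /mgmt/tm/sys/file/ssl-cert listing; only fullPath is used
SAMPLE_COLLECTION = json.loads("""{
  "items": [
    {"name": "my1.crt",  "partition": "Common",  "fullPath": "/Common/my1.crt"},
    {"name": "site.crt", "partition": "Common",  "fullPath": "/Common/apps/site.crt"},
    {"name": "api.crt",  "partition": "Tenant1", "fullPath": "/Tenant1/api.crt"}
  ]
}""")


if __name__ == "__main__":
    for url in cert_detail_urls(SAMPLE_COLLECTION, "https://bigip.example.com"):
        print(url)
```

Issuing one request per certificate is slower than a single collection GET but bounds the work icrd_child has to do per request, which is what the timeout is about.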


687658-1 : Monitor operations in transaction will cause it to stay unchecked

Component: TMOS

Symptoms:
If a monitored object is deleted and created or modified in the same transaction, and any of its monitor configuration is changed (either the monitor, or the state user-down), the monitor state will become unchecked.

Conditions:
This only happens within transactions.

Note: Using the command 'modify ltm pool <name> members replace-all-with' is considered a transaction containing a delete and create of pool members.

Impact:
Monitor state never returns to its correct value.

Workaround:
Do not do these operations in transactions. For pool members, use 'modify ltm pool <name> members modify' instead of replace-all-with.


687635 : Tmm becomes unresponsive and might restart

Component: Local Traffic Manager

Symptoms:
Under certain conditions, the tmm process can become unresponsive, and eventually be restarted by the watchdog process.

Conditions:
Problem occurs when there is an unexpected interaction between HTTP and SSL handlers during an abnormal connection shutdown.

Impact:
Tmm becomes unresponsive and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tmm now shuts down HTTPS connections correctly.


687617 : DHCP request-options when set to "none" are reset to defaults when loading the config.

Component: TMOS

Symptoms:
Config load resets request-option in "tmsh sys management-dhcp" to its default value when it is set to "none" in the configuration.

Conditions:
- A config load in which request-option in "tmsh sys management-dhcp" is set to "none".

Impact:
User configuration is reverted as a side-effect of config load.

Workaround:
request-option specifies the minimal set of configuration that the DHCP server must provide as part of the lease. Setting it to "none" defeats the purpose of DHCP. It is better to set it to a minimal value such as "routers, subnet-mask" in order to retain management connectivity.

Fix:
DHCP request-options when set to "none" are reset to defaults when loading the config.


687603 : tmsh query for dns records may cause tmm to crash

Solution Article: K36243347

Component: Local Traffic Manager

Symptoms:
tmm experiences a segmentation fault.

Conditions:
Run 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.

Impact:
Core file / system outage. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
tmm experiences segmentation fault when running the 'tmsh show ltm dns cache records key cache <cache>' query when dns cache contains malformed records.


687534 : If a Pool contains ".." in the name, it is impossible to add a Member to this pool using the GUI Local Traffic > Pools : Member List page

Component: TMOS

Symptoms:
- Create a pool with name containing two dots (that is, the string '..')
- Go to the GUI Local Traffic :: Pools : Member List page and click the Add button to add a member.
- There is a No Access error preventing you from adding a member to the pool

Conditions:
This issue occurs when a pool name contains the string '..'.

Impact:
Cannot add a Member to the pool using the GUI.

Workaround:
Use tmsh to add pool members to an existing pool using a command similar to the following.
 tmsh modify ltm pool <pool name> members add { <member info> }

Fix:
For pools with '..' in the name, it is now possible to add members after pool creation using the GUI Local Traffic :: Pools : Member List page.


687368 : The Configuration utility may calculate and display an incorrect HA Group Score

Solution Article: K64414880

Component: TMOS

Symptoms:
The Configuration utility may calculate and display a high availability (HA) Group Score of 0, while in reality the correct HA Group Score is greater than 0.

Conditions:
This issue occurs when a particular HA Group object (for example, a Pool) has no available members, and the 'Minimum Member Count' option is not used (this is the default).

Impact:
This issue is cosmetic as it is limited to what the Configuration utility calculates and displays to the user. Internally, the system uses the correct HA Group Score to determine the role of the unit. However, it is possible for a BIG-IP Administrator to be misled by this issue and take a wrong or unnecessary corrective action because of it.

Workaround:
You can use the TMSH utility from the command line to display the correct HA Group Score.

Fix:
The Configuration utility no longer calculates and displays an incorrect HA Group Score.


687353 : Qkview truncates tmstat snapshot files

Solution Article: K35595105

Component: TMOS

Symptoms:
Qkview truncates the snapshot files it collects in /shared/tmstat/snapshots/.

Conditions:
Files are larger than 5 MiB, or the 'max file size' limit specified when running Qkview (the -s argument).

Note: 5 MiB is qkview utility's default maximum file size value.

Impact:
Snapshot data may not be collected in qkview. This may result in data being lost if the issue is only identified once important data has rotated out of history.

Workaround:
To specify no file size limit when collecting qkviews, use the following tmsh command:
qkview -s0


687205 : Delivery of HUDEVT_SENT messages at shutdown by SSL may cause tmm restart

Component: Local Traffic Manager

Symptoms:
During flow shutdown, SSL may deliver HUDEVT_SENT messages, causing additional messages to be queued by higher filters, which may result in a tmm crash and restart.

Conditions:
This happens in response to a relatively rare condition that occurs during shutdown, such as HUDEVT_SENT queued after HUDCTL_SHUTDOWN.

Impact:
Possible tmm restart. Traffic disrupted while tmm restarts.

Workaround:
None.


687182 : LTM Policy error message: Action occurs before conditions

Component: Local Traffic Manager

Symptoms:
With LTM Policy now supporting more tmm events, you may experience an error when updating an LTM Policy and see one of the following error messages:

-- Policy '<name>', rule '<name>'; defines an action which occurs before one of its conditions, or before a condition in an earlier rule with lower ID.

-- Policy '<name>'; an action occurs before conditions in another rule. For best-match, all actions must happen later than all conditions.

Conditions:
You have defined a policy where at least one of the actions is set to fire at a time before the associated condition. For example, defining an action to occur at http-request time which depends on a condition that is evaluated at http-response time.

For first-match policies, rules are validated in ID/ordinal order, and action events on later rules must occur at or after condition events in the current and prior rules.

For best-match policies, all actions must occur at or after all conditions.

For all-match policies, action and condition events need to be consistent within a rule, and there is no inter-rule dependence.

Impact:
Policy cannot be saved.

Workaround:
None.

Fix:
LTM Policy supports more LTM framework events, so policy authors need to be aware of event ordering and ensure that actions occur at or after associated conditions.
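The following Python validator is an added illustration (not F5's code) of the three ordering rules described in this entry: it takes a matching strategy and a list of rules, each tagged with the tmm event at which its conditions are evaluated and its actions fire, and emits the error text quoted above when an action would fire before a condition it depends on. The event ordering table, rule names and sample policy are constructed for the example; client-accepted is included only to give the model an event earlier than http-request.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed event ordering for this example: lower value = fires earlier in
# the connection. http-request and http-response are the events the entry names.
EVENT_ORDER: Dict[str, int] = {"client-accepted": 0, "http-request": 1, "http-response": 2}


@dataclass
class Rule:
    name: str
    ordinal: int                                          # rule ID / ordinal (first-match order)
    conditions: List[str] = field(default_factory=list)   # event at which each condition is evaluated
    actions: List[str] = field(default_factory=list)      # event at which each action fires


def _latest(events: List[str]) -> int:
    """Latest event time among the given events (-1 when there are none)."""
    return max((EVENT_ORDER[e] for e in events), default=-1)


def _action_fires_before(rule: Rule, condition_time: int) -> bool:
    """True when any action of the rule fires strictly before condition_time."""
    return any(EVENT_ORDER[a] < condition_time for a in rule.actions)


def validate_policy(policy: str, strategy: str, rules: List[Rule]) -> List[str]:
    """Return the validation errors each strategy raises, in the wording of the entry."""
    errors: List[str] = []
    ordered = sorted(rules, key=lambda r: r.ordinal)

    if strategy == "first-match":
        # Actions must not precede any condition in this rule or an earlier (lower ID) rule.
        latest_condition = -1
        for rule in ordered:
            latest_condition = max(latest_condition, _latest(rule.conditions))
            if _action_fires_before(rule, latest_condition):
                errors.append(
                    f"Policy '{policy}', rule '{rule.name}'; defines an action which occurs "
                    "before one of its conditions, or before a condition in an earlier rule with lower ID."
                )
    elif strategy == "best-match":
        # Every action in the policy must fire at or after every condition in the policy.
        latest_condition = max((_latest(r.conditions) for r in ordered), default=-1)
        if any(_action_fires_before(r, latest_condition) for r in ordered):
            errors.append(
                f"Policy '{policy}'; an action occurs before conditions in another rule. "
                "For best-match, all actions must happen later than all conditions."
            )
    elif strategy == "all-match":
        # Only intra-rule consistency is required; rules do not constrain each other.
        for rule in ordered:
            if _action_fires_before(rule, _latest(rule.conditions)):
                errors.append(
                    f"Policy '{policy}', rule '{rule.name}'; defines an action which occurs "
                    "before one of its conditions."
                )
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return errors


# Constructed sample policy: rule 1 depends on a response-time condition, rule 2
# acts at request time. It is valid for all-match and invalid for the other two.
EXAMPLE_RULES = [
    Rule("check-response-status", 1, conditions=["http-response"], actions=["http-response"]),
    Rule("insert-request-header", 2, conditions=["http-request"], actions=["http-request"]),
]

if __name__ == "__main__":
    for strategy in ("first-match", "best-match", "all-match"):
        errs = validate_policy("example_policy", strategy, EXAMPLE_RULES)
        print(strategy, "->", errs or "OK")
```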


687128 : gtm::host iRule validation for ipv4 and ipv6 addresses

Component: Global Traffic Manager (DNS)

Symptoms:
gtm::host iRule isn't validating that the host given matches the type of WideIP it is attached to.

Conditions:
An AAAA-type WideIP with an IPv4 gtm::host iRule, or an A-type WideIP with an IPv6 gtm::host iRule.

Impact:
Incorrect host information was being returned.

Workaround:
Only attach gtm::host of IPv4 type to A-type WideIPs, and gtm::host rules of IPv6 to AAAA-type WideIPs.

Fix:
Fixed an issue that allowed gtm::host iRule commands to trigger on the wrong WideIP types.


687075 : tmm ASSERT %s spdy pcb initialized

Solution Article: K78238591

Component: Wan Optimization Manager

Symptoms:
TMM may crash when using SPDY with iClient over iSession. System logs a message similar to the following:
 notice panic: ../modules/hudfilter/spdy/spdy.c:4108: Assertion "spdy pcb initialized" failed.

Conditions:
Connections are abandoned by external client.

These connections might be suffering from connection closing in mid-conversation.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Remove SPDY.

Fix:
The system now handles this condition, so the tmm crash no longer occurs.


686972 : The change of APM log settings will reset the SSL session cache.

Component: Local Traffic Manager

Symptoms:
If you change the configuration of APM log settings, the SSL session cache might be reset. Subsequent resumption of SSL sessions may also fail after such a change, so that full SSL handshakes occur more frequently.

Conditions:
-- Change the configuration of APM log settings.
-- SSL session cache is not empty.

Impact:
The change of APM log settings resets the SSL session cache, which causes the SSL session to initiate full-handshake instead of abbreviated re-negotiation.

Workaround:
Follow this procedure:
1. Change access policy.
2. The status of that access policy changes to 'Apply Access Policy'.
3. Re-apply that.

Fix:
A change of APM log settings now affects only the APM module, rather than other modules' (SSL) data.


686926 : IPsec: responder N(cookie) in SA_INIT response handled incorrectly

Component: TMOS

Symptoms:
IKEv2 negotiation fails when a responder uses N(cookie) in the SA_INIT response, because the BIG-IP system does not expect a second response with the same zero message_id always used by SA_INIT.

Conditions:
Any time a responder sends N(cookie) in the first response to SA_INIT from a BIG-IP initiator.

Impact:
The SA negotiation fails when a responder includes N(cookie) in an SA_INIT response, because the second response appears to have an out-of-order message ID when BIG-IP believes the first message_id of zero was already handled earlier.

Workaround:
None.

Fix:
The BIG-IP system now correctly tracks a need to receive a SECOND response with message_id zero, to finish the SA_INIT exchange, whenever the first SA_INIT response caused the BIG-IP system to resend the first request with the cookie included.
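The following Python model is added here (it is not F5 code) to play the exchange described in this entry both ways: a responder that demands N(COOKIE) answers the first IKE_SA_INIT request with message_id 0, and the resent request carrying the cookie is answered with message_id 0 a second time, which a faulty initiator rejects as out of order and a corrected one accepts. Class and function names are invented, and the responder's cookie derivation (SHA-256 over a per-run secret and the initiator SPI) is a simplification with no SA payloads or key exchange.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IkeMsg:
    """Only the header/payload fields this model needs."""
    message_id: int
    is_response: bool
    spi_i: bytes
    cookie: Optional[bytes] = None   # N(COOKIE) payload, when present
    notify_cookie: bool = False      # True for a N(COOKIE) response


class Responder:
    """Stateless responder that may demand a cookie before creating state (RFC 7296, 2.6)."""

    def __init__(self, require_cookie: bool):
        self.require_cookie = require_cookie
        self.secret = secrets.token_bytes(16)   # constructed per-run secret

    def _cookie_for(self, spi_i: bytes) -> bytes:
        return hashlib.sha256(self.secret + spi_i).digest()[:16]

    def handle(self, req: IkeMsg) -> IkeMsg:
        expected = self._cookie_for(req.spi_i)
        if self.require_cookie and req.cookie != expected:
            # Ask for the request to be repeated with this cookie. The response to
            # IKE_SA_INIT always carries message_id 0, so this one does too.
            return IkeMsg(0, True, req.spi_i, cookie=expected, notify_cookie=True)
        return IkeMsg(0, True, req.spi_i)   # normal IKE_SA_INIT response


class Initiator:
    """Initiator whose message_id-0 tracking is either the faulty or the corrected variant."""

    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.spi_i = secrets.token_bytes(8)
        self.awaiting_sa_init = True     # a response with message_id 0 is still outstanding
        self.established = False
        self.errors: List[str] = []

    def sa_init_request(self, cookie: Optional[bytes] = None) -> IkeMsg:
        return IkeMsg(0, False, self.spi_i, cookie=cookie)

    def handle(self, rsp: IkeMsg) -> Optional[IkeMsg]:
        if not rsp.is_response or rsp.message_id != 0:
            self.errors.append("unexpected message")
            return None
        if not self.awaiting_sa_init:
            # The failure from this entry: the second message_id-0 response looks out
            # of order because the first one was recorded as already handled.
            self.errors.append("out-of-order message_id 0")
            return None
        if rsp.notify_cookie:
            # Faulty tracking marks message_id 0 as consumed here, although the resent
            # request must still be answered by one more response with message_id 0.
            self.awaiting_sa_init = self.fixed
            return self.sa_init_request(cookie=rsp.cookie)
        self.awaiting_sa_init = False
        self.established = True
        return None


def run_exchange(fixed: bool, responder_requires_cookie: bool) -> Tuple[bool, List[str]]:
    """Drive one IKE_SA_INIT exchange; return (SA established?, initiator errors)."""
    ini, rsp = Initiator(fixed), Responder(responder_requires_cookie)
    req: Optional[IkeMsg] = ini.sa_init_request()
    while req is not None:               # at most two round trips in this model
        req = ini.handle(rsp.handle(req))
    return ini.established, ini.errors


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "faulty", "initiator, responder uses N(COOKIE):",
              run_exchange(fixed, responder_requires_cookie=True))
```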


686906 : Fragmented IPv6 packets not handled correctly on Virtual Edition

Component: TMOS

Symptoms:
Use of IP fragmentation with IPv6 packets might not be handled correctly by BIG-IP Virtual Edition (VE) platforms. The initial fragment is received, but subsequent fragments are discarded.

Conditions:
VE with IPv6 packets and IP fragmentation.

Impact:
Traffic which depends upon fragmented IPv6 packets will not be successfully processed.

Workaround:
There is no workaround at this time.

Fix:
These fragments are now handled correctly in the same manner as IPv4.


686890 : X509_EXTENSION memory blocks leak when C3D forges the certificate.

Component: Local Traffic Manager

Symptoms:
One X509_EXTENSION memory block leaks when C3D forges the certificate.

Conditions:
When C3D forges the certificate.

Impact:
X509_EXTENSION memory blocks leak each time C3D successfully forges a certificate.

Workaround:
None.

Fix:
The system now frees the leaked X509_EXTENSION when C3D forges the certificate.


686816 : Link from iApps Components page to Policy Rules invalid

Component: TMOS

Symptoms:
In an application that contains a Local Traffic policy, the link from the Components page to the Rule will not be valid.

Conditions:
-- Application creates or contains a Local Traffic Policy.
-- Click the link from the iApps Components page to the Policy Rules page.

Impact:
Cannot navigate to the policy rule directly from the Components page.

Workaround:
Click on the Policy within the Components page to navigate to the Rule from that page.

Fix:
Link from iApps Components page to Policy Rules now navigates to the Rule, as expected.


686765 : Database cleaning failure may allow MySQL space to fill the disk entirely

Component: Application Security Manager

Symptoms:
Database cleaning failure may allow MySQL space to fill the disk entirely, which prevents any modification of ASM policy configuration.

In /var/log/ts/asm_config_server.log you might see these errors repeatedly:

Jun 9 09:38:45 10gal-f5-5000-2 crit g_server_rpc_handler.pl[16654]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::handle_error): Code: 999, Error message = DBD::mysql::db do failed: The table 'NEGSIG_SIGNATURES' is full

Conditions:
This occurs if database cleaning failures occur.

Impact:
Disk will fill up, and you will be unable to modify ASM policies.


686763 : asm_start is consuming too much memory

Component: Application Security Manager

Symptoms:
asm_start is consuming too much memory.

Conditions:
Roll forward a device with a large ASM configuration.

Impact:
Increased memory pressure on the device.

Workaround:
Run the following command: restart asm

Fix:
asm_start no longer increases its memory footprint during upgrade.


686631 : Deselect a compression provider at the end of a job and reselect a provider for a new job

Component: Local Traffic Manager

Symptoms:
The system might potentially retain a compression context, even though there is no data to be compressed or decompressed. This can affect the calculation of the load of the compression provider.

Conditions:
-- A connection is up.
-- Compression context is active.
-- There is no data for the compression provider.

Impact:
It affects the compression provider selection.

Workaround:
None.

Fix:
The system now deselects a provider at the end of a compression/decompression operation, and reselects a provider at the beginning of another compression/decompression operation.


686517 : Changes to a parent policy that has no active children are not synced to the secondary chassis slots.

Component: Application Security Manager

Symptoms:
Changes to a parent policy that has no active children are not synced to the secondary chassis slots.

Conditions:
-- ASM provisioned.
-- Having a parent policy that has no active children.

Impact:
On a chassis failover, the new Primary slot will have an outdated version of the parent policy.

Workaround:
None.

Fix:
Changes to a parent policy that has no active children are now synced to the secondary chassis slots.


686510 : If tmm was restarted during an attack, the attack might appear ongoing in GUI

Component: Application Visibility and Reporting

Symptoms:
Attack appears ongoing, even though it ended.

Conditions:
Rare condition of tmm restart during an attack.

Impact:
The GUI falsely shows the attack as ongoing, even though it ended.

Workaround:
No workaround.

Fix:
Now, when tmm is restarted during an attack, this specific attack is shown as ended in DoS overview page after 15 minutes.


686500 : Adding user defined signature on device with many policies is very slow

Component: Application Security Manager

Symptoms:
Adding or modifying a user-defined signature on a device with many policies is very slow.

Conditions:
The user adds or modifies a user-defined signature.

Impact:
The process takes a long time.

Fix:
Adding or modifying a user-defined signature now takes a reasonable amount of time.


686470 : Enabling AJAX Response Page or Single Page Application support causes part of the web page to fail to load.

Component: Application Security Manager

Symptoms:
AJAX requests are not sent, JavaScript errors, AJAX-based web-app malfunctions.

Conditions:
1a. Single page application enabled either via a DoS application profile or in an ASM policy.
1b. AJAX Response Page enabled via ASM policy.

2. Web application client-side code uses jQuery or any other AJAX client-side framework.

Impact:
AJAX requests might not be sent, and the website's client-side functionality that depends on those AJAX requests might not work as expected.

Workaround:
Disable Single Page Application support.

Fix:
Fixed Single Page Application AJAX hook to support the AJAX response onload callback re-assignment.


686452 : File Content Detection Formats are not exported in Policy XML

Component: Application Security Manager

Symptoms:
If a policy is configured with Data Guard enabled with File Content Detection, the selected File Content Detection Formats are not correctly exported in the Policy XML.

When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

Conditions:
A policy is configured with Data Guard enabled with File Content Detection, and then exported in XML format.

Impact:
When the policy is then imported, the Data Guard settings will be invalid and cannot be changed until the File Content Detection Formats are configured again.

The formerly selected file content formats will not be correctly identified.

Workaround:
Use Binary Policy import/export.

Fix:
File Content Detection Formats are correctly exported.


686422 : URI reported in alert may not contain the actual traffic URI

Component: Fraud Protection Services

Symptoms:
URI reported in alert may not contain the actual traffic URI.

Conditions:
The alert was triggered for a wildcard-configured URL.

Impact:
Request URI is not reported correctly. The reported URI will contain the configured URL instead of traffic URL. For example:
-- A configured URL: /*.
-- Traffic URI: /a/b/c?n=v.
-- Reported URI: /*.
-- Reported URI should be traffic URI: /a/b/c?n=v.

Workaround:
None.

Fix:
FPS always normalizes traffic URI and reports that in the alert payload.


686389 : APM does not honor per-farm HTML5 client disabling at the View Connection Server

Component: Access Policy Manager

Symptoms:
Current logic for determining whether to offer HTML5 client option works for Horizon 6.x (and earlier) but it does not work for Horizon 7.x.

With Horizon 7.x, VMware has enhanced the XML so that each resource includes a flag indicating whether the HTML5 client is enabled (absence of the <html-access-disabled/> tag). APM does not honor this flag; it should show the HTML5 client option to the APM end user only if HTML5 access has been enabled for that resource.

Conditions:
-- APM webtop with a VMware View resource assigned.
-- HTML5 Access disabled for some of the RDS farms managed by the broker.

Impact:
APM offers HTML5 client launch option and actually runs it if requested, although it is disabled at the backend.

Workaround:
There is no workaround at this time.

Fix:
For Horizon 7.x, the system now honors the <html5-access-disabled> flag in broker responses to disable HTML5 client for those RDS desktops and apps that have this flag set.

Behavior Change:
Before this fix, all the RDS desktops and apps were available for HTML5 client if it was installed on VCS.
Now, for those desktops and apps where HTML5 access has been deliberately disabled at the broker, only the native client option will be available.


686376 : Scheduled blob and current blob no longer work after restarting BIG-IP or PCCD daemon

Component: Advanced Firewall Manager

Symptoms:
When there are scheduled firewall rules, and the BIG-IP system is restarted or the PCCD daemon is restarted, new blob compilation succeeds, but TMM fails to activate the new blob. Both GUI and TMSH show the error status: Firewall rules deployment failed. Once the system is in this state, it can be recovered only by removing or disabling all scheduled firewall rules.

Conditions:
-- There are scheduled firewall rules.
-- The BIG-IP system is restarted or the PCCD daemon is restarted.

Impact:
After this failure, firewall rules are not applied on data traffic.

Workaround:
Remove or disable all scheduled firewall rules.

Fix:
The new blob is now deployed and the new firewall rules are applied successfully.


686307 : Monitor Escaping is not changed when upgrading from 11.6.x to 12.x and later

Solution Article: K10665315

Component: Local Traffic Manager

Symptoms:
When upgrading, monitor attributes such as receive string and send string might contain escape sequences that must be processed after the upgrade. However, due to a problem introduced by the LTM policy upgrade script, this processing is not performed, resulting in monitors not functioning correctly after the upgrade.

Note: Without LTM policies in the configuration, monitors upgrade without problem.

Conditions:
-- Upgrading and rolling forward monitor configuration data.
-- LTM policy data present.

Impact:
Monitors may not work after upgrade.

Workaround:
No workaround at this time.

Fix:
This release addresses the underlying problem so the issue no longer occurs.


686305 : TMM may crash while processing SSL forward proxy traffic

Solution Article: K64552448


686282 : APMD intermittently crash when processing access policies

Component: Access Policy Manager

Symptoms:
APMD process may crash intermittently (rare) when processing access policies.

Conditions:
This rarely encountered issue occurs when any one of the following conditions exists:

-- iRule is configured with 'ACCESS::policy evaluate'.
-- NTLM authentication configured and ECA plugin is involved (for example VDI RDG).
-- Kerberos authentication is configured with RBA enabled.

Impact:
APM end users cannot pass the access policy and cannot log in.

Workaround:
None.

Fix:
APMD no longer intermittently crashes when processing access policies.


686228 : TMM may crash in some circumstances with VLAN failsafe

Solution Article: K23243525

Component: Local Traffic Manager

Symptoms:
TMM may crash when managing traffic in response to the VLAN failsafe traffic-generating mechanisms.

Conditions:
- VLAN failsafe is configured with low timers.
- VLAN failsafe is triggered and multiple responses to the generated traffic are received in fast succession.

Impact:
A TMM core file may be produced. Traffic disrupted while tmm restarts.

Workaround:
Relax the timer to the default VLAN failsafe timer setting.

Fix:
TMM no longer crashes in some circumstances with VLAN failsafe.


686190 : LRO performance impact with BWC and FastL4 virtual server

Component: TMOS

Symptoms:
Using Bandwidth controller (BWC) might result in a very large drop in performance of up to 75%. In this release, Large receive offload (LRO) is enabled by default.

Conditions:
-- BWC is configured.
-- Virtual server has a FastL4 profile assigned.
-- LRO is enabled (enabled by default in 13.1.0).

Impact:
Very large performance impact to the BWC policy (up to 75%). For example, if the BWC policy rate limit is set to 100Mb, the actual rate limit could be 25Mb.

Workaround:
Disabling LRO recaptures most of the performance degradation related to using FastL4. To disable LRO (this is a system-wide setting), run the following command:
 tmsh modify sys db tm.largereceiveoffload value disable

Important note: Although you can disable LRO to recapture much of the 13.0.0-level performance, you will likely still experience some impact: 2-5% for small files, 17-22% degradation for the '10 requests per connection' benchmark. The only guaranteed way to avoid performance degradation is to remain on version 13.0.0.


686124 : IPsec: invalid SPI notifications in IKEv1 can cause v1 racoon faults from dangling phase2 SA refs

Component: TMOS

Symptoms:
Deleting SAs on a remote peer can cause improper handling in the IKEv1 racoon daemon when invalid SPI notifications are processed.

Conditions:
Events causing deletion of phase one IKE SAs.

Impact:
IPsec IKEv1 tunnels will halt or restart. Connectivity between remote private networks will be interrupted.

Workaround:
None.

Fix:
Phase one and phase two SA relationships are now more robust, tolerating operations that occur in any order, so tearing down old data structures will be done safely.


686111 : Searching and Resetting Audit Logs not working as expected

Solution Article: K89363245

Component: TMOS

Symptoms:
Clicking the Search and Reset buttons on Audit Logs might post the following error message: An error has occurred while trying to process your request.

Conditions:
Clicking the 'Search' or 'Reset' button on Audit Logs.

Impact:
Cannot search Audit Logs.

Workaround:
Use tmsh or bash.

Fix:
Searching and Resetting Audit Logs now work as expected.


686108 : User gets blocking page instead of captcha during brute force attack

Component: Application Security Manager

Symptoms:
Unexpected blocking page while captcha is configured.

Conditions:
-- Brute force configured with alarm and captcha mitigation.
-- The only source configured is username.
-- These are the first failed login requests after a system start up or after a login page configuration change.

Impact:
Unexpected blocking page mitigation where captcha mitigation was expected.

Workaround:
There are two workarounds:

-- Access the login page at least 10 times within 5 minutes.

-- Run the following command: tmsh modify sys db asm.cs_qualified_urls value <YOUR_LOGIN_URL>

Fix:
Fixed an issue with unexpected blocking page while captcha is configured.


686065 : RESOLV::lookup iRule command can trigger crash with slow resolver

Component: Local Traffic Manager

Symptoms:
If thousands of connections are serviced by an iRule that performs a lookup for the same FQDN before the FQDN can be resolved, tmm may crash.

Conditions:
iRule with RESOLV::lookup.
Slow DNS resolver.
Thousands of connections triggering resolution of the same name.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Remove RESOLV::lookup from the workflow if it is not required.

Fix:
The scenario now works as expected and no longer results in a crash.


686056 : TMM crash with SIGSEGV on update iclient conn_stats

Component: Wan Optimization Manager

Symptoms:
TMM may crash with SIGSEGV on update iclient conn_stats.

Conditions:
Connections are abandoned by external client.

These connections might be suffering from connection closing in mid-conversation.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

This is a very rare event.

Workaround:
No workaround.

Fix:
The system now handles this condition, so the tmm crash no longer occurs.


686029 : A VLAN delete can result in unrelated VLAN FDB entries being flushed on shared VLAN member interfaces

Component: TMOS

Symptoms:
FDB flushing on VLAN deletes is performed by VLAN member interface reference only, without regard to VLAN tags. This can result in unrelated VLAN FDB entries also being flushed on shared VLAN member interfaces.

Conditions:
Issuing a VLAN delete with other VLANs using shared tagged member interfaces with the VLAN being deleted.

Impact:
FDB entries for unrelated VLANs will be flushed if they share the same tagged VLAN member interfaces as the VLAN being deleted.

Workaround:
None.

Fix:
FDB flushing on VLAN deletes is now limited in scope to the VLAN being deleted.


685964 : cs_qualified_urls bigdb does not cause configured URLs to be qualified.

Component: Application Security Manager

Symptoms:
cs_qualified_urls is configured but is not functional.

Conditions:
-- cs_qualified_urls is configured.
-- A request to the URL listed in the bigdb arrives.
-- The URL is seen as non-qualified although configured.

Impact:
URLs that the configuration designates as qualified are not treated as qualified.

Workaround:
None.

Fix:
Fixed a bigdb issue with cs_qualified_urls variable.


685915 : Allow unsigned DNS notifies if a DNS express zone's target server has no TSIG key configured

Component: Global Traffic Manager (DNS)

Symptoms:
If a DNS Express zone that has Verify Notify TSIG checked gets a notify with no TSIG at all, unsigned notifies are not processed.

Conditions:
Unsigned notify is received when Verify Notify TSIG is checked.

Impact:
Unsigned notifies are not processed.

Workaround:
There is no workaround at this time.

Fix:
This fix corrects an issue in TSIG handling when combined with NOTIFY messages for zone transfers.


685888 : OAuth client stores incorrectly escaped JSON values in session variables

Component: Access Policy Manager

Symptoms:
1) The slash (/) is double escaped (\\/). The slash is common in URLs.
2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters and end up unrecognizable.

Conditions:
Occurs in 13.1 and earlier releases when OAuth servers respond in JSON, such as the OIDC User Info response.

Impact:
APM applications that read JSON node session variables may not get the correct values.

Workaround:
1) For the double-escaped slash, a workaround such as the following can be used:
session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]]

2) For incorrect UTF-8 characters, there is no workaround.

Fix:
Unicode escaped characters are now correctly handled.


685862 : BIG-IP as SAML IdP/SP may include last x509 certificate found in the configured bundle in signed SAML Response or single logout message

Component: Access Policy Manager

Symptoms:
When BIG-IP is used as SAML IdP, and signing is configured, BIG-IP will sign the message by configured signing key, and include last certificate from the configured signing certificate chain in the SAML protocol message. Expected behavior is to include first certificate from the configured signing certificate chain.
The same applies to SAML SP generating SLO request/response messages.

Conditions:
All of the following:
- BIG-IP is used as SAML IdP, or as SAML SP with SLO configured.
- BIG-IP generates a signed SAML response containing an assertion, or a signed SLO request/response.
- The signing certificate configured on BIG-IP is a certificate chain rather than a single certificate.

Impact:
Impact is based on the SAML implementation on the receiving end of message sent by BIG-IP.
Some implementations may drop a signed SAML message if the last certificate from the bundle is included in the message. Other implementations will accept such signed messages. Note that the signing operation itself is performed correctly by BIG-IP using the configured signing certificate, and the digital signature will contain the correct value.

Workaround:
Instead of using signing certificate chain, change BIG-IP SAML IdP/SP configured signing certificate to refer to a standalone signing certificate (single X509 object) by extracting first certificate from the chain.

Fix:
After the fix, BIG-IP will include first certificate found within configured signing certificate (chain).


685771 : Policies cannot be created with SAP, OWA, or SharePoint templates

Component: Application Security Manager

Symptoms:
Attempting to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Template fails.

Conditions:
Attempt to create a security policy using "OWA Exchange", "SAP NetWeaver", or "SharePoint" Policy Templates

Impact:
Policy creation fails.

Workaround:
None.

Fix:
Policies can be created using these factory templates.


685743 : When the internal parameter 'request_buffer_size' is changed, violations in large requests might not be reported

Component: Application Security Manager

Symptoms:
When the internal 'request_buffer_size' is set to a large value, long requests might be blocked, and no violation is reported.

Conditions:
-- Internal parameter 'request_buffer_size' is set to a large value (~50 KB or larger).
-- Request is long (~50 KB or longer).
-- Violations found.

Impact:
Requests might be blocked, and no reason is reported.

Workaround:
Reset internal 'request_buffer_size' to default.

Fix:
The system now handles the case in which the internal 'request_buffer_size' is set to a large value, so long requests are no longer blocked, and the violation is reported.


685727 : GEO dimension query failure

Component: Application Visibility and Reporting

Symptoms:
In ASM reports, when adding a filter to 'Client Countries' the filter creation fails.

The system writes the following error in monpd log:
SELECT SQL_CALC_FOUND_ROWS ..., FACT.country_code `id`
...

Because : Unknown column 'vip_crc' in 'where clause'.

Conditions:
Adding 'Client Countries' filter to ASM reports.

Impact:
The filter creation fails.

Workaround:
To work around this issue, perform the following procedure:
1. Edit /etc/avr/monpd/monp_asm_entities.cfg.
2. Remove the following line from section [asm_repev_geo]: dim_authz_filter=vip_crc.
3. Restart monpd.

Fix:
This release removes dim_authz_filter=vip_crc from [asm_repev_geo] in monp_asm_entities.cfg.


685708-1 : Routing via iRule to a host without providing a transport from a transport-config created connection cores

Component: Service Provider

Symptoms:
Using the MR::message route command without specifying a transport to use (virtual or config) causes tmm to core if the connection receiving the request was created using a transport-config.

Conditions:
-- The connection receiving the request was created using a transport-config.
-- The MR::message route command is used without specifying a transport to use (virtual or config).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Specify a transport to use for creating a new outgoing connection in the MR::message route command.

Fix:
The system will no longer core.


685615 : Incorrect source mac for TCP Reset with vlangroup for host traffic

Component: Local Traffic Manager

Symptoms:
BIG-IP outbound host TCP RST packets have incorrect source-mac-address.

Conditions:
BIG-IP host traffic is exiting via VLANs in a VLAN group.

Impact:
TCP RST packets for traffic exiting the BIG-IP system, which can include monitor traffic, have an incorrect source MAC address.

Workaround:
Use transparent mode on the VLAN group.

Fix:
The source MAC address for host traffic is now set correctly.


685593 : Access session iRules can fail with error "Illegal argument"

Component: Access Policy Manager

Symptoms:
Certain Access iRules can cause an argument error to occur when they should not.

Conditions:
ACCESS::session iRules are used

Impact:
You might see an error in the iRule logs indicating "session ID lookup failed - Illegal argument (line 1)". A Tcl error occurs and the connection is reset.

Fix:
Fixed the issue that would cause the error to occur.


685519 : Mirrored connections ignore the handshake timeout

Component: Local Traffic Manager

Symptoms:
Mirrored connections that do not complete the TCP 3-way-handshake do not honor the configured TCP handshake timeout on active and standby systems.

Conditions:
High availability mirroring enabled on virtual server with attached FastL4 profile.

Impact:
Unestablished TCP sessions in the connection table stay open for the duration of the TCP idle-timeout.

Workaround:
None.

Fix:
Mirrored connections now honor the TCP handshake timeout.


685475 : Unexpected error when applying hotfix

Solution Article: K93145012

Component: TMOS

Symptoms:
Software 'install hotfix' commands fail with a message similar to the following: Image (BIGIP-11.6.1.0.0.317.iso) has a software image entry in MCP database but does not exist on the filesystem.

Conditions:
Before installing the hotfix, the necessary full (base) software image prerequisite was added to the images directory, but then was removed before issuing the hotfix command.

For example, to apply 'Hotfix-BIGIP-11.6.1.2.0.338-HF2.iso', the system must have access to the base image; 'BIGIP-11.6.1.0.0.317.iso'.

Impact:
Cannot apply hotfix until the full base image is present.

Workaround:
Perform the following procedure:
1. Copy the base image to the images directory on the BIG-IP system.
2. Restart the 'lind' daemon.
3. Try the hotfix installation process again.

Fix:
Issuing an 'install hotfix' command when the base image is not available now sends the system into a 'wait' state. The process status is 'waiting for base image', which makes clear what needs to be done. When the base image becomes available (in the images directory), the hotfix installation proceeds.


685467 : Certain header manipulations in HTTP profile may result in losing connection.

Component: Local Traffic Manager

Symptoms:
The HTTP profile has an option 'Insert X-Forwarded-For', which adds a header when a request is forwarded to a pool member. When a virtual server has an iRule with a collect command such as SSL::collect, it is affected by the HTTP profile processing. The same issue occurs with the 'Request Header Erase' option available in the HTTP profile.

Conditions:
A virtual server meets the following conditions:
-- ClientSSL profile.
-- HTTP profile with option 'Insert X-Forwarded-For' enabled and/or configured option 'Request Header Erase'.
-- iRule that has an 'SSL::collect' command in at least two events (e.g., CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA).

Impact:
TCP connection is reset, and no response is provided to a client.

Workaround:
Use iRule to insert X-Forwarded-For with an appropriate IP address and/or remove headers configured in 'Request Header Erase' option of HTTP profile.

Fix:
Connections are no longer reset due to the 'Insert X-Forwarded-For' and 'Request Header Erase' configuration options in the HTTP profile.


685458 : merged fails merging a table when a table row has incomplete keys defined.

Component: TMOS

Symptoms:
There is a timing issue in merged that causes it to fail when processing a table row with incomplete keys defined.

Conditions:
No specific conditions are required, other than that merged is running (which is true on every BIG-IP system) and the BIG-IP system is processing a table row with incomplete keys defined.

Although this issue is not dependent on configuration or traffic, it appears that it is more prevalent on vCMP hosts.

Impact:
There is a gap of a few seconds in available statistics while a core is being created and merged restarts.

Workaround:
None.

Fix:
merged now detects this scenario (a table row with incomplete keys defined) and does not fail.


685442 : racoon daemon for IPsec IKEv1 listens on 0.0.0.0

Component: TMOS

Symptoms:
The racoon daemon binds to all addresses on the Linux host.

Conditions:
When the IKEv1 racoon daemon processes the config file written by tmipsecd.

Impact:
- IPsec tunnels may be established on unexpected IP addresses on the BIG-IP system.
- Port scans or security audits may show the IPsec service on unexpected IP addresses.

Workaround:
No workaround.

Fix:
The auto-generated racoon daemon config file no longer makes the daemon listen on the 0.0.0.0 'any' address.

Behavior Change:
In previous releases, the racoon daemon bound to all addresses on the Linux host. In this version, the IKEv1 racoon daemon no longer listens on 0.0.0.0.


685254 : RAM Cache Exceeding Watchdog Timeout in Header Field Search

Solution Article: K14013100

Component: Local Traffic Manager

Symptoms:
SOD halts TMM while RAM cache is processing a header.

Conditions:
When RAM cache is attempting to match an ETag and fails to find it in the header field.

Impact:
The search continues until a match is found in memory, or a NUL byte is encountered. If the search takes too long, sod kills RAM cache on a watchdog timeout violation.

Workaround:
No workaround at this time.

Fix:
SOD no longer halts TMM while RAM cache is processing a header.


685233 : tmctl -d blade command does not work in an SNMP custom MIB

Solution Article: K13125441

Component: TMOS

Symptoms:
tmctl -d blade commands run in an SNMP custom MIB fail.

Conditions:
-- Using an SNMP custom MIB.
-- Running tmctl -d blade commands.

Impact:
Unable to configure a custom MIB to gather data via a tmctl -d blade command.

Workaround:
Instead of tmctl -d blade, use the following command:
 tmctl -d /var/tmstat/blade

Fix:
The blade command has been added to the set of commands that can be executed by snmpd.


685230 : memory leak on a specific server scenario

Component: Application Security Manager

Symptoms:
The bd process memory increases.

Conditions:
A specific server scenario of handling the traffic.

Impact:
Swap may be used. The kernel OOM killer may be invoked. Possible traffic disturbance.

Workaround:
There is no workaround at this time.

Fix:
A memory leak related to a specific server scenario has been fixed.


685211 : Send multiple fields as username identifier in phishing alert

Component: Fraud Protection Services

Symptoms:
If a customer has more than one field representing the username, phishing users alerts cannot be configured for all the fields.

Conditions:
A customer has more than one field that represents the username.

Impact:
Customer won't be able to configure phishing users alerts for all the fields.

Workaround:
N/A

Fix:
FPS supports sending multiple fields as the username identifier in phishing users alerts.


685207 : DoS client side challenge does not encode the Referer header.

Component: Application Security Manager

Symptoms:
XSS reflection when DoS client side is enabled as a mitigation, or a proactive bot defense is enabled.

Conditions:
1. Log in to the client IP address and send the ab request.
2. Once the DoS attack starts, send the curl request
hl=en&q=drpdrp'-alert(1)-'drpdrp".
3. Unencoded Referer header is visible.

Impact:
The XSS reflection occurs after triggering the DoS attack.

Workaround:
None.

Fix:
DoS client side challenge now encodes the Referer header.


685193 : If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to the number of child policies

Component: Application Security Manager

Symptoms:
If Inheritance is None in the Parent Policy and there is at least one child policy, the number of Comments shown in Inheritance Settings is equal to number of child policies.

Conditions:
1) Create Parent policy and set some section's Inheritance to None.
2) Create child policy and assign it to the parent created above.
3) Go to the Parent Policy Inheritance Settings tab; the number of comments for sections set to None equals the number of child policies.

Impact:
There is an incorrect number of Comments shown in Inheritance Settings.

Workaround:
None.

Fix:
The correct number of comments is now shown for each section in the Inheritance Settings tab of the Parent Policy. For sections whose inheritance is None, nothing is shown.


685174 : When script-src does not exist, FPS creates the script-src directive while ignoring the policy defined by default-src

Component: Fraud Protection Services

Symptoms:
When script-src does not exist, FPS creates the script-src directive while ignoring the policy defined by default-src. This is also true for other directives such as img-src, style-src, etc.

Conditions:
Content-Security-Policy configured as follows:

Content-Security-Policy: default-src 'unsafe-inline'

For example, for the following header:
 default-src 'unsafe-inline'

FPS modifies it to:
 default-src 'unsafe-inline'; script-src 'self' 'nonce-RANDOM-VAL'

Impact:
The application might not work because FPS restricts inline script execution.

Workaround:
None.

Fix:
'unsafe-inline' will not be injected into the script-src or style-src directives if it is present in the default-src directive.
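An added example (not F5 code) of the fallback rule that makes this a problem: a browser consults default-src for script-src only while script-src is absent, so creating script-src from scratch replaces whatever default-src granted. The header values are the ones quoted in this entry; the function names and the directive table are assumptions made for the example.

```python
"""Added example (not F5 code): why creating a missing script-src from
scratch narrows a policy that only set default-src.

Header values are the ones quoted in this entry; function names and the
directive table are assumptions made for the example."""
from typing import Dict, List

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into directive -> source list.
    Browsers keep the first occurrence of a duplicated directive."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """What a browser enforces for `directive`: the directive itself if
    present, otherwise default-src (for directives that fall back to it)."""
    if directive in policy:
        return list(policy[directive])
    if directive in FALLS_BACK_TO_DEFAULT:
        return list(policy.get("default-src", []))
    return []


def add_nonce_from_scratch(header: str, directive: str, nonce: str) -> str:
    """The behaviour this entry reports: a missing directive is created as
    'self' plus the nonce, ignoring what default-src granted."""
    policy = parse_csp(header)
    sources = policy.get(directive, ["'self'"])
    policy[directive] = sources + [f"'nonce-{nonce}'"]
    return serialize_csp(policy)


def add_nonce_inheriting(header: str, directive: str, nonce: str) -> str:
    """Seed a newly created directive with the sources it inherited from
    default-src, so the nonce is added to the existing grant instead of
    replacing it."""
    policy = parse_csp(header)
    sources = effective_sources(policy, directive)
    if f"'nonce-{nonce}'" not in sources:
        sources.append(f"'nonce-{nonce}'")
    policy[directive] = sources
    return serialize_csp(policy)


def inline_allowed_without_nonce(sources: List[str]) -> bool:
    """Caveat for the inheriting variant: CSP level 2 and later browsers
    ignore 'unsafe-inline' in a directive that also lists a nonce or hash,
    so inline scripts then need the nonce regardless of inheritance."""
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    header = "default-src 'unsafe-inline'"
    print("before:  ", effective_sources(parse_csp(header), "script-src"))
    rewritten = add_nonce_from_scratch(header, "script-src", "RANDOM-VAL")
    print("rewritten:", rewritten)
    print("after:   ", effective_sources(parse_csp(rewritten), "script-src"))
    print("inherit: ", add_nonce_inheriting(header, "script-src", "RANDOM-VAL"))
```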


685164 : In partitions with default route domain != 0 request log is not showing requests

Solution Article: K34646484

Component: Application Security Manager

Symptoms:
No requests appear in the request log when a partition is selected, while they can be seen when 'All [Read Only]' is selected.

Conditions:
Select a partition whose default route domain is not 0 (zero).

Impact:
No requests in request log.

Workaround:
As a partial workaround, you can use [All], but it's read only.

Fix:
Fixed filter by Source IP, which worked incorrectly in partitions whose default route domain was not 0 (zero).


685110 : With a non-LTM license (ASM, APM, etc.), ephemeral nodes will not be created for FQDN nodes/pool members.

Component: Local Traffic Manager

Symptoms:
1. FQDN nodes/pools fail to populate with members.

2. An error similar to the following is logged in /var/log/ltm when an FQDN node or pool member is created:

err mcpd[####]: 01070356:3: Ratio load balancing feature not licensed.

Conditions:
1. License a BIG-IP system with non-LTM license lacking the ltm_lb_ratio feature.
Such licenses include APM and/or ASM licenses for certain newer platforms which do not support the AAM module.
Affected platforms include certain iSeries and Virtual Edition (VE) releases.
2. Configure an FQDN node/pool member. Do not specify a 'ratio' value.

Impact:
Unable to use FQDN nodes/pool members with a non-LTM license.

Workaround:
None.

Fix:
With a non-LTM license (ASM, APM, etc.), ephemeral nodes are now created for FQDN nodes/pool members.


685056-1 : VE OVAs are not a supported platform for VMware guest OS customization

Component: TMOS

Symptoms:
VMware vCenter fails to create the customization specification wizard because the BIG-IP Virtual Edition (VE) OVA's OSType is set to 'Other 64-bit'.

Conditions:
When applying VMware guest OS customization on VMware BIG-IP VE.

Impact:
VMware guest OS customization fails (cannot create customization specification wizard).

Workaround:
You can use either of the following workarounds:
 - Apply VMware guest OS customization with 'ovftool'.
 - Manually set OSType to 'Other 3.x Linux 64-bit'.

Fix:
OS type embedded in .ovf file in VE OVAs has been changed from 'Other 64-bit' to 'Other 3.x Linux 64-bit' to enable VMware guest OS customization.

Behavior Change:
In this release, the OS type set in .ovf file in the BIG-IP VE SCSI OVA images for VMware has been changed from 'Other 64bit' to 'Other 3.x Linux 64bit'. This enables 'VMware Guest Customization' via VMware vCenter.


685020 : Enhancement to SessionDB provides timeout

Component: TMOS

Symptoms:
In some cases, calls made to SessionDB never return from the remote TMM.

Conditions:
-- Using add, update, delete, and lookup commands to remote TMM.
-- SessionDB request is not returned.

Impact:
Calls made to SessionDB never return from the remote TMM.

Workaround:
None.

Fix:
The system initiates a timeout after 2 seconds. If a timeout occurs, the calling command receives a result of err==ERR_TIMEOUT.

A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|

Behavior Change:
A new sys db variable was added to enable the timeout for the iRule table command. It defaults to false. Below is the new definition followed by the tmsh command to set the value.

# Enable or disable iRule table cmd timeout override to cause all
# requests to be 'remembered' so that we do not leak them
# if subsystems fail.
[Tmm.SessionDB.table_cmd_timeout_override]
default=false
type=enum
realm=common
enum=|true|false|


684942 : Disabled PHP configuration option 'allow_url_fopen'

Component: TMOS

Symptoms:
PHP configuration option has allow_url_fopen set to 'On'.

Conditions:
BIG-IP system uses PHP for the Configuration Utility.

Impact:
The allow_url_fopen configuration option needs to be disabled as a system security improvement.

Workaround:
None.

Fix:
Changed the PHP configuration of allow_url_fopen from 'On' to 'Off'.


684937 : [KERBEROS SSO] Performance of LRU cache for Kerberos tickets drops gradually with the number of users

Solution Article: K26451305

Component: Access Policy Manager

Symptoms:
APM performance in handling HTTP requests drops gradually over time when Kerberos SSO is in use.
Websso process CPU usage is very high during this time. The latency can vary between APM end users.

Conditions:
-- A large number of APM end users have logged on and are using Kerberos SSO.
-- Running APM.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
LRU cache performance no longer drops linearly with the number of cached Kerberos tickets, and the latency of HTTP request processing has been significantly improved.


684852 : Obfuscator not producing deterministic output

Component: Fraud Protection Services

Symptoms:
Proactive defense challenge is not passed.

Conditions:
The obfuscator does not produce the same output for the same pair of key and seed. Therefore, on multi-blade devices or in active-active deployments, the challenge fails when the request for the page (url=/) and the request for the JavaScript (/TSPD/*?type=10) go to different blades or different devices.

More frequently, it happens when the page and the JavaScript are loaded from the same blade, but the JavaScript is stored in the cache.

On the next refresh, the request goes to the second blade. Because the JavaScript in the cache was received from the first blade, it does not match the page.

Impact:
Proactive defense challenge is not passed; challenge remains on blank page on chassis.

Workaround:
None.

Fix:
The obfuscator now uses a common Random object.


684782-1 : APM eam process may be in restart loop with a core file generated each time when log level was changed from LOGLEVEL_DEBUG3 to LOGLEVEL_ERROR.

Solution Article: K22913225

Component: Access Policy Manager

Symptoms:
APM eam process might go into a restart loop, with a core file generated at each restart, when log level is changed from LOGLEVEL_DEBUG3 to LOGLEVEL_ERROR.

Conditions:
Change log level from LOGLEVEL_DEBUG3 to LOGLEVEL_ERROR (which you might do to implement the workaround in K82304591: OAM ASDK log files may grow to consume excessive disk space, https://support.f5.com/csp/article/K82304591).

Impact:
eam restart loop, with a core file generated each time it restarts.

Workaround:
Delete any unwanted accessgate from APM. For every accessgate configured on the APM, you must also configure and enable a corresponding accessgate on the OAM server.


684649-1 : Inconsistent DAGv2 state between B4400 blades after upgrade

Component: TMOS

Symptoms:
B4400 blades in the VIPRION chassis might encounter inconsistent DAGv2 state after upgrading from v12.1.x to v13.0.0 or v13.1.0. You might see messages similar to the following continuously logged into /var/log/tmm on the Standby unit:

notice CDP: Selected DAG state from primary PG 0 for CMP state 03 with clock 6765

Conditions:
Upgrading VIPRION B4400 blades from v12.1.x to v13.0.0 or v13.1.0.

Impact:
There is no traffic impact on the Active BIG-IP system, but the issue causes the Standby BIG-IP system to constantly update its DAGv2 table.

Workaround:
Reboot one of the B4400 blades in the Active BIG-IP system.

Fix:
DAGv2 state is now consistent between B4400 blades after upgrade.


684583 : Builtin Okta Scopes Request object uses client-id and client-secret

Component: Access Policy Manager

Symptoms:
Builtin Okta Scopes Request object uses client credentials instead of resource server credentials.

Conditions:
Builtin Okta Scopes Request object

Impact:
Scope request with Builtin Okta Scopes Request object fails.

Workaround:
Use modified Request object.

Fix:
Builtin Okta Scopes Request object is fixed to use resource server credentials.


684494 : Changed /var/log mount options

Component: TMOS

Symptoms:
The filesystem mounted at /var/log now has the nodev, nosuid, and noexec options enabled.

Conditions:
/var/log mount options.

Impact:
Security hardening of /var/log/ mount point.

Workaround:
Security hardening. No workaround needed.

Fix:
Increased security of /var/log mount point.


684414 : Retrieving too many groups is causing out of memory errors in TMUI and VPE

Component: Access Policy Manager

Symptoms:
Retrieving too many groups might cause out-of-memory errors in TMUI and VPE. TMUI might end up with HTTP 502, and VPE fails with HTTP 500.

Conditions:
LDAP/AD server with over 20,000 groups.

Impact:
It's hard to perform LDAP/AD group mapping because there are no group names in the dialog box, which complicates work on such a large number of groups.

Workaround:
The only solution is to remove the /shared/tmp/gmcache folder and use manual group mapping.

Fix:
Retrieving too many groups no longer results in memory errors in TMUI and VPE, even on LDAP/AD servers with over 20,000 groups.


684399 : Connectivity profiles UI shows (Not Licensed) when LTM base is present

Component: Access Policy Manager

Symptoms:
In APM, the connectivity profile UI shows (Not Licensed) when LTM base is present.

Conditions:
LTM and APM are provisioned.

Impact:
UI shows FEC profile as not licensed. But user can still choose FEC profile.

Workaround:
Ignore the not licensed warning.


684391 : Existing IPsec tunnels reload. tmipsecd creates a core file.

Component: TMOS

Symptoms:
Existing IPsec tunnels reload. tmipsecd creates a core file.

Conditions:
Although an exact replication of the issue has not been reliable, the one instance occurred after the following conditions:
-- Remote peer repeatedly tries to establish a tunnel.
-- The IPsec IKEv1 daemon 'racoon' is dead.

Impact:
Existing IPsec tunnels reload when tmipsecd aborts. tmipsecd creates a core file.

Workaround:
None.

Fix:
Exception handling in tmipsecd has been improved so that tmipsecd will not reload when encountering some unusual conditions.


684370 : APM now supports VMware Workspace ONE integration with VIDM as ID Provider

Component: Access Policy Manager

Symptoms:
When VMware Horizon resources are behind APM, you can see available desktops and applications on the VMware Workspace One (WS1) portal, but you cannot launch them.

Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- Authenticate with VMware Identity Manager (VIDM) and see available virtual desktops and applications on WS1 portal.
-- Attempt to launch a virtual desktop or application with VMware HTML5 client.

Impact:
BIG-IP users get authenticated with VIDM and can see available desktops and applications on the WS1 portal, but cannot launch a desktop or application with View HTML5 client.

Workaround:
Not applicable.

Fix:
APM now supports VMware Workspace One (WS1) with VMware Identity Manager (VIDM) as the Identity Provider and APM as a service provider, protecting VMware Horizon desktops and applications.


684333 : PEM session created by Gx may get deleted across multiple HA switchovers performed with a CLI command

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may get cleaned up with terminate cause of FATAL GRACE TIMEOUT, if multiple high availability (HA) failover is being performed using the following command: tmsh run sys failover standby.

Conditions:
Multiple HA failover performed using the following command: tmsh run sys failover standby.

Impact:
PEM session created using Gx may get deleted.

Workaround:
Initiate failover using alternate commands, such as the following:
 tmm big start restart.


684325 : APMD Memory leak when applying a specific access profile

Component: Access Policy Manager

Symptoms:
When an access profile has a CheckMachineCert agent, each update of the profile using 'Apply access policy' leaks 12096 bytes of memory.

Conditions:
-- Access profile configured with agent 'CheckMachineCert'.
-- Repeatedly update the profile using 'Apply access policy'.

Impact:
APMD process stops after repeated application of the script.

Workaround:
None.

Fix:
APMD no longer leaks memory when applying Access profile configured with agent 'CheckMachineCert'.


684319 : iRule execution logging

Component: Local Traffic Manager

Symptoms:
iRule execution can block tmm from getting CPU cycles.

Conditions:
When executing iRule Tcl code with, for example, a tight while loop, tmm fails to send its heartbeat. This change adds additional logging around this condition.

Impact:
Logging now identifies the offending iRule.

Workaround:
No workaround.

Fix:
tmm now logs the following messages when the configurable execution limit is exceeded:

 notice tmm9[20262]: 01010338:5: Virtual /Common/http_respond iRule /Common/responder <HTTP_REQUEST> execution ran for 631 ticks (192.168.24.24:38169 -> 10.209.31.20:80 TCP)
 notice tmm9[20262]: 01010029:5: Clock advanced by 632 ticks


684312 : During Apply Policy action, bd agent crashes, causing the machine to go Offline

Component: Application Security Manager

Symptoms:
During the Apply Policy action, bd agent crashes with this error:
--------------------
crit perl[21745]: 01310027:2: ASM subsystem error (bd_agent,): bd_agent exiting, error:[Bit::Vector::new_Dec(): input string syntax error at /usr/local/share/perl5/F5/CfgConvert.pm line 66, <$inf> line 1. ]
--------------------

This causes the bd and bd_agent processes to restart, and the machine goes Offline.

Conditions:
-- ASM provisioned.
-- Applying policy.
-- Corrupted data is loaded during an Apply Policy action.

Impact:
The bd and bd_agent processes restart, causing the machine to go Offline while the processes restart.

Workaround:
None.

Fix:
During Apply Policy action, bd agent no longer crashes when attempting to load corrupted data.


684218 : vADC 'live-install' Downgrade from v13.1.0 is not possible

Component: TMOS

Symptoms:
vADC v13.1.0 has a new storage format that is incompatible with earlier versions. It should be possible to use the '--format' option of 'image2disk' to downgrade a v13.1.0 vADC system, but it is not.

Conditions:
Running v13.1.0, attempt software downgrade to 11.5.4, for example:

image2disk --format=volumes --nosaveconfig 11.5.4

Impact:
The request is not allowed; no changes are made.

Workaround:
Deploy a new 11.5.4 software image via the hypervisor environment.


684033 : CVE-2017-9798 : Apache Vulnerability (OptionsBleed)

Solution Article: K70084351


683837 : Web browsers may strip query parameters from the logout URL after completing SAML single logout profile.

Component: Access Policy Manager

Symptoms:
When a user initiates SAML single logout (SLO) on BIG-IP (either SP or IdP), BIG-IP attempts to log the user out from all external SAML providers by following the SLO profile.
After the SLO profile completes, the user is redirected back to the original URL that started the SLO procedure. Newer browser versions are known to strip query parameters from this final URL, which may cause a redirect to a URL with no query parameters.

Conditions:
BIG-IP is used for SAML deployments as SP or IdP.
Single logout profile is configured on BIG-IP.
Single logout begins on BIG-IP with a URL containing query parameters.

Impact:
The final SLO redirect to the original logout URL may be missing query parameters. Behavior differs based on the application behind BIG-IP.

Workaround:
n/a

Fix:
Issue is now addressed in a way that browsers will no longer strip query parameters from the final SLO redirect.


683741 : APM now supports VMware Workspace ONE integration with vIDM as ID Provider

Component: Access Policy Manager

Symptoms:
When VMware Horizon resources are behind APM, the APM end user is able to see available desktops and applications on the VMware Workspace ONE portal but is not able to launch them.

Conditions:
-- VMware virtual desktops and applications are hosted on VMware Horizon behind APM.
-- APM end user authenticates with VMware Identity Manager (IDM) and sees available virtual desktops and applications on Workspace ONE portal.
-- APM end user attempts to launch a virtual desktop or application with VMware native client.

Impact:
Users authenticate but are not able to launch a desktop or application with the View native client.

Workaround:
None.

Fix:
APM now supports VMware Workspace ONE with VMware IDM as Identity Provider and APM as service provider, protecting VMware Horizon desktops and applications.


683697 : SASP monitor may use the same UID for multiple HA device group members

Solution Article: K00647240

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, the SASP monitor running on one member of an HA group (failover device group) may use the same LB UID as another member of the device group.

The LB UID used to connect to the Server/Application State Protocol (SASP) Group Workload Manager (GWM) is required to be unique for each client connecting to the GWM.

As a result, only the first HA group member using the duplicated UID is able to successfully use the SASP monitor.

The SASP monitor instance running on the HA group member using the duplicated UID will fail to connect to the SASP GWM.

Conditions:
This occurs under rare timing conditions when using the SASP monitor on a BIG-IP system that belongs to an HA group.

It is possible that the necessary timing conditions may occur if the external SASP monitor daemon is forcibly restarted (such as for troubleshooting purposes).

Impact:
The SASP monitor is unable to monitor pool member availability on all members of the HA group.

Workaround:
Forcing the mcpd process to reload the configuration (as described in article K13030: Forcing the mcpd process to reload the BIG-IP configuration, https://support.f5.com/csp/article/K13030) allows recovery from this condition.

It is possible that less-intrusive measures such as restarting the external SASP monitor daemon (such as by sending a SIGTERM to the SASPD_monitor process) may also allow recovery. Due to the rare occurrence of this symptom, this solution has not been confirmed.

Fix:
The SASP monitor reliably uses a unique UID across HA group members, allowing all HA group members to successfully connect to the SASP GWM.


683683 : ASN1::encode returns wrong binary data

Component: Local Traffic Manager

Symptoms:
ASN1::encode returns incorrect data for certain integer values. For example, for integer 49280, ASN1::encode returns 02030000.

Conditions:
The problem happens in an implicit UTF encoding/decoding, and it is not obvious what data triggers the error.

This is because the command implicitly converts the Tcl object type from byte array to string and later back to byte array, and because of the UTF decoding algorithm, certain bytes get changed.

Impact:
The returned binary is wrong.

Workaround:
Use binary scan for the value that is incorrectly encoded by the command.

Fix:
ASN1::encode ENCODE mode now avoids the implicit type conversion from byte array to string and back to byte array, which changed the original byte array during UTF-8 decoding.
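An added example, not F5 code, that reproduces the value quoted in this entry: a DER INTEGER encoder, a model of the byte-array to string to byte-array round trip described under Conditions, and a well-formedness check that catches the truncated output. The model assumes the round trip behaves like Tcl's internal modified UTF-8, in which the two-byte sequence C0 80 stands for a NUL character and so comes back as a single 00 byte; the real ASN1::encode command is not reproduced.

```python
"""Added example (not F5 code) reproducing the value this entry quotes:
a DER INTEGER encoder, a model of the byte-array -> string -> byte-array
round trip described under Conditions, and a well-formedness check.

Assumption: the round trip behaves like Tcl's internal 'modified UTF-8',
where the two-byte sequence C0 80 stands for a NUL character and therefore
comes back as the single byte 00.  ASN1::encode itself is not reproduced."""


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode_integer(value: int) -> bytes:
    """Tag 0x02, minimal two's-complement content (non-negative values only)."""
    if value < 0:
        raise ValueError("example handles non-negative integers only")
    # One extra bit keeps the sign bit clear, e.g. 49280 = 0xC080 -> 00 C0 80.
    content = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + der_length(len(content)) + content


def tcl_string_round_trip(data: bytes) -> bytes:
    """Model of the implicit type conversion: bytes read as Tcl's internal
    UTF-8 collapse the overlong NUL encoding C0 80 into one 00 byte.
    For 49280 this turns 02 03 00 C0 80 into the 02 03 00 00 the entry quotes."""
    return data.replace(b"\xc0\x80", b"\x00")


def is_well_formed_der_integer(data: bytes) -> bool:
    """Cheap validity check for an encoder's output: tag, length and content
    must agree, which the corrupted 02 03 00 00 fails (length 3, 2 bytes)."""
    if len(data) < 2 or data[0] != 0x02:
        return False
    first = data[1]
    if first < 128:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return length > 0 and len(data) == offset + length


def der_decode_integer(data: bytes) -> int:
    """Decode a DER INTEGER, refusing output whose length octet does not
    match the content actually present."""
    if not is_well_formed_der_integer(data):
        raise ValueError("malformed DER INTEGER: %s" % data.hex())
    content = data[2:] if data[1] < 128 else data[2 + (data[1] & 0x7F):]
    return int.from_bytes(content, "big", signed=True)


if __name__ == "__main__":
    good = der_encode_integer(49280)
    bad = tcl_string_round_trip(good)
    print(good.hex(), bad.hex(), is_well_formed_der_integer(bad))
```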


683565 : Lack of meaningful information about 'codec alert' errors triggered by SSL traffic issues.

Component: Local Traffic Manager

Symptoms:
Some problematic SSL traffic can cause the SSL processing engine to encounter errors and generate 'codec alert' errors in the LTM log. These errors do not convey any meaningful information about the actual problem that occurred.

Conditions:
Various SSL traffic issues seen by BIG-IP.

Impact:
BIG-IP system administrators cannot make informed decisions when information about SSL traffic issues is lacking.

Workaround:
There is no workaround at this time.

Fix:
Added support to log the causes for 'codec alert' errors as debug logs.


683508 : WebSockets: umu memory leak of binary frames when remote logger is configured

Component: Application Security Manager

Symptoms:
ASM out of memory error messages in /var/log/asm.

Conditions:
-- Virtual server configured with WebSocket profile.
-- ASM remote logger configured and assigned to the virtual server.

Impact:
ASM out of memory, memory leak.

Workaround:
Remove ASM remote logging profile from a virtual server.

Fix:
This release correctly releases unused memory after a WebSocket message is sent to the logging destination.


683474-1 : Case-sensitivity problem when comparing two virtual servers

Component: Application Visibility and Reporting

Symptoms:
Failed to load the 'incident types volume graph' if the incident was filtered by virtual server.

Impact:
Chart of incident data will not be displayed.

Workaround:
Avoid creating virtual servers whose names differ only in letter case.

Fix:
The monpd process now uses a case-sensitive comparison of virtual server names.


683389 : Error #2134 when attempting to create local flash.net::SharedObject in rewritten ActionScript 3 file

Component: Access Policy Manager

Symptoms:
Flash ActionScript3 application shows Error #2134 when trying to call flash.net::SharedObject.getLocal with localPath specified.

Conditions:
Attempt to create local SharedObject.

Impact:
Affected Flash applications are not working when accessed through Portal Access.

Workaround:
None.

Fix:
Addressed an issue in Portal Access which caused rewritten Flash files to show Error #2134 on attempt to create local SharedObject.


683297 : Portal Access may use incorrect back-end for resources referenced by CSS

Component: Access Policy Manager

Symptoms:
If an HTML page references an external CSS file with a URL beginning with '//', host-less references in that CSS file are handled incorrectly by Portal Access.

Conditions:
- HTML page at http://example.host/page.html:

    <link rel=stylesheet href=//another.host/some/path/my.css>

- and this CSS contains a reference with an absolute path, like this:

    html { background-image: url(/misc/image/some.png); }

Portal Access uses 'http://example.host' as back-end for this image instead of correct 'http://another.host'.

Impact:
Web application may not work correctly.

Workaround:
Use an iRule to correct the back-end host.

Fix:
Portal Access uses correct back-end host for references in CSS files included with scheme-less URL.
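The resolution rule this fix restores, shown as an added example (not Portal Access code) using Node's built-in URL class: each url() reference inside a stylesheet is resolved against the stylesheet's own URL, so a scheme-less stylesheet href picks up only the page's scheme and a host-less path picks up the stylesheet's host. The sample page, stylesheet and CSS are constructed to mirror the Conditions above; the regular expression assumes CSS without escape sequences inside url() tokens.

```javascript
// Matches url(...) tokens in CSS, quoted or unquoted. Assumption: no escape
// sequences inside the token (sufficient for this illustration).
const CSS_URL_RE = /url\(\s*(['"]?)([^'")]+)\1\s*\)/g;

// The stylesheet's own absolute URL. A scheme-less href such as
// "//another.host/some/path/my.css" inherits only the scheme of the page.
function resolveStylesheetUrl(pageUrl, href) {
  return new URL(href, pageUrl).href;
}

// Correct behaviour: references found in the stylesheet are resolved relative
// to the stylesheet URL, never relative to the HTML page that linked it.
function resolveCssReferences(pageUrl, stylesheetHref, cssText) {
  const base = resolveStylesheetUrl(pageUrl, stylesheetHref);
  const refs = [];
  for (const m of cssText.matchAll(CSS_URL_RE)) {
    refs.push(new URL(m[2], base).href);
  }
  return refs;
}

// The behaviour described in the Symptoms section: references were resolved
// against the page URL, so a host-less path was given the page's host.
function resolveCssReferencesBuggy(pageUrl, stylesheetHref, cssText) {
  const refs = [];
  for (const m of cssText.matchAll(CSS_URL_RE)) {
    refs.push(new URL(m[2], pageUrl).href);
  }
  return refs;
}

// The back-end origin (scheme + host + optional port) a rewriting proxy
// should fetch a resolved reference from.
function backendFor(resolvedUrl) {
  return new URL(resolvedUrl).origin;
}

// Constructed sample input mirroring the Conditions section; the second
// rule adds a relative reference to show the general case.
const PAGE_URL = 'http://example.host/page.html';
const CSS_HREF = '//another.host/some/path/my.css';
const CSS_TEXT =
  'html { background-image: url(/misc/image/some.png); }\n' +
  '.logo { background: url("../img/logo.png"); }';

console.log('correct:', resolveCssReferences(PAGE_URL, CSS_HREF, CSS_TEXT));
console.log('buggy:  ', resolveCssReferencesBuggy(PAGE_URL, CSS_HREF, CSS_TEXT));
```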


683284 : tcpdump option added to capture on "all interfaces" from Linux side using the option "any:l"

Component: TMOS

Symptoms:
tcpdump can be used to capture packets from the Linux side (using the Linux kernel's tcpdump instead of capturing from tmm). However this cannot be done on all interfaces and VLANs at the same time. The command needs to specify a particular VLAN for its Linux side capture.

Conditions:
Running tcpdump.

Impact:
Linux-side tcpdump capture can be done on only one VLAN at a time.

Workaround:
There is no workaround at this time.

Fix:
tcpdump now accepts the option 'any:l' which allows capture on all interfaces and VLANs at the same time from the Linux side.


683282 : tcpdump option added to capture on 'all interfaces' from host side using the option '0.0:h'

Component: TMOS

Symptoms:
tcpdump can be used to capture packets to and from the host side, which means an administrator can see the packets that are sent from tmm to the Linux kernel (and vice-versa). However, this only could be done on a specific VLAN. Now, the '0.0:h' interface option to capture all host side traffic on all interfaces and VLANs works.

Conditions:
No specific conditions are needed; the interface option '0.0:h' never worked.

Impact:
Using the tcpdump interface option '0.0:h' to capture all host-side traffic on all interfaces and VLANs captures no packets and exits with the following message: tcpdump: Host modifier not supported on this interface.

Workaround:
There is no workaround at this time.

Fix:
tcpdump now accepts the interface option '0.0:h' and will capture all host side traffic on all VLANs.


683246 : SNMP trap suppression should be based upon OID rather than trap text

Component: TMOS

Symptoms:
There are two db variables that allow trap suppression to be configured. They are snmp.bigiptraps.suppress.interval and snmp.bigiptraps.suppress.count. The suppression is cleared with each new trap issued so it does not successfully suppress traps when multiple traps are issued in the suppression interval.

Conditions:
Configuring SNMP trap suppression.

Impact:
It can appear that trap suppression is not working if multiple traps are being issued in the suppression interval.

Workaround:
There is no workaround at this time.

Fix:
The trap suppression processing has been improved to consider the full trap contents.
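A simplified model of the suppression failure described in this entry, as an added example that is not F5 code. The semantics are assumed for illustration only: within intervalSec seconds at most count copies of one trap are sent and further copies are suppressed until the window expires; the original behaviour is modelled as a single suppression window that any different trap clears, the fixed behaviour as one window per full trap contents. The trap OIDs and varbinds are constructed.

```javascript
class TrapSuppressor {
  // perContents=false models the behaviour described in Symptoms: the
  // suppression state is cleared whenever a different trap is issued.
  // perContents=true keys the state on the full trap contents.
  constructor(intervalSec, count, perContents) {
    this.intervalSec = intervalSec;
    this.count = count;
    this.perContents = perContents;
    this.windows = new Map(); // trap key -> { start, sent }
  }

  // Full trap contents: OID plus its varbinds.
  static keyOf(trap) {
    return `${trap.oid}|${JSON.stringify(trap.varbinds)}`;
  }

  // Returns true if the trap should be sent, false if it is suppressed.
  shouldSend(trap, nowSec) {
    const key = TrapSuppressor.keyOf(trap);
    if (!this.perContents && !this.windows.has(key)) {
      this.windows.clear(); // a new trap wipes any earlier suppression window
    }
    let w = this.windows.get(key);
    if (!w || nowSec - w.start >= this.intervalSec) {
      w = { start: nowSec, sent: 0 }; // open a fresh window
      this.windows.set(key, w);
    }
    if (w.sent >= this.count) return false;
    w.sent += 1;
    return true;
  }
}

// Feed a constructed trap sequence (two kinds of trap interleaved, then one
// copy after the window expired) through a suppressor with interval 60 s and
// count 2, and return the send/suppress decision for each trap.
function simulate(perContents) {
  const s = new TrapSuppressor(60, 2, perContents);
  const trapA = { oid: '1.3.6.1.4.1.99999.0.1', varbinds: { message: 'constructed trap A' } };
  const trapB = { oid: '1.3.6.1.4.1.99999.0.2', varbinds: { message: 'constructed trap B' } };
  const sequence = [[0, trapA], [1, trapA], [2, trapB], [3, trapA], [4, trapA], [5, trapA], [70, trapA]];
  return sequence.map(([t, trap]) => s.shouldSend(trap, t));
}

console.log('cleared by each new trap:', simulate(false));
console.log('keyed on trap contents:  ', simulate(true));
```

In the first run the copy of trap A at t=3 restarts the count after trap B, so five of six copies inside the window are sent; in the second run the third and later copies inside the window are suppressed, and the copy at t=70 is sent because the window has expired.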


683131 : Hotfix install fails on vCMP guest when both guest and host have the same base version ISO present

Component: TMOS

Symptoms:
BIG-IP software installations will fail and report a status of:

    waiting for cleanup; multiple base builds found (BIG-IP 13.0.0)

Conditions:
- Perform software installation in a vCMP guest when guest is running v13.0.0 or newer.
- Ask the guest to install a hotfix (e.g. "tmsh install /sys software hotfix 13.0.0-hf2.iso volume HD1.2 create-volume") to a boot location that does not have a base software version installed.
- Hypervisor has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)
- Guest has a valid copy of the correct base image (e.g. v13.0.0 build 0.0.1645)

Impact:
Software installation fails, and will not complete/continue.

Workaround:
Delete the base software image from either the hypervisor's or the guest's file system.

Fix:
The condition no longer causes an error; the installation request successfully runs to completion.


683114 : Need support for 4th element version in Update Check

Component: TMOS

Symptoms:
Previously, there was no 4th element version Update Check functionality.

Conditions:
Using Update Check.

Impact:
No 4th element version support provided.

Workaround:
None.

Fix:
There is now 4th element version support in Update Check.


683113 : [KERBEROS SSO][KRB5] The performance of memory type Kerberos ticket cache in krb5 library drops gradually with the number of users

Solution Article: K22904904

Component: Access Policy Manager

Symptoms:
APM performance of handling HTTP request drops gradually when Kerberos SSO is being used over a period of time.

Websso CPU usage is very high.

The BIG-IP system response rate can drop to the point that clients disconnect after waiting for a response. The system logs error messages similar to the following: Failure occurred when processing the work item.

Conditions:
-- Running APM.
-- A large number of APM end users (~20K) have logged on and are using Kerberos SSO.

Impact:
Increased latency of HTTP request processing.

Workaround:
Reduce the number of cached Kerberos user tickets by lowering the cache lifetime.

Fix:
Improvements to the krb5 library have been implemented for better scalability, so the latency of HTTP request processing has been significantly improved.


683110 : APM client_packaging and sandbox objects are not handled when using tmsh auth partition to manage partition

Component: Access Policy Manager

Symptoms:
The APM objects client_packaging and sandbox are not created or deleted along with the partition folder when the partition is created or deleted using the command: tmsh auth partition.

Conditions:
- Create partition using the command: tmsh auth partition
- Delete, using the command tmsh auth partition, a partition that was created by the tmsh sys folder command or the GUI.

Impact:
- Certain APM functions associated with client_packaging and sandbox are missing.

- Deletion fails.

Workaround:
Use the 'tmsh sys folder' command or the GUI to create and delete partitions.

Fix:
Using 'tmsh auth partition' to create and delete a partition now achieves the same result as using 'tmsh sys folder' or the GUI, i.e., client_packaging and sandbox are created and deleted along with the partition folder.


683061 : Rapid creation/update/deletion of the same external datagroup may cause core

Component: Local Traffic Manager

Symptoms:
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued.
-- notice tmm[15187]: 01010259:5: External Datagroup (/Common/Datagroup_1) queued for update.
-- err tmm[15187]: 01010258:3: External Datagroup (/Common/Datagroup_1) creation failed: initial load error, deleting.

Conditions:
Using an external datagroup and rapidly creating, updating, and then deleting it.

Impact:
TMM fails.

Workaround:
Allow TMM enough time to finish processing external data-group before starting another operation. Depending on the size of the datagroup anywhere from 1s to 10s or more may be needed. The LTM log can be examined for the create/finished message to help determine how much wait time is required.


683029 : Sync of virtual address and self IP traffic groups only happens in one direction

Component: TMOS

Symptoms:
If you have a virtual address and a self IP that both listen on the same IP address, changing the traffic group of the self IP will make an equivalent change to the traffic group of the virtual address. However, this does not work in reverse. Changing the traffic group of the virtual address will not cause a change of the traffic group of the self IP.

Conditions:
You have a virtual address and a self IP that both listen on the same IP address. (The subnet mask need not be the same.)

Impact:
This is by design, but is counterintuitive, and there is no warning message that this is the case. Setting the traffic group on both objects will always work properly.

Workaround:
Care should be taken to ensure that the desired traffic group is set on both objects.


682944 : key-id missing for installed netHSM key for standby BIG-IP system in HA setup

Component: Local Traffic Manager

Symptoms:
In a BIG-IP high availability (HA) configuration, the installed nethsm key has an empty key-id string on the standby BIG-IP system. That is, the BIG-IP system on which the key is actually installed displays the key-id string properly, but its peer BIG-IP system does not display a key-id string associated with the installed key.

Conditions:
-- nethsm key installed.
-- Standby BIG-IP system in an HA configuration.

Impact:
The peer BIG-IP system has no key-id string properly displayed.

Workaround:
Even though key-id does not display, the key is present on the peer BIG-IP system and can be used there.

Fix:
The netHSM key for standby BIG-IP system in HA configurations now shows up after a successful configsync.


682837-1 : Compression watchdog period too brief.

Component: TMOS

Symptoms:
Compression TPS can be reduced on certain platforms when sustained, very high compression request traffic is present.

Conditions:
Very high sustained system-wide compression request traffic.

Impact:
Accelerated compression throughput can drop significantly; some flows dropped.

Workaround:
Switch to software compression.

Fix:
Compression request monitor tuned to account for systems with smaller bandwidth.


682751 : Kerberos keytab file content may be visible.

Component: Access Policy Manager

Symptoms:
Kerberos keytab file content may be visible.

Conditions:
Import a Kerberos keytab file.

From the command line, check the file permissions. It is readable.

Impact:
The keytab is similar to a private key file and should not be readable.

Workaround:
Use chmod to change the keytab file permission manually so that it is not world-readable.

Fix:
Kerberos keytab file content is no longer visible.


682500 : VDI Profile and Storefront Portal Access resource do not work together

Solution Article: K03903649

Component: Access Policy Manager

Symptoms:
Accessing a Citrix Storefront portal access resource and clicking on the application does not work because VDI returns HTTP status 404.

Conditions:
-- VDI profile is attached to the Virtual server.
-- Access policy has Citrix Storefront portal access resource.
-- Citrix remote-desktop resource is attached.

Impact:
Citrix Storefront portal access resource cannot be used to launch applications.

Workaround:
None.

Fix:
Citrix Storefront portal access resources can now be used with Citrix Remote desktop resources.


682482-1 : LTM Policy with 'requires {ssl-persistence}' load issue resolved in 13.1.0

Component: Local Traffic Manager

Symptoms:
There was a load issue with LTM Policies that use 'requires {ssl-persistence}'; it was found and fixed during v13.1.0 project development.

Note: Because this issue was fixed in v13.1.0 before release, you will not encounter this issue; this release note is included to track the Behavior Change.

Conditions:
LTM policy that has 'requires {ssl-persistence}'.

Impact:
Configuration load fails.

Note: This occurs only in internal releases and was never included in an external release.

Workaround:
Change the configuration and load it manually.
- If policy is active for the ssl-client-hello event, change ssl-persistence to client-ssl.

- If policy is active for the ssl-server-handshake event, change ssl-persistence to server-ssl.

- If policy is active for both ssl-client-hello and ssl-server-handshake events, change ssl-persistence to client-ssl - server-ssl.

Fix:
13.1.0 configurations with policies that 'require {ssl-persistence}' are migrated successfully.

Behavior Change:
Beginning in v13.1.0, LTM Policy supports many more framework events than before, and certain 'requires' aspects had to be replaced. In previous releases, ssl-persistence was used for client-side and server-side events. Now policies that contain client SSL or server SSL will have specific 'requires' aspect for that side.

Here are some examples of how the values changed:
- If policy is active for the ssl-client-hello event, ssl-persistence should be client-ssl.

- If policy is active for the ssl-server-handshake event, ssl-persistence should be server-ssl.

- If policy is active for both ssl-client-hello and ssl-server-handshake events, ssl-persistence should be client-ssl - server-ssl.

When updating LTM policies that already contain these values, the system changes them as follows:

-- The system changes the 'requires' stanza to client-ssl, if policy condition or action references these events:
    - ssl-client-hello
    - ssl-client-serverhello-send

-- The system changes the 'requires' stanza to server-ssl, if policy condition or action references these events:
    - ssl-server-hello
    - ssl-server-handshake
    
-- The system changes the 'requires' stanza to reflect both client-ssl and server-ssl, if the policy condition or action references both a client and a server event:
    - client-ssl server-ssl


682344 : lindex does not recognize multi dimension array indexing

Component: Local Traffic Manager

Symptoms:
The lindex command reports failure when it is given multiple indices; for example, the script "lindex $dnsServer 0 0" fails with the error: wrong # args

Conditions:
The lindex command is used with multiple indices.

Impact:
Validation fails, and thus the configuration fails to load.

Workaround:
Apply the lindex command to each dimension separately.

Fix:
Will submit fix.


682335 : TMM can establish multiple connections to the same gtmd

Component: Global Traffic Manager (DNS)

Symptoms:
TMM can establish multiple connections to the same gtmd, and tmm may core.

Conditions:
This timing-related issue involves coordination between license blob arrival, gtmd connection teardown/establishment, and gtmd restart.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Fixed: if there is an existing connflow, TMM does not start another connection.


682308 : Empty IP Address field of object created in a partition with route domain in GUI is auto-filled after save

Component: TMOS

Symptoms:
For config objects that contain an IP address field, such as a RADIUS server in APM or a traffic class in LTM, if the field is left empty and the object is created in a partition that is associated with a route domain, the value is auto-changed to '::0.0.0.0' after save.

Conditions:
Configuring APM RADIUS authentication with an empty nas-ip-address.

Impact:
The value in the database does not change. This is a cosmetic issue only and represents no functional issue.

Workaround:
Use tmsh to see APM RADIUS authentication nas-ip-address using the following command:

tmsh list apm aaa radius <name>

Fix:
Empty APM RADIUS authentication nas-ip-address is no longer automatically filled.


682271 : Portal Access may handle JavaScript getter/setter definitions incorrectly

Component: Access Policy Manager

Symptoms:
In JavaScript, literal object definition may contain getter/setter definitions for some property, for example:

var c = { get a() { return a; }, set a(v) { if (v) a = v; } };

The object 'c' has the property 'a' with explicit getter/setter functions.

If name of such property is equal to any name to be rewritten, then Portal Access may generate incorrect JavaScript code.

Conditions:
- JavaScript code with literal object definition;
- Property with getter/setter definition in this object;
- Property name is one of rewritten names, like 'location' or 'onerror'.

Impact:
JavaScript code cannot be executed due to incorrect syntax after rewriting.

Workaround:
Use iRule to replace rewritten property names by original ones.

Fix:
Now Portal Access does not rewrite property names in getter/setter definitions for JavaScript objects.
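Why the rewriter must skip getter/setter names, as an added example that is not Portal Access code: a naive rewriter that renames every occurrence of 'location' turns "get location()" into a property name containing a dot, which no longer parses, while a rewriter that leaves accessor definitions alone still rewrites the uses inside the bodies. The proxy object name F5_proxy and the sample object are constructed; member accesses such as obj.location are deliberately out of scope of this model.

```javascript
// Names whose bare occurrences the rewriter redirects to a proxy object.
const REWRITTEN_NAMES = ['location', 'onerror'];
const PROXY = 'F5_proxy'; // constructed name, stands in for the real proxy

// Naive rewriter: every standalone occurrence of a rewritten name is
// replaced, including the name in "get name()" / "set name()".
function rewriteNaive(code) {
  let out = code;
  for (const name of REWRITTEN_NAMES) {
    out = out.replace(new RegExp(`(?<!\\.)\\b${name}\\b`, 'g'), `${PROXY}.${name}`);
  }
  return out;
}

// Fixed rewriter: an occurrence that is preceded by the accessor keyword
// "get" or "set" is a property definition and is left untouched; every
// other bare occurrence is still rewritten.
function rewriteFixed(code) {
  let out = code;
  for (const name of REWRITTEN_NAMES) {
    const re = new RegExp(`(\\b(?:get|set)\\s+)?(?<!\\.)\\b${name}\\b`, 'g');
    out = out.replace(re, (match, accessor) =>
      accessor ? match : `${PROXY}.${name}`);
  }
  return out;
}

// Parse check: true if the rewritten code is still syntactically valid.
// new Function only compiles the body; nothing is executed.
function isValidJs(code) {
  try {
    new Function(code); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    return e instanceof SyntaxError ? false : (() => { throw e; })();
  }
}

// Constructed sample mirroring the Symptoms section, with the property named
// 'location' so that it collides with a rewritten name.
const SAMPLE =
  'var c = { get location() { return location; }, set location(v) { if (v) location = v; } };';

console.log('naive :', rewriteNaive(SAMPLE), '->', isValidJs(rewriteNaive(SAMPLE)));
console.log('fixed :', rewriteFixed(SAMPLE), '->', isValidJs(rewriteFixed(SAMPLE)));
```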


682213 : TLS v1.2 support in IP reputation daemon

Solution Article: K31623549

Component: TMOS

Symptoms:
The IP reputation daemon opens SSL connections to the Webroot BrightCloud server using TLS 1.0 protocol.

Conditions:
This occurs when using IP reputation.

Impact:
Because IP reputation services are used to accept or deny connections to critical business applications, there might be concerns about the service. Also, some configurations might require that all transactions leaving a PCI-controlled environment use secure protocols and ciphers, which is not the case for IP reputation services.

Workaround:
None.

Fix:
Webroot updated BrightCloud servers to support TLS 1.2. This is additional support. To preserve backward compatibility, the servers support TLS 1.0, TLS 1.1, TLS 1.2, SSL 2.0 and SSL 3.0.

In addition, this software version supports TLS 1.2 on the client side by customizing the SDK used by the IP reputation daemon.


682104 : HTTP PSM leaks memory when looking up evasion descriptions

Component: Local Traffic Manager

Symptoms:
http_psm_description_lookup leaks xfrags containing PSM evasion descriptions.

Conditions:
When PSM looks up evasion descriptions.

Impact:
Memory leaked on each lookup might eventually cause TMM to run out of memory.

Workaround:
None.

Fix:
This fix will stop the memory leakage.


681955 : Apache CVE-2017-9788

Solution Article: K23565223


681935 : B2000 Series Blades Low Throughput With Two Member Trunk

Component: TMOS

Symptoms:
Trunk throughput is significantly less than twice the data rate of the individual interface members when combining them into a trunk.

Conditions:
B2000 Series blades with two interfaces configured together as a trunk with traffic exceeding the rate of the single interface capacity. Note that performance degradation can vary widely depending on source and destination IP and port combinations.

Impact:
Degraded Performance.


681836-1 : Portal Access: JavaScript code may be corrupted in debug mode

Component: Access Policy Manager

Symptoms:
Sometimes Portal Access corrupts JavaScript code if it is running in debug mode.

Conditions:
- Portal Access in debug mode (i.e., with debug log setting).
- JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
Disable debug logging mode for Portal Access.

Fix:
Now Portal Access does not corrupt JavaScript code in debug logging mode.


681814 : Changes to a cipher group are not propagated to the ssl profiles until the configuration is reloaded

Component: Local Traffic Manager

Symptoms:
Changes to a cipher group, even indirect changes such as changing an underlying cipher rule, will not be propagated to the ssl profiles until the configuration is reloaded.

Conditions:
An ssl profile is using cipher groups (instead of the cipher string) and some changes are made to that group.

Impact:
The available ciphers on an ssl profile might not be as expected.

Workaround:
Either always reload the configuration after changing a cipher group, or use the existing cipher string mechanism instead.

Fix:
With this change, changes to a cipher group will be correctly propagated to the ssl profiles.


681782 : Unicast IP address can be configured in a failover multicast configuration

Solution Article: K30665653

Component: TMOS

Symptoms:
Failover multicast configuration does not work when configured with a unicast IP address. Although this is an invalid configuration, the system does not prevent it.

Conditions:
Specify a unicast IP address under 'Failover Multicast Configuration' for network failover in high availability configurations.

Impact:
Failover multicast configuration does not work.

Workaround:
Specify a multicast IP address under 'Failover Multicast Configuration' for network failover.

Fix:
The system now prevents specifying a unicast IP address when configuring multicast failover.


681757 : Upgraded volume may fail to load if a Local Traffic Policy uses the forward parameter 'member'

Solution Article: K32521651

Component: Local Traffic Manager

Symptoms:
In response to this issue, you might see the following symptoms:
-- System remains inoperative
-- Screen alerts similar to the following are posted: 'Configuration has not yet loaded'.
-- Configuration fails to load after upgrade to v12.1.0 or higher.

The system records an error message similar to the following in the ltm log file:

 emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 010716de:3: Policy '/Common/Policy', rule 'Policy-Rule'; target 'forward' action 'select' does not support parameter of type 'member'. Unexpected Error: Loading configuration process failed.

Conditions:
Local Traffic Policy with a forward action that selects a target of type 'member'.

Impact:
Configuration fails to load on upgrade.

Workaround:
Modify the local traffic policies to use a target type of 'node' before upgrading, or, after upgrading, edit the config file and modify 'member' to 'node' in the local traffic policy, and then reload the configuration.

Fix:
Upon upgrade to v12.1.0 or later, policies that perform the action 'forward - select - member' will be automatically changed to 'forward - select - node', and configuration will load successfully.


681726 : Portal Access: support for JavaScript EventSource object

Component: Access Policy Manager

Symptoms:
Most modern browsers (e.g., Google Chrome, Mozilla Firefox, and macOS Safari) support the EventSource object, which allows receipt of server-generated messages via a permanent HTTP connection. The URL used to establish this connection should be rewritten; otherwise connection may not be used.

Conditions:
Web application uses EventSource object.

Impact:
No Portal Access support for EventSource object. Web application may not work correctly.

Workaround:
Use an iRule to rewrite the URL used in the EventSource object, and to disable rewriting for corresponding server responses.

Fix:
Now the EventSource object is supported by Portal Access and can be used in Web applications.


681724-1 : Update iSeries LCD firmware to v2.03.085.00.0

Component: TMOS

Symptoms:
iSeries LCD firmware issues:
-- LTM error logs contain the following rare errors: 1.35V_DDR3: Device or resource busy.

-- There are cases when TMOS is under stress conditions that the LCD on iSeries devices can lock at red 'loading' screen.

Conditions:
-- This can occur if the ADC of the LCD microcontroller is busy updating counts when the request to read is issued.

-- iSeries platforms under stress.

Impact:
-- A rare error message similar to the following, appears in the LTM log: 1.35V_DDR3: Device or resource busy. There is no system impact.

-- LCD on iSeries devices can lock at red 'loading' screen. Appliance power cycle is required to correct the error.

Workaround:
None.

Fix:
Issues are resolved with an updated iSeries LCD image.

iSeries LCD firmware v2.03.085.00.0 fixes the following issues:
-- LTM error logs contain the following rare errors: 1.35V_DDR3: Device or resource busy.

-- There are cases when TMOS is under stress conditions that the LCD on iSeries devices can lock at red 'loading' screen.


681710-1 : Malformed HTTP/2 requests may cause TMM to crash

Solution Article: K10930474


681673 : tmsh modify FDB command permits multicast MAC addresses, which produces unexpected results

Component: Local Traffic Manager

Symptoms:
TMSH does not block modify FDB commands that add multicast MAC addresses.

Conditions:
This occurs when the following is configured using tmsh and the mac-address is multicast:
 fdb vlan <vlan> records add {<mac-address> {interface <slot>/<port>}}

Impact:
There is not enough information to map the outgoing MAC address to a multicast group, so a default entry with no ports mapped is added. The result is that the frame does not go out the interface indicated in the tmsh command, yet no warning is provided.

Workaround:
None.

Fix:
TMSH modify FDB command is no longer permitted to add multicast MAC addresses, so this issue no longer occurs.


681670 : iApp scripts that create ASM policies may stop working if the parent policy is mandated

Component: Application Security Manager

Symptoms:
After enabling mandatory parent policies, iApp scripts that create ASM policies no longer work because no parent policy is assigned.

Conditions:
Mandatory parent ASM policy is enabled.

Impact:
iApp scripts for ASM do not function.

Workaround:
You can use either of the following workarounds:
-- Add parent policy assignment to the script (this is the recommended workaround).
-- Disable mandatory parent policies.

Fix:
iApp scripts that create ASM policies now work correctly if the parent policy is mandated.


681591-3 : False positive WebSafe automatic transactions 'Bot' alerts

Component: Fraud Protection Services

Symptoms:
'Bot score alerts' on pages that use JavaScript to automate click events.

Conditions:
-- WebSafe automatic transactions alerts turned on.
-- Non-zero score configured for 'bot score'.
-- Pages that use JavaScript to automate click events.

Impact:
False positive automatic transaction alerts.

Workaround:
Set 'bot score' to zero for these pages.

Fix:
Allow configuring the following custom JavaScript to disable this feature:
    function(C){C.XX.DFCD=true;}


681499 : Deleting and recreating a route-domain can cause ICMP monitors in that route-domain to permanently fail

Component: Local Traffic Manager

Symptoms:
Pool members or nodes that utilize an ICMP monitor are marked down even though they are actually up. This issue only affects objects in route-domains that were removed and recreated.

Conditions:
The configuration utilizes ICMP monitors in a non-default route-domain and, at some point in the past, the route-domain was deleted and recreated while ICMP monitors were in use in that route-domain.

Impact:
Pool members or nodes are marked down incorrectly.

Workaround:
To avoid the issue, remove icmp monitors for pool-members and nodes before deleting the route-domain. Reapply the monitors after the route-domain is recreated.

To correct the issue, restart the bigd process using the following command: tmsh restart sys service bigd.

Fix:
Pool-members and nodes that utilize an ICMP monitor are no longer incorrectly marked down after the route-domain containing them is deleted and recreated.


681415 : Copying of profile with advanced customization or images might fail

Component: Access Policy Manager

Symptoms:
Copying a profile with advanced customization or images produces an error message similar to the following: 'Please specify language code'.

Conditions:
Access Profile has an advanced customization group or customization image assigned to any object connected to the profile.

Impact:
Unable to copy policy.

Workaround:
None.

Fix:
Copying of profile with advanced customization or images now succeeds as expected.


681385-1 : Forward proxy forged cert lifespan can be configured from days into hours.

Component: Local Traffic Manager

Symptoms:
Once support for OCSP is in place, you may need to forge certificates with a lifespan shorter than one day. Previously, there was no way to configure that.

Conditions:
Configure forward proxy forged cert lifespan shorter than a day.

Impact:
None. This is a request for enhancement.

Workaround:
None.

Fix:
A new DB variable (tmm.ssl.certlifespaninhours) is added to support specifying hours instead of days:

[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
    value "disable"
}
[root@localhost:Active:Standalone] config # tmsh modify sys db tmm.ssl.certlifespaninhours value enable
[root@localhost:Active:Standalone] config # tmsh list sys db tmm.ssl.certlifespaninhours
sys db tmm.ssl.certlifespaninhours {
    value "enable"
}

When this variable is enabled, the configured lifespan is treated as hours. When this variable is disabled, the configured lifespan is treated as days.

Behavior Change:
Configured Forward proxy forged cert lifespan allows changing from days to hours using a new DB variable: tmm.ssl.certlifespaninhours.


681256 : Virtual Edition GTM DNS Query Performance Degradation

Component: Performance

Symptoms:
The transaction rate for a DNS A record request synthetic test was up to fourteen percent lower for the BIG-IP Virtual Edition Release 13.1.0 compared to Release 13.0.0.

Conditions:
BIG-IP Virtual Edition 13.1.0 is deployed on a vSphere 6.0 or 6.5 system. Traffic consists solely of DNS A record requests at the rate of 700,000 requests per second. Ingress traffic is handled by an ESXi Intel ixgbe driver.

Impact:
The DNS transaction rate is up to fourteen percent lower on BIG-IP Virtual Edition 13.1.0 compared to 13.0.0.

Workaround:
DNS performance can be restored by altering the TMM scheduler maximum sleep duration to 250 usec. To do so, run the following command:
    tmsh modify sys db scheduler.maxsleepduration.ltm value 250000

The 250 usec value will improve DNS performance on a 10 GbE NIC, but reduce TCP performance on a 40 GbE NIC.

Fix:
Virtual Edition GTM DNS Query Performance Degradation has been addressed.


681243 : Error messages in Google Compute Engine that gateway is not in a connected network

Component: TMOS

Symptoms:
When running Virtual Edition (VE) in Google Compute Engine, some log messages are emitted of the form:

-- err mcpd[31409]: 01071a95:3: Admin IP (10.128.0.5/255.255.255.255): Gateway (::) for management route (/Common/dhclient_route1) is not in a connected network.
-- err mcpd[31409]: 01071a95:3: Admin IP (10.128.0.5/255.255.255.255): Gateway (10.128.0.1) for management route (/Common/default) is not in a connected network.

These messages are benign and can be ignored.

Conditions:
-- Deploy BIG-IP VE in Google Compute Engine.
-- Look at /var/log/ltm for the time period during startup.

Impact:
Spurious log messages.

Workaround:
There is no workaround at this time.

Fix:
These log messages are no longer emitted.


681178 : No way to determine AFM functional area mapping to log signature IDs for logs

Component: Advanced Firewall Manager

Symptoms:
There is no way to determine which log IDs are associated with which functional area in AFM.

Conditions:
-- AFM configured.
-- Logs are generated.

Impact:
Cannot determine the mapping between functional area and log IDs.

Workaround:
None.

Fix:
The following list defines which log IDs are associated with which functional area in AFM:

-- NETWORK_ACL = 23003137;
-- DOS_NETWORK = 23003138;
-- PROTOCOL_DNS = 23003139;
-- DOS_APPLICATION = 23003140;
-- DOS_PROTOCOL_DNS = 23003141;
-- IP_INTELLIGENCE = 23003142;
-- IPS_LOG = 27590657;
-- 23003143 is not used;
-- TRAFFIC_FLOW_STATS = 23003155;
-- TRAFFIC_SYNCOOKIE_STATS = 23003156;
-- THROTTLED_MESSAGES = 23003154;
-- PROTOCOL_SIP = 23003144;
-- DOS_PROTOCOL_SIP = 23003145;
-- PROTOCOL_HTTP = 23003146;
-- PEM_LOG = 24182785;
-- CONFIG_CHANGE_LOG = 23003158;
-- PORT_MISUSE_LOG = 23003157;
-- RTBH_LOG = 23003163;
-- SHUN_LOG = 23003159;
-- NAT_LOG = 23003161;
-- NAT_ERR_LOG = 23003162;
-- NAT_PB_LOG = 23003168;
-- DOS_THRESHOLD = 23003160;
-- DYNAMIC_SIGNATURES = 23003173;
-- BOTDEFENSE_REQUESTS = 23003147;
-- SCRUBBER_LOG = 23003172;
-- CLASSIFICATION_LOG = 27656193;
-- PROTOCOL_SSH_AUTH = 23003164;
-- PROTOCOL_SSH_ACTION = 23003165;
-- PROTOCOL_SSH_TRAFFIC = 23003167;
-- PROTOCOL_SSH_EVENTS = 23003166;


681175 : TMM may crash during routing updates

Solution Article: K32153360

Component: Local Traffic Manager

Symptoms:
When dynamic routing is configured and ECMP routes are received, certain routing updates may lead to a TMM crash.

Conditions:
-- Dynamic routing.
-- ECMP routes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable ECMP routes by configuring "max-paths 1" in ZebOS.

Fix:
TMM no longer crashes on routing updates when ECMP is in use.


681109-5 : BD crash in a specific scenario

Solution Article: K46212485

Component: Application Security Manager

Symptoms:
BD crash occurs.

Conditions:
A specific, non-default configuration with specific traffic.

The issue is much more likely to occur when the policy is not tuned correctly, in which case you might receive a potentially huge number of false positive attack signature matches on that payload. The crash might then occur if there is a subsequent 'Parameter value does not comply with regular expression' violation on that same payload.

For example, nothing prevents you from incorrectly associating a Content-Type and <type-value> with a Request Body Handling parser that is not designed to parse that type of data, such as the following:
  Content-Type :: *xml* :: form-data

This configuration is likely to produce a very long list of false-positive attack signature matches. Because the resulting message is so large, the regular-expression violation, which is also likely to occur on the same payload, cannot be appended to the already-filled message, and the crash follows.

Impact:
Failover, traffic disturbance.

Workaround:
In order to prevent this, correctly configure the header-based-content-profile property on URLs for cases where an unusual header requires a specific, potentially unexpected parsing mechanism.

A correctly configured header-based-content-profile property on URLs appears as follows:

In URL Properties, the Header-Based Content Profiles section of the wildcard URL by default applies the value and content signatures. Here, you can associate a Content-Type with a <type-value> and a <parser-type>. By default, the correct definitions are as follows:
 Content-Type :: *form* :: Form Data
 Content-Type :: *json* :: JSON
 Content-Type :: *xml* :: XML

Fix:
Added a check to prevent a crash in a specific scenario.


681070 : NAT66 may fail if configured with a single translation address

Component: Carrier-Grade NAT

Symptoms:
When the number of addresses configured on an lsn-pool or source-translation object is fewer than the number of tmms in the system, there is a chance that the outbound connection's translation fails.

Conditions:
NAT66 configured with a single translation address configured in the lsn-pool or source-translation object.

Impact:
Sub-optimal performance. May cause functional/validation tests to fail.

Workaround:
Configure at least as many translation addresses on your lsn-pool or source-translation object as there are tmms on the BIG-IP system.

Fix:
NAT66 translations no longer fail when only a single translation address is configured.


680954 : mcpd emits an error message upon load when DER certificates are used

Component: TMOS

Symptoms:
mcpd may generate an error message of this format:

0107147f:3: Could not read certificate file (/Common/filename.crt).

Conditions:
Happens at load time when the configuration contains certificate file objects that were in DER format when they were imported.

Impact:
The error message is emitted, and the certificates are not verified, but the configuration loads successfully.

Workaround:
Use the PEM format instead of DER. This is more common, and the default in OpenSSL.

Fix:
Certificates in the DER format are now handled successfully.


680856 : IPsec config via REST scripts may require post-definition touch of both policy and traffic selector

Component: TMOS

Symptoms:
A new IPsec tunnel may not work after being configured over REST. While the configuration is correct, a log message similar to the following may appear in ipsec.log (IKEv2 example):

info tmm[24203]: 017c0000 [0.0] [IKE] [INTERNAL_ERR]: selector index (/Common/Peer_172.16.4.1) does not have corresponding policy

Conditions:
A new IPsec tunnel is configured over REST.

Impact:
The newly configured IPsec tunnel does not start.

Workaround:
The following methods cause the traffic-selector and ipsec-policy to be correctly related to one another:
-- Restart tmm.
-- Change the configuration, for example the Description field, of both the policy and the traffic selector. This may also be done using REST.

Fix:
A traffic selector can no longer use a deleted policy by name, and if recreated after deletion, the policy is correctly constructed.


680850 : Setting zxfrd log level to debug can cause AXFR and/or IXFR failures due to high CPU and disk usage.

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling debug logging on zxfrd (DNSX) can result in excessive CPU and disk usage, as well as errors during DNS AXFR or IXFR processing.

Conditions:
log.zxfrd.level is set to debug by running the following command: tmsh modify sys db log.zxfrd.level value debug

Impact:
IXFRs or AXFRs may fail and be rescheduled due to high CPU usage by zxfrd, which causes it to fail to process data packets during a transfer.

Workaround:
To avoid this issue, do not set log.zxfrd.level to debug.

Fix:
With this change, the dump to /var/tmp/zxfrd.out occurs only when a new db variable, dnsexpress.dumpastext, is set to true. This enables turning on logging for debug without consuming all the CPU and disk necessary to dump packets and zone contents.

Note: Setting this value to true causes the information to be dumped to stderr, which reintroduces the original issue, potentially causing transfer failures and high system resource usage. F5 recommends that you enable it only when directed to do so by F5 support staff.

Behavior Change:
Previously, setting the zxfrd log level to debug caused all AXFR and IXFR requests and responses to be logged to /var/tmp/zxfrd.out. Doing so also caused the contents of all zones to be dumped, as text, to /var/tmp/zxfrd.out when the database was saved.

This was extremely CPU-, memory-, and disk-intensive. The CPU load could cause zxfrd to fail to process transfer data packets in a timely fashion, which could cause the master DNS server to close the connection.

With this fix, setting log.zxfrd.level debug no longer outputs this information.

Although it is not generally useful to output the contents of the transfer packets or the contents of the database, if this information is required for troubleshooting or information-verification purposes, you can set the new db variable: dnsexpress.dumpastext. The note under Fix above about the resource cost of doing so applies.


680838 : IKEv2 able to fail assert for GETSPI_DONE when phase-one SA appears not to be initiator

Component: TMOS

Symptoms:
A tmm restart and corefile can occur in rare cases while negotiating an IKEv2 IPsec tunnel.

A child_sa managed to process GETSPI_DONE once in the IDLING state, where the ike_sa was expected to be the initiator, but it appeared not to be -- failing an assert.

Conditions:
The BIG-IP is negotiating an IPsec tunnel as the Initiator, but an unexpected state change associated with being the Responder occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM will no longer restart due to assertion failure.


680808 : qkview may not collect all data if there are deleted files in the filestore

Component: TMOS

Symptoms:
If files linked in /config/filestore/files_d/ are deleted or moved elsewhere in the filesystem, mcpd reports an error, and qkview then aborts collecting data from mcpd even though the collection has not finished.

Conditions:
Files linked in /config/filestore/files_d/ are deleted or moved elsewhere in the filesystem.

Impact:
Some data in the MCP database will be missing from qkview.

Fix:
qkview mcp module has been changed so that it will report errors from mcpd, but will continue processing.


680755 : max-request enforcement no longer works outside of OneConnect

Solution Article: K27015502

Component: Local Traffic Manager

Symptoms:
max-request enforcement does not work when OneConnect is not configured.

Conditions:
-- The max-request enforcement option is configured.
-- OneConnect is not configured.

Impact:
max-request enforcement does not work.

Workaround:
Always use OneConnect.

Fix:
max-request enforcement now works when OneConnect is not configured.


680729 : DHCP Trace log incorrectly marked as an Error log.

Solution Article: K64307999

Component: Policy Enforcement Manager

Symptoms:
The following sample DHCP debug log may be found repeatedly in the TMM logs.

<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>

Conditions:
Send a DHCP request through a DHCP virtual and wait for 30 seconds for the DHCP callback to trigger.

Impact:
Possible clutter in the TMM logs.

Workaround:
Set the db variable to critical. To do so, run the following command: setdb tmm.dhcp.log.level critical

Fix:
The following log message now appears only when DHCP debug logging is enabled:
<#> <date> <slot#> notice DHCP:dhcpv4_xh_timer_callback/1053: Entering: <mac-addr>


680606 : Using iRule HTTP::redirect or HTTP::respond inside HTTP_REQUEST causes connection reset.

Component: Local Traffic Manager

Symptoms:
When trying to run HTTP::redirect or HTTP::respond inside an HTTP_REQUEST event in which the destination host name is used (instead of an IP address), the HTTP connection is incorrectly reset.

Conditions:
-- iRule statement HTTP::redirect inside HTTP_REQUEST event.
-- Use DNS name server to resolve the host name.

Impact:
HTTP connection is unexpectedly reset.

Workaround:
None.

Fix:
Using HTTP::redirect or HTTP::respond inside HTTP_REQUEST event no longer causes a reset.


680556 : Under unknown circumstances sometimes a sessionDB subkey entry becomes corrupted

Component: TMOS

Symptoms:
TMM crashes with a subkey that has master_record field set to true.

Conditions:
The specific conditions under which this occurs are not known.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Although the root cause is not known, the system now handles the corrupted subkey without necessarily restarting tmm.


680388 : f5optics should not show function name in non-debug log messages

Component: TMOS

Symptoms:
For logging thresholds other than debug, the function name appears in log messages created by f5optics.

Conditions:
-- BIG-IP is running.
-- The logging threshold is set to a value other than debug.

Impact:
Log files contain unexpected data.

Workaround:
There is no workaround at this time.

Fix:
With the fix, f5optics no longer displays function names in non-debug log messages.


680353 : Brute force source-based mitigation is not working as expected

Component: Application Security Manager

Symptoms:
Under some conditions, brute force mitigations are not applied in the configured order; for example, a CAPTCHA is served instead of a drop.

Conditions:
-- Brute force is configured.
-- There is more than one source (for example, User and IP address).

Impact:
The incorrect mitigation is received.

Workaround:
None.

Fix:
Fixed an issue with brute force mitigations.


680345 : Change Captcha to be more flexible and dynamic

Component: Advanced Firewall Manager

Symptoms:
The captcha image is limited to 6 characters, which must be digits or alphanumeric characters, and is case insensitive.

Conditions:
This is related to the captcha functionality.

Impact:
Limited flexibility configuring captcha.

Workaround:
There is no workaround.

Fix:
New Captcha image capture settings have been added.

Behavior Change:
New Captcha image capture settings have been added.


680264-3 : HTTP2 headers frame decoding may fail when the frame is delivered in multiple xfrags

Solution Article: K18653445

Component: Local Traffic Manager

Symptoms:
Intermittently, HTTP2 experiences protocol resets.

Conditions:
-- An xfrag is 2 bytes in length.
-- The header length is greater than 128, so its HPACK integer encoding needs a continuation byte after the prefix byte.
-- A new xfrag starts right after the prefix byte.

For example, http2_arbint_read returns an incorrect header length when the prefix byte is 0xFF (BYTE1) and the next byte has to be read from the following xfrag.

Impact:
Unexpected loss of HTTP2 frames due to protocol resets.

Workaround:
No effective workaround.

Fix:
HTTP2 now parses the request, regardless of its xfrags distribution.
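
The xfrag condition in 680264-3 above, shown as an added Python example that is not BIG-IP or F5 code: an HPACK integer decoder (RFC 7541, section 5.1) that reads only within one fragment returns nothing when the 0xFF prefix byte is the last byte of a 2-byte xfrag, while a cursor that continues into the next xfrag recovers the 200-byte header length. The xfrag list, the XfragCursor class and the HEADERS payload bytes are constructed for this example and stand in for TMM's buffer chain.

```python
"""HPACK integer decoding (RFC 7541, section 5.1) when the encoded integer is
split across 2-byte fragments. Added example, not BIG-IP code; the xfrag list
and the payload bytes below are constructed for illustration."""


def hpack_int_encode(value: int, prefix_bits: int, first_byte_flags: int = 0) -> bytes:
    """Encode an integer with an N-bit prefix; flags occupy the high bits of byte 1."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | limit])
    value -= limit
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)  # 7 data bits, continuation bit set
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_in_single_fragment(frag: bytes, offset: int, prefix_bits: int):
    """Decoder that only looks inside the current fragment. Returns
    (value, bytes_consumed), or None when the continuation bytes live in the
    next fragment, which is the failure the release note describes."""
    limit = (1 << prefix_bits) - 1
    if offset >= len(frag):
        return None
    value = frag[offset] & limit
    i = offset + 1
    if value < limit:
        return value, i - offset
    shift = 0
    while True:
        if i >= len(frag):
            return None  # prefix byte seen, but the 'next byte' is not in this xfrag
        b = frag[i]
        i += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, i - offset


class XfragCursor:
    """Byte cursor over a chain of fragments; reads continue into the next one."""

    def __init__(self, xfrags):
        self._xfrags = [bytes(x) for x in xfrags]
        self._fi = 0  # fragment index
        self._bi = 0  # byte index within the current fragment

    def next_byte(self) -> int:
        while self._fi < len(self._xfrags):
            cur = self._xfrags[self._fi]
            if self._bi < len(cur):
                b = cur[self._bi]
                self._bi += 1
                return b
            self._fi += 1
            self._bi = 0
        raise EOFError("HPACK integer truncated at end of frame")


def decode_across_xfrags(cur: XfragCursor, prefix_bits: int) -> int:
    """Same algorithm, but the byte source spans fragment boundaries."""
    limit = (1 << prefix_bits) - 1
    value = cur.next_byte() & limit
    if value < limit:
        return value
    shift = 0
    while True:
        b = cur.next_byte()
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value
        if shift > 28:  # bound the value so a peer cannot make the loop run on
            raise ValueError("HPACK integer too large")


def split_into_xfrags(data: bytes, size: int = 2):
    return [data[i:i + size] for i in range(0, len(data), size)]


def demo():
    """Literal header field with incremental indexing and a new name (0x40),
    whose name is a Huffman-coded string of 200 bytes: H bit set plus 7-bit
    prefix 127 gives 0xFF, then 0x49 carries the remaining 73. Split into
    2-byte xfrags, 0xFF ends the first xfrag and 0x49 starts the next."""
    payload = bytes([0x40]) + hpack_int_encode(200, 7, first_byte_flags=0x80)
    xfrags = split_into_xfrags(payload, 2)          # [b'\x40\xff', b'\x49']
    naive = decode_in_single_fragment(xfrags[0], 1, 7)
    cur = XfragCursor(xfrags)
    cur.next_byte()                                  # skip the 0x40 field-type byte
    robust = decode_across_xfrags(cur, 7)
    return naive, robust                             # (None, 200)
```

The fragment-bounded decoder is the shape of the bug: it has no way to express "need more bytes", so the caller sees a failure and resets the stream. The cursor version is how a practitioner would structure the read, and the shift bound guards the decoder against an endless run of continuation bytes from a hostile peer.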


680154 : f5.http iApp cannot add nodes with names containing four or fewer characters

Component: TMOS

Symptoms:
You are unable to deploy the f5.http iApp with node names of four or fewer characters that might already be used in other parts of the config.

Conditions:
Node name is short: four or fewer characters.

Impact:
iApp posts an error and does not deploy.

Workaround:
The bug is in uncompiled tcl code. The suggested workaround is to implement the fix. Edit /usr/share/tcl8.5/iapp/iapp*.tcl, and replace the 4 lines following the comment "# Detect a CIDR mask and pull it off the addr string" with these 5 lines:

    if { [regexp {/[0-9][0-9]?[0-9]?$} $addr] == 1 } {
        set loc [string first {/} $addr]
        set cidr_bits [string range $addr [expr {$loc + 1}] end]
        set addr [string range $addr 0 [expr {$loc - 1}]]
    }

Fix:
In this release, iApps now support very short node names (fewer than five characters).


680112 : SWG-Explicit rejects large POST bodies during policy evaluation

Solution Article: K18131781

Component: Access Policy Manager

Symptoms:
When an access profile of type SWG-Explicit is being used, there is a 64 KB limit on POST bodies while the policy is being evaluated.

==> /var/log/apm <==
err tmm[13751]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_SUPPORTED. File: ../modules/hudfilter/access/access.c, Function: hud_access_process_ingress, Line: 3048

Conditions:
This applies only during the policy evaluation. After the policy has been set to 'Allow', there is no limit.

Impact:
Unable to start an SWG-Explicit policy with a large POST body.

Workaround:
None.

Fix:
Set the db variable 'tmm.access.maxrequestbodysize' to a value larger than the largest POST body you need to support. The maximum supported value is 25000000 (25 MB).


680086-1 : md5sum check on BMC firmware fails

Component: TMOS

Symptoms:
Checking the md5 sum of BMC firmware fails when issuing the command 'md5sum -c /usr/firmware/shuttle_x.x.xx.ima_enc.md5'. The command fails with a message similar to the following: "(...) listed file could not be read".

Conditions:
iSeries appliances:
- i2000
- i4000
- i5000
- i7000
- i10000
- i15000

Impact:
'md5sum -c' does not work for BMC firmware checksums.

Workaround:
Indirectly check the md5sum by calculating it with 'md5sum /usr/firmware/shuttle*.ima_enc' and comparing it to 'cat /usr/firmware/shuttle*.ima_enc.md5'. Or use this command:

diff -sy <(md5sum < /usr/firmware/shuttle*.ima_enc | awk '{ print $1 }') <(cat /usr/firmware/shuttle*.ima_enc.md5 | awk '{ print $1 }')
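
An added Python equivalent of the workaround above (not F5 code) that verifies the image against the digest in the .md5 file while ignoring the file name that the .md5 lists, which is the mismatch that makes 'md5sum -c' fail here. The firmware file name used in demo() is hypothetical and the image contents are constructed. A digest shipped beside the image only detects corruption in transfer or on disk; it is not a signature, so passing this check does not establish that the image is authentic.

```python
"""Verify a firmware image against a detached .md5 file whose listed file name
does not match the path on disk. Added example, not F5 code; the file names in
demo() are hypothetical and the image bytes are constructed."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image is never read whole


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def expected_digest(md5_path: str) -> str:
    """Read the hex digest from the first field of a 'digest  filename' line and
    ignore the filename field, which is what lets the check work when the
    listed name does not exist on disk."""
    with open(md5_path, "r", encoding="ascii") as f:
        fields = f.readline().split()
    if not fields or len(fields[0]) != 32 or any(c not in "0123456789abcdefABCDEF" for c in fields[0]):
        raise ValueError(f"{md5_path}: first field is not an MD5 digest")
    return fields[0].lower()


def verify_firmware(image_path: str, md5_path: str) -> bool:
    # compare_digest is the idiomatic constant-time comparison for digests.
    return hmac.compare_digest(md5_of_file(image_path), expected_digest(md5_path))


def demo():
    """Build a fake image plus a .md5 that lists a different file name, as the
    BMC firmware .md5 does. Returns (verdict, verdict after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "shuttle_1.2.34.ima_enc")  # hypothetical name
        with open(image, "wb") as f:
            f.write(b"constructed firmware payload\n" * 1000)
        md5file = image + ".md5"
        with open(md5file, "w", encoding="ascii") as f:
            f.write(f"{md5_of_file(image)}  shuttle.ima_enc\n")  # listed name not on disk
        ok = verify_firmware(image, md5file)
        with open(image, "ab") as f:
            f.write(b"\x00")  # one appended byte must flip the verdict
        return ok, verify_firmware(image, md5file)
```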

Fix:
Fixed 'md5sum -c' not working for BMC firmware checksums.


680074 : TMM crashes when serverssl cannot provide certificate to backend server.

Solution Article: K09225420

Component: Local Traffic Manager

Symptoms:
TMM halts and restarts when server SSL cannot provide a certificate to the backend server.

Conditions:
-- The backend server is configured to require a client certificate to complete the SSL handshake.
-- The server SSL profile is not configured with a client certificate.

Impact:
TMM halts and restarts. Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer halts and restarts when server SSL cannot provide a certificate to the backend server.


680069 : zxfrd core during transfer while network failure and DNS server removed from DNS zone config

Solution Article: K81834254

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd cores and restarts.

Conditions:
While zone transfer is in progress, the network fails and the DNS server is removed from the DNS zone configuration.

Impact:
zxfrd cores.

Workaround:
None.

Fix:
zxfrd no longer cores when the network fails and the DNS server is removed from the DNS zone configuration while a transfer is in progress.


679990 : False negative: Selenium is not detected in the Firefox browser

Component: Application Security Manager

Symptoms:
Selenium is not detected in the Firefox browser by PBD (proactive bot defense).

Conditions:
-- PBD is enabled.
-- Selenium is driving the Firefox browser.

Impact:
False negative: Selenium traffic from Firefox is not blocked.

Workaround:
There is no workaround at this time.

Fix:
Selenium is now better detected on Firefox.


679898 : When two BIG-IP virtual servers are configured with multi-domain SSO, under certain conditions user may encounter HTTP redirect loop.

Component: Access Policy Manager

Symptoms:
After successful authentication on the primary authentication virtual server and a successful redirect to the application virtual server, the user may click the browser's back button, which re-requests the multi-domain authentication URL. This may result in an HTTP redirect loop.

Conditions:
BIG-IP is configured with the multi-domain authentication service for web applications behind LTM+APM virtual servers.

APM multi-domain authentication service is configured with an access policy that does not contain a webtop and a "Primary Authentication URI" virtual server does not have an ltm pool assigned to it.

Impact:
User may encounter HTTP redirect loop

Fix:
User will not encounter HTTP redirect loops.


679861-1 : Weak Access Restrictions on the AVR Reporting Interface

Component: Application Visibility and Reporting

Symptoms:
The AVR reporting interface does not follow best practices for access restrictions.

Conditions:
AVR provisioned

Impact:
If accessed the AVR reporting interface may disclose:
 - Client and server IP addresses
 - URIs from client requests
 - Metadata about attacks detected by BIG-IP

Workaround:
Ensure that network access to the management port is restricted and that Port Lockdown setting for Self-IPs is not set to "Allow All". The default port lockdown of "Allow Default" provides mitigation against access via Self-IP.
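
To audit the Port Lockdown part of the workaround above, an added Python example (not F5 code) that parses the output of 'tmsh list net self' and reports the self IPs whose allow-service is 'all'. The sample output is constructed to follow the tmsh list format and is not from a real device. If a self IP shows no allow-service line, run 'tmsh list net self all-properties' so the default is printed explicitly rather than relying on the assumption the parser makes.

```python
"""Report self IPs with Port Lockdown 'Allow All' from `tmsh list net self`
output. Added example, not F5 code; SAMPLE_TMSH_OUTPUT is constructed."""
import re

SAMPLE_TMSH_OUTPUT = """\
net self /Common/internal-self {
    address 10.10.10.5/24
    allow-service default
    traffic-group traffic-group-local-only
    vlan internal
}
net self /Common/external-self {
    address 198.51.100.5/24
    allow-service all
    traffic-group traffic-group-local-only
    vlan external
}
net self /Common/ha-self {
    address 10.10.20.5/24
    allow-service {
        tcp:ssh
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}
"""

_SELF_HEADER = re.compile(r"^net self (\S+) \{", re.M)
_KEYWORD = re.compile(r"^\s*allow-service\s+(all|default|none)\s*$", re.M)
_EXPLICIT = re.compile(r"^\s*allow-service\s+\{(.*?)\}", re.M | re.S)


def parse_self_ips(text: str) -> dict:
    """Map self IP name -> 'all' | 'default' | 'none' | sorted list of services."""
    result = {}
    headers = list(_SELF_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        kw = _KEYWORD.search(body)
        if kw:
            result[m.group(1)] = kw.group(1)
            continue
        explicit = _EXPLICIT.search(body)
        # Assumption: a missing allow-service line means the default setting;
        # confirm with 'tmsh list net self all-properties' on a real device.
        result[m.group(1)] = sorted(explicit.group(1).split()) if explicit else "default"
    return result


def self_ips_allowing_all(text: str) -> list:
    """Names of self IPs that expose every listener, including the AVR interface."""
    return sorted(name for name, svc in parse_self_ips(text).items() if svc == "all")
```

Run it against captured output ('tmsh list net self > selfips.txt') and treat every name it returns as a finding; a self IP that needs more than the default lockdown should get an explicit service list, not 'all'.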

Fix:
Stronger access restrictions enforced on the AVR reporting interface.


679854 : UIE persist may be inconsistent after a pool member is brought down

Component: Local Traffic Manager

Symptoms:
For Universal Inspection Engine (UIE) persistence, requests might be load balanced to a different pool member after the original persisted pool member is brought down.

Conditions:
-- UIE persist.
-- Original persisted pool member brought down.

Impact:
Inconsistent UIE persist.

Workaround:
None.

Fix:
The system now provides consistent UIE persistence after a pool member goes down.


679722 : Configuration sync failure involving self IP references

Component: Advanced Firewall Manager

Symptoms:
Configuration sync fails, generating an error similar to the following:

Caught configuration exception (0), Values (self-IP) specified for self IP (<name>): foreign key index (fw_enforced_policy_FK) do not point at an item that exists in the database..

Conditions:
-- There is another object, such as a firewall policy, that references a self IP address.
-- The self IP address is non-syncable; that is, its traffic group is set to 'traffic-group-local-only'.

Impact:
Sync operation fails.

Workaround:
Set the self IP address' traffic group to a value other than 'traffic-group-local-only', and then force a full load push from the first device.

Fix:
If a self IP's traffic group is non-syncable, changing it to a syncable value (anything other than 'traffic-group-local-only') now causes the system to suggest synchronization.


679613 : i2000/i4000 Platforms Improperly Handle VLANs Created with a Value of '1'

Solution Article: K23531420

Component: Local Traffic Manager

Symptoms:
When an interface is associated with a VLAN whose tag value is '1', traffic is incorrectly sent out as untagged.

Conditions:
1. Create a VLAN with a tag value of '1'.
2. Associate an interface with the VLAN whose value is '1'.
3. Send traffic out that interface.

Impact:
Incorrect routing/switching of traffic.

Workaround:
Use VLANs with a tag value different from '1'.


679496 : Add 'comp_req' to the output of 'tmctl compress'

Component: Local Traffic Manager

Symptoms:
The output of 'tmctl compress' displays the total number of requests (tot_req), but does not distinguish between deflate (compression) requests and inflate (decompression) requests.

Conditions:
Viewing the output of the 'tmctl compress' command.

Impact:
Cannot determine the different types of requests.

Workaround:
There is no workaround at this time.

Fix:
This release now distinguishes between deflate (compression) requests and inflate (decompression) requests: a new counter, 'comp_req', reports compression requests. The number of decompression requests is tot_req - comp_req.


679494 : Change the default compression strategy to speed

Component: Local Traffic Manager

Symptoms:
The current default compression.strategy is 'latency', which does not perform properly: the provider selection algorithm does not react to load changes fast enough.

Conditions:
Using compression.strategy to distribute workload among hardware and software compression providers.

Impact:
The workload may not be distributed evenly among hardware and software compression providers when compression.strategy is 'latency'.

Workaround:
Modify the tmsh sys db variable compression.strategy to 'speed'.

Fix:
The default compression strategy is now set to 'speed'.


679479 : AOM banner can appear after rebooting BIG-IP systems

Component: TMOS

Symptoms:
When performing multiple BIG-IP system reboots or host resets via the AOM menu, the AOM (BMC) device can become busy processing interrupts or other signals from the host and the AOM's IPMI main process will restart itself.

As a result of this intermittent issue, you might encounter the following symptoms:

1. Showing the AOM Banner on the host serial console (if connected):

    --- Press <ESC>( for AOM Command Menu.

2. System Event Log entry in the '/var/log/sel' file:

    0001 08/30/17 08:00:23 INF BMC boot marker.

Note: It is normal to see a 'BMC boot marker' log entry if you power-cycle the device.

Conditions:
Perform multiple BIG-IP reboots or host resets via the AOM menu.

Impact:
Because this issue is intermittent, there is no way to predict the number of reboots required to expose the issue. It might appear after 10, 50, or 100 reboots, or you might not experience the issue regardless of the number of reboots.

Note: If this situation occurs three times, the AOM will force a hard reset of itself by creating a watchdog timeout expiration.

Workaround:
There is no workaround to this issue at this time.

Fix:
Improved handling of usb/scsi/hdisk commands when booting a BIG-IP REL7 system has eliminated this issue.


679384 : The policy builder is not getting updates about the newly added signatures.

Solution Article: K85153939

Component: Application Security Manager

Symptoms:
The policy builder is not getting updates about the newly added signatures.

Conditions:
When ASU is installed or user-defined signatures are added/updated.

Impact:
No learning suggestions for some of the newly added signatures.

Workaround:
Use either of the following workarounds:
-- One workaround is restarting the policy builder. This will revert the learning progress made in the last 24 hours:
 killall -s SIGHUP pabnagd

-- Manually change some Policy Attack Signature Set in Learning and Blocking Settings (e.g., disabling and re-enabling Learn checkbox).

Fix:
After the fix, Policy Builder will be aware of all newly added signatures.


679347 : ECP does not work for PFS in IKEv2 child SAs

Component: TMOS

Symptoms:
The original racoon2 code has no support for Diffie-Hellman generate or compute operations using elliptic curve groups for perfect forward secrecy (PFS).

Additionally, the original interfaces are synchronous, while the only ECP support present uses an asynchronous, callback-based API, so simply adding ECP on top of them does not work.

Conditions:
Changing an ike-peer definition from the default phase1-perfect-forward-secrecy value of modp1024 to something using ECP: ecp256, ecp384, or ecp512.

Note: The first child SA is negotiated successfully.

Impact:
Once the first child SA expires (or is deleted), the IKEv2 tunnel goes down when another SA cannot be negotiated.

Workaround:
Use MODP for perfect-forward-secrecy instead of ECP.

Fix:
Full support for ECP as the PFS group has been added, so a new child SA negotiated in an IKEV2EXCH_CREATE_CHILD_SA exchange works as expected for ecp256, ecp384, and ecp512.


679221 : APMD may generate core file or appears locked up after APM configuration changed

Component: Access Policy Manager

Symptoms:
Right after clicking the 'Apply Access Policy' link, APMD may generate a core file and restart; or appears to be locked up.

Conditions:
-- Changing APM configuration, especially Per-Session and Per-Request Policy.
-- Configured for AD or LDAP Auth Agent.

Impact:
If APMD restarts, then AAA service will be interrupted for a brief period of time. If APMD appears to be locked up, then AAA service will be stopped until manually restarted.

Workaround:
None.

Fix:
APMD now processes the configuration changes correctly during 'modify apm profile access <profile name> generation-action increment' (TMSH) or 'Apply Access Policy' (GUI), and no service interruption occurs.


679149 : TMM may crash or LB::server returns unexpected result due to reused lb_result->pmbr[0]

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash or LB::server returns unexpected result.

Conditions:
GTM rule command LB::server is executed before a load balance decision is made or the decision is not to a real pool member.

Impact:
GTM rule command LB::server returns unexpected result. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
GTM rule command LB::server is now executed at the correct time, so TMM does not crash and LB::server returns expected results.


679135 : IKEv1 and IKEv2 cannot share common local address in tunnels

Component: TMOS

Symptoms:
When IKEv1 and IKEv2 IPsec tunnels are configured to use the same local IP address, either all the IKEv1 or all the IKEv2 tunnels will not establish.

Note: This is as designed: the system does not support using the same local self IP to establish both IKEv1 and IKEv2 tunnels. However, the system does not prevent it, and there is no indication of the reason for the failure.

Conditions:
-- Use the same self IP as the local address of an IPsec tunnel for IKEv1, as well as the local address of a tunnel for IKEv2.
-- Try to create competing listeners.

Impact:
Either the IKEv1 or IKEv2 tunnel will not work, because the listener for that tunnel fails to establish. Usually the IKEv1 tunnel will not work after tmm restart or BIG-IP reboot.

Workaround:
Use another self IP for the tunnel local address to keep IKEv1 and IKEv2 local tunnel addresses separate.

Note: If IKEv1 tunnels use one local address, while IKEv2 tunnels use another, everything works as expected.

Fix:
Logging in /var/log/ltm now reveals failure to establish listener, along with a suggestion to avoid sharing one local address across IKEv1 and IKEv2 tunnels.


679114 : Persistence record expires early if an error is returned for a BYE command

Solution Article: K92585400

Component: Service Provider

Symptoms:
When an error is returned for a SIP command, the persistence timeout is set to the transaction timeout.

Conditions:
An error is returned for any SIP command.

Impact:
The persistence record will expire early when the call has not been ended.

Workaround:
None.

Fix:
For BYE commands, the persistence timeout is no longer set to the transaction timeout when an error is returned.


679088 : AVR reporting and analytics does not display statistics for many source regions

Component: Application Visibility and Reporting

Symptoms:
1. The network reporting does not show the statistics related to some Source Regions.
2. In the Security => Reporting => Network => Enforced Rules dashboard, some Source Regions cannot be selected or found using the filter.
For example, the following Source Regions are missing:
France (Ile-de-France), Ukraine (Kyyiv), Russian Federation (Tambovskaya oblast), South Africa (Western Cape), and Spain (Madrid).

Conditions:
This occurs when attempting to filter on the affected source regions.

Impact:
The network reporting does not show the statistics related to some Source Regions.


678925 : Using a multicast VXLAN tunnel without a proper route may cause a TMM crash.

Component: TMOS

Symptoms:
Using a multicast VXLAN tunnel without a proper route associated with the tunnel's local-address may cause a TMM crash.

Conditions:
When the following conditions are met:
- No route is associated with the tunnel's local-address.
- A selfip address is assigned to the tunnel.

Then, a connection using the tunnel may cause a TMM crash.

Note: You can use the TMSH command "show net route lookup <address>" to check whether there is a route associated with the tunnel's local-address.

Impact:
The TMM crashes and traffic is disrupted.

Workaround:
Make sure that there is a route associated with the tunnel's local-address, before using the tunnel.

Fix:
The TMM no longer crashes.


678861 : DNS:: namespace commands in procs cause upgrade failure when changing from a Link Controller license to another license

Solution Article: K00426059

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade fails with a message similar to the following.

emerg load_config_files: "/usr/bin/tmsh -n -g load sys config partitions all " - failed. -- 01070356:3: Link Controller feature not licensed. Unexpected Error: Loading configuration process failed.

Conditions:
The system previously had a Link Controller license, and an iRule proc contains DNS:: commands.

Impact:
Upgrade fails.

Workaround:
Remove DNS:: commands from procs before upgrade.

Or use AFM instead of iRules.


678851 : Portal Access produces incorrect Java bytecode when rewriting java.applet.AppletStub.getDocumentBase()

Component: Access Policy Manager

Symptoms:
Java applets containing a call to getDocumentBase() through a reference to java.applet.AppletStub are incorrectly rewritten.

An attempt to call the incorrectly patched method causes the following exception:
java.lang.VerifyError: (...) Illegal type in constant pool

Conditions:
This occurs when using rewrite on Java applets that call getDocumentBase().

Impact:
Affected Java applets cannot be started through Portal Access.

Workaround:
None.

Fix:
Rewritten applets that call java.applet.AppletStub interface methods no longer cause a java.lang.VerifyError exception at run time.


678820 : Potential memory leak if PEM Diameter sessions are not created successfully.

Component: Policy Enforcement Manager

Symptoms:
Memory leak resulting in reduction in available memory.

Conditions:
1. PEM configured with Gx.
2. PCRF Gx end point operationally DOWN
3. Subscriber creation attempt.

Impact:
Loss of service

Workaround:
There is no workaround at this time.

Fix:
Diameter context is freed in case of a failed Diameter session creation.


678801 : WS::enabled returns an empty string

Component: Local Traffic Manager

Symptoms:
The WS::enabled command returns an empty string instead of 0 or 1 for the status.

Conditions:
-- WS::enabled command is used to query the status of WebSocket processing.
-- WebSocket and HTTP profiles are configured on the virtual server.

Impact:
Unable to determine the status of WebSocket processing using iRule commands.

Workaround:
There is no workaround at this time.

Fix:
The WS::enabled command now invokes the appropriate method via the WebSocket Tcl code.


678748 : Slowness in IE when Removed Scripts Detection enabled

Component: Fraud Protection Services

Symptoms:
Removed Scripts Detection feature can cause Microsoft Internet Explorer version 11 (IE11) slowness.

Conditions:
Enable Removed Scripts Detection and navigate to the protected page using IE11.

Impact:
IE11 browser is slow to display pages.

Workaround:
None.


678716 : GUI Unexpected changes to sFlow values when configuring using the GUI

Component: TMOS

Symptoms:
When configuring the sFlow values in the GUI, the value can unexpectedly change if you choose Default in the drop down.

Conditions:
-- Configuring an HTTP Profile, Interface, or VLAN with sFlow values.
-- Select 'Default' from the drop down.

Impact:
The system might update the Global Settings value, which might cause confusion.

Workaround:
Use tmsh to independently update the sFlow values.

Fix:
The GUI now manages the sFlow values independently.


678662 : In the GUI System :: High Availability : HA Groups edit page, pools created outside the Common partition cannot be modified

Solution Article: K14222230

Component: TMOS

Symptoms:
In the HA Groups GUI edit page, only Pools created in the Common partition can be modified or deleted.

Conditions:
-- High Availability : HA Groups edit page.
-- Pools created outside the Common partition.

Impact:
Devices must be paired to access HA Group configuration.

Workaround:
Use TMSH to modify or delete any non-Common pools attached to an HA Group.

Fix:
Users can now edit or delete non-Common pools in a preexisting HA Group.


678652 : [APM] Usability: update tmsh error message to include access profile name

Component: Access Policy Manager

Symptoms:
The existing error message when deleting an access policy that is owned by an access profile is not descriptive:
01071111:3: Cannot delete access policy (/Common/delete_me_access_profile) because it is owned by a profile.

It does not specify which profile owns the access policy.

Conditions:
When you try to delete an access policy owned by an access profile from tmsh using a command similar to the following:
delete apm policy access-policy delete_me_access_profile

Impact:
This makes it difficult to debug, because the message does not state which access profile owns the access policy.

Workaround:
Manually check the access profiles to see which profile owns the access policy.

Fix:
The tmsh error message for deleting APM policy access-policy has been updated to include the name of the access profile that owns it.


678524 : Join FF02::2 multicast group when router-advertisement is configured

Component: Local Traffic Manager

Symptoms:
MLD snooping switches may not deliver router solicitation packets to BIG-IP, which breaks BIG-IP's router advertisement functionality. MLD snooping switches may not deliver the packets because BIG-IP has not joined the FF02::2 multicast group.

Conditions:
-- router-advertisement is configured.
-- MLD snooping switches are in the path.

Impact:
IPv6 hosts never receive router advertisements from BIG-IP in response to their router solicitations.

Workaround:
Disable MLD snooping on switches.

Fix:
BIG-IP now joins the FF02::2 multicast group when router-advertisements are configured.

Behavior Change:
BIG-IP now joins the FF02::2 multicast group when router-advertisement is configured.


678488 : BGP default-originate not announced to peers if several are peering over different VLANs

Solution Article: K59332320

Component: TMOS

Symptoms:
BGP default-originate is not announced to peers if several are configured as peers over different VLANs.

Conditions:
-- default-originate is configured on four similar neighbors.
-- The neighbors are reachable over different interfaces/subnets.

Impact:
Only some of the peered neighbors get the default route.

Workaround:
Add the following to the BGP configuration:
 network 0.0.0.0/0

Fix:
All peered neighbors now get the default route.


678460 : HTTP 302 Redirect status text is HTTP-version dependent

Solution Article: K94298780

Component: Local Traffic Manager

Symptoms:
When the HTTP::redirect iRule command is used, the response header begins with the following string:
   HTTP/1.0 302 Found

This could be considered non-RFC compliant, since the HTTP version is 1.0 but the status text is the one defined for HTTP/1.1.

For strict RFC compliance:
-- HTTP/1.0 responses should specify status text 'Moved Temporarily' (RFC 1945 Section 9.3).
-- HTTP/1.1 responses should specify 'Found' (RFC 7231 Section 6.4.3).

Conditions:
When using an iRule similar to the following:
    HTTP::redirect
    redirect

Impact:
Clients should be relying upon the numeric HTTP status code, and not the status text that follows, so in theory, there should be no impact. However, those clients which use the status text for processing decisions must be ready to handle status text that doesn't match the specified HTTP version.

Workaround:
None.

Fix:
The HTTP::redirect status text now matches the HTTP version of the response.


678427 : Safari 11 displays F5 EPI and F5 VPN launch confirmation dialogs twice

Solution Article: K03138339

Component: Access Policy Manager

Symptoms:
Safari 11 displays confirmation dialogs to launch F5 EPI or F5 VPN app twice. Although functionality is not affected, the user experience might be confusing.

Conditions:
-- Safari 11, F5 EPI, or F5 VPN app installed.
-- Endpoint check or VPN configured in access policy.

Impact:
None. The extra dialog box does not affect system functionality.

Workaround:
None.

Fix:
Confirmation dialog is now displayed only once.


678416-1 : Some tmm/umem_usage_stat counters may be incorrect under memory pressure.

Component: Local Traffic Manager

Symptoms:
After the BIG-IP system experiences severe memory pressure, the 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table incorrectly show extremely high values.

Conditions:
The BIG-IP system experiences enough memory pressure that slabs are transferred between threads.

Impact:
The 'allocated' and 'max_allocated' counters from the tmm/umem_usage_stat table do not reflect actual values. However, there is no functionality issue as a result. This is a cosmetic issue only.

Workaround:
None.

Fix:
The system now manages better under memory pressure so that the tmm/umem_usage_stat counters correctly reflect actual values.


678388 : IKEv1 racoon daemon is not restarted when killed multiple times

Solution Article: K00050055

Component: TMOS

Symptoms:
IPsec IKEv1 tunnels will fail and stay down indefinitely if the IKEv1 racoon daemon crashes. racoon does not get restarted by tmipsecd. This can occur if racoon has crashed more than once beforehand.

Conditions:
The IPsec IKEv1 racoon daemon crashes, or is killed manually, multiple times.

Impact:
IPsec IKEv1 tunnels cannot be established because the racoon daemon is dead. The user will receive no CLI or web UI clues to indicate that racoon is dead. Attempts to reconfigure IPsec while racoon is dead will not resolve the problem.

Workaround:
Run the following command to restart the IPsec IKEv1 racoon and tmipsecd daemons at the same time:
tmsh restart sys service tmipsecd

Fix:
Fixed tmipsecd so it correctly tracks whether the IKEv1 racoon daemon is still running or needs a restart. This also covers odd timing, such as killing racoon right after it starts.


678380 : Deleting an IKEv1 peer in current use could SEGV on race conditions.

Component: TMOS

Symptoms:
When an IKEv1 peer is deleted or updated, the IKEv1 racoon daemon intermittently crashes with a SIGSEGV under some race conditions.

Conditions:
This requires a peer using IKEv1, which gets updated or deleted while the IKEv1 racoon daemon is performing operations related to this peer.

Impact:
If the problem occurs, the IKEv1 racoon daemon restarts and interrupts IPsec traffic.

Workaround:
None.

Fix:
The system now checks whether the old peer definition is valid when navigating from phase-one SAs to the IKEv1 peer definition.


678376 : Portal Access: handling of cssText property of CSSStyleSheet object has been corrected

Component: Access Policy Manager

Symptoms:
The cssText property of the CSSStyleSheet object is supported only by Internet Explorer 9 (IE9) or later. In other browsers this property is undefined. Testing this property raises an error in Google Chrome and Mozilla Firefox via Portal Access.

Conditions:
This occurs when parsing JavaScript code similar to the following:

var style = document.styleSheets[0];
if (style.cssText) {
 ...
}

Impact:
Web application may not work correctly.

Workaround:
None.

Fix:
Now the cssText property is handled correctly in all browsers via Portal Access.


678307 : Generic vulnerability XML schema does not validate correctly

Component: Application Security Manager

Symptoms:
The generic vulnerability XML schema file does not validate correctly.

Conditions:
The generic vulnerability XML schema file is used to validate an XML vulnerability file.

Impact:
The XML vulnerability file fails to validate correctly.

Workaround:
None.

Fix:
The generic vulnerability XML schema file now validates correctly.


678293 : Uncleaned policy history files cause /var disk exhaustion

Solution Article: K25066531

Component: Application Security Manager

Symptoms:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions, which might cause /var disk exhaustion.

Conditions:
There are hundreds of policy history files for non-existent policies stored under /ts/dms/policy/policy_versions.

Two possible causes for the history files being copied:
-- The device was synchronized from itself.
-- There was a UCS loaded on the device.

Impact:
/var disk usage is high.

Workaround:
Use the following one-liner to find unreferenced policy history files that can be deleted:

----------------------------------------------------------------------
perl -MData::Dumper -MF5::DbUtils -MFile::Find -e '$dbh = F5::DbUtils::get_dbh(); $sql = ($dbh->selectrow_array(q{show tables in PLC like ?}, undef, q{PL_POLICY_VERSIONS})) ? q{select policy_version, policy_id from PLC.PL_POLICY_VERSIONS} : q{select revision, policy_id from PLC.PL_POLICY_HISTORY}; %known_history_files = map { (qq{$_->[1]/$_->[0].plc} => 1) } @{$dbh->selectall_arrayref($sql)}; find({ wanted => sub { return unless -f $_; $_ =~ m|/policy_versions/(.*)$|; if (! $known_history_files{$1}) { print qq{$_\n} } }, no_chdir => 1, }, q{/ts/dms/policy/policy_versions});'
----------------------------------------------------------------------

Manually verify the file list output. If it seems correct, you can then delete the files by piping the output into 'xargs rm'.

In addition, you can delete the following file: /var/ts/var/install/recovery_db/conf.tar.gz.


678257 : import existing netHSM private key to BigIP

Component: Local Traffic Manager

Symptoms:
BIG-IP can only use netHSM keys that were created from the BIG-IP system.

Conditions:
When a netHSM key is created from a non-BIG-IP client.

Impact:
BIG-IP users cannot reuse a pre-existing netHSM key that was not created from the BIG-IP system.

Workaround:
Users must create a new netHSM key from the BIG-IP system that connects to the netHSM.

Fix:
This function is added as a new feature. With this fix, users need only specify the key label of the pre-existing netHSM key to install/import the key to the BIG-IP system. The new key has the same name as the key label.


678254 : Error logged when restarting Tomcat

Component: TMOS

Symptoms:
An error is logged after restarting Tomcat and using the web UI.

Conditions:
Using the web UI to restart tomcat.

Impact:
An error is logged after restarting Tomcat and using the web UI.

Workaround:
There is no workaround.

Fix:
When restarting Tomcat and using the web UI, an error is logged only if the debug flag is enabled.


678010 : Virtual-wire is not supported on 100 Gbit interface

Component: Local Traffic Manager

Symptoms:
Virtual-wire does not work on 100 Gbit interfaces. Traffic received on a 100 Gbit interface operating in virtual-wire mode is not forwarded.

Conditions:
-- Using virtual-wire.
-- Running on 100 Gbit interfaces.
-- VIPRION 4400N blades.

Impact:
The traffic will not be forwarded to the other member of virtual-wire.

Workaround:
Do not configure 100 Gbit interfaces in virtual-wire mode.

Fix:
Virtual-wire can now be configured on 100 Gbit interface.


677962 : Invalid use of SETTINGS_MAX_FRAME_SIZE

Component: Local Traffic Manager

Symptoms:
When BIG-IP negotiates settings over an HTTP/2 connection, it adopts the peer's SETTINGS_MAX_FRAME_SIZE value as its own.

Conditions:
A virtual server is configured with an HTTP/2 profile.

Impact:
BIG-IP may accept a DATA frame larger than 16,384 bytes, violating the RFC.

Workaround:
There is no workaround at this time.

Fix:
BIG-IP no longer accepts DATA frames with sizes exceeding a default value of 16,384 bytes.
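The point of this fix is that an HTTP/2 endpoint has two separate limits: the SETTINGS_MAX_FRAME_SIZE it advertised bounds what it must accept, and the peer's advertised value bounds only what it sends. The following Python is an added model of that distinction (not F5 code); the frame builder, the constructed exchange and the 'adopt_peer_value' switch that reproduces the pre-fix behaviour are assumptions for illustration.

```python
import struct

# HTTP/2 frame-size constants from RFC 7540, sections 4.2 and 6.5.2.
DEFAULT_MAX_FRAME_SIZE = 16_384        # 2^14: initial SETTINGS_MAX_FRAME_SIZE
MAX_ALLOWED_FRAME_SIZE = 16_777_215    # 2^24 - 1: largest permitted setting value
SETTINGS_MAX_FRAME_SIZE = 0x5          # setting identifier
FRAME_TYPE_DATA = 0x0
FRAME_TYPE_SETTINGS = 0x4


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize a frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
    return header + payload


def build_settings(settings: dict) -> bytes:
    """SETTINGS frame on stream 0; each entry is a 16-bit id and a 32-bit value."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings.items())
    return build_frame(FRAME_TYPE_SETTINGS, 0, 0, payload)


def parse_frame_header(data: bytes):
    """Return (length, type, flags, stream_id) from the 9-byte frame header."""
    if len(data) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(data[0:3], "big")
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
    return length, data[3], data[4], stream_id


class FrameSizeLimits:
    """One endpoint's view of the two independent frame-size limits.

    local_max is the value THIS endpoint advertised, so it bounds what it must
    accept; peer_max is what the PEER advertised and only bounds what we send.
    adopt_peer_value=True reproduces the pre-fix behaviour described in 677962
    (constructed switch, not a real configuration option).
    """

    def __init__(self, local_max: int = DEFAULT_MAX_FRAME_SIZE, adopt_peer_value: bool = False):
        self.local_max = local_max
        self.peer_max = DEFAULT_MAX_FRAME_SIZE
        self.adopt_peer_value = adopt_peer_value

    def apply_peer_settings(self, frame: bytes) -> None:
        length, ftype, _, stream_id = parse_frame_header(frame)
        if ftype != FRAME_TYPE_SETTINGS or stream_id != 0:
            raise ValueError("PROTOCOL_ERROR: not a SETTINGS frame on stream 0")
        payload = frame[9:9 + length]
        for off in range(0, len(payload), 6):
            ident, value = struct.unpack("!HI", payload[off:off + 6])
            if ident != SETTINGS_MAX_FRAME_SIZE:
                continue
            if not DEFAULT_MAX_FRAME_SIZE <= value <= MAX_ALLOWED_FRAME_SIZE:
                raise ValueError("PROTOCOL_ERROR: SETTINGS_MAX_FRAME_SIZE out of range")
            self.peer_max = value          # correct: only affects frames we send
            if self.adopt_peer_value:
                self.local_max = value     # bug: the peer silently raises our receive limit

    def check_incoming(self, frame: bytes) -> str:
        """Classify a received frame as 'ok' or 'FRAME_SIZE_ERROR' (RFC 7540 section 4.2)."""
        length, _, _, _ = parse_frame_header(frame)
        return "ok" if length <= self.local_max else "FRAME_SIZE_ERROR"


def demo():
    """Constructed exchange: the peer advertises 64 KiB, then sends a 20,000-byte DATA frame."""
    peer_settings = build_settings({SETTINGS_MAX_FRAME_SIZE: 65_536})
    big_data = build_frame(FRAME_TYPE_DATA, 0, 1, b"A" * 20_000)
    buggy, fixed = FrameSizeLimits(adopt_peer_value=True), FrameSizeLimits()
    for limits in (buggy, fixed):
        limits.apply_peer_settings(peer_settings)
    return buggy.check_incoming(big_data), fixed.check_incoming(big_data)


if __name__ == "__main__":
    print(demo())   # ('ok', 'FRAME_SIZE_ERROR')
```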


677958 : WS::frame prepend and WS::frame append do not insert string in the right place.

Component: Local Traffic Manager

Symptoms:
When WS::frame prepend and WS::frame append are used together in the same event, the strings are not inserted in the right place.

Conditions:
-- Both WS::frame prepend and WS::frame append commands are present in the same iRule event.
-- WebSocket and HTTP profiles are configured on the virtual server.
-- Client/server send and receive WebSocket frames.

Impact:
The user-supplied string is not inserted in the right place when sent to the end-point.

Workaround:
None.

Fix:
Separate buffers are now used for append and prepend, instead of reusing the same buffer.


677937 : APM tunnel and IPsec over IPsec tunnel rejects isession-SYN connect packets

Solution Article: K41517253

Component: TMOS

Symptoms:
APM client cannot connect to server when the APM tunnel is encapsulated in an IPsec tunnel.

Conditions:
This requires a relatively complicated network setup of configuring an APM tunnel over an IPsec tunnel (and iSession is in use).

Impact:
No connectivity between the client and the server.

Workaround:
Do not encapsulate APM tunnel in an IPsec tunnel. (The APM tunnel has its own TLS.)

Fix:
APM tunnel and IPsec over IPsec tunnel now correctly accepts isession-SYN connect packets.


677919-1 : Enhanced Data Manipulation AJAX Support

Component: Fraud Protection Services

Symptoms:
Enhanced data manipulation detection is needed to protect against real-time modification, by a malware script in the browser, of parameters that are sent as JSON.

Conditions:
There is a malware script in the browser performing real-time modification of parameters that are sent by JSON.

Impact:
End-users already under attack could send manipulated JSON data to backend servers.

Workaround:
None.

Fix:
The Enhanced Data Manipulation Check has been improved so that it can now detect JSON data manipulation in the browser.


677682 : When BIG-IP is deployed as SAML identity provider (IdP), allow APM session variables to be used in entityID property.

Component: Access Policy Manager

Symptoms:
The entityID property of the SAML IdP object ('apm sso saml') accepts only a valid URI as the value. All other values are deemed invalid.

This creates a suboptimal configuration experience in certain use-cases. For instance, when the deployment contains two SAML IdP configuration objects that are essentially identical, with the only difference being the entityID value, validation prevents reusing the same object, and mandates creation of two independent configuration objects.

Conditions:
BIG-IP is used as SAML Identity Provider with two or more IdP configuration objects. The only difference between two (or more) configured IdP configuration objects is the value of entityID.

Impact:
None. This is a usability enhancement.

Workaround:
Create multiple IdP objects.

Fix:
This enhancement supports configuring an APM session variable in the entityID property of SAML Identity Provider ('apm sso saml') objects, thus reducing the number of nearly duplicate IdP configuration objects.

NOTE: When a session variable is used in the entityID property of a SAML Identity Provider object, the SAML metadata exported by such object must be edited manually to replace the session variables with valid FQDN names before the metadata is shared with external parties.


677666 : /var/tmstat/blades/scripts segment grows in size.

Solution Article: K60909141

Component: Local Traffic Manager

Symptoms:
Over time the /var/tmstat/blade/scripts file size grows.

Conditions:
-- Using istats.
-- Deleting configurations.
-- Using ASM.

Impact:
The virtual size of the merged process grows linearly with the /var/tmstat/blades/scripts segment. This could lead to an out-of-memory condition.

Workaround:
No known workarounds.

Fix:
Condition corrected.


677658 : 'Accept Request' in Event Log does not make any change on Header Character Set

Component: Application Security Manager

Symptoms:
'Accept Request' in Event Log does not make any change on Header Character Set.

Conditions:
Having a request with an 'Illegal meta character in header' violation.

Impact:
'Accept Request' in Event Log does not make any change on Header Character Set.

Workaround:
Learn from Traffic Learning, instead of Event Log.

Fix:
'Accept Request' in Event Log now learns on Header Character Set.


677525 : Translucent VLAN group may use unexpected source MAC address

Solution Article: K06831814

Component: Local Traffic Manager

Symptoms:
When a VLAN group is configured in translucent mode, IPv6 neighbor discovery packets sent from the BIG-IP system may have the locally unique bit flipped in the source MAC address.

Conditions:
VLAN group in translucent mode.

Impact:
In an HA configuration, switches in the network may have FDB entries for the standby system assigned to the port of the active system.

Workaround:
No workaround at this time.

Fix:
Translucent VLAN groups no longer send neighbor discovery packets whose source MAC has the locally unique bit flipped.


677494 : Flow filter with Periodic content insertion action could leak insert content record

Component: Policy Enforcement Manager

Symptoms:
A subscriber using a flow filter with periodic insert content could create multiple records for the same insert content action.

Conditions:
Two flows belonging to the same subscriber match two different rules of the same policy and alternate between them while the policy rule action is updated.

Impact:
More than one record being created for the same insert content action.

Workaround:
There is no workaround at this time.

Fix:
The insert content array is now updated as soon as the pemdb record is updated.


677485 : Discovery of DSC clustered BIG-IP systems fails due to secure value decryption error

Component: TMOS

Symptoms:
After initially configuring a DSC cluster, iControl-REST on BIG-IP systems might fail to decrypt the secure values due to a stale BIG-IP master key in its cache, and returns the secure values encrypted by the BIG-IP master key. BIG-IQ is unable to decrypt these secure values and fails to discover the BIG-IP system.

Conditions:
-- DSC cluster.
-- iControl REST.
-- BIG-IP system with stale BIG-IP master key in its cache.
-- BIG-IQ attempts to decrypt the secure values.

Impact:
Discovery fails due to secure value decryption error.

Workaround:
Restart iControl-REST server on the BIG-IP system.

On BIG-IP v12.0.0 and later:
-- In TMSH, run the following command:
restart sys service restjavad
-- On the console, run the following command:
bigstart restart restjavad

On BIG-IP v11.x.x:
-- In TMSH, run the following command:
restart sys service icrd
-- On the console, run the following command:
bigstart restart icrd

Fix:
The system now enforces obtaining the BIG-IP master key if the first decryption fails to proceed properly.


677473 : MCPD core is generated on multiple add/remove of Mgmt-Rules

Component: Advanced Firewall Manager

Symptoms:
MCP crashes with core. MCP automatically restarts causing other dependent daemons, including tmm, to restart. Corresponding messages (restarting mcp, restarting tmm, and so on) are broadcast in all command line connections (terminals). Core files are written into /shared/core directory. The BIG-IP system might become unusable while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped until all daemons restart.

Conditions:
-- AFM is licensed and provisioned.
-- There are firewall policies/rules defined in configuration.
-- Remove firewall rules/policies, especially rules attached to management-IP (might have to repeat this).

Impact:
The BIG-IP system might become unusable for a few minutes while daemons restart, so both control-plane (tmsh/GUI) and data traffic processing are stopped. Traffic is disrupted while tmm restarts.

Workaround:
None.

Fix:
MCP no longer crashes, and other dependent daemons no longer restart. The BIG-IP system remains operational in both control-plane (tmsh/GUI) and data traffic processing.


677368 : Websso crash due to uninitialized member in websso context object while processing a log message

Component: Access Policy Manager

Symptoms:
Websso crashes occasionally on processing a log message on TMEVT_CLOSE event. This happens when a TMEVT_CLOSE event is received without receiving a request.

Conditions:
TMEVT_CLOSE event is received without receiving a request.

Impact:
Websso process crash.

Workaround:
No workaround.

Fix:
Websso core is fixed by removing the webssocontext object reference from the log message.


677343 : Unsupported graph log level changed from error to notice

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system does not have GTM or dnssec licensed, and the command tmsh show /sys performance is run, the statsd process logs an error in /var/log/ltm:

err statsd[9036]: 011b032e:3: Graph 'dnsx' is not supported, possibly because it is not licensed, or a license has expired.

The fact that a graph is not supported or not licensed is not an error, so the log level for this message is set incorrectly.

Conditions:
-- GTM or dnssec is not licensed.
-- Running the following command: tmsh show /sys performance.

Impact:
The statsd process posts an error in /var/log/ltm. There is no impact to the functionality of the system

Workaround:
There is no workaround at this time.

Fix:
The unsupported graph message's log level was changed to notice.


677148 : Periodic content insertion creates duplicate records if same policy is added to Global high and subscriber specific

Component: Policy Enforcement Manager

Symptoms:
If the same PEM policy with insert content is added to both Global High and subscriber specific, insert content could add duplicate records. As a result, if the periodic content tag is absent, the periodic content insertion is not scheduled immediately, but is added only after the expiry of the current interval.

Conditions:
The same PEM policy with insert content is added to both Global High and subscriber specific.

Impact:
If the periodic content tag is absent, the periodic content insertion is not scheduled immediately.

Workaround:
This is a misconfiguration: a PEM policy should be included either in Global High or in subscriber specific, not both.

Fix:
The already-created record is now reused when the same policy is attached to both Global High and subscriber specific.


676897 : IPsec keeps failing to reconnect

Solution Article: K25082113

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
This release corrects this issue.


676854 : CRL Authentication agent will hang waiting on unresponsive authentication server.

Component: Access Policy Manager

Symptoms:
Some authentication requests never complete. APMD responsiveness degrades over time and eventually restarts.

Conditions:
The CRL Authentication server must be alive enough to accept connections but busy enough to drop requests without closing connections.

Impact:
APMD responsiveness degrades over time, usually weeks, before eventually restarting.

Workaround:
Restarting the CRL Authentication server usually releases the waiting threads and restores APMD responsiveness.
Using a BIG-IP monitor for the CRL backend can detect the issue and allow recovery before the need for APMD to restart.

Fix:
CRL agent now times out and returns an error when the CRL server becomes unresponsive.

Behavior Change:
The CRL Authentication agent now times out and returns an error instead of waiting forever. In previous releases, if enough threads were waiting, APMD performance degraded and eventually restarted.


676828 : Host IPv6 traffic is generated even when ipv6.enabled is false

Solution Article: K09012436

Component: Local Traffic Manager

Symptoms:
Observing IPv6 traffic from the BIG-IP system, even when ipv6.enabled is set to false.

Conditions:
sys db ipv6.enabled is false.

Impact:
Extraneous IPv6 traffic from the BIG-IP system.

Workaround:
None.

Fix:
IPv6 traffic now properly observes the ipv6.enabled sys db variable.


676809 : Vulnerability Assessment feature supports more AppScan vulnerabilities

Component: Application Security Manager

Symptoms:
The Vulnerability Assessment feature for AppScan supports too few vulnerability IDs.

Conditions:
Using Vulnerability Assessment feature for AppScan.

Impact:
Loading a report from AppScan into ASM results in only a few resolvable vulnerabilities.

Workaround:
None.

Fix:
The Vulnerability Assessment now supports more AppScan vulnerabilities, making them resolvable.


676709 : Diameter virtual server has different behavior of connection-prime when persistence is on/off

Solution Article: K37604585

Component: Service Provider

Symptoms:
When using a Diameter MBLB profile with per-AVP persistence enabled and connection priming enabled, not all pool members may have a connection established as part of priming.

Conditions:
-- Diameter MBLB profile.
-- Per-AVP persistence enabled.
-- Connection priming enabled.

Impact:
It is possible that not all pool members will have a connection established as part of priming.

Workaround:
None.

Fix:
A Diameter MBLB profile with persistence and connection priming enabled may not prime connections properly.


676674 : Two-core vCMP Guest Swap on B2100 Blades

Component: TMOS

Symptoms:
Guests with 3.5GiB of memory go into swap.

Conditions:
vCMP guests with two cores on B2100 blades.

Impact:
Long wait times when using the GUI or CLI.

Workaround:
Set provision.extramb to 100.

Fix:
The system now better handles two-core vCMP guests on B2100 blades so that no swapping occurs.


676557 : Binary data marshalled to TCL may be converted to UTF8

Component: Local Traffic Manager

Symptoms:
Binary data marshalled out of some iRule commands may be mistakenly converted to UTF8.

Conditions:
Unspecified commands return raw binary data (instead of strings). These commands may have their output incorrectly converted to UTF8. This will corrupt the binary data.

Impact:
Data corruption in some iRule commands

Workaround:
None.

Fix:
Binary output from certain iRule commands will not be corrupted into UTF8 strings.


676457 : TMM may consume excessive resource when processing compressed data

Solution Article: K52167636


676432 : i5000/i10000 Series platform serial console baud rate 38400 gets reset to 19200 after reboot

Component: TMOS

Symptoms:
i5000/i10000 Series platform serial console baud rate 38400 gets reset to 19200 after reboot.

Conditions:
-- Serial Console Baud Rate set to 38400.
-- i5000/i10000 Series platforms.
-- Reboot system.

Impact:
The baud rate becomes 19200 (the default) after reboot. Cannot set console baud-rate to 38400.

Workaround:
You can use either of the following workarounds:

-- Do not set 38400 as the baud rate. F5 does not recommend using 38400 baud rate on i5000/i10000 Series platforms.

-- Disable auto-baud detection by replacing a line in /sbin/agetty_serial, as follows:

Edit /sbin/agetty_serial to replace this line:
args="-L ${1} 0 ${3}"

with this line:
args="-8 -L ${1} ${2} ${3}"

Fix:
i5000/i10000 Series platform serial console baud rate 38400 no longer gets reset to 19200 after reboot.


676416 : BD restart when switching FTP profiles

Component: Application Security Manager

Symptoms:
Switching a Virtual Server from an FTP profile with Protocol Security enabled to an FTP profile with Protocol Security disabled, causes the BIG-IP system to go offline, generates errors in the bd log, and causes BD to restart.

Conditions:
-- Running FTP traffic with FTP profile with Protocol Security enabled.
-- On FTP service, change to FTP profile with Protocol Security disabled.

Impact:
BD restart, traffic disrupted, and failover in high availability (HA) configuration.

Workaround:
There is no workaround at this time.

Fix:
This version provides an improved mechanism for switching FTP profiles, so that now there is no BD restart.


676355 : DTLS retransmission does not comply with RFC in certain resumed SSL session

Component: Local Traffic Manager

Symptoms:
The DTLS FINISHED message is not retransmitted if it is lost in the Cavium SSL offloading platform. Specifically, it is the CCS plus FINISHED messages that are not retransmitted.

Conditions:
-- In the Cavium SSL offloading platform.
-- DTLS FINISHED Message is lost.

Impact:
When the DTLS FINISHED Message is lost in the Cavium SSL offloading platform, the CCS and FINISHED messages do not get retransmitted.

Workaround:
None.

Fix:
The CCS and FINISHED messages are now saved before the Cavium-encrypted FINISHED message is transmitted and the DTLS retransmit timer is started. When the retransmit timer expires, the CCS plus FINISHED messages are retransmitted.


676223 : Internal parameter in order not to sign allowed cookies

Component: Application Security Manager

Symptoms:
ASM TS cookies may get big (up to 4k).

Conditions:
Policy building is turned on (manual or automatic), and there are allowed cookies.

Impact:
This increases web site throughput.

Workaround:
N/A

Fix:
A parameter to not sign allowed cookies has been added.


676203 : Inter-blade mpi connection fails, does not recover, and eventually all memory consumed.

Component: TMOS

Symptoms:
TMM memory usage suddenly increases rapidly.

Conditions:
The inter-blade mpi connection fails and does not recover.

Impact:
Inter-blade mpi requests do not complete and the system eventually exhausts memory.

Workaround:
None.

Fix:
Inter-blade mpi connection now continues as expected, without memory issues.


676092 : IPsec keeps failing to reconnect

Component: TMOS

Symptoms:
When an IPsec Security Association (SA) does not exist on a remote IPsec peer, the BIG-IP system might be sent an INVALID-SPI notification, but might not delete the SA. The IPsec tunnel might not be renegotiated until the deleted SAs on the BIG-IP system are removed manually or age out.

Conditions:
-- The BIG-IP system and remote peer communicate over a lossy network.
-- The remote peer prematurely deletes an IPsec SA.

Impact:
IPsec tunnel appears to be up but suffers a connectivity loss until the SPIs are manually deleted or age out.

Workaround:
Manually delete the SA.

Fix:
The system now correctly handles these conditions so the issue no longer occurs.


675921-1 : Creating 5th vCMP 'ssl-mode dedicated' guest results in an error, but is running

Component: TMOS

Symptoms:
Creating 'ssl-mode dedicated' guests on the BIG-IP i5800, the 5th guest and beyond get an error, however they do become deployed with Status of 'running'.

Conditions:
-- Creating 5 (or more) 'ssl-mode dedicated' vCMP guests.
-- Running on the BIG-IP i5800 platform.

Impact:
5th guest and beyond result in an error.

Workaround:
There is no workaround other than not creating more than 4 'ssl-mode dedicated' vCMP guests when provisioning vCMP guests on the i5800 platform.

Fix:
The system now limits the maximum number of 'ssl-mode dedicated' vCMP guests to the number that the BIG-IP i5800 can physically support.


675866 : WebSSO: Kerberos rejects tickets with 2 minutes left in their ticket lifetime, causing APM to disable SSO

Component: Access Policy Manager

Symptoms:
Kerberos rejects tickets with 2 minutes left in their ticket lifetime. This causes tickets to be rejected by KDC, causing APM to disable SSO.

Conditions:
This occurs with Kerberos-protected resources using Windows Server 2012-based DC due to issue described in the Microsoft KB: Kerberos authentication fails when the computer tries to request a service ticket from a Windows Server 2012-based DC, https://support.microsoft.com/en-us/help/2877460/kerberos-authentication-fails-when-the-computer-tries-to-request-a-ser.

Impact:
Cannot access the Kerberos-protected resources.

Workaround:
None.

Fix:
Tickets are not used when the remaining lifetime is less than 5 minutes. Existing tickets with more than half the configured lifetime or at least 1 hour of lifetime remaining are used. If there are no such tickets, then new tickets are acquired and used.
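
The ticket-reuse rules in this fix, modelled as a stand-alone policy function. This is an added example written for this page, not APM's own code; the Ticket class, the principal names and the acquire() callback are assumptions made for the illustration. The constructed cases include the edge that makes both rules necessary: a ticket with more than half of a short configured lifetime left that is still under the 5-minute floor.

```python
"""Ticket-reuse policy described in the fix for ID 675866, modelled as a
stand-alone function. This is a constructed example, not APM's own code;
the Ticket class, the principal names and the acquire() callback are
assumptions made for the illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_REMAINING = timedelta(minutes=5)   # below this a ticket is never used
LONG_ENOUGH = timedelta(hours=1)       # at least this much left is always fine


@dataclass(frozen=True)
class Ticket:
    principal: str          # service principal the ticket was issued for
    expires_at: datetime    # absolute end of the ticket lifetime


def is_reusable(ticket, configured_lifetime, now):
    """Apply the fix's rules to an existing ticket: never use it with less
    than 5 minutes left; otherwise use it if more than half the configured
    lifetime remains or at least 1 hour remains."""
    remaining = ticket.expires_at - now
    if remaining < MIN_REMAINING:
        return False
    return remaining > configured_lifetime / 2 or remaining >= LONG_ENOUGH


def select_ticket(cache, principal, configured_lifetime, now, acquire):
    """Return (ticket, acquired): a reusable cached ticket for `principal`,
    or a fresh one from `acquire`, which stands in for the KDC round trip."""
    for ticket in cache:
        if ticket.principal == principal and is_reusable(ticket, configured_lifetime, now):
            return ticket, False
    return acquire(principal, now), True


def example_decisions():
    """Evaluate is_reusable on constructed tickets; returns {label: bool}."""
    now = datetime(2018, 9, 19, 12, 0, tzinfo=timezone.utc)
    ten_hours = timedelta(hours=10)
    cases = {
        "3m left of 10h": (timedelta(minutes=3), ten_hours),
        "30m left of 10h": (timedelta(minutes=30), ten_hours),   # > 5m, but neither > 5h nor >= 1h
        "1h left of 10h": (timedelta(hours=1), ten_hours),
        "6h left of 10h": (timedelta(hours=6), ten_hours),
        # more than half of an 8-minute lifetime, yet under the 5-minute floor
        "4.5m left of 8m": (timedelta(minutes=4, seconds=30), timedelta(minutes=8)),
    }
    return {
        label: is_reusable(Ticket("HTTP/app.example", now + left), lifetime, now)
        for label, (left, lifetime) in cases.items()
    }


def example_selection():
    """Run select_ticket against a constructed cache holding one ticket that
    is about to expire and one with plenty of life left. Returns whether a
    new ticket had to be acquired for each principal."""
    now = datetime(2018, 9, 19, 12, 0, tzinfo=timezone.utc)
    lifetime = timedelta(hours=10)
    cache = [
        Ticket("HTTP/app.example", now + timedelta(minutes=2)),
        Ticket("HTTP/mail.example", now + timedelta(hours=8)),
    ]

    def acquire(principal, when):          # stand-in for asking the KDC
        return Ticket(principal, when + lifetime)

    _, app_acquired = select_ticket(cache, "HTTP/app.example", lifetime, now, acquire)
    _, mail_acquired = select_ticket(cache, "HTTP/mail.example", lifetime, now, acquire)
    return app_acquired, mail_acquired
```

The 5-minute floor is checked first so that a ticket can never be handed to the KDC in the window where the DC described above rejects it; the half-lifetime and 1-hour rules only decide whether an otherwise valid ticket is worth reusing or should be replaced early.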


675775 : TMM crashes inside dynamic ACL building session db callback

Component: Access Policy Manager

Symptoms:
A race condition between a PPP tunnel close and a session expiry happening on different TMMs at almost the same time may cause TMM to restart in the dynamic ACL building session db callback.

Conditions:
A PPP tunnel close and a session expiry happen on different TMMs at almost the same time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The system now guards against a NULL pointer dereference during the dynamic ACL build.


675672 : sys db antifraud.domainavailabilityurls does not work

Component: Fraud Protection Services

Symptoms:
The sys db antifraud.domainavailabilityurls variable does not return expected results.

Conditions:
Trying to use sys db antifraud.domainavailabilityurls.

Impact:
sys db antifraud.domainavailabilityurls might provide confusing results. The variable is obsolete as of 13.0.0, but the tmsh command still returns a correct-looking config, which implies that there are two configurations for Domain Availability when in fact there is only one.

Workaround:
Use the Anti-Fraud malware object, as follows:

modify security anti-fraud profile antifraud malware { detected-malware add { mal { domain-availability { blacklist-urls add { /url } } } } }

modify security anti-fraud profile antifraud malware { detected-malware modify { mal { domain-availability { whitelist-urls add { /other_url } } } } }


675367 : The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication

Solution Article: K95393925

Component: Local Traffic Manager

Symptoms:
The IMAP and POP3 monitors might fail if the mail server supports GSSAPI authentication.

Conditions:
An IMAP or POP3 monitor is configured and the server returns GSSAPI as an available authentication mechanism.

Impact:
The monitor fails and marks the server down, even when it might be available.

Workaround:
If possible, use one of the following workarounds:

-- Turn off GSSAPI authentication on the mail server.
-- Use an alternate monitor type.


675287 : New requests are not added to Request Log due to full disk partition

Component: Application Security Manager

Symptoms:
New requests are not added to the Request Log due to full disk partition /var/asmdata1.

Conditions:
Disk partition /var/asmdata1 is completely filled.

Impact:
New requests are not added to Request Log.

Workaround:
As a workaround, you can safely delete all files under /var/asmdata1/request_log. Afterwards, kill the asmlogd process and allow it to restart automatically. Alternatively, ASM can be restarted.

Fix:
When there is not enough free space on the filesystem and a request therefore cannot be saved to the Request Log, the system now logs an error. In addition, the system now detects and deletes unneeded files from /var/asmdata1 to reclaim free disk space when the problem occurs.


675232 : Cannot modify a newly created ASM policy within an iApp template implementation or TMSH CLI transaction

Component: Application Security Manager

Symptoms:
Errors encountered:

In TMSH CLI transaction:
----------------
transaction failed: 01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

In iApp template implementation:
----------------
script did not successfully complete: (01020036:3: The requested ASM policy (/Common/<some_policy>) was not found.
----------------

Conditions:
In an iApp template implementation or TMSH CLI transaction, create a new ASM policy and then try to modify its active state.

Impact:
The policy is created but the modify action cannot find the policy.

Workaround:
iApps are built to work with ASM Policy Templates.

A new ASM Policy Template can be created from the desired ASM Policy. That can be done via the GUI and, starting from v13.0, via REST as well.

Then, the newly created ASM Policy Template can be referenced in the iApp template implementation or TMSH CLI transaction as follows:
-----------------
tmsh::create asm policy <some_policy> active policy-template NEWLY_CREATED_POLICY_TEMPLATE
-----------------

Fix:
iApp template implementation and TMSH CLI transaction can now modify a newly created ASM policy.


675188-1 : CVE-2017-9233: Expat vulnerability

Component: TMOS

Symptoms:
An infinite loop vulnerability caused by malformed XML in an external entity was found in the entityValueInitProcessor function, affecting Expat versions 2.2.0 and earlier.

Conditions:
The version of expat in use on BIG-IP is v2.2.0 or earlier.

Impact:
BIG-IP is vulnerable to CVE-2017-9233 via the iControl interface.

Fix:
Update to expat v2.2.2.


675066 : Resource server failure message update

Component: Access Policy Manager

Symptoms:
The resource server failure response does not display the intended message.

Conditions:
APM enabled.

Impact:
When the resource server returns a failure response, the intended diagnostic content is not included.

Fix:
The resource server failure message has been updated.


674909 : Application CSS injection might break when connection is congested

Component: Fraud Protection Services

Symptoms:
Large CSS files configured for phishing protection injection in FPS (not the fictive WebSafe CSS files) may be truncated in the response to the client.

Conditions:
Inject into Application CSS is enabled in Anti-Fraud Profile » Advanced » Phishing Detection.

A large CSS file, such as a bootstrap file, is configured in Application CSS Locations.

Network congestion engages TMM flow control.

Impact:
Pages may display incorrectly in the client browser, depending on how much the application relies on the specific CSS. This may break application functionality.

Workaround:
1) Remove affected large files from Application CSS Locations.

or

2) Disable Inject into Application CSS entirely.

Fix:
FPS now handles the case where injection into application CSS is interrupted by congestion.


674818 : DHCP virtuals need ALH set to Enabled for DHCP to function.

Solution Article: K86400531

Component: Local Traffic Manager

Symptoms:
DHCP packets from the client will not be forwarded to the server if auto-lasthop (ALH) is Disabled on the DHCP virtual server. While the ALH setting on a DHCP virtual server can be modified via TMSH, it cannot be modified via the GUI.

Conditions:
DHCP virtual created with the resulting ALH setting as 'Disabled'.

Impact:
DHCP packets from the client are not forwarded to the server. Loss of DHCP functionality.

Workaround:
Set ALH to enabled on the DHCP virtual server using TMSH.

Fix:
The GUI now sets AutoLastHop=Enabled in the background when creating DHCP virtual servers.


674754 : ZoneRunner: GUI "Email Contact" field silently ignores invalid char '@' in Email Contact

Component: Global Traffic Manager (DNS)

Symptoms:
Changing the email address in ZoneRunner to one containing an '@' character does not work. System validation catches that the '@' is invalid, but the operation fails silently, and the new email address is not stored.

Note. The '@' character is invalid for the email field because it has other uses in zone files. A dot should be used instead of '@'.

Conditions:
Zone already exists in ZoneRunner.
Trying to update it with a new email address.

Impact:
Confusion as to why the GUI is ignoring the new email address that was entered.

Workaround:
The '@' (at sign) character is invalid for ZoneRunner email fields because it has other uses in zone files. Use a '.' (dot, or period) character instead of '@'.


674747 : sipdb cannot delete custom bidirectional persistence entries.

Solution Article: K30837366

Component: Service Provider

Symptoms:
Custom bidirectional SIP persistence entries cannot be deleted using the sipdb tool.

Conditions:
Custom bidirectional SIP persistence entries have been created by rules and SIP messages.

Impact:
Custom bidirectional SIP persistence entries exist and can be viewed with the sipdb utility. They cannot be deleted, however.

Workaround:
None.

Fix:
The sipdb tool now supports deletion of bidirectional SIP persistence entries.


674745 : Ordering and OSPF configuration timing of IA routes on HA configuration can lead to differences in route table

Solution Article: K53106344

Component: TMOS

Symptoms:
In some specific circumstances, the configuration ordering and activation timing in an HA configuration of OSPF inter-area (IA) routes might lead to one unit learning the route off the peer instead of learning it from the configuration.

Conditions:
- Two or more units using very close or identical OSPF configurations.
- Announcement of IA summary routes that locally are blackholed.
- One unit is configured before the others, in a way that the peers learn the route before the configuration is introduced locally.

Impact:
A unit may prefer a route to the peer instead of a locally configured blackhole.

Workaround:
Do any of the following:
-- Restart the ospf process.
-- Run the command: clear ip ospf process.
-- Remove the ospf config and paste it back in.


674689 : ECDSA Key management support on BIG-IP using Thales and SafeNet external network HSM

Component: Local Traffic Manager

Symptoms:
There is no support for ECDSA key management on BIG-IP systems using an external network HSM from Thales or SafeNet.

Conditions:
Creating ECDSA keys and certificates using tmsh, the GUI, or iControl, e.g.:
tmsh create sys crypto key ec_nethsm key-type ec-private curve-name prime256v1 security-type nethsm
tmsh create sys crypto cert ec_nethsm key ec_nethsm common-name www.ecdsa.com

Impact:
ECDSA keys and certificates cannot be created on an external network HSM such as Thales and SafeNet on BIG-IP systems.

Workaround:
No workaround.

Fix:
ECDSA key/cert management using an external network HSM such as Thales and SafeNet is now supported on BIG-IP systems. The feature supports create/list/delete operations for ECDSA keys and certificates on the external network HSM, along with using the ECDSA sign operation during the SSL handshake.


674576 : Outage may occur with VIP-VIP configurations

Component: Local Traffic Manager

Symptoms:
In some VIP-VIP configurations, TMM may produce a core with a 'no trailing data' assert.

Conditions:
VIP-VIP configuration.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround at this time.

Fix:
TMM no longer produces a core with a 'no trailing data' assert.


674494-5 : BD memory leak on specific configuration and specific traffic

Solution Article: K77993010

Component: Application Security Manager

Symptoms:
RSS memory of the bd grows.

Conditions:
-- Remote logger is configured.
-- IP has ignore logging configured.
-- Traffic is coming from the ignored logging IP.

Impact:
Potential memory exhaustion. The kernel might run out of memory and may kill bd, causing traffic disruption.

Workaround:
None.

Fix:
The remote logger's data is now freed when the system decides not to log remotely.


674455 : Serial console baud rate setting lost after running 'tmidiag -r' in Maintenance OS

Component: TMOS

Symptoms:
When booted into the Maintenance OS image from the grub boot menu, running 'tmidiag -r' drops the serial console setting from the grub kernel line, which causes a loss of communication on the serial console after rebooting.

Conditions:
-- Booted into Maintenance OS.
-- Running the command: tmidiag -r

Impact:
Serial console baud rate settings are incorrect; the console uses the BIOS baud rate.

Workaround:
When booting, edit the grub kernel line to include console=ttyS0.

Note: The value is "tty", an uppercase "S" character, and zero, so ttyS0.

Fix:
tmidiag has been fixed to not strip out console=ttyS0.


674367 : SDD v3 symmetric deduplication may stop working indefinitely

Solution Article: K20983428

Component: Wan Optimization Manager

Symptoms:
In certain high availability (HA) configurations and after performing specific maintenance tasks involving failovers, SDD v3 symmetric deduplication may stop working indefinitely.

Conditions:
This issue occurs when all of the following conditions are met:

1) A BIG-IP HA configuration is deployed on each side of the WOM tunnel.
2) Symmetric deduplication is configured to use the SDD v3 codec.
3) Applications configured to benefit from symmetric deduplication are actively passing traffic.
4) Both BIG-IP HA pairs (the near and far sides) are failed over concurrently (although in more rare cases, even failing over a single pair is sufficient to reproduce the issue).

Impact:
Applications no longer benefit from symmetric deduplication, increasing the amount of data transmitted over the WAN.

Workaround:
Restarting the services on all BIG-IP units involved in the topology (without performing additional failovers after they return on-line) restores symmetric deduplication functionality. This will cause some downtime.

Fix:
Performing failovers in AAM environment no longer breaks SDD v3 symmetric deduplication.


674302 : BD crash upon startup

Component: Application Security Manager

Symptoms:
The system does not start up; bd restarts while the geolocation database is being updated.

Conditions:
-- Traffic is running through the system.
-- The geolocation database is being updated.

Impact:
The bd process restarts, which results in traffic disturbance and failover.

Workaround:
Update the geolocation database when there is no traffic.

Fix:
The system now correctly initializes the geolocation database before


674293 : Prevent login failure caused by user deleting cookies

Component: Fraud Protection Services

Symptoms:
When deleting cookies immediately before attempting to log in to a protected website, the login operation may fail.

Conditions:
-- Delete cookies while on the login page.
-- Attempt to log in immediately, without refreshing the page.

Impact:
Login failure.

Workaround:
There is no workaround at this time.

Fix:
The system no longer fails login under these conditions.


674256 : False positive cookie hijacking violation

Solution Article: K60745057

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with a higher domain level than the configured one.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
When the device ID feature is turned off, the cookie hijacking violation is almost never relevant, as it should be able to detect only cases where some of the TS cookies were taken. The suggestion is to turn off this violation.


674253 : Unable to discover ASM policies with EM 3.1.1

Component: Application Security Manager

Symptoms:
Enterprise Manager (EM) is unable to synchronize with the BIG-IP device with the error: 'Instance not found: ASM / Policy Template / <Policy Name>'.

Conditions:
This occurs in response to either of the following conditions:
-- The system has inactive ASM policies that have never been active.
-- The system is affected by the following 11.5.x known issue: Policy history revision files in the /var/ts/dms/policy/policy_versions/* directories are erased after a device group sync.

Impact:
EM is unable to synchronize with the device.

Workaround:
To work around this issue:
1) Apply or Delete inactive policies.
2) Push another sync from the peer device or apply the affected policies.

Fix:
EM now successfully discovers devices with policies that have never been applied or are missing the latest policy history file.


674145 : chmand error log message missing data

Component: TMOS

Symptoms:
When there is an error with communication between chmand and lopd, a message is logged giving information about the problem. That message is missing data useful to F5 for determining the cause of the communications error.

Messages similar to:
Jul 11 11:10:19 localhost warning chmand[7815]: 012a0004:4: getLopReg: lop response data does not match request, u16DataLen=0xb expected=0xb, u8Length=0x8 expected=0x, u8Page=0x28 expected=0x$, u8Register=0x50 expected=0xP

The expected data values are missing in this message, making it more difficult for F5 engineers to determine what caused the original communications problem.

Conditions:
This issue only occurs when there is some problem with the communication channel between chmand and lopd.

Impact:
Added difficulty for F5 to determine what problem caused the error message to be logged.

Fix:
The expected data values are properly printed in the log message.


674106 : Allow multiple client SSL profiles on a virtual server with different security requirements

Component: Local Traffic Manager

Symptoms:
When multiple client SSL profiles are attached to a virtual server, each must share the same ciphers, authenticate, authenticate depth, peer-cert mode, and, if peer-cert mode is require, CRL. Otherwise, the system posts an error similar to the following:

0107157c:3: Selected client SSL profiles do not match security policies for Virtual Server <vs-name>.

Conditions:
1. Create two client SSL profiles, one of which requires a client certificate and the other does not.
2. Try to assign these profiles to the same virtual server.

Impact:
Error message. Cannot attach multiple, differing client SSL profiles.

Workaround:
Ensure that all client SSL profiles attached to a virtual server share the same security attributes.

Fix:
Now, each client SSL profile attached to a single virtual server can have different security settings.


673998 : Dhclient does not support standard supersede options on the BIG-IP system.

Component: TMOS

Symptoms:
Dhclient supports the supersede option, through which locally set values can supersede the DHCP server-provided values in the lease for a given option. This is achieved by adding a supersede option and value pair in dhclient.conf. On the BIG-IP system, however, modifications to dhclient.conf are overwritten by MCPD, and MCPD does not support specifying supersede options.

Conditions:
-- BIG-IP configured with DHCP enabled.
-- Attempt to supersede DHCP server-provided values in the lease for a given option by adding the supersede-option and value pair in dhclient.conf.

Impact:
The system overwrites the modifications. Cannot supersede DHCP server-provided values in the lease for a given option.

Workaround:
None.

Fix:
The BIG-IP system now supports the standard supersede options, so you can direct dhclient to use locally-configured values over the ones provided by the DHCP server for a given option.


673996 : Unable to set 'media-fixed' on management port on BIG-IP i15000 platforms

Component: TMOS

Symptoms:
Changing 'media-fixed' on the management port on BIG-IP i15000 platforms using the tmsh command 'tmsh modify net interface mgmt media-fixed <speed>' does not take effect.

Conditions:
-- Connecting two BIG-IP i15000 units via management port.
-- Changing the 'media-fixed' value.

Impact:
Changing the 'media-fixed' value does not work.

Workaround:
Pull the management cable out and plug it back in to get the link up at the respective speeds.

Fix:
Users can now change the 'media-fixed' value using tmsh commands.


673951-3 : Memory leak when using HTTP2 profile

Solution Article: K56466330

Component: Local Traffic Manager

Symptoms:
Memory continues to grow despite a reduced volume of traffic. A large number of spdy_frame and xdata objects are allocated.

Conditions:
Virtual server configured with HTTP2 profile.

Impact:
Memory leak, which might eventually trigger aggressive sweeper and potential crash, resulting in failover.

Workaround:
None.

Fix:
Virtual server configured with HTTP2 profile no longer leaks memory.


673871 : ESXi host client fails to deploy a virtual machine from BIG-IP OVA file

Component: TMOS

Symptoms:
ESXi host client fails to deploy a virtual machine (VM) from the BIG-IP OVA file (probably because the BIG-IP vmdk files are compressed).

Conditions:
Deploying BIG-IP OVA by ESXi.

Impact:
ESXi 6.5 does not support VMware vSphere Client, and failure to deploy via the ESXi host client leaves ovftool or booting off the product ISO as the only known viable options for ESXi 6.5.

Workaround:
Deploy the BIG-IP system by creating a new VM from the ISO file, and initially booting the VM off the official BIG-IP ISO to perform an installation.

Fix:
OVA image can now be deployed to a standalone host using the built-in web client.


673860-2 : App-service is not supported by import/export

Component: Access Policy Manager

Symptoms:
If the Access Profile is created by an iApp and the configuration is grouped by the app-service mechanism (i.e., it can be locked or managed via the app-service field in various objects), import/export does not work.

Conditions:
Access Profile that is created by iApp with app-service-based grouping.

Impact:
No import/export support. Difficult to back up and restore these types of profiles.

Workaround:
None.

Fix:
There is no longer an import error in this instance.


673832 : Performance impact for certain platforms after upgrading to 13.1.0.

Component: Performance

Symptoms:
Performance impact for certain platforms after upgrading to 13.1.0.

Conditions:
The following platforms, with Fast HTTP/OneConnect/Full Proxy configured:

-- i2800
-- i4800
-- i5800
-- i7800
-- i10800
-- i11800
-- B2250
-- B4450

Impact:
The performance impacts occur on the following platforms under the associated conditions:

-- i2800 2%-3% Full Proxy traffic.
-- i4800 2%-3% Full Proxy traffic.
-- i5800 3%-8% Fast HTTP/Full Proxy traffic.
-- i7800 3%-7% Fast HTTP/Full Proxy traffic.
-- i10800 3%-7% Fast HTTP/Full Proxy traffic.
-- i11800 2%-3% Fast HTTP traffic.
-- B2250 3%-6% OneConnect/Full Proxy traffic.
-- B4450 4%-10% Fast HTTP/OneConnect/Full Proxy traffic.

Workaround:
None.

Fix:
Performance impact for certain platforms has been eliminated.


673814 : Custom bidirectional persistence entries are not updated to the session timeout

Solution Article: K37822302

Component: Service Provider

Symptoms:
Custom bidirectional persistence entries will be created using the transaction timeout when processing the request, but will not be updated to the session timeout on a successful response.

Conditions:
-- Using custom bidirectional persistence.
-- Successful response message is received.

Impact:
The persistence entry times out prematurely.

Workaround:
Set the transaction timeout to the session timeout value.

Fix:
The persistence timeout is correctly updated to the session timeout value when a successful response message is received.


673811 : After an upgrade, IPsec tunnels may fail to start

Component: TMOS

Symptoms:
After an upgrade, the post-upgrade ipsec-policy or ike-peer configuration may differ from the pre-upgrade version.

Conditions:
-- ipsec-policy or ike-peer uses default setting(s).
-- BIG-IP's software is upgraded.

Impact:
After an upgrade, tunnels may fail to establish or establish using a stronger cipher set.

Workaround:
After upgrade, set the configuration objects to the required values.

Fix:
The tmsh schema is improved so that IPsec values are persisted when the configuration is saved, even if they equal the default values. This way, if a software upgrade changes the defaults, the old default values are still used because they were explicitly saved in the config. Thus users will not see default IPsec config values change.


673748 : ng_export, ng_import might leave security.configpassword in invalid state

Solution Article: K19534801

Component: Access Policy Manager

Symptoms:
If import/export of an Access Profile or Access Policy results in an error, security.configpassword may retain a temporary non-<null> state, which can cause problems when the config is saved or loaded using the sys save config or sys load config commands.

Conditions:
Import or export of Access Profile or Access Policy fails with an error.

Impact:
Passwords in .conf might get mangled.

Workaround:
Set the security.configpassword db variable using the following command:
 modify sys db security.configpassword value "<null>"


673717 : VPE loading times can be very long

Component: Access Policy Manager

Symptoms:
When a configuration contains 2000-3000 Access Policy objects, Visual Policy Editor (VPE) loading operations can take tens of seconds.

Conditions:
-- Access Policy configured with 2000-3000 Access Policy objects.
-- Open in VPE.

Impact:
Policies with thousands of entries can take tens of seconds or more to load.

Workaround:
None.

Fix:
Configuration load has been optimized, so VPE loading time is significantly shorter for these types of configurations.


673684 : DNSSEC Key Generation event failure during BIG-IP initialization can result in syncing empty DNSSEC keys to GTM sync group

Component: Global Traffic Manager (DNS)

Symptoms:
A DNSSEC key generation event is scheduled to occur (for example, an expiration or rollover) while the Master Key is not yet initialized and mcpd is not in a fully running state. The DNSSEC key generation fails because of the unavailability of the Master Key, but the uninitialized mcpd may be unable to roll back the transaction, resulting in an empty DNSSEC key being synced to the GTM sync group.

Conditions:
A DNSSEC key generation event is scheduled to occur (for example, an expiration or rollover) during the time in which the Master Key is not yet initialized and mcpd is not in a fully running state. This could be when a BIG-IP is being rebooted, is performing a bigstart restart, or has been powered off for some time and is being powered back up.

Impact:
It is possible that empty DNSSEC keys could be synced to the GTM sync group, over-writing previously valid key generations.

Workaround:
When powering off a GTM for an extended period of time, it is advisable to first remove the GTM from the sync group, so that whenever it is powered on again, it does not attempt sync before it is in a healthy state. You can also avoid this issue by performing reboot or bigstart restart during a window in which DNSSEC keys are not scheduled to expire or rollover.

Fix:
Now, if a DNSSEC key generation event occurs (for example, an expiration or rollover) while the Master Key is not yet initialized, the system delays all DNSSEC key generation events until the Master Key becomes available. A message is logged in /var/log/ltm to inform the user that DNSSEC key generations are being delayed for this reason.


673664 : TMM crashes when sys db Crypto.HwAcceleration is disabled.

Component: Local Traffic Manager

Symptoms:
TMM crashes when sys db Crypto.HwAcceleration is disabled.

Conditions:
This occurs when sys db Crypto.HwAcceleration is disabled.

Impact:
TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Enable crypto hardware acceleration using the following command:
tmsh modify sys db crypto.hwacceleration value enable


673607-8 : Apache CVE-2017-3169

Solution Article: K83043359


673595-8 : Apache CVE-2017-3167

Solution Article: K34125394


673500 : Portal Access: support of relative URLs in HTML tags <link rel=import ...>

Component: Access Policy Manager

Symptoms:
HTML components can be imported into an HTML page via <link rel=import ...> tags. If the same HTML component is referenced by several such tags, only the first import is performed. In the case of Portal Access, however, the browser cannot recognize identical URLs in some cases due to URL mangling. This may lead to unnecessary multiple loading of the same HTML component.

Conditions:
-- HTML page with several <link rel=import ...> tags referring to the same HTML component but using different representation of its URL, for example:

   <link rel=import href=/some/path/component.html>
   <link rel=import href=../component.html>

-- '/some/path' and '../' refer to the same back-end path.

-- Chrome browser.

Impact:
The component should be loaded once, but Portal Access rewrites both URLs. The browser cannot recognize that they refer to the same component, so the component is loaded twice, and the scripts inside it are executed twice. The web application may not work correctly.

Workaround:
None.

Fix:
Now Portal Access supports relative URLs in HTML import tags correctly.


673491 : IKEv2: fewer logging format artifacts with debug log-level

Component: TMOS

Symptoms:
When IPsec log-level is debug, sometimes logged payloads have line breaks in the middle, and most lines are missing a single character at line end, such as a closing parenthesis or quote.

Conditions:
Log level set to debug, then passing IKEv2 IPsec traffic.

Impact:
Distracting imperfections in debug log output.

Workaround:
No workaround at this time.

Fix:
A larger buffer is now used to reduce line breaks. The missing characters at line end were due to incorrectly swapping one function for another that reserves a byte for a terminating null: when the size to copy equaled the line length, the last character was dropped. The size to copy has been increased by one to include the terminating null, which is then removed without shortening the line.


673399 : HTTP request dropped after a 401 exchange when a Websockets profile is attached to virtual server.

Component: Local Traffic Manager

Symptoms:
The client sends a GET request with a switching-protocols (Upgrade) header, and the server responds with a 401. The subsequent GET request from the client is dropped.

Conditions:
HTTP and Websocket profiles are attached to the virtual server. The client sends a GET request with a switching-protocols header indicating an upgrade to Websockets, and the server responds with a 401. The subsequent GET request from the client is dropped.

Impact:
Connection is reset.

Workaround:
Disable Websockets profile on the virtual server.

Fix:
We now check whether the Websockets filter is on the virtual server before attempting an insert.


673316 : Error when configuring a link local address as a default gateway

Solution Article: K06548092

Component: Local Traffic Manager

Symptoms:
When a link local address is configured as a default gateway, there is an error when running the 'tmsh load sys config' command:
 Syntax Error:(/config/bigip.conf at line: 1017) "default" unknown property.

/config/bigip.conf is incorrectly written with an empty interface value:
  cat bigip.conf|grep 'net route' -A4
  net route /Common/External_default_GW {
    gw 169.254.200.1
    interface
    network default
  }

Conditions:
-- config.allow.rfc3927 database key set to enable.

-- Link local address is configured as a default gateway, as shown in the following example:
  cat bigip.conf|grep 'net route' -A4
  net route /Common/External_default_GW {
    gw 169.254.200.1
    interface <== This is the error
    network default
  }

Impact:
The default gateway works, but bigip.conf may not be loaded via tmsh with the command 'load sys config'.

Workaround:
Modify the bigip.conf file, adding the correct interface, as shown in the following example, which uses 'interface Ext':
  cat bigip.conf|grep 'net route' -A4
  net route /Common/External_default_GW {
    gw 169.254.200.1
    interface Ext
    network default
  }
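
A small checker for the symptom above, written for this page as an added example (it is not an F5 tool): it parses the top-level 'net route' stanzas of a bigip.conf, reports any whose 'interface' property is present but empty, and can fill in the interface name the way the manual workaround does. The sample configuration embedded in the script is constructed; it only handles flat 'net route' stanzas, not nested objects.

```python
"""Find 'net route' stanzas in a bigip.conf with an empty 'interface' line,
the symptom described for ID 673316, and optionally repair them.
Constructed example; SAMPLE_BIGIP_CONF is made-up data and this is not an
F5 utility. Only flat top-level 'net route { ... }' stanzas are parsed."""
import ipaddress
import re

# Constructed sample: the first route reproduces the broken stanza, the
# second is an ordinary route, the third is the repaired form.
SAMPLE_BIGIP_CONF = """\
net route /Common/External_default_GW {
    gw 169.254.200.1
    interface
    network default
}
net route /Common/to_branch {
    gw 10.1.1.254
    network 10.20.0.0/16
}
net route /Common/mgmt_ll {
    gw 169.254.10.1
    interface Ext
    network default
}
"""

STANZA_RE = re.compile(r"^net route (\S+) \{\n(.*?)^\}", re.M | re.S)


def parse_routes(conf_text):
    """Return {route_name: {property: value}} for every net route stanza.
    A property line carrying no value (e.g. a bare 'interface') maps to ''."""
    routes = {}
    for name, body in STANZA_RE.findall(conf_text):
        props = {}
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            props[key] = value.strip()
        routes[name] = props
    return routes


def is_link_local(addr):
    """True for 169.254.0.0/16 and fe80::/10 gateways; False for garbage."""
    try:
        return ipaddress.ip_address(addr).is_link_local
    except ValueError:
        return False


def find_broken_routes(conf_text):
    """Return [(name, gw, gw_is_link_local)] for routes whose 'interface'
    property is present but empty, which makes 'tmsh load sys config' fail."""
    broken = []
    for name, props in parse_routes(conf_text).items():
        if "interface" in props and props["interface"] == "":
            gw = props.get("gw", "")
            broken.append((name, gw, is_link_local(gw)))
    return broken


def set_interface(conf_text, route_name, interface):
    """Return conf_text with the empty 'interface' line of route_name filled
    in, mirroring the manual edit in the workaround (e.g. 'interface Ext')."""
    stanza = re.compile(
        rf"^net route ({re.escape(route_name)}) \{{\n(.*?)^\}}", re.M | re.S
    )

    def repl(m):
        body = re.sub(r"^(\s*)interface\s*$", rf"\1interface {interface}",
                      m.group(2), count=1, flags=re.M)
        return f"net route {m.group(1)} {{\n{body}}}"

    return stanza.sub(repl, conf_text, count=1)


if __name__ == "__main__":
    for name, gw, ll in find_broken_routes(SAMPLE_BIGIP_CONF):
        print(f"{name}: empty interface (gw {gw}, link-local={ll})")
```

Run it against a copied bigip.conf before 'tmsh load sys config' to see which route stanzas would trip the "default" unknown property error; set_interface() produces the corrected text, which should be reviewed and written back by hand rather than blindly applied.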


673302 : Username is reported in the session report after logout

Component: Application Security Manager

Symptoms:
A username is reported after the user has logged out.

Conditions:
-- Session tracking with username is enabled.
-- The logged-in user just logged out.

Impact:
The username is reported. This lasts for as long as the session is still valid, 1200 seconds by default.

Note: The session expiration interval can be configured in the GUI.

Workaround:
None.

Fix:
The sentence: 'User tracking does not expire when going through the logout page.' was added to the original note.


673095-1 : Loading UCS with QinQ VLANs fails 'Can't free vlan entry, can't find vlan with oid'

Component: Local Traffic Manager

Symptoms:
Unable to load a UCS due to a VLAN validation error.

Conditions:
QinQ VLANs saved in a UCS file.

Impact:
Unable to reload the saved config.

Workaround:
Before loading the config, use tmsh to delete all VLANs. The config will then load successfully.


673085 : Enhancing the error message for metadata import/export failure for SAML SP and IdP objects.

Component: Access Policy Manager

Symptoms:
When problems occur during the import or export of SAML metadata for SP or IdP, a message is logged, but the information is insufficient to help determine why the import/export failed.

The system logs an error message similar to the following: MCP Error01070712:3: apm aaa saml-sp-connector <sp-connector> unable to parse metadata file /var/tmp/1498598319464.upload.

Conditions:
Metadata import/export failure for SAML SP and IdP.

Impact:
Generic message is logged. The message contains insufficient information for troubleshooting.

Workaround:
There is no workaround.

Fix:
This release enhances the error message logged during import/export failure of SAML SP or IdP metadata to provide additional info to help with troubleshooting.

Examples:

MCP Error01070712:3: apm aaa saml-sp-connector sp1 unable to parse metadata file /var/tmp/1506737815551.upload: invalid document structure .

MCP Error01070712:3: apm aaa saml-sp-connector sp2 unable to parse metadata file /var/tmp/1506737894866.upload: unable to create converter for 'ABC' encoding.

In addition, the SAX (XML parser) exception that is thrown now logs the line number and column number of the location in the metadata file where the exception occurred.

Example:

/var/tmp/mcpd.out - SAX Exception: line 1, char 40 message: invalid document structure.


672667 : CVE-2017-7679: Apache vulnerability

Solution Article: K75429050


672504 : Deleting zones from large databases can take excessive amounts of time.

Solution Article: K52325625

Component: Global Traffic Manager (DNS)

Symptoms:
When deleting a zone or a large number of Resource Records, zxfrd can run at 100% CPU for a long time.

Conditions:
With a significantly sized database, deletes might be very time-intensive.

Impact:
Because zxfrd takes an excessive amount of time deleting records, it can delay transfer requests.

Workaround:
None.

Fix:
The deletion algorithm has been dramatically improved, removing the significant delay in deletions.


672491 : net resolver uses internal IP as source if matching wildcard forwarding virtual server

Solution Article: K10990182

Component: Global Traffic Manager (DNS)

Symptoms:
If a net resolver is created and contains a forwarding zone that matches an existing wildcard forwarding virtual server, an incorrect internal IP address will be used as the source.

Upon listener lookup for the net resolver, the wildcard virtual server will be matched to the forwarding zone resulting in a loopback IP address being used as the source IP address.

Conditions:
When creating an AFM policy that restricts FQDNs, a net resolver is needed to resolve the FQDNs. If the forwarding zone of this net resolver matches a wildcard server, DNS queries from the net resolver will use a loopback IP address as the source IP address.

Impact:
Failed DNS queries as a result of incorrect source IP address.

Workaround:
None.

Fix:
This issue was resolved by ensuring that listener lookup matches only exact IP addresses, not wildcards.


672176 : Removed long deprecated metric with typo: "occurences"

Component: Application Visibility and Reporting

Symptoms:
In BIG-IP v11.6.0, a new metric, occurrences, was added to ASM statistics. However, the metric name had a typo ('occurences'), so it was replaced by a metric with the correct spelling 'occurrences'. The misspelled one was kept for backward compatibility, in case anyone had used that metric name in a tmsh command or GUI widget.

Conditions:
ASM statistics with the misspelled 'occurences' entry.

Impact:
Misspelled word.

Workaround:
None.

Fix:
Even though the deprecated name was not available as auto-complete for many versions, it has now been removed completely. Existing scripts that may use automated tmsh commands with the misspelled metric name will fail with an error.

Behavior Change:
Even though the deprecated name 'occurences' was not available as auto-complete for many versions, it has now been removed completely. Existing scripts that might use automated tmsh commands with the misspelled metric name will fail with an error.


672124 : Excessive resource usage when BD is processing requests

Solution Article: K12403422


671839 : Support client side end point inspection for Microsoft Office Applications

Component: Access Policy Manager

Symptoms:
Microsoft Office Applications can be authenticated through BIG-IP APM, but End Point inspection for Office applications is not supported on Windows.

Conditions:
1. Microsoft Office Applications are authenticated through BIG-IP APM.
2. Access policy has End Point Inspection agents.

Impact:
End Point inspection cannot be run for Office Applications.

Workaround:
There is no workaround at this time.

Fix:
APM now supports End Point inspection agents for the access policy protecting Microsoft Office Applications running on Windows.


671741 : LCD on iSeries devices can lock at red 'loading' screen.

Component: TMOS

Symptoms:
When TMOS is under stress conditions, the LCD on iSeries devices can lock at a red 'loading' screen.

Conditions:
-- iSeries platforms.
-- Device under stress.

Impact:
The LCD on iSeries devices can lock at a red 'loading' screen. An appliance power cycle is required to correct the error.

Workaround:
None. You must power cycle the device to correct the condition.

Fix:
This issue is resolved.


671716 : UCS version check was too strict for IPS hitless upgrade

Component: Protocol Inspection

Symptoms:
When upgrading from one minor release to another (e.g., from 13.1 to 13.2), the UCS upgrade of IPS IM packages fails.

Conditions:
During upgrade from one minor release to another.

Impact:
The default library is used instead of the most recently updated IM/IPS library from the previous build.

Workaround:
Install the IM package available for that new release.


671627 : HTTP responses without body may contain chunked body with empty payload when processed by Portal Access.

Solution Article: K06424790

Component: Access Policy Manager

Symptoms:
Some HTTP responses do not contain any body. For instance, responses with status codes 1xx, 204, or 304 must not include a body. Portal Access adds a 'Transfer-Encoding: chunked' header and may add a chunked body with an empty payload to such responses.

Conditions:
HTTP response without a body processed by Portal Access.

Impact:
Most browsers ignore the invalid 'Transfer-Encoding' header and/or body on responses that must not include a body at all. However, some traffic validators may refuse to pass invalid responses.

Workaround:
Use an iRule to remove 'Transfer-Encoding' header and/or body from HTTP responses with status codes 1xx, 204, and 304.

Fix:
Now Portal Access does not add invalid 'Transfer-Encoding' header and/or body to responses which have no body.
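The rule this entry relies on, as an added example that is not F5 or Portal Access code: a small validator that flags a 'Transfer-Encoding' header or any body on a 1xx/204/304 response and strips them, which is what a traffic validator checks and what the iRule workaround rewrites; the 304 response below is constructed.

```python
"""Added example (not F5 code): detect and strip the invalid 'Transfer-Encoding'
header and empty chunked body on responses that must not carry a body
(status 1xx, 204, 304)."""
from typing import List, Tuple

CRLF = b"\r\n"
NO_BODY_STATUS = {204, 304}


def is_bodiless_status(code: int) -> bool:
    """True for status codes that must not include a message body."""
    return 100 <= code < 200 or code in NO_BODY_STATUS


def parse_response(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a raw HTTP/1.1 response into status line, header pairs and body."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("malformed response: no end of headers")
    status_line, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def status_code(status_line: bytes) -> int:
    return int(status_line.split(maxsplit=2)[1])


def find_violations(raw: bytes) -> List[str]:
    """Report why a bodiless response is invalid; an empty list means it is fine."""
    status_line, headers, body = parse_response(raw)
    code = status_code(status_line)
    problems: List[str] = []
    if not is_bodiless_status(code):
        return problems
    names = {name.lower() for name, _ in headers}
    if b"transfer-encoding" in names:
        problems.append(f"Transfer-Encoding header on {code} response")
    if body:
        problems.append(f"{len(body)} body bytes on {code} response")
    return problems


def sanitize(raw: bytes) -> bytes:
    """Drop Transfer-Encoding and any body from a bodiless response; pass others through."""
    status_line, headers, body = parse_response(raw)
    if not is_bodiless_status(status_code(status_line)):
        return raw
    kept = [name + b": " + value for name, value in headers
            if name.lower() != b"transfer-encoding"]
    return CRLF.join([status_line, *kept]) + CRLF + CRLF


# Constructed sample of the defect: a 304 carrying a chunked header plus an empty chunk.
BAD_304 = (b"HTTP/1.1 304 Not Modified\r\n"
           b"ETag: \"abc123\"\r\n"
           b"Transfer-Encoding: chunked\r\n"
           b"\r\n"
           b"0\r\n\r\n")
```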


671597 : Import, export, copy and delete is taking too long on 1000 entries policy

Component: Access Policy Manager

Symptoms:
Huge policies with 10^3 items are impossible to import, export and copy.

Conditions:
When an access policy has 1000+ entries.

Impact:
Import, export and copy are abandoned or fail due to out of memory condition.

Workaround:
Use ng_export, ng_import and ng_profile rather than UI to import/export.

Fix:
ng_export is now 5 times faster.
ng_import and ng_profile are now 50 times faster because they avoid denormalisation and include optimisations.

ng_export should still be run from the console.


671498 : BIND zone contents may be manipulated

Solution Article: K02230327


671497 : TSIG authentication bypass in AXFR requests

Solution Article: K59448931


671447 : ZebOS 7 Byte SystemID in IS-IS Restart TLV may cause adjacencies to not form

Component: TMOS

Symptoms:
When using a BIG-IP system configured in an IS-IS network, adjacencies may fail to form with other vendors' devices.

Conditions:
-- BIG-IP configured to participate as a peer in an IS-IS network.
-- IS-IS peers perform strict validation on the length of the Restart TLV.
-- The SystemID used by the BIG-IP system is of length 7 instead of 6. (ZebOS uses a 7-Byte SystemID.)

Impact:
IS-IS adjacencies may not form.

Workaround:
None.

Fix:
The BIG-IP system now uses a correct SystemID length in the Restart TLV.


671323 : Reset PIN Fail if Token input field is not 'password' field

Component: Access Policy Manager

Symptoms:
The user is not able to reset the PIN when the password source field in the RSA SecurID or RADIUS Auth agent is not set to the default value (%{session.logon.last.password}).

Conditions:
- APM is licensed and provisioned.
- RSA SecurID or RADIUS Auth agent is included in an access policy.
- Password source field in this agent is changed to a custom value.
- APM end user is challenged to reset the PIN or reenter the PIN/token.

Impact:
APM end users cannot reset the PIN or do not get authenticated.

Workaround:
There is no workaround other than not changing the default value in the password source field of the RADIUS or RSA SecurID auth agent.

Fix:
APM end users can now successfully reset the PIN or reenter the token. They can also use custom password session variables for authentication.


671314 : BIG-IP system cores when sending SIP SCTP traffic

Solution Article: K37093335

Component: TMOS

Symptoms:
Virtual servers with an SCTP profile and a SIP message-routing profile may crash the TMM.

Conditions:
This flaw affects virtual servers that pass SCTP traffic, where the SIP message-routing profile has the record-route option enabled.

Impact:
TMM crashes and fails over, disrupting traffic processing. Traffic disrupted while TMM restarts.

Workaround:
Remove the record-route option, or change the traffic to use TCP or UDP instead of SCTP.

Fix:
This crash has been fixed.


671212 : P+NAB-12.1.1-IE9 truncating request if path does not end with "/"

Component: Fraud Protection Services

Symptoms:
SR 1-3168243165

Conditions:
Only one URL of the form "/path/to/resource/" or "/path/to/resource" is configured as protected.

Impact:
URLs which are equivalent by RFC are treated as different by FPS, which hinders FPS protection.

Workaround:
Configure both URLs:

/path/to/resource/
/path/to/resource

as protected with identical configuration.

Fix:
FPS matching now ignores trailing slashes, and disallows trailing slashes in configured URLs.


671044-1 : FIPS certificate creation can cause failover to standby system

Solution Article: K78612407

Component: TMOS

Symptoms:
FIPS certificate creation can cause failover or outage of a system under heavy load. The certificate creation could take longer than the default timeout, causing TMOS to think the FIPS chip is locked up.

Conditions:
Creating a FIPS certificate while the system is handling a high FIPS traffic load.

Impact:
Possible failover from active to standby, or an outage if there is no standby system, or if the certificate creation causes both active and standby systems to time out.

Workaround:
Setting crypto.queue.timeout to 2000 will avoid this problem. The actual timeout needed depends on the system type and how heavily loaded the FIPS chip is. 2000 should be more than sufficient for all currently supported BIG-IP platforms under high load.

Fix:
FIPS certificate creation no longer causes failover to standby system under these conditions.


671013 : Cannot see and edit the interface description in the GUI

Component: TMOS

Symptoms:
The interface description can be set in TMOS but not in the UI, and the TMOS-set description cannot be seen in the UI.

Conditions:
Attempting to view description information about an interface in the UI.

Impact:
There is no clear indicator in the UI of which physical interface maps to which cloud interface.

This makes the implementation more prone to configuration errors, and it could take longer to troubleshoot service-affecting interface failures.

Workaround:
Set the interface description in TMOS.

Fix:
A Description field was added to the Network Interface properties page, where it is editable; it is also viewable on the Network Interface list page.


670781 : Support for SIP method SERVICE and BENOTIFY

Component: Service Provider

Symptoms:
SERVICE and BENOTIFY SIP requests are dropped.

Conditions:
SERVICE and BENOTIFY SIP requests sent by the SIP UAC.

Impact:
SERVICE and BENOTIFY SIP requests will not be processed.

Workaround:
None.

Fix:
The MRF SIP Parser is extended to support two new SIP methods: SERVICE and BENOTIFY. The new stats for these methods are added.

Details of these methods can be found in this Microsoft-provided document:

https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SIP/[MS-SIP].pdf


670757 : TMM crash from a possible memory corruption.

Component: TMOS

Symptoms:
When APM resumes an iRule event from an asynchronous session data lookup, the resumption fails due to a bad memory access resulting in a crash.

Conditions:
The following must be true for this to happen:
- APM provisioned and licensed.
- Use of APM iRule events.
- Session data lookup from iRule events.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None identified yet.

Fix:
Fixed internals for 'session lookup' iRule command to prevent possible memory corruption with other iRule commands.


670366 : Security Banner Text omits some non-English characters

Component: TMOS

Symptoms:
Some non-English characters in the Security Banner Text may be omitted when displaying them.

Conditions:
Entering some non-English characters in the Security Banner Text.

Impact:
Some of the non-English characters may be omitted when displaying the Security Banner Text.

Workaround:
Use only English characters in the Security Banner Text.

Fix:
The Security Banner Text no longer skips some non-English characters.


670197 : IPsec: ASSERT 'BIG-IP_conn tag' failed

Component: TMOS

Symptoms:
When using IPsec, tmm asserts with 'BIG-IP_conn tag' failed.

Conditions:
The conditions under which this assert occurs when using IPsec are unknown.

Impact:
The tmm restarts and all connections are reset. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
When using IPsec, tmm no longer asserts with 'BIG-IP_conn tag' failed.


670103 : No way to query logins to BIG-IP in TMUI

Component: TMOS

Symptoms:
Cannot use the GUI to query logins to the BIG-IP system based on a time range or a specific user.

Conditions:
-- Using the GUI.
-- Gathering login information.

Impact:
No support for queries.

Workaround:
None.

Fix:
Added support for using the GUI to query logins to the BIG-IP system.

Behavior Change:
The ability to query logins on the BIG-IP, using the GUI, was added at System >> Logins : History. Users can query all available login data that is present on the BIG-IP. This information can be filtered by time, username, status, access method, and host.


669917 : Upgrade failure at Client SSL profile "cannot contain more than one set of same certificate/key type."

Component: TMOS

Symptoms:
When upgrading the system, the clientssl profile /Common/crypto-server-default-clientssl might have an incorrect structure: it contains two RSA cert-key-chain entries and no cert and key outside the cert-key-chain block, so it fails validation during the upgrade.

For example, the following shows the incorrect structure.

    ltm profile client-ssl /Common/crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert-key-chain {
            default { <========== the 1st RSA cert-key-chain
                cert /Common/default.crt
                key /Common/default.key
            }
            default_SHA2 { <========== the 2nd RSA cert-key-chain
                cert /Common/default_SHA2.crt
                key /Common/default_SHA2.key
            }
        }
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from /Common/clientssl
        inherit-certkeychain false
        renegotiate-period 21600
    }

Conditions:
1. The system is being upgraded from a version that is greater than or equal to 11.6.0, where the clientSSL profile /Common/crypto-server-default-clientssl was introduced.
2. The user has customized configuration on the clientSSL profile /Common/crypto-server-default-clientssl, i.e., /Common/crypto-server-default-clientssl appears in the /config/bigip.conf file.

Impact:
Upgrade failure at Client SSL profile "cannot contain more than one set of same certificate/key type."

Workaround:
The workaround is to remove the additional default certkeychain and manually add "cert xxxxxxxx" and "key xxxxxxxxx".

In particular, modify /config/bigip.conf and change the profile to

    ltm profile client-ssl /Common/crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert /Common/default_SHA2.crt <======== add this
        cert-key-chain {
            default_SHA2 { <=========== leave only one RSA certkeychain here
                cert /Common/default_SHA2.crt
                key /Common/default_SHA2.key
            }
        }
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from /Common/clientssl
        inherit-certkeychain false
        key /Common/default_SHA2.key <========= add this
        renegotiate-period 21600
    }

and then do "tmsh load sys conf" again.


669585-2 : The tmsh sys log filter is unable to display information in uncompressed log files.

Component: TMOS

Symptoms:
You notice missing log information when reviewing system logs using the tmsh show sys log command.

Conditions:
One or more of the BIG-IP system backup log files, designated with .1, .2, etc., are not compressed.
Note: Backup log files should end with the .gz extension. For example, ltm.1.gz.
You use the tmsh show sys log command to view log information for one or more days in the past.

Impact:
Unable to view the full range of backup log information.

Workaround:
Log in to the Advanced shell (bash).
To ensure all backup logs for a particular log type are compressed, use the following command syntax:

gzip /var/log/<log>.*

For example, to compress the full set of backup logs for the ltm log type, type the following command:

gzip /var/log/ltm.*

Note: The following message is expected if a log file is already compressed: gzip: /var/log/<log>.gz already has .gz suffix -- unchanged

Fix:
The log reading mechanism is now more flexible: it looks for both compressed (ending in .gz) and uncompressed (ending in .#) log files.


669462 : Error adding /Common/WideIPs as members to GTM Pool in non-Common partition

Component: TMOS

Symptoms:
Unable to use Pool Members from /Common/ when outside of /Common/.

Conditions:
Adding /Common/WideIPs as members in a non-Common GTM Pool.

Impact:
Unable to use pool-members from /Common/ when outside of /Common/.

Workaround:
No workaround at this time.

Fix:
Fixed issue preventing users from using GTM pool-members within /Common/ on GTM Pools outside of /Common/


669288-2 : Cannot run tmsh utils unix-* commands in Appliance mode when /shared/f5optics/images does not exist.

Solution Article: K76152943

Component: TMOS

Symptoms:
From tmsh, running util unix-ls /var/log fails with the following error:

exception: (Failed to canonicalize "/shared/f5optics/images") (util/RealpathHelper.cpp, line 49), continuing...
Data Input Error: /var/log is not an accessible directory for the current mode.

Conditions:
-- A BIG-IP system configured for Appliance mode.
-- Upgrading from a pre-v12.x to v12.x or later.
-- Using a platform that does not have a /shared/f5optics/images directory.

These include the following BIG-IP blades and appliances:
B4400, i4x00, i10x00, i2x00, i7x00, i5x00

Impact:
There is no shell access to the file system when the BIG-IP system is in Appliance mode. This is the intended purpose of Appliance mode. Therefore, unix-* commands are the only way to list directories, and perform other operations specific to the operating system.

Workaround:
To work around this issue, create the /shared/f5optics/images directory. To do so, do the following:

 1. Boot the BIG-IP system into single-user mode.

 2. Create the directory /shared/f5optics/images with the following command:
  mkdir -m 777 -p /shared/f5optics/images

 3. Reboot the BIG-IP system, and allow it to start up normally.

Fix:
The reported exception does not occur, and unix-* commands issued in Appliance mode run as expected.


669268-1 : Failover in the same availability zone of AWS may fail when AWS services are intermittently available.

Component: TMOS

Symptoms:
Intermittently available AWS services may lead to failure of curl requests to AWS or ec2 tools commands, resulting in failure of failover. As a result, public EIPs (for virtual servers) might remain pointing to the standby BIG-IP system.

Conditions:
AWS services are intermittently available.

Impact:
Failure of failover. Traffic will be routed to the standby BIG-IP system and lost.

Workaround:
Manually fail the systems over until failover succeeds at the desired BIG-IP system.


669255 : An enabled sFlow receiver can cause poor TMM performance on certain BIG-IP platforms

Solution Article: K20100613

Component: TMOS

Symptoms:
If the BIG-IP configuration includes at least one enabled sFlow receiver, certain platforms will experience poor TMM performance. Symptoms will include one or more of the following:

- Higher than normal ping latency to the BIG-IP Self-IP addresses.
- Higher than normal latency for applications flowing through BIG-IP virtual servers.
- TMM clock advanced messages in the /var/log/ltm file.
- Continuous activation and then quick deactivation of the idle enforcer for all TMM instances in the /var/log/kern.log file.

Conditions:
The BIG-IP configuration must include at least one enabled sFlow receiver (it doesn't matter whether this is reachable or not) and the platform type must be one of the following:

- BIG-IP i10000 series
- BIG-IP i7000 series
- BIG-IP i5000 series
- BIG-IP i4000 series
- BIG-IP i2000 series
- VIPRION B4450 blade

Impact:
The BIG-IP system operates at a suboptimal performance level.

Workaround:
If the sFlow receiver is not strictly necessary for the correct functioning of your deployment, this can be disabled or removed to work around the issue.

Fix:
Performance is no longer degraded on certain platforms when the configuration includes enabled sFlow receivers.


668826 : File named /root/.ssh/bigip.a.k.bak is present but should not be

Component: TMOS

Symptoms:
In AWS instances, a file, /root/.ssh/bigip.a.k.bak, is present that should not be. It is harmless to users other than being confusing.

Conditions:
After the first boot, this file should be deleted, but it is not.

Impact:
No real impact other than possibly confusion as this file isn't used in this environment. The file does not contain any sensitive data as it's a dangling symlink.

Workaround:
No workaround is needed, as the presence of the file is harmless. Users can manually remove this file if desired.

Fix:
This file is no longer present, which is the correct state.


668737 : Advisory color Yellow added to Configuration Utility

Component: TMOS

Symptoms:
Yellow is not available as a valid choice for advisory banners in the Configuration Utility.

Conditions:
When using the advisory banner in the Configuration Utility GUI, located at System :: Configuration.

Impact:
Cannot render the advisory message with a yellow color.

Workaround:
There is no workaround at this time.

Fix:
The system now supports Yellow as a valid option for the advisory banner.


668624 : The Configuration Utility now disables the TLS 1.0 protocol by default

Component: TMOS

Symptoms:
The TLS 1.0 protocol was removed from the list of SSL protocols allowed by default in the management utility. This impacts the iControl REST API, and if you are using configuration management tools like Ansible (which uses Python) compiled with an older OpenSSL version, this will cause the client to suddenly fail to connect with an error similar to the following: SSLError: EOF occurred in violation of protocol.

The protocol defaults can be seen with the following tmsh command:

# tmsh list sys httpd ssl-protocol
sys httpd {
   ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
}

Conditions:
This can occur when connecting to the configuration utility, including using the iControl REST API, with an HTTPS client that is not compiled with TLS 1.1 or TLS 1.2 support.

Impact:
BIG-IP systems refuse to allow TLSv1 connections, so the client will be unable to connect. This will most likely be encountered as a sudden inability to connect after upgrading.

Workaround:
While TLS 1.0 can be re-enabled on BIG-IP systems via the 'tmsh modify sys httpd ssl-protocol' command, this is not advised because the protocol is past the end-of-life date. It is highly recommended to upgrade the OpenSSL version on all client devices that connect to the BIG-IP configuration utility.

Fix:
TLS 1.0 is no longer in the default SSL protocols list, and all SSL clients need to have support for TLS 1.1 or 1.2 or they will be unable to connect.

Behavior Change:
The configuration utility no longer allows the TLS 1.0 protocol by default. The following tmsh command shows the before and after settings:

Prior to version 14.0.0:

# tmsh list sys httpd ssl-protocol
sys httpd {
   ssl-protocol "all -SSLv2 -SSLv3"
}

Beginning in version 14.0.0:

# tmsh list sys httpd ssl-protocol
sys httpd {
   ssl-protocol "all -SSLv2 -SSLv3 -TLSv1"
}

All clients connecting via SSL must have support for TLS 1.1 or 1.2 or they will be unable to connect.


668276 : BIG-IP does not display failed login attempts since last login in GUI

Component: TMOS

Symptoms:
The BIG-IP does not have a mechanism in the GUI to display information about login attempts.

Conditions:
n/a

Impact:
Administrators cannot use the GUI to evaluate login attempts to the BIG-IP.

Workaround:
Administrators can view the logs at /var/log/secure.

Fix:
New GUI pages were created to allow administrators, resource admins, and auditors to view information about login attempts to the BIG-IP. These pages are available at System >> Logins in the GUI.
The user logins summary, available at System >> Logins : Summary can be set as the default start screen for BIG-IP users. However, this process is not as straightforward as other pages, as these pages are available only to users with a role of admin, resource admin, or auditor. Because of these restrictions, setting this page as default is accomplished by setting a DB variable, UI.Users.RedirectSuperUsersToAuthSummary, to true.
When this DB variable is set to true, users with roles of admin, resource admin, or auditor will be redirected to the System >> Logins : Summary page. Users with other roles will be redirected to the Start Screen that is set in System >> Preferences.


668273 : Logout button not available in Configuration Utility when using Client Cert LDAP

Solution Article: K12541531

Component: TMOS

Symptoms:
When the BIG-IP system is configured to use the Client Cert LDAP for Remote Authorization, the Logout button is not available.

Conditions:
A BIG-IP system is configured to use Client Cert LDAP for Remote Authorization.

Impact:
BIG-IP system users cannot end the session on the BIG-IP system.

Workaround:
Close all windows to end the session.

Fix:
Now, when the BIG-IP system is configured to use Client Cert LDAP as the Remote Auth method, there is a Logout button in the window, and when the Logout button is clicked, the system displays a modal window to instruct the user on how to end the session.


668184 : Huge values are shown in the AVR statistics for ASM violations

Component: Application Security Manager

Symptoms:
Huge values are shown in the AVR statistics for ASM violations.

Conditions:
Out-of-memory condition in the ASM. Some other extreme conditions might also cause this behavior.

Impact:
ASM violation numbers are incorrectly reported.

Workaround:
None.

Fix:
An issue with bd sending wrong numbers to AVR was fixed.


668060 : DNS Pool members do not show up in DNS statistics table

Component: TMOS

Symptoms:
In DNS statistics, the pool members list shows only type A members, even if there are non-A members.

Conditions:
DNS pools having non-A members.

Impact:
Cannot see the stats for non-A members of pools in DNS Statistics. This is misleading when pools have non-A members that do not show up.

Workaround:
Use tmsh to get stats information.

Fix:
Both new dashboard and legacy dashboard (Flash) have this issue. This fix addresses only the new dashboard, which will show all pool members no matter their types.


668004 : GUI: Allowed edit for NAT section in logging profile for users with Manager role

Component: Advanced Firewall Manager

Symptoms:
NAT section cannot be edited by a user with Manager role.

Conditions:
-- BIG-IP user account configured with the Manager role.
-- Attempting to edit the NAT section in a logging profile.

Impact:
A user with the Manager role cannot edit the NAT section on the logging profile page.

Workaround:
Use tmsh to accomplish the task.

Fix:
The Manager role now has write access to the NAT section only in logging profiles.


667788 : System offline after deleting the datasync-global-dg device-group and manually re-creating it

Component: TMOS

Symptoms:
If the datasync-global-dg device-group is accidentally deleted and then manually re-created, other devices in the trust-domain might lose the datasync configuration, and go Offline until a workaround is applied or system is rebooted.

Conditions:
This might happen if the datasync-global-dg device-group is accidentally deleted and then manually re-created.

Note: This device-group should never be deleted.

Impact:
The devices might go offline.

Workaround:
Perform this procedure from the device in the Offline state:
1. Run the following command:
 tmsh save sys config
2. Run the following command:
 tmsh load sys config
3. If system is Offline, wait approximately 3 minutes until the system is ACTIVE. Otherwise, wait a few seconds.
4. Run the following command again:
 tmsh save sys config
5. Perform a force sync of datasync-global-dg. To do so:
   a. Log in to the GUI of the same device (the device that was previously Offline).
   b. Select 'Sync Device to Group'.
   c. Make sure 'Overwrite Configuration' is checked.
   d. Click 'Sync'.
6. Wait until the devices are ACTIVE and 'In Sync'.

Fix:
The system no longer allows deleting the datasync-global-dg device-group: a configuration exception is thrown in this case.


667779 : iRule commands may cause the TMM to crash in very rare situations.

Component: Local Traffic Manager

Symptoms:
A TMM crash may occur in very rare situations.

Conditions:
A Tcl iRule command is used.

Impact:
A TMM Core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Tcl iRule commands are more robust to extreme scenarios within the TMM.


667770 : SIGSEGV to tmm when performing multiple, repeated SSL profile updates, or during UCS restore

Solution Article: K12472293

Component: Local Traffic Manager

Symptoms:
The BIG-IP system sends a SIGSEGV to the TMM process when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).

Conditions:
-- Configuration contains a combination of SSL profiles and AVR.

-- Performing multiple, repeated SSL profile updates, or during UCS restore.

Impact:
The BIG-IP system sends a SIGSEGV to the TMM process. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.

Fix:
TMM no longer halts and restarts when performing multiple change operations on configurations that contain a combination of SSL profiles and AVR (analytics).


667700 : Web UI: PEM rule page only displays webroot categories for classification filter. Websense categories are not displayed

Component: Policy Enforcement Manager

Symptoms:
The PEM rule page displays only Webroot categories for the classification filter; Websense categories are not displayed, so the user cannot create a PEM rule with Websense classification filters from the Web UI.

Conditions:
Creation of PEM rule with classification filter from Web UI

Impact:
None. The user can update the configuration from TMSH.

Workaround:
Use TMSH to add a Websense classification filter to a PEM rule.

Fix:
The GUI now displays and allows addition of both Websense and Webroot classification filters on the PEM rule page.


667542 : DNS Express does not correctly process multi-message DNS IXFR updates.

Component: Global Traffic Manager (DNS)

Symptoms:
If DNS Express sends an IXFR query to a DNS server, and that server responds with an IXFR update that is larger than one DNS message, DNS Express processes only the first message.

DNS Express then updates the SOA serial number to match that of the IXFR, marks the IXFR as successful and the Zone as 'Green'.

There is no indication that the IXFR was incomplete.

DNS Express might then have, and might serve, incorrect data for that Zone.

Conditions:
An IXFR response from a DNS server spans multiple DNS messages.

Note: This is not a common condition, but it is possible.

Impact:
This might result in incomplete or otherwise inaccurate Zone data, which DNS Express will serve.

Workaround:
Note: Although this does have a workaround, there is no way for you to determine that the Zone is complete other than to query the entire zone and compare it to the zone from the master DNS server.

To work around this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.

This triggers a full transfer (AXFR) of the zone, as well as all the other zones.

Fix:
The system now continues the processing of DNS messages until the closing SOA RR is encountered.
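The following is an added example, not F5 code, of what the fix describes: an IXFR response is consumed message by message and is treated as complete only once the closing SOA RR has been seen. Records are modelled as (owner, type, rdata) tuples with the SOA serial as rdata, the two-message response is constructed for the example, and the `stop_after_first` flag reproduces the pre-fix behaviour of processing only the first message.

```python
"""Added example (not F5 code): tracking an IXFR response across several DNS messages
and treating the transfer as complete only when the closing SOA is seen (667542).
Records are modelled as (owner, type, rdata) tuples; for SOA, rdata is the serial."""
from typing import List, Optional, Tuple

RR = Tuple[str, str, object]


class IxfrTransfer:
    """State machine over the IXFR record stream (RFC 1995 section 4):
    SOA(new) [ SOA(old) deletions SOA(newer) additions ]* SOA(new).
    A server may instead answer with a full zone: SOA(new) records SOA(new)."""

    def __init__(self) -> None:
        self.final_serial: Optional[object] = None
        self.phase = "start"   # start, chunk_or_end, deletes, adds, full_zone, done
        self.deletions: List[RR] = []
        self.additions: List[RR] = []

    @property
    def complete(self) -> bool:
        return self.phase == "done"

    def feed(self, message: List[RR]) -> None:
        """Consume one DNS message of the response; call once per message."""
        for rr in message:
            self._feed_rr(rr)

    def _feed_rr(self, rr: RR) -> None:
        _owner, rtype, rdata = rr
        is_soa = rtype == "SOA"
        if self.phase == "done":
            raise ValueError("record after closing SOA")
        if self.phase == "start":
            if not is_soa:
                raise ValueError("IXFR response must begin with SOA")
            self.final_serial = rdata          # serial the zone must end up at
            self.phase = "chunk_or_end"
        elif self.phase == "chunk_or_end":
            if not is_soa:                     # full-zone style answer
                self.additions.append(rr)
                self.phase = "full_zone"
            elif rdata == self.final_serial:   # SOA(new) again: closing SOA
                self.phase = "done"
            else:                              # SOA(old): a diff chunk begins
                self.phase = "deletes"
        elif self.phase == "full_zone":
            if is_soa and rdata == self.final_serial:
                self.phase = "done"
            else:
                self.additions.append(rr)
        elif self.phase == "deletes":
            if is_soa:                         # SOA(newer): additions follow
                self.phase = "adds"
            else:
                self.deletions.append(rr)
        elif self.phase == "adds":
            if not is_soa:
                self.additions.append(rr)
            elif rdata == self.final_serial:   # closing SOA
                self.phase = "done"
            else:                              # SOA(old) of the next chunk
                self.phase = "deletes"


def apply_ixfr(messages: List[List[RR]], stop_after_first: bool = False) -> IxfrTransfer:
    """stop_after_first reproduces the pre-fix behaviour of consuming only message 1."""
    transfer = IxfrTransfer()
    for msg in (messages[:1] if stop_after_first else messages):
        transfer.feed(msg)
    return transfer


# Constructed two-message IXFR response (zone and addresses are documentation values).
MESSAGES: List[List[RR]] = [
    [("example.com.", "SOA", 2018091902),
     ("example.com.", "SOA", 2018091901),
     ("old.example.com.", "A", "192.0.2.10"),
     ("example.com.", "SOA", 2018091902),
     ("new.example.com.", "A", "192.0.2.20")],
    [("new2.example.com.", "A", "192.0.2.21"),
     ("example.com.", "SOA", 2018091902)],
]

if __name__ == "__main__":
    partial = apply_ixfr(MESSAGES, stop_after_first=True)
    full = apply_ixfr(MESSAGES)
    print("first message only: complete =", partial.complete, "phase =", partial.phase)
    print("all messages: complete =", full.complete,
          "adds =", len(full.additions), "dels =", len(full.deletions))
```

After the first message alone the transfer is still in the `adds` phase, which is the state a correct implementation must refuse to mark as successful; only after the second message, which carries the closing SOA, does `complete` become true.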


667469 : Higher than expected CPU usage when using DNS Cache

Solution Article: K35324588

Component: Global Traffic Manager (DNS)

Symptoms:
CPU usage shows higher than expected usage when using the DNS Cache.

Conditions:
Usage of any of the 3 DNS Cache types, particularly on chassis with multiple blades.

Impact:
Higher than expected CPU usage.

Workaround:
No workaround at this time.

Fix:
Improvements have been made to the efficiency of the DNS Cache inter-tmm mirroring. These efficiencies may result in better CPU utilization and/or higher responses per second.


667414 : JSON learning of parameters in WebSocket context is not working

Component: Application Security Manager

Symptoms:
When a JSON parameter arrives in WebSocket, it is not sent to policy builder, and thus is not learned.

Conditions:
1. WebSocket traffic contains JSON data.
2. In the JSON profile, parse parameter is enabled.

Impact:
JSON parameter arriving in WebSocket is not learned.

Workaround:
None.

Fix:
The system now correctly reports a JSON parameter that arrives in WebSocket to the policy builder, so it is learned.


667353-1 : Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table

Component: Advanced Firewall Manager

Symptoms:
Intermittent TMM crash when AFM dynamic (behavioral) signature is enabled and past attack signatures incorrectly exist in the correlation stats table. The crash is a TMM self-abort caused by memory corruption in one of the TMSTAT tables AFM uses for correlating dynamic signatures.

Conditions:
The following sequence triggers the TMM self-abort in one of the TMSTAT tables:

a) A set of N dynamic signatures is generated (a few contexts).

b) When the attack stops, the current set of signatures is moved to the 'past' attack state.

c) If TMM restarts in between (or receives the MCP config again, e.g., via a config load), these past attack signatures are incorrectly created in the TMSTAT table that is used only for current attack signatures. This is the cause of the issue.

d) A new attack appears that partly overlaps with the 'past' signatures, and this corrupts that TMSTAT table over a period of time.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.

Fix:
This issue is fixed: past attack signatures are never created in the correlation stats table (even under the conditions described above).


667284 : Authentication statistics and logs added to Configuration Utility

Component: TMOS

Symptoms:
Information about failed login attempts to the BIG-IP system is not available in the Configuration Utility.

Conditions:
When using the Configuration Utility GUI.

Impact:
Administrators cannot easily determine whether there have been failed login attempts on the BIG-IP system.

Workaround:
Read logs in /var/log/security.

Fix:
New pages were created in the Configuration Utility that provide a view of successful and failed login attempts on the BIG-IP system.


667257 : CPU Usage Reaches 100% After Traffic Flowed Into CGNAT

Component: TMOS

Symptoms:
CPU usage reaches 100% after traffic flows into CGNAT. The issue is with re-offloading to ePVA.

Conditions:
-- CGNAT configured.
-- Most traffic is FastL4 forwarding deterministic LDNS.
-- ePVA hardware is in use.

Impact:
Default configurations may suddenly show higher CPU performance profile usage after upgrade.

Workaround:
None.

Fix:
The following db variables have been added to control re-offload behavior:

sys db pva.reoffload.delay {
    value "5"
}
sys db pva.reoffload.exponential {
    value "true"
}

pva.reoffload.delay is in seconds. This is the amount of time that needs to expire before TMM attempts to re-offload the flow to the ePVA.

If pva.reoffload.exponential is 'true', then on a collision there is an exponential backoff (5 seconds, 10 seconds, 20 seconds, and so on) before the flow is re-offloaded.

If pva.reoffload.exponential is 'false', then there is no backoff, and the flow is re-offloaded after the pva.reoffload.delay expires.


667173-3 : 13.1.0 cannot join a device group with 13.1.0.1

Component: TMOS

Symptoms:
13.1.0.1 cannot form device trust with a 13.1.0 device.

Conditions:
A device running 13.1.0 wanting to establish device trust with a device running 13.1.0.1 or vice versa.

Impact:
Cannot form Device Trust.

Workaround:
13.1.0 cannot initially form device trust with a 13.1.0.1 device. However, if you establish trust from the 13.1.0.1 device and then bring in the 13.1.0 device from 13.1.0.1, you can mitigate this issue. Once trust is formed, there should be no issue.

Fix:
13.1.0.1 now can form device trust with a 13.1.0 device.


667167 : Indirect invocation for History object methods fails using Portal Access

Component: Access Policy Manager

Symptoms:
Web-application does not function as expected, as rule does not rewrite links.

Conditions:
Web-application code contains indirect reference for History object methods. For example:

     hps = history.pushState;
     hps.call(history, {}, "test", "/test-history-pushState-ok.html");

Impact:
Web-application does not function as expected.

Workaround:
Use a custom iRule.

Fix:
The system now supports indirect invocation for History object methods.


667148 : Config load or upgrade can fail when loading GTM objects from a non-/Common partition

Solution Article: K02500042

Component: TMOS

Symptoms:
GTM configuration fails to load.

Conditions:
GTM config referencing non-/Common partition objects from /Common.

Impact:
GTM configuration fails to load, which may keep a system from becoming active.

Workaround:
No workaround.

Fix:
Fixed the issue preventing GTM configurations from loading when non-Common partitioned items are present.


667082 : Dynamic Routing ZebOS using ip ospf <IP> message-digest-key command may fail.

Solution Article: K21090061

Component: TMOS

Symptoms:
Failure occurs when attempting to configure or load OSPF configurations in imish using an interface-level command similar to the following:
ip ospf <IP> message-digest-key <key index> md5 <password>.

Conditions:
This occurs when using the following command:
ip ospf <IP> message-digest-key.

Impact:
The command causes an error and cannot be used or loaded. This may cause OSPFv2 adjacencies to fail.

Workaround:
If possible, use the non-IP version of the interface-level command, similar to the following:
ip ospf message-digest-key <key index> md5 <password>.

Fix:
The BIG-IP system now correctly loads the ZebOS 'ip ospf <IP> message-digest-key' interface-level command.


666908 : Default GTM HTTPS monitor no longer supports EXPORT ciphers

Component: Global Traffic Manager (DNS)

Symptoms:
The default GTM https monitor (and its derivative built-in monitors like https_head_f5) supports EXPORT grade ciphers.

Conditions:
Default GTM HTTPS or its derivative built-in monitors like https_head_f5 are being used to monitor a node that only supports EXPORT ciphers.

Impact:
The node that GTM is monitoring is marked as GREEN/available.

Workaround:
None.

Fix:
Default GTM HTTPS monitor no longer supports EXPORT ciphers.

Behavior Change:
The built-in GTM HTTPS monitor used to support EXPORT ciphers. This meant that monitoring a node that only supported EXPORT ciphers from GTM with the HTTPS monitor would result in the node being marked as GREEN/available. Now the built-in GTM HTTPS monitor (and its derivative built-in monitors like https_head_f5) no longer support EXPORT ciphers. If GTM is monitoring a node that only supports EXPORT ciphers with a default HTTPS monitor (or a derivative built-in like https_head_f5), then the node will be marked DOWN/offline.

Note: If you want to continue monitoring a node from GTM that supports only EXPORT ciphers, you can create a custom HTTPS monitor and define the custom cipherlist field to allow EXPORT ciphers.


666888 : tcpdump may take several seconds to start capturing packets on vCMP guests

Solution Article: K16101312

Component: TMOS

Symptoms:
Running a tcpdump may take 3 or more seconds to start capturing packets.

Conditions:
This issue occurs when all of these conditions are met:
- tcpdump is being run within a vCMP guest on a VIPRION platform.
- The guest has more than one blade in-use.

Impact:
tcpdump takes a slightly longer-than-expected time to start capturing traffic.

Workaround:
Wait several additional seconds to ensure that the tcpdump operation has a sufficient interval to start capturing packets.

Fix:
tcpdump now starts capturing packets sooner.


666494 : Refine PUSH flag settings for sub MSS packets

Component: Local Traffic Manager

Symptoms:
Currently, in Auto mode, PUSH flag is set based on the application/network conditions. The system should instead append a PUSH flag to sub-MSS TCP segments (except 0 length pure ACK) to PUSH small segments faster to the receiving application in auto mode.

Conditions:
Non-HTTP applications sending sub-MSS packets.

Impact:
Non-HTTP applications receive small segments more slowly if the PUSH flag is not present in sub-MSS TCP segments.

Workaround:
None.

Fix:
In Auto Mode, last sub-MSS TCP segments are always appended with PUSH flag.


666310 : Each save operation on the Policy Properties page records extra audit messages in the Audit Log.

Component: Application Security Manager

Symptoms:
When changes are made to 'Security :: Application Security : Policy : Policy Properties' and then saved, some extra audit messages are recorded to 'Security :: Application Security : Policy : Audit : Log'

Conditions:
Click 'Save' button on the Policy Properties page.

Impact:
Extra audit messages are recorded in the Audit Log. This is a cosmetic issue that has no impact on functionality.

Workaround:
None.

Fix:
The previously used policy properties page has been replaced with a new one, so this issue no longer occurs.


665992 : Live Update via Proxy No Longer Works

Solution Article: K40510140

Component: Application Security Manager

Symptoms:
BIG-IP devices that need to use a proxy server to communicate with callhome.f5.com, no longer receive, or check for, automatic updates.

Conditions:
The BIG-IP device is behind a network firewall and outbound communication must be through a proxy.

Impact:
The BIG-IP will not be able to contact the callhome server to check for, or receive, updates.

Workaround:
Updates can be downloaded manually from the F5 Downloads server and installed directly on the BIG-IP.

Fix:
Proxy settings are correctly used when contacting the F5 callhome server.


665470 : Failed to load sample requests on the Traffic Learning page when the VIOL_MALICIOUS_IP violation is raised

Component: Application Security Manager

Symptoms:
Sample requests for malicious IP address violations fail to load on the Traffic Learning page in a specific case.

Conditions:
-- IP intelligence is turned on.
-- Logging is turned off.

Impact:
Requests that should be learned are not.

Workaround:
Turn on logging.

Fix:
The system now learns malicious IP address requests on the Traffic Learning page when IP intelligence is turned on and logging is turned off.


665366 : ltmVirtualServStatCurrentConnsPerSec statistic is maintained only for rate-limited virtuals

Component: TMOS

Symptoms:
When the LTM virtual server statistic table is accessed through SNMP, the CurrentConnsPerSec counter is meaningful only for virtual servers that have rate limiting configured.

Conditions:
When using SNMP to query virtual server statistics.

Impact:
The CurrentConnsPerSec counter will be 0 unless the virtual server has rate limiting enabled. This may be confusing because the statistic's MIB description does not explain the statistic's use.

Workaround:
There is no workaround at this time.

Fix:
The MIB description has been updated.


665362 : MCPD might crash if the AOM restarts

Component: TMOS

Symptoms:
In very rare circumstances, mcpd might crash when the AOM restarts.

Conditions:
This can occur while AOM is restarting.

Impact:
System goes offline for a few minutes.

Workaround:
None.

Fix:
Added error handling to prevent crash. If this error occurs in the future it will not crash, but a restart of mcpd is required.


665354 : Silent reboot, identified with bad_tlp_status and completion_time_out in the sel log

Solution Article: K31190471

Component: TMOS

Symptoms:
The most common symptom is a reboot of the unit without much detail in the normal tmm or ltm logs. From there, inspect the SEL logs. In the SEL logs, you will see a message about a bad_tlp_status, followed shortly by a message about completion_time_out_status.

Those two messages together indicate this known issue.

Conditions:
-- There are empty 10 GB ports or 10 GB ports that have optics but are not connected to a proper link.
-- Running on one of the following platforms: i2600, i2800, i4600, i4800.

Impact:
The unit intermittently reboots.

Workaround:
To prevent the issue from occurring, you must populate all 10 Gb ports with optic cables and ensure they are connecting to a working peer link. A single 10 Gb empty or improperly connected port can cause a system reboot.

If that is not possible, however, there is no workaround, and you must contact F5 Technical Support to request a software update or engineering hotfix.

Important: A device Return Materials Authorization (RMA) will not prevent this issue.

Fix:
There is a BIG-IP system software update to disable the 10 Gb FPGA mac receiver until a valid link is detected. This eliminates the issue and prevents the ultra jumbo packet from being sent to the FPGA datapath.


665040 : F5 iRule signing certificate changed to SHA2

Component: Local Traffic Manager

Symptoms:
Before this version, the F5 iRule signing certificate was SHA1.

Conditions:
Using signed iRules on a version before this.

Impact:
iRule signing less secure

Fix:
iRule signing certificate is now SHA2. No usage interruptions or specific upgrade actions should be necessary.


664528 : SSL record can be larger than maximum fragment size (16384 bytes)

Solution Article: K53282793

Component: Local Traffic Manager

Symptoms:
SSL record containing handshake data can exceed maximum fragment size of 16384 bytes because handshake data is not fragmented.

Conditions:
This usually happens when a large certificate or certificate chain is configured for server or client authentication.

Impact:
SSL handshake will fail with client or server that properly checks the record size.

Workaround:
Use a certificate that is smaller in size.

Fix:
Handshake data is now properly fragmented across records.
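As an added example (not F5 code), the record-layer framing below shows why an unfragmented handshake message fails against a strict peer and what the fix has to do: `to_records` spreads the handshake bytes over records of at most 2^14 bytes, `single_record` reproduces the pre-fix behaviour, and `parse_records` is a receiver that enforces the RFC 5246 limit. The certificate body is a constructed stand-in, not real certificate bytes.

```python
"""Added example (not F5 code): why handshake data must be split into records of at
most 2^14 bytes, as described in 664528. Framing follows RFC 5246 (TLS 1.2)."""
import struct
from typing import List

TLS_HANDSHAKE = 0x16          # record-layer content type for handshake
TLS_VERSION = b"\x03\x03"     # TLS 1.2 on the wire
MAX_FRAGMENT = 16384          # 2^14: maximum TLSPlaintext.length
HS_CERTIFICATE = 11           # HandshakeType certificate


def handshake_message(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type + 3-byte length + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(fragment: bytes) -> bytes:
    """Record header: 1-byte type + 2-byte version + 2-byte length, then the fragment."""
    return bytes([TLS_HANDSHAKE]) + TLS_VERSION + struct.pack("!H", len(fragment)) + fragment


def to_records(handshake_data: bytes, max_fragment: int = MAX_FRAGMENT) -> List[bytes]:
    """Fixed behaviour: handshake bytes are spread over as many records as needed,
    none longer than max_fragment. A handshake message may span record boundaries."""
    return [record(handshake_data[i:i + max_fragment])
            for i in range(0, len(handshake_data), max_fragment)]


def single_record(handshake_data: bytes) -> bytes:
    """Pre-fix behaviour: all handshake data in one record regardless of size.
    The 16-bit length field means anything over 65535 bytes cannot be framed at all."""
    return record(handshake_data)


def parse_records(stream: bytes) -> List[bytes]:
    """A receiver that enforces the record-size limit (RFC 5246 section 6.2.1):
    an oversized record is a record_overflow alert, i.e. the handshake fails."""
    fragments = []
    i = 0
    while i < len(stream):
        if len(stream) - i < 5:
            raise ValueError("truncated record header")
        ctype = stream[i]
        length = struct.unpack("!H", stream[i + 3:i + 5])[0]
        if ctype != TLS_HANDSHAKE:
            raise ValueError(f"unexpected content type {ctype:#x}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record_overflow: length {length} > {MAX_FRAGMENT}")
        fragments.append(stream[i + 5:i + 5 + length])
        i += 5 + length
    return fragments


def reassemble(records: List[bytes]) -> bytes:
    """Concatenate the fragments a strict receiver accepted back into handshake data."""
    return b"".join(parse_records(b"".join(records)))


# Constructed stand-in for a large certificate chain (no real certificate bytes).
BIG_CERT_CHAIN = bytes(range(256)) * 80            # 20480 bytes, more than one record
CERTIFICATE_MSG = handshake_message(HS_CERTIFICATE, BIG_CERT_CHAIN)

if __name__ == "__main__":
    print("fragmented records:", len(to_records(CERTIFICATE_MSG)))
    try:
        parse_records(single_record(CERTIFICATE_MSG))
    except ValueError as err:
        print("unfragmented record rejected:", err)
```

The 20484-byte Certificate message becomes two records (16384 and 4100 bytes of payload) that reassemble to the original, while the single oversized record is rejected by the receiver, which is the handshake failure the release note describes.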


663911 : When running out of memory, MCP can report an incorrect allocation size

Component: TMOS

Symptoms:
If MCP runs out of memory, it may attempt to log how much memory it was allocating when this happened, with a message similar to the following:

Failed to allocate memory for size 260 at clone_message:952.

The memory size indicated in the message may be incorrect.

Conditions:
MCP runs out of memory while attempting an allocation.

Impact:
Misleading logs that make it more difficult to troubleshoot mcpd memory issues.

Workaround:
None.

Fix:
Now logging the correct memory allocation size.


663821 : SNAT Stats may not include port FTP traffic

Solution Article: K41344010

Component: Local Traffic Manager

Symptoms:
Using 'tmsh show ltm snat' command or the GUI, SNAT stats are not updated for port 21 traffic (FTP).

Conditions:
-- SNAT is configured.
-- FTP connections traverse the SNAT.

Impact:
Stats are not incremented in tmsh or the GUI.

Workaround:
None.

Fix:
SNAT Stats now include port FTP traffic, and values are incremented as expected.


663649 : Installer warning messages now printed to stderr rather than stdout

Component: TMOS

Symptoms:
Installer warning messages are printed to stdout rather than stderr.

Conditions:
-- Running a pre-14.0.0 install.
-- A warning is output.

Impact:
It may seem confusing or unconventional to see warnings going to stdout instead of stderr, as might be expected. There is no functional impact, however.

Workaround:
None.

Fix:
Installer warning messages are now printed to stderr rather than stdout.


663535 : Sending ASM cookies with "secure" attribute even without client-ssl profile

Component: Application Security Manager

Symptoms:
ASM cookies are set with the "secure" attribute only when the BIG-IP virtual server uses a client-ssl profile.

Conditions:
ASM is enabled on a virtual server that has no client-ssl profile, so traffic reaches the BIG-IP system in the clear.

Impact:
When the client-side network is encrypted but the network to the ASM virtual server is clear, cookies cannot be set with the "secure" attribute.

Workaround:
There is no workaround at this time.

Fix:
Added an internal parameter, "assume_https", that makes the system always set the "secure" attribute, even when the network to the BIG-IP system is clear.


663366-1 : SEGV fault can occur during tmm 'panic' on i4x00 and i2x00 platforms.

Component: TMOS

Symptoms:
On the i4x00 and i2x00 platforms, TMM can encounter a second SEGV fault while crashing from an initial 'panic'.

Conditions:
-- i4x00 and i2x00 platforms.
-- TMM encounters a second SEGV fault while crashing from an initial 'panic'.

Impact:
TMM is crashing due to a 'panic'. No additional impact, as traffic is already disrupted while tmm restarts.

Workaround:
None.

Fix:
This release fixes the driver shutdown code to prevent SEGV during TMM panic.


662850 : Expat XML library vulnerability CVE-2015-2716

Solution Article: K50459349


662311 : CS alerts should contain actual client IP address in XFF header

Component: Fraud Protection Services

Symptoms:
When no XFF header exists, the alert server will use the sender IP address as the client IP address. Doing so is incorrect behavior because the sender IP address is always the BIG-IP system's IP address. Even if XFF headers exist, the client IP address as known to the BIG-IP system may be missing in the XFF header.

Conditions:
This occurs under either of the following conditions:
-- There is no XFF header in the original request.
-- An XFF header exists, but it does not contain the actual client IP address (as seen by the BIG-IP system).

Impact:
Alert server/BIG-IQ does not show the actual client IP address.

Workaround:
None.

Fix:
FPS now always appends the client IP address to the end of the last XFF header in the alert request. If there is no XFF header, FPS inserts one.
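The header handling the fix describes, written as an added example (not F5 code): the proxy-observed client address is always appended as the final entry of the last X-Forwarded-For header, or a header is inserted if none exists, and a consumer reads only that final entry. Headers are modelled as (name, value) tuples and the sample requests are constructed with RFC 5737 documentation addresses.

```python
"""Added example (not F5 code): carrying and reading the BIG-IP-observed client address
in X-Forwarded-For, as described in 662311."""
from typing import List, Optional, Tuple

Header = Tuple[str, str]
XFF = "X-Forwarded-For"


def _xff_indexes(headers: List[Header]) -> List[int]:
    """Positions of every XFF header (names compare case-insensitively)."""
    return [i for i, (name, _) in enumerate(headers) if name.lower() == XFF.lower()]


def append_client_ip(headers: List[Header], client_ip: str) -> List[Header]:
    """Return a copy of headers in which client_ip is the final entry of the last
    X-Forwarded-For header. If the request carried no XFF header, one is inserted.
    The address is always appended, even if the client already placed it in XFF:
    only the entry added here was observed by the proxy itself."""
    out = list(headers)
    positions = _xff_indexes(out)
    if not positions:
        out.append((XFF, client_ip))
        return out
    last = positions[-1]
    name, value = out[last]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    entries.append(client_ip)
    out[last] = (name, ", ".join(entries))
    return out


def observed_client_ip(headers: List[Header]) -> Optional[str]:
    """What an alert consumer should treat as the client address: the last entry of
    the last XFF header. Earlier entries were supplied by the client or by upstream
    proxies and must not be trusted for attribution."""
    positions = _xff_indexes(headers)
    if not positions:
        return None
    entries = [e.strip() for e in headers[positions[-1]][1].split(",") if e.strip()]
    return entries[-1] if entries else None


# Constructed sample requests (addresses from RFC 5737 documentation ranges).
NO_XFF = [("Host", "app.example.com"), ("User-Agent", "constructed-client/1.0")]
SPOOFED_XFF = [("Host", "app.example.com"),
               ("X-Forwarded-For", "10.0.0.1, 198.51.100.9")]   # client-supplied values
TWO_XFF = [("X-Forwarded-For", "10.0.0.1"),
           ("Host", "app.example.com"),
           ("X-Forwarded-For", "198.51.100.9")]

if __name__ == "__main__":
    for label, hdrs in (("no XFF", NO_XFF), ("spoofed XFF", SPOOFED_XFF), ("two XFF", TWO_XFF)):
        fixed = append_client_ip(hdrs, "203.0.113.7")
        print(label, "->", fixed, "client:", observed_client_ip(fixed))
```

Reading only the last entry matters for the detection use case: without the appended value, `observed_client_ip` on the spoofed request would return whatever the client chose to send.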


662273 : Policy Builder created too many suggestions when entities limits are reached

Component: Application Security Manager

Symptoms:
Policy Builder creates two times more suggestions than the entity limit.

Conditions:
When policy is configured to create many entities ('add all entities' to entity types other than filetypes).

Impact:
When the limit is reached, Policy Builder no longer accepts suggestions to add new entities, but it creates two times more suggestions than the limit (e.g., if the default URL limit is 10,000, after reaching the entity limit up to 20,000 suggestions to add URLs will be issued by Policy Builder).

Workaround:
Fix configuration so that the Policy Builder will not create so many suggestions:
- use 'selective' or 'never' learning mode for most entity types
- if there are many suggestions to create entities in 'selective' learning mode due to metachars or signatures, consider allowing metachars in global charset or disabling signatures for wildcard (or globally).

Fix:
Policy Builder will now create 1.1 times more suggestions to create entities than the configured limit.


661939 : Linux kernel vulnerability CVE-2017-2647

Solution Article: K32115847


661909 : First-time root and admin passwords must now comply with the password policy.

Component: TMOS

Symptoms:
The root and admin account passwords need to comply with the password policy, which is enforced by default in version 14.0 and beyond.

Conditions:
This occurs on new installations of BIG-IP version 14.0, where the password policy is now enabled by default.

Impact:
All passwords will need to comply with the BIG-IP password enforcement policy.

Fix:
N/A

Behavior Change:
In versions prior to BIG-IP version 14.0.0, on first-time boot you could log in as root or admin using the default passwords, and the passwords would not expire, so you could use them indefinitely.
 
Beginning in BIG-IP version 14.0.0, on new installations the root and admin default passwords are marked as expired: on first-time boot, after logging in with the default password you are required to change your password before proceeding. Additionally, the password policy is enabled by default, so the new passwords need to meet the password policy requirements.


660826-4 : BIG-IQ Deployment fails with customization-templates

Component: Access Policy Manager

Symptoms:
A BIG-IQ operation that uses multiple commands in one transaction to modify a customization group fails.

Conditions:
Simulation by tmsh for what's done in BIG-IQ:

1) Add a log-on agent in your policy.

2) Edit the log-on agent customization (Advanced Customization: both logon.inc and view.inc).
This should create two customization templates.

3) Make a backup of the customization template files in some folder (/tmp). For example, to copy logon.inc and view.inc for the logon agent in the sjc-access policy (sjc-access_act_logon_page_ag), the following cp statements worked:

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:logon.inc_74991_2 /tmp/logon.inc

cp Common_d/customization_template_d/\:Common\:sjc-access_act_logon_page_ag\:\:view.inc_74991_2 /tmp/view.inc

4) tmsh

5) create /cli transaction

6) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { logon.inc { local-path /tmp/logon.inc } }

7) modify /apm policy customization-group sjc-access_act_logon_page_ag templates modify { view.inc { local-path /tmp/view.inc } }

8) submit /cli transaction

Impact:
The BIG-IQ operation fails in a scenario involving a change to a customization group.

Workaround:
There is no workaround.

Fix:
BIG-IQ will be able to operate on customization group successfully.


660760 : DNS graphs fail to display in the GUI

Solution Article: K75105750

Component: TMOS

Symptoms:
Can no longer view the DNS graphs in the GUI after upgrading from an earlier release. The system reports the following error in the GUI when visiting GUI Statistic :: Performance :: DNS: Error trying to access the database.

Conditions:
This occurs when the BIG-IP system is licensed for the GTM module (mod_gtm) instead of the DNS module (mod_dnsgtm). This might occur in the case where the system is upgraded from an earlier release such as v10.2.4 (where the module was GTM) to a later release such as v12.1.1 (where the module is DNS).

Impact:
Accessing the DNS graphs in the GUI fails.

Workaround:
None.

Fix:
The DNS graphs are now created in the GUI when the system is licensed for the GTM module (mod_gtm) or for the DNS module (mod_dnsgtm).


660263 : DNS transparent cache message and RR set activity counters not incrementing

Component: Global Traffic Manager (DNS)

Symptoms:
The message and Resource Record (RR) set counters for transparent caches do not increment to reflect traffic.

Conditions:
-- The cache is of type transparent.
-- Viewing statistics counters.

Impact:
The statistics counters stay zero.

Workaround:
There is no workaround.

Fix:
The system now enables the code that increments these counters for transparent caches similar to other type caches.


660239 : When accessing the dashboard, invalid HTTP headers may be present

Component: TMOS

Symptoms:
When accessing parts of the BIG-IP dashboard via the GUI, there might be invalid HTTP headers in the responses.

Conditions:
Access the dashboard via Statistics :: Dashboard.

Impact:
The invalid HTTP headers might cause issues with the dashboard if there are intervening proxies between the browser and the BIG-IP.

You may see errors such as the following in the httpd error logs:

Feb 20 08:47:58 myBIG-IP err httpd[13777]: [error] [client 10.20.30.40] Response header name '<PostData><![CDATA[table=log%5Fstat]]></PostData>Cache-Control' contains invalid characters, aborting request, referer: https://mybigip.com/tmui/dashboard/MonitorDashboardModule.swf

Workaround:
There is no workaround at this time.

Fix:
Eliminated invalid header data.


659290 : FPS should indicate live-update status (new content available/downloaded/auto-downloaded/download-failed)

Component: Fraud Protection Services

Symptoms:
An SNMP trap is not available for live-update status changes because FPS does not report live-update content status via syslog.

Conditions:
Live update content status changed.

Impact:
There is no syslog indication of a live-update content status change, so an SNMP trap is not available for it.

Workaround:
There is no workaround at this time.

Fix:
FPS will report status change via syslog.


658716 : MCPd SIGSEGV in boost::checked_delete

Component: TMOS

Symptoms:
MCPd SIGSEGV during tear down of DSC connections. System logs messages similar to the following to /var/log/ltm:
 warning mcpd[4822]: 01071aea:4: CMI heartbeat timer expired, status: 192.168.254.253.

Conditions:
During tear down of DSC connections, a heartbeat operation may be attempted on an already deleted connection.

Impact:
MCPd will be restarted, possibly resulting in other daemons restarting as well.

Workaround:
There is no workaround at this time.

Fix:
The system now handles this condition, so the issue no longer occurs.


658636 : When creating LTM or DNS monitors through batch/transaction mode newlines are improperly escaped.

Solution Article: K51355172

Component: TMOS

Symptoms:
- LTM/DNS monitors created via tmsh batch/transactions improperly escape newline characters.
- Expected escaping: \r\n
- Actual escaping: \\r\\n
- Impact: The URI sent is not correct.

Conditions:
When creating LTM or DNS monitors through batch/transaction mode when strings contain newline characters. For example, using the following commands to batch-create:

create gtm monitor http one_test_mon { send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nUser-Agent: slb-healthcheck\r\nConnection: Close\r\n\r\n" recv "200"}
submit cli transaction
list gtm monitor http one_test_mon

The system creates the following monitor:

gtm monitor http one_test_mon {
    defaults-from http
    destination *:*
    interval 30
    probe-timeout 5
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nUser-Agent: slb-healthcheck\\r\\nConnection: Close\\r\\n\\r\\n"

Impact:
Cannot use batch/transaction mode in TMSH to create LTM or DNS monitors. Cannot use LTM or DNS monitors created using batch/transaction mode in tmsh.

Workaround:
Create the monitor directly in tmsh without using batch/transaction mode.

Fix:
When creating LTM or DNS monitors through batch/transaction mode newlines are now properly escaped.
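The following is an added example, not F5 code, of how to spot the double-escaped monitor in `list` output and why it breaks the health check: `send_string` pulls the quoted `send` value out of a listing, `tmsh_unescape` is a simplified model (an assumption, not tmsh source) of how the quoted string becomes wire bytes, and `is_double_escaped` flags a listing whose request would carry literal backslash text instead of CRLF. The two listings are constructed from the monitor in the release note.

```python
"""Added example (not F5 code): detecting the double-escaped send string described in
658636 and showing what it would put on the wire. tmsh_unescape is a simplified model
of tmsh's string handling (assumption): it treats only \\r, \\n and \\\\ as escapes."""
import re
from typing import Optional

# Quoted value of the 'send' attribute; a backslash may escape any character.
_SEND_RE = re.compile(r'^\s*send\s+"((?:[^"\\]|\\.)*)"', re.MULTILINE)


def send_string(listing: str) -> Optional[str]:
    """Extract the quoted value of the 'send' attribute from tmsh 'list' output."""
    match = _SEND_RE.search(listing)
    return match.group(1) if match else None


def tmsh_unescape(value: str) -> bytes:
    """Simplified model (assumption, not tmsh source): \\r -> CR, \\n -> LF,
    \\\\ -> a single backslash; every other character is passed through."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in ("r", "n", "\\"):
                out += {"r": b"\r", "n": b"\n", "\\": b"\\"}[nxt]
                i += 2
                continue
        out += value[i].encode("latin-1")
        i += 1
    return bytes(out)


def is_double_escaped(listing: str) -> bool:
    """True when the send string would leave literal backslash-r/backslash-n text on the
    wire instead of CRLF, which is what the batch-mode bug produced: the request line is
    never terminated, so the monitored server cannot answer with the expected 200."""
    value = send_string(listing)
    if value is None:
        return False
    wire = tmsh_unescape(value)
    return b"\r\n" not in wire and b"\\r\\n" in wire


# Constructed listings, modelled on the monitor in the release note.
GOOD_LISTING = r'''gtm monitor http one_test_mon {
    defaults-from http
    recv 200
    send "GET / HTTP/1.0\r\nHost: abc.example.com\r\nConnection: Close\r\n\r\n"
}'''
BAD_LISTING = r'''gtm monitor http one_test_mon {
    defaults-from http
    recv 200
    send "GET / HTTP/1.0\\r\\nHost: abc.example.com\\r\\nConnection: Close\\r\\n\\r\\n"
}'''

if __name__ == "__main__":
    for label, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(label, "double-escaped:", is_double_escaped(listing),
              "wire:", tmsh_unescape(send_string(listing)))
```

Running `is_double_escaped` over `tmsh list ltm monitor` and `tmsh list gtm monitor` output is a quick way to audit monitors that were created on an affected release before the fix.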


658410 : icrd_child generates a core when calling PUT on ltm/data-group/internal/

Component: TMOS

Symptoms:
icrd_child generates a core file when calling PUT on ltm/data-group/internal/.

Conditions:
Calling PUT on ltm/data-group/internal/.

Impact:
The iControl REST API is temporarily not available for configuration queries or modifications.

Workaround:
There is no workaround at this time.

Fix:
icrd_child no longer cores when calling PUT on ltm/data-group/internal/.


658278 : Network Access configuration with Layered-VS does not work with Edge Client

Component: Access Policy Manager

Symptoms:
When Network Access is configured in virtual server-to-virtual server targeting, the Edge client cannot connect.

Conditions:
Network Access is configured as follows:
-- The external-client-facing virtual server has the SSL profile attached.
-- The internal virtual server has the Access profile and connectivity profile attached.
-- The external-client-facing virtual server has an iRule that forwards the HTTP requests to the internal virtual server.

Impact:
When Edge client connects, the external-client-facing virtual server issues a request for '/pre/config.php?version=2.0', and the Edge client hangs.

Workaround:
None.

Fix:
Network Access configuration with Layered-VS now works with Edge Client.


657912 : PIM can be configured to use a floating self IP address

Component: TMOS

Symptoms:
Using PIM-Sparse Mode for multicast traffic with BGP for unicast routing/reverse path filtering may prevent PIM neighbor routers from switching from the RPT to the SPT.

Conditions:
-- PIM-Sparse Mode.
-- BGP.
-- Floating self IP address.

Impact:
Routers upstream and including BIG-IP will never receive PIM JOIN messages from the rendezvous point, which is required for traffic to switch from the RPT to the SPT. The sender's DR may continue to send traffic to the RP in register messages indefinitely.

Workaround:
Remove the floating self IP address from the traffic group or select a routing protocol that does not use it, such as OSPF.

Fix:
PIM can now send hello messages from a floating self IP address.

Behavior Change:
PIM can now send hello messages using a floating self IP address. Configure it in imish under the interface along with the PIM mode:

#imish
imish> enable
imish# configure terminal
imish(config)# interface external
imish(config-if)# ip pim use-floating-address

Upon failover, the previously active unit will send hellos from a non-floating self IP address, and the new active unit will begin sending hellos from the floating self IP address. No state is shared between the units; both will generate a new PIM generation ID, and the state of all multicast routes will be reset and need to reconverge.


657882 : Allow the system to retrieve a CRL from the CRLDP (CRL distribution point) and verify the SSL server's certificate status using the CRL.

Component: TMOS

Symptoms:
The system has no ability to download a CRL file from its CRLDP (which is usually an HTTP server).

Conditions:
-- SSL handshake.
-- Receive a certificate from the SSL server, which contains a CRLDP URL (usually an HTTP URL) as a certificate extension.

Impact:
The system cannot check the SSL server's certificate status by checking its CRL file.

Workaround:
There is no workaround.

Fix:
The system can now download the CRL file from the HTTP URL listed on SSL server's certificate and check the certificate's status against the CRL file.


656901 : MRF add 'existing_connection_only' and 'outgoing_connection_instance_seed' two iRule commands

Component: Service Provider

Symptoms:
Without the MRF 'existing_connection_only' command, MRF forwards a new message over either an existing connection or a newly created one.

Without the MRF 'outgoing_connection_instance_seed' command, the connection's instance number is generated from an internal originating connection ID, so requests from the same client IP with different source ports may end up on different outgoing connections.

Conditions:
These two iRule commands are not available.

Impact:
1. Existing connections are not always reused.
2. Requests from the same client IP with different source ports may use different outgoing connections.

Workaround:
There is no workaround at this time.

Fix:
MR::message existing_connections_only <boolean>: Gets or sets a flag that instructs MRF to forward the message only over existing connections; if no connection to the selected host exists, the route fails.

MR::message outgoing_connection_instance_seed <integer>: Gets the seed or, when set by this iRule, uses this seed to generate the connection instance number instead of deriving it from an internal originating connection ID (see the MR::connection_instance iRule command).

If the number supplied is larger than 32 bits, the 64-bit number is hashed down to a 32-bit number.


656784 : Windows 10 Creators Update breaks RD Gateway functionality in BIG-IP APM

Solution Article: K98510679

Component: Access Policy Manager

Symptoms:
After upgrading to Windows 10 Creators Update (version 1703), when attempting to connect to a remote desktop through APM with the Remote Desktop Gateway (RDG) feature, the remote desktop client is not able to authenticate and connect.

The Windows 10 version 1703 RDP client uses the Negotiate HTTP authentication scheme, while APM requires the NTLM scheme for RD Gateway.

Conditions:
- You are accessing Microsoft Remote Desktop through BIG-IP APM using Remote Desktop Gateway (RDG) feature.
- You upgrade to Windows 10 Creators Update (version 1703).

Impact:
Remote desktop client is not able to authenticate and connect to the desktop.

Workaround:
Use either of the following workarounds:

-- Force the Windows RDP client to use NTLM authentication scheme (instead of Negotiate) by setting Group Policy 'User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway\Set RD Gateway authentication method' to 'Ask for credentials, use NTLM protocol'.

-- Use the following iRule to convert Negotiate to NTLM on the request and NTLM back to Negotiate on the response:
when HTTP_REQUEST {
    # Only touch RD Gateway traffic; its HTTP methods are RDG_IN_DATA and RDG_OUT_DATA.
    set is_rdg_request [expr { [HTTP::method] starts_with "RDG_" }]
    if {!$is_rdg_request} { return; }

    # Rewrite "Negotiate <token>" to "NTLM <token>" so APM sees the scheme it requires.
    set auth [HTTP::header Authorization]
    set is_nego_auth [expr { $auth contains "Negotiate" }]

    if { $is_nego_auth } {
        set auth [string map {"Negotiate" "NTLM"} $auth]
        HTTP::header replace Authorization $auth
    }
}
when HTTP_RESPONSE_RELEASE {
    # is_nego_auth is only set for RDG requests; || short-circuits, so it is never read otherwise.
    if {!$is_rdg_request || !$is_nego_auth} { return; }

    # Rewrite the challenge back so the client keeps speaking Negotiate.
    catch {
        set auth [HTTP::header WWW-Authenticate]
        if { $auth contains "NTLM" } {
            set auth [string map {"NTLM" "Negotiate"} $auth]
            HTTP::header replace WWW-Authenticate $auth
        }
    }
}

Fix:
After upgrading to Windows 10 Creators Update (version 1703), the RDP client can still authenticate and connect via APM used as RD Gateway.


655671-3 : Polling time waiting for I2C bus transactions in the bcm56xxd daemon needs to be reduced

Component: TMOS

Symptoms:
On platforms that run the bcm56xxd daemon, the polling time that the system waits for I2C bus transactions to complete runs too long. On systems with I2C bus issues, this can lead to bcm56xxd core files, because the bcm56xxd daemon doesn't reset the watchdog so the watchdog timer kills the process.

Conditions:
This is an issue only when there is a stuck I2C bus, which occurs rarely.

Impact:
bcm56xxd process may core and restart. That typically resets the I2C bus, which resolves any issues.

Workaround:
None. Typically, the issue resolves itself.

Fix:
The number of times the bcm56xxd process polls for an I2C bus transaction to complete is reduced to prevent bcm56xxd core files.


654086 : Incorrect handling of HTTP2 data frames larger than minimal frame size

Component: Local Traffic Manager

Symptoms:
HTTP/2 allows the maximum frame size to be set anywhere from 16 KB (2^14 bytes, inclusive) up to 16 MB (2^24 bytes, exclusive).

When a client sends a DATA frame spanning more than one TCP segment, the BIG-IP system incorrectly decrements the frame size twice from the receive window.

If proxy flow control is disabled, this only generates an additional WINDOW_UPDATE frame. If the proxy is in flow control, it causes a flow-control error.

Conditions:
-- HTTP2 profile is configured on a virtual server.
-- Client sends a DATA frame larger than 16384 bytes, violating the RFC. Note: The BIG-IP system's receiving maximum frame size is permanently set to 16384 bytes.

Impact:
HTTP2 resets the stream with FLOW_CONTROL_ERROR.

Workaround:
There is no workaround at this time.

Fix:
When a client sends an HTTP/2 DATA frame exceeding the negotiated maximum frame size, the BIG-IP system now correctly resets the stream.
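The accounting mistake above is easy to reproduce in a small receiver, so here is an added example (not BIG-IP code) of an HTTP/2 frame reassembler that charges each DATA frame to the connection receive window exactly once, when the 9-byte header is parsed, regardless of how many TCP segments the payload arrives in. It also applies the fixed 16384-byte receive limit from the entry and records a FRAME_SIZE_ERROR stream reset for an oversized DATA frame while still consuming its bytes so framing stays in sync. The frame layout follows RFC 7540; the constants and the class are constructed for this example.

```python
import struct
from dataclasses import dataclass, field

FRAME_HEADER_LEN = 9
FRAME_TYPE_DATA = 0x0
FRAME_TYPE_HEADERS = 0x1
MAX_FRAME_SIZE = 16384          # the fixed BIG-IP receive limit named in the entry above
INITIAL_WINDOW_SIZE = 65535     # RFC 7540 default connection receive window


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


@dataclass
class Http2Receiver:
    """Reassembles frames across arbitrary TCP segment boundaries and charges each
    DATA frame to the connection receive window exactly once."""
    window: int = INITIAL_WINDOW_SIZE
    buf: bytes = b""
    cur_len: int = 0        # payload length of the frame in progress
    remaining: int = 0      # payload bytes of that frame still to arrive
    cur_type: int = 0
    cur_stream: int = 0
    consumed: list = field(default_factory=list)       # (stream_id, type, length)
    stream_errors: list = field(default_factory=list)  # (stream_id, error_code)

    def feed(self, segment: bytes) -> None:
        """Handle one TCP segment; may complete zero, one or several frames."""
        self.buf += segment
        while True:
            if self.remaining == 0:
                if len(self.buf) < FRAME_HEADER_LEN:
                    return                      # wait for a complete header
                hdr, self.buf = self.buf[:FRAME_HEADER_LEN], self.buf[FRAME_HEADER_LEN:]
                self.cur_len = int.from_bytes(hdr[:3], "big")
                self.cur_type = hdr[3]
                self.cur_stream = struct.unpack(">I", hdr[5:9])[0] & 0x7FFFFFFF
                self.remaining = self.cur_len
                if self.cur_type == FRAME_TYPE_DATA:
                    if self.cur_len > MAX_FRAME_SIZE:
                        # Oversized DATA frame: reset the stream, but still consume its
                        # payload below so framing stays in sync on the connection.
                        self.stream_errors.append((self.cur_stream, "FRAME_SIZE_ERROR"))
                    # Charge the window once, here, when the length is known. Charging it
                    # again as each later segment arrives is the double decrement the entry
                    # describes, and it drives the window negative on legitimate traffic.
                    self.window -= self.cur_len
                    if self.window < 0:
                        self.stream_errors.append((self.cur_stream, "FLOW_CONTROL_ERROR"))
                if self.cur_len == 0:
                    self.consumed.append((self.cur_stream, self.cur_type, 0))
                    continue
            take = min(self.remaining, len(self.buf))
            if take == 0:
                return                          # rest of this frame is in a later segment
            self.buf = self.buf[take:]
            self.remaining -= take
            if self.remaining == 0:
                self.consumed.append((self.cur_stream, self.cur_type, self.cur_len))
```

Feeding a single 16384-byte DATA frame in three segments of MSS-like size leaves the window at 65535 - 16384, not 65535 - 2 * 16384; a fourth such frame on a fresh receiver is the point where a correct sender would have stopped, and the receiver reports FLOW_CONTROL_ERROR only then.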


653976 : SSL handshake fails if server certificate contains multiple CommonNames

Component: Local Traffic Manager

Symptoms:
SSL server side handshake fails when the external server certificate's Subject field contains multiple CommonNames.

Conditions:
This issue occurs when both of the following conditions are met:
-- The external server certificate's Subject field contains multiple CommonNames.
-- The certificate does not contain subjAltName extension (or if it does, the same names are not included in the subjAltName's dNSName list).

Impact:
Connection with external server cannot be established. In case of forward proxy, bypass or intercept will fail.

Workaround:
In case of forward proxy bypass, configure IP address bypass instead of hostname bypass since IP address bypass check happens before SSL handshake.

The second option is to update the external server's certificate to include the list of CommonNames in subjAltName extension as dNSName.

Fix:
The system now checks all CommonNames in a certificate's Subject field instead of checking only the longest one in length.
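The difference between checking only the longest CN and checking all of them is small but decides whether the server-side handshake succeeds, so here is an added example (not BIG-IP code) of hostname matching over a Subject given as an ordered list of (attribute, value) pairs, with the old and the fixed behaviour side by side. It follows the order the entry implies: subjectAltName dNSName entries are tried first, then the Subject CNs. Wildcards are handled RFC 6125 style (a leading '*' matches exactly one leftmost label). The sample Subject and names are constructed for the example; strict RFC 6125 clients would stop at the SAN when it contains dNSName entries and never consult the CN.

```python
def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive comparison; '*.example.com' matches 'a.example.com' only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    host_labels = host.split(".", 1)
    return len(host_labels) == 2 and host_labels[1] == pattern[2:]


def common_names(subject):
    """All CN values, in order, from a Subject given as (attribute, value) pairs."""
    return [value for attr, value in subject if attr == "CN"]


def hostname_matches(host, subject, san_dns=()):
    """Fixed behaviour: SAN dNSName entries first, then every CN in the Subject."""
    if any(_name_matches(p, host) for p in san_dns):
        return True
    return any(_name_matches(cn, host) for cn in common_names(subject))


def hostname_matches_longest_cn(host, subject, san_dns=()):
    """Pre-fix behaviour described in the entry above: only the longest CN is compared."""
    if any(_name_matches(p, host) for p in san_dns):
        return True
    cns = common_names(subject)
    return bool(cns) and _name_matches(max(cns, key=len), host)


# Constructed sample: a Subject with two CNs and no SAN, as in the entry's conditions.
SAMPLE_SUBJECT = [("C", "US"), ("O", "Example Corp"),
                  ("CN", "www.example.com"), ("CN", "example.com")]
```

With SAMPLE_SUBJECT, a connection to example.com fails under the longest-CN rule (www.example.com is longer) and succeeds once all CNs are checked; adding example.com to the SAN, the entry's second workaround, makes both variants succeed.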


653759 : Chassis Variant number is not specified in C2200/C2400 chassis after a firmware update

Component: TMOS

Symptoms:
Chassis Variant number is not specified when checking the log file /var/log/ltm, for example:

#grep queryFDD /var/log/ltm
...debug chmand[12982]: 012a0007:7: queryFDD returned 1 items for: update|F100|||NONE|NONE|NONE|0x0

This should contain the Variant number 400-0028-04, as follows:
...debug chmand[32663]: 012a0007:7: queryFDD returned 1 items for: update|F100|400-0028-04||NONE|NONE|NONE|0x0

Conditions:
-- B2100/B2150/B2200 blade in C2200/C2400 chassis.
-- Checking for the Chassis Variant number.

Impact:
This has no impact, since there are no Variants currently defined for the C2200/C2400 chassis.

Workaround:
There is no workaround at this time.

Fix:
Chassis Variant number is printed out as expected in the log file.


653152 : Support RSASSA-PSS-SIGN in F5 crypto APIs.

Component: TMOS

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through v13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version of BIG-IP software from v11.6.0 through v13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
There is no workaround at this time.

Fix:
Validation of client certificates that are signed using the RSASSA-PSS signature algorithm now completes successfully.


652877 : Reactivating the license on a VIPRION system may cause MCPD process restart on all secondary blades

Component: TMOS

Symptoms:
All services on one or all secondary blades in a VIPRION chassis restart, and MCPD logs errors similar to the following:

-- err mcpd[9063]: 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)
-- err mcpd[9063]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3:Configuration error: DB validation exception, unique constraint violation on table (sflow_vlan_data_source) object ID (1168). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:sflow_vlan_data_source status:13)... failed validation with error 17237812.

In versions prior to v11.6.0, the error is: 'Can't save/checkpoint DB object,' rather than 'Can't update_indexes/checkpoint DB object'.

Conditions:
Multi-bladed VIPRION system, where the 'if-index' value for VLANs differs between blades.

You can check the 'if-index' value by running the following command on each blade: tmsh list net vlan all if-index.

Impact:
MCPD restart on all secondary blades results in partial service outage.

Workaround:
Reactivate the license only on a system that is standby/offline.

Fix:
Reactivating the license on a VIPRION system no longer causes MCPD process restart on one or all secondary blades.


652479 : Client-side JavaScript parser cannot recognize constructions like { if(a) break\n}

Component: Access Policy Manager

Symptoms:
JavaScript errors; web application malfunction.

Conditions:
Dynamically created client-side JavaScript contains constructions like:

 { if(a) break\n}

Impact:
Web application malfunction.

Workaround:
A custom iRule can be used in some cases, but this is not always possible.


651413 : tmsh list ltm node does not return an error when node does not exist

Solution Article: K34042229

Component: TMOS

Symptoms:
TMSH does not post an error message in response to the tmsh command to list a specific, non-existent LTM node, or when listing a set of non-existent nodes using regular expressions.

Conditions:
-- Running the command: tmsh list ltm node.
-- Running a regular expression to list a set of nodes.
-- The specified node does not exist.

Impact:
The command produces no output or error message. No indication of why there is no output, nor is there a description of the possible error condition.

Workaround:
None.

Fix:
TMSH now posts the appropriate, node-not-found error message when LTM nodes do not exist when running the command: tmsh list ltm node.


651113 : RFE to support AVR reporting for FW NAT translations

Component: Advanced Firewall Manager

Symptoms:
Prior to the 14.0.0 release, FW NAT translation events were logged (if enabled) but were not reported through the AVR infrastructure, unlike the CGNAT module.

Conditions:
AFM provisioned and Firewall NAT configured.

Impact:
FW NAT users (new or migrating from CGNAT) cannot see AVR reports for the various translation events. This may make NAT troubleshooting and/or NAT capacity planning difficult.

Workaround:
There is no workaround at this time.

Fix:
AVR reporting is now available for AFM NAT feature.


650322 : Invalid Hash More setting hash persistence profile

Component: TMOS

Symptoms:
On the Hash persistence profile, there is an option 'Hash More' which is available in the GUI. This setting is not valid.

Conditions:
Viewing the Hash persistence profile in the GUI.

Impact:
This setting is not valid. There is no impact because the setting is non-functional, but might be confusing.

Workaround:
None.

Fix:
The invalid option 'Hash More' has been removed from the Hash persistence profile.


650038 : tcp connect: errno and comm_point_tmm_recv_from messages

Component: Global Traffic Manager (DNS)

Symptoms:
When unbound (DNS cache) produces an error message, it's written to /var/log/ltm as a message from tmm. However, there is no indication that the message has anything to do with DNS caching.

As a result of this issue, you might see errors similar to the following:
-- err tmm5[14207]: tcp connect: errno 10
-- err tmm1[14244]: comm_point_tmm_recv_from failed: Software caused connection abort
-- err tmm3[11846]: recvfrom failed

Conditions:
-- Unbound (DNS cache) produces an error message.
-- Viewing these logged messages in /var/log/ltm.

Impact:
Some of these messages are benign, but there is no indication of that, or the associated functionality where the message was triggered. Difficulty troubleshooting the underlying issue.

Workaround:
None.

Fix:
Logged messages now indicate their association with DNS cache. For example:
-- info tmm4[19404]: DNScache: sending query
-- info tmm4[19404]: DNScache: response for example.com. A IN


649930 : The TCP autonagle feature is not supported in LTM Policy

Component: Local Traffic Manager

Symptoms:
In the TCP profile, the auto-Nagle feature is not supported in LTM Traffic Policies.

Conditions:
-- Using auto-Nagle in the TCP profile.
-- LTM Traffic Policies.

Impact:
The TCP auto-Nagle feature is not supported in LTM policies.

Workaround:
You can use iRules to enable or disable the TCP auto-Nagle feature.

Fix:
The TCP auto-Nagle feature is now supported in LTM Traffic Policies.

Behavior Change:
The TCP auto-Nagle feature is now supported in Traffic Policies.


649866-3 : fsck should not run during first boot on public clouds

Component: TMOS

Symptoms:
Although it is not needed, a filesystem check runs during the first boot. This increases boot time, especially for images created more than 180 days before the first boot, because twice a year the boot runs a more comprehensive fsck operation.

Conditions:
This occurs when booting up public cloud configurations of Virtual Edition (VE).

Impact:
Potentially unacceptable long boot times.

Workaround:
None.

Fix:
fsck does not run during first boot on public cloud configurations of VE. Running fsck is postponed until the second boot. If the more comprehensive fsck operation is required, it runs during the second boot as well.


649689 : Unsupported Power Supply Models Reported as 'Not-Present' When Inserted in 2xxx/4xxx/5xxx/7xxx/10xxx Series Platform

Component: TMOS

Symptoms:
Unsupported power supplies are misleadingly reported as "not-present" when inserted into the system even when power is actively supplied to them.

For example, if a system had a valid AC PSU in slot #1 but an unsupported PSU in slot #2:

#tmsh show sys hard|grep -A 4 Power
Chassis Power Supply Status
  Index Status Current
  1 up AC
  2 not-present NA

Conditions:
-- A power supply unit that fits mechanically into the system but is not supported electrically is inserted and powered on.
-- Inserted in 2xxx/4xxx/5xxx/7xxx/10xxx series platforms.

Impact:
Misleading information is given for the power supply as 'not-present' rather than 'unidentified'. System is in an unsupported electrical state and without power redundancy.

Workaround:
There is no workaround at this time.

Fix:
When an unsupported power supply is inserted into the system, it is now reported as 'unidentified'. In addition, a critical alarm will be raised to the LCD and written to the LTM log.

For example, if a system had a valid AC PSU in slot #1 but an unsupported PSU in slot #2:

# tmsh show sys hard|grep -A 4 Power
Chassis Power Supply Status
  Index Status Current
  1 up AC
  2 unidentified NA

The system reports the following critical alarm:
critical 0x12a0059 Chassis power module 2 is unidentified.


649275 : RSASSA-PSS client certificates support in Client SSL

Component: Local Traffic Manager

Symptoms:
Client certificate verification in BIG-IP v11.6.0 through 13.1.0 does not support client certificates that are signed using the RSASSA-PSS signature algorithm. Validation of such client certificates will fail.

Conditions:
- Client certificate signed with RSASSA-PSS algorithm.
- Client Certificate is set to 'Required' in Client SSL profile.
- Running any version from BIG-IP v11.6.0 through 13.1.0.

Impact:
SSL connections using client PSS certificates are rejected.

Workaround:
None.

Fix:
Validation of client certificates that are signed using the RSASSA-PSS signature algorithm now completes successfully.


649166 : When tcp checksum set to software-only, automatically disable TCP Segmentation Offload

Component: Local Traffic Manager

Symptoms:
TCP Segmentation Offload (TSO) requires hardware checksumming to be enabled. When hardware checksum offload is disabled, TSO must be disabled as well.

Conditions:
HW checksum disabled.

Impact:
Traffic might be lost.

Workaround:
Manually disable TSO when disabling HW Checksum offload.

Fix:
Disabling HW checksum offload now disables TSO.


648320 : Downloading via APM tunnels could experience performance downgrade.

Component: Local Traffic Manager

Symptoms:
Multiple DTLS records can be packed into one UDP packet. When the packet is too large, it may be fragmented at the IP layer, which causes a high number of packet drops and therefore degraded performance.

Conditions:
When downloading using APM tunnels.

Impact:
High number of packet drops and inferior performance.

Workaround:
None.

Fix:
One DTLS record is now contained in each UDP packet to avoid packet fragmentation.


648271-3 : vCMP guest is unable to install a hotfix for block-device-images

Component: TMOS

Symptoms:
If a partial hotfix image file is on the BIG-IP system, a vCMP guest may attempt to install that improper image file, because the guest does not have access to an MD5 checksum verification.

The most common error message encountered is 'Software compatibility tests failed.', which gives no indication of what actually went wrong. Other errors may be possible, depending on how the truncation/corruption affects installation.

Conditions:
-- vCMP guest trying to install a hotfix image

-- block-device-image installation started in vCMP guest

-- Installing a hotfix when both a 'valid' hotfix image file and an 'invalid' hotfix image file exist on the system.

Impact:
Software installations might fail on vCMP guests with a confusing error.

Workaround:
Remove the corrupt image files from the BIG-IP.

Fix:
Now, if a partial Hotfix image file exists on the BIG-IP system, a vCMP guest installs the correct software, or presents a meaningful error.


647198 : GUI to disable HEAD request

Component: TMOS

Symptoms:
Users are able to send HTTP HEAD requests to the GUI.

Conditions:
A user sends an HTTP HEAD request and the GUI accepts it.

Impact:
The GUI accepts HTTP HEAD requests.

Workaround:
Configure the ssl.conf file to reject HTTP HEAD requests.

Fix:
The GUI is now configured to reject HTTP HEAD requests.


647033 : Improve DNS TSIG Handling

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP software has long supported TSIG transaction security for zone transfers, but not for standard queries.

A third-party DNS server requesting a zone transfer may first perform a standard SOA query to determine whether a zone has changed before requesting a full transfer. This is vendor specific. When that request is TSIG-signed, the BIG-IP system fails to respond properly.

Conditions:
A TSIG-signed DNS standard query arrives at a BIG-IP system, intended to be properly answered by the BIG-IP system itself, rather than being proxied to a pool member.

Impact:
This change affects DNS messages containing TSIG signatures. Those messages that do not contain these signatures are not affected. The handling of TSIG-signed messages has changed as described in the fix text.

Workaround:
This defect's workaround is limited to the case of a zone transfer client issuing a signed SOA query before conducting the actual transfer. In that case it may be possible to configure the zone transfer client (the DNS server requesting the transfer) to issue IXFR requests directly rather than first issuing an SOA query. Where possible, this avoids sending the BIG-IP system a signed standard (SOA) query, and thus allows transfers to occur.

Fix:
This fix adds support for properly handling queries of all types that contain a TSIG, as long as the BIG-IP system possesses the TSIG key used to sign the received request.

When the request is received, if the key is found, the signature validates, and the signature is within the validity timespan, the request is handled, and the response is properly signed with the key.

If any of this fails, an error response (BADKEY, BADSIG, or BADTIME) is returned. The only exception to this behavior is: If the query contains a TSIG signature, and the key used is not found in the BIG-IP configuration, and the DNS profile's unhandled query action is 'allow', then the query is not touched, but rather simply proxied. This is done based on the possibility that some back-end server does have the needed key, and can therefore respond to the request.

This fix also impacts the handling of zone transfer NOTIFY messages that lack a TSIG. In past versions, these messages were allowed and acted upon even if the zone setting 'Verify Notify TSIG' was enabled. NOTIFY messages lacking a TSIG are now dropped if this setting is enabled.
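To make the three failure outcomes concrete, here is an added example (not BIG-IP code) of TSIG signing and verification over a minimal DNS wire message, using only the Python standard library. It builds an SOA query, appends a TSIG RR, and verifies in the order the fix text describes: key lookup (BADKEY), MAC check (BADSIG), then the time window (BADTIME); a response MAC additionally covers the request MAC as RFC 8945 requires. Only hmac-sha256 is implemented, names are never compressed, the original-ID substitution is omitted because the message ID is not changed, and the key name and secret are constructed for the example. The 'unhandled query action is allow' proxy case from the fix text is a policy decision outside this code: it corresponds to the BADKEY branch being routed to a back-end server instead of returning an error.

```python
import hashlib
import hmac
import struct

TYPE_TSIG = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."   # the only algorithm this example implements


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as uncompressed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf: bytes, off: int):
    """Decode an uncompressed name at off; returns (name, offset past it). Compression
    pointers are not handled because every message built here is uncompressed."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(qname: str, qtype: int, qid: int) -> bytes:
    """A standard query (RD set) with one question and nothing else."""
    return (struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack(">HH", qtype, 1))


def tsig_variables(keyname, time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(keyname) + struct.pack(">HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack(">HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, keyname, secret, time_signed, fudge=300, request_mac=b""):
    """Append a TSIG RR to msg and return (signed_msg, mac). For a response, request_mac
    is the MAC of the request being answered; it is covered by the response MAC too."""
    covered = (struct.pack(">H", len(request_mac)) + request_mac) if request_mac else b""
    covered += msg + tsig_variables(keyname, time_signed, fudge)
    mac = hmac.new(secret, covered, hashlib.sha256).digest()
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack(">HH", fudge, len(mac)) + mac
             + struct.pack(">HHH", struct.unpack(">H", msg[:2])[0], 0, 0))  # orig ID, error, other len
    rr = encode_name(keyname) + struct.pack(">HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + rr, mac


def tsig_verify(signed, keys, now, request_mac=b""):
    """Verify a received message in the order the entry above describes: key lookup
    (BADKEY), MAC (BADSIG), then time window (BADTIME). keys maps a lowercase key
    name with trailing dot to its secret. Returns (status, mac)."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12])
    off, rr_start, rtype = 12, None, None
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar):            # the TSIG RR must be the last record
        rr_start = off
        off = read_name(signed, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if rtype != TYPE_TSIG:
        return "UNSIGNED", b""
    keyname, p = read_name(signed, rr_start)
    alg, p = read_name(signed, p + 10)       # skip type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, maclen = struct.unpack(">HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + maclen]
    secret = keys.get(keyname.lower())
    if secret is None or alg.lower() != ALGORITHM:
        return "BADKEY", mac
    # Rebuild the message as it was before signing: drop the TSIG RR, decrement ARCOUNT.
    unsigned = signed[:10] + struct.pack(">H", ar - 1) + signed[12:rr_start]
    covered = (struct.pack(">H", len(request_mac)) + request_mac) if request_mac else b""
    covered += unsigned + tsig_variables(keyname, time_signed, fudge)
    expected = hmac.new(secret, covered, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time compare
        return "BADSIG", mac
    if abs(now - time_signed) > fudge:
        return "BADTIME", mac
    return "NOERROR", mac
```

Note the ordering: a message with an unknown key never has its MAC computed, and the time check runs only after the MAC verifies, so an attacker cannot use BADTIME responses to probe timestamps without holding the key. A response verified without the request MAC fails with BADSIG, which is the check that binds a signed answer to the query it answers.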


647020 : Hide datasync-global-dg from the Device Group List page

Component: TMOS

Symptoms:
The device group 'datasync-global-dg' is created and updated automatically and should not be modified or deleted manually.

Conditions:
The 'datasync-global-dg' device group is deleted manually.

Impact:
The system may go offline, and errors such as 'Can't associate Datasync Update Files' may appear.

Workaround:
After accidentally deleting the datasync-global-dg device-group, the easiest way to resolve this issue is to perform the following procedure:
1. Run the following command:
 tmsh save sys config.
2. Run the following command:
 tmsh load sys config.
3. Wait a few seconds. If system is Offline, then wait about 3 minutes until the system is ACTIVE.
4. Run the following command:
 tmsh save sys config (for a second time).
5. Perform a force sync of datasync-global-dg:
   From the GUI of the same device (the device that was previously offline), select 'Sync Device to Group', making sure to check 'Overwrite Configuration', and click 'Sync'.
6. Wait until the devices are both ACTIVE and 'In Sync'.

Fix:
The device-group datasync-global-dg is now hidden from the Device Group List page, but still should appear in the 'Device Management Overview' page to allow controlling the sync.


644822-5 : FastL4 virtual server with enabled loose-init option works differently with/without AFM provisioned

Solution Article: K19245372

Component: Advanced Firewall Manager

Symptoms:
If AFM is provisioned, a FastL4 virtual server with the loose-init option enabled drops all RST packets that do not belong to an existing flow.

This behavior does not match the BIG-IP behavior when AFM is not provisioned.

Conditions:
-- AFM provisioned.
-- FastL4 virtual server.
-- Loose-init option enabled.

Impact:
RST packets that do not belong to any existing flow are dropped, although they should not be dropped when the loose-init option is enabled.

Workaround:
No workaround.

Fix:
FastL4 virtual servers with the loose-init option enabled now forward any RST packets.


644813 : Trunks are not created when /cm config-sync recover-sync is run

Component: TMOS

Symptoms:
-- Unexpected Error: Loading configuration process failed.
-- Config-sync not recovered.
-- Trunk configuration lost until the next 'save /sys config' operation.

Conditions:
1. Create a trunk.
2. Create a VLAN using trunk.
3. Create a self IP on the VLAN.
4. Issue the following command:
tmsh run cm config-sync recover-sync

Impact:
Unable to restore configuration.

Workaround:
None.

Fix:
Configuration is properly saved so that it can load.


644748 : Removing postfix call

Component: TMOS

Symptoms:
After saving the Platform page, the ltm log displays an error message regarding postfix, similar to the following:

err syscalld[14728]: 0127000f:3: Unexpected execv error: 2 (No such file or directory) for /usr/sbin/postfix.

Conditions:
This occurs in the GUI after saving the Platform page.

Impact:
The ltm log displays an error message regarding postfix. It is otherwise benign.

Workaround:
None.

Fix:
The ltm log no longer displays an error message regarding postfix.


644241 : No warning messages when the firewall rule configuration contains mix of source and destination using IPv4 and IPv6 addressing

Component: Advanced Firewall Manager

Symptoms:
Invalid firewall rules are accepted in the configuration without generating warning messages, but they are not enforced.

Conditions:
Firewall rule with a mix of source and destination addresses containing IPv4 and IPv6 addressing.

Note: Defining a rule with a mix of IPv4 and IPv6 addresses is invalid.

Impact:
Although the invalid rules can be defined, they are not enforced on traffic, and there is no message indicating that they will not be enforced.

Workaround:
There is no workaround at this time.

Fix:
A warning message is now generated when an AFM Rule contains both IPv4 and IPv6 addresses.


643879 : NAT64 Hairpin connections can be incorrectly logged using NAT44 log templates

Component: Carrier-Grade NAT

Symptoms:
NAT64 Hairpin connections are incorrectly logged using the NAT44 Session Create/Delete (outbound variant) templates.

Conditions:
The issue will occur when NAT64 hairpin connections are logged via syslog or IPFIX.

Impact:
Some information, such as the source IP address, may be malformed and/or missing from logs.

Workaround:
None.

Fix:
NAT64 hairpin connections now correctly use NAT64 logging template instead of NAT44 logging template.


643799 : Deleting a partition may cause a sync validation error

Component: TMOS

Symptoms:
Deleting a partition may cause the sync to peers to fail.

For example, on BIG-IP1:

tmsh delete auth partition P1
tmsh show cm sync-status
     Sync Summary
     Status Sync Failed
     Summary A validation error occurred while syncing to a remote device
     Details DG1: Sync error on BIG-IP2: Load failed from BIG-IP1 01070829:5: Input error: Invalid partition ID request, partition does not exist (P1)

Conditions:
Two or more BIG-IPs in a DSC device group, say DG1. A partition (P1) is created where the root partition folder (/P1) or a subfolder is assigned to DG1.

Objects have also been configured in the folder and the user deletes the partition, which will cause the folder and its contents to be deleted.

Impact:
The sync of this change may fail on peers.

Workaround:
Disable auto-sync on the device group if it's enabled, delete the partition on all of the peers, and re-enable auto-sync.


643768 : Invalid entries in SNMP allowed-address and SNMP community fields can cause upgrade failure.

Component: TMOS

Symptoms:
If there are invalid entries in the SNMP allowed-address field, or in the SNMP communities source field, upgrade to v13.0.0 fails to load the configuration on validation of the input, with this error signature:

01070911:3: The requested host (<host-ip-address>) is invalid for allow in snmpd (/Common/snmpd),
Unexpected Error: Loading configuration process failed.

Conditions:
This can happen when upgrading from a release older than 13.0.0, and there is an invalid entry in the SNMP allowed-address field or communities source field, such as:

sys snmp {
    allowed-address { 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
    }
}

Impact:
Upgrade to 13.0.0 fails if the configuration contains these invalid values, due to input validation that was added in this version.

Workaround:
Remove the invalid entries from these 2 field types before doing an upgrade to 13.0.0.

Fix:
The fix removes the invalid entries from the configuration on upgrade automatically.
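Because the pre-upgrade check is the part an operator actually has to do by hand on older releases, here is an added example (not BIG-IP code) of a small lint over a 'sys snmp' tmsh configuration block. It accepts what the validation added in 13.0.0 accepts for these two fields as far as the entry describes it (a single address, a network as a prefix length or a proper netmask, or an RFC 1123 hostname) and flags everything else, including the four entries quoted above. The sample configuration is the one shown in the entry; the regular expressions and the acceptance of 'default' as a community source are assumptions of this example, not documented validation rules.

```python
import ipaddress
import re
import shlex

# RFC 1123 hostname: labels of letters, digits and hyphens, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_valid_entry(entry: str) -> bool:
    """Accept one host address, a network as prefix length or dotted netmask, or a hostname.
    Anything else (two addresses in one token, a bad mask, commas, spaces) is rejected."""
    if "/" in entry:
        addr, _, mask = entry.partition("/")
        try:
            ipaddress.ip_address(addr)
            ipaddress.ip_network(f"{addr}/{mask}", strict=False)   # validates prefix or netmask
            return True
        except ValueError:
            return False
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(entry))


def lint_snmp_config(text: str):
    """Return [(field, entry)] for every invalid allowed-address or community source
    entry in a 'sys snmp' tmsh block. Quoted tokens are split the way tmsh shows them,
    so "1.1.1.1 2.2.2.2" is examined as the single entry it really is."""
    problems = []
    for m in re.finditer(r"allowed-address\s*\{(.*?)\}", text, re.S):
        for entry in shlex.split(m.group(1)):
            if not is_valid_entry(entry):
                problems.append(("allowed-address", entry))
    for m in re.finditer(r"^\s*source\s+(\S+)\s*$", text, re.M):
        src = m.group(1)
        if src != "default" and not is_valid_entry(src):   # 'default' assumed valid here
            problems.append(("communities.source", src))
    return problems


# The invalid configuration quoted in the entry above, used as the sample input.
SAMPLE_CONFIG = """sys snmp {
    allowed-address { 127.0.0.0/8 1.0.0.0/2.0.0.0 "1.1.1.1 2.2.2.2" 3.3.3.3,4.4.4.4 }
    communities {
        /Common/test {
            community-name test
            source 1.0.0.0/foo
        }
    }
}
"""
```

Run this over 'tmsh list sys snmp' output before the upgrade; every entry it reports is one that would otherwise stop the configuration from loading on 13.0.0 with the error above.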


643340 : False-positive alerts due to secure channel and cookies expiration

Component: Fraud Protection Services

Symptoms:
When the cookies and the secure channel expire, the plugin sends three alerts.

Conditions:
Cookies and secure channel expire.

Impact:
False-positive alerts due to secure channel and cookies expiration.

Workaround:
There is no workaround at this time.

Fix:
The default expiration time is set to 24 hours. This fix adds a page refresh after 20 hours.


642923 : MCP misses its heartbeat (and is killed by sod) if there are a large number of file objects on the system

Solution Article: K01951295

Component: TMOS

Symptoms:
MCP may timeout and be killed by the sod watchdog, causing mcpd to restart.

Conditions:
Certain operations, under certain conditions, on certain platforms, may take longer to complete than the mcpd heartbeat timeout (300 seconds). When that happens, the system considers mcpd unresponsive, and will kill mcpd before it has finished its task, resulting in this issue.

There are a number of ways that this issue may manifest.

For example, the default mcpd heartbeat timeout might be reached when loading a configuration file with a large number* of file objects configured (e.g., SSL certificates and keys, data-groups, APM customizations, EPSEC file updates, external monitors, or other data present in the filestore (/config/filestore)).

*Note: Depending on the operations mcpd is performing, the performance of the hardware, the speed of disk access, and other potential factors, 3,000 is a rough estimate of the number of filestore objects that might cause this issue to occur.

Impact:
mcpd restarts, which causes a system to go offline and restart services.

Workaround:
To prevent the issue from occurring, you can temporarily disable the heartbeat timeout using the following command:

   modify sys daemon-ha mcpd heartbeat disable

Important: Disabling the heartbeat timer means that, should the mcpd process legitimately become unresponsive, the system will not automatically restart mcpd to recover.

Note: If you have a large number of objects (more than 3,000) in the filestore, and are able to reduce this by deleting their related configuration objects, you may be able to work around the issue.

To determine the specific cause of the issue, you can open a support case with F5, to inspect the resulting mcpd core file.

Fix:
A possible case where mcpd goes too long without updating the heartbeat has been fixed by replacing one algorithm with a more efficient one.


642068 : PEM: Gx sessions will stay in marked_for_delete state if CCR-T timeout happens

Component: Policy Enforcement Manager

Symptoms:
PEM sessions stay in the marked-for-delete state if CCR-T times out.

Conditions:
This occurs if PCRF does not respond to CCR-T packets from the BIG-IP system during session termination.

Impact:
PEM sessions remain in the marked-for-delete state.

Workaround:
Configure the required timeout value in the sys db variable tmm.pem.session.timeout.endpointdeleteresponse.

Note: The value must be greater than 0 (zero).

Fix:
PEM sessions no longer stay in the marked-for-delete state if CCR-T times out.


641513 : ePVA traffic stats are not accumulated for SNAT pool members

Component: TMOS

Symptoms:
SNAT pool members of a virtual server do not show any PVA-related traffic stats after passing traffic.

Conditions:
A FastL4 virtual server using a SNAT pool for source address translation.

Impact:
Incomplete stats. No impact to traffic passing.

Workaround:
None.

Fix:
Fixed an issue with ePVA statistics collection.


641034 : Use RDP URIs to launch MS RemoteApps from APM Webtop on Mac

Component: Access Policy Manager

Symptoms:
Mac RDP client versions earlier than 8.0.39 do not handle URI encoding properly.

Conditions:
APM using RDP files to launch Microsoft RemoteApps from the APM Webtop on Apple Macintosh computers.

Impact:
URI encoding improperly handled.

Workaround:
None.

Fix:
APM now uses RDP URIs (instead of RDP files) to launch MS RemoteApps from APM Webtop on Mac. Mac MS RDP client 8.0.39 or later is required (as previous RDP client versions cannot handle URI encoding properly).


640766 : Linux kernel vulnerability: CVE-2016-10088 CVE-2016-9576

Solution Article: K05513373


640636 : F5 Optics seen as unsupported instead of misconfigured when inserted into wrong port on B4450 Blade

Component: TMOS

Symptoms:
Inserting a 40G optic into a 100G port, or a 100G optic into a 40G port, shows the optic as "Unsuported Optic". That is not correct: the optic may be a supported one that is simply inserted in the wrong port.

Conditions:
B4450 Blades with 100G or 40G optics inserted in a port that does not support that speed optic.

Impact:
The error message is misleading when the optic is inserted in the wrong port, so the user may not understand why the optic is not working.

Workaround:
If the optic shows up in "tmsh list net interface" as "Unsuported Optic", remove the optic and verify that the optic speed matches the port.

Fix:
The "tmsh list net interface" will now show:
 
module-description "F5 Qualified Optic in invalid port"

And the LCD warning message will show:
Optic OPT-XXXX not valid in Interface <InterfaceNumber>.


639124 : Access Policy Section Unexpectedly Shown

Component: Access Policy Manager

Symptoms:
When creating a Virtual Server, the Access Policy section is shown unexpectedly when Type is set to 'Internal' or 'Message Routing'.

Conditions:
Occurs when creating a new Virtual Server with Type set to 'Internal' or 'Message Routing'.

Impact:
Virtual Server properties will include "Access Policy" setting, which should not be allowed.

Workaround:
No workaround

Fix:
The virtual server will now only show the "Access Policy" section when Type is set to 'Standard.'


639028 : Reset of unsupported User Identification Methods for profiles of type OAuth-Resource-Server, SSL-VPN, System Authentication during upgrades

Component: Access Policy Manager

Symptoms:
In previous releases, some invalid combinations of Profile Type and User Identification Methods were allowed via either the UI or tmsh.

Conditions:
It is possible to configure unsupported combinations of Profile Type and User Identification Method; these combinations do not work.

Impact:
It is possible to create and use profile type/user identification method combinations that are not allowed. During upgrades, the following Profile Types have their User Identification Method automatically set to the corresponding value in the following table, because other methods are not supported.


Profile Type | User Identification Method
---------------------------------------------
OAuth-Resource-Server| OAuth Token
SSL-VPN | HTTP
System Authentication| HTTP

Workaround:
You can reconfigure the User Identification Method to one of the allowed values:

Profile Type | User Identification Method
---------------------------------------------
All | HTTP
LTM-APM | {HTTP | IP Address}
OAuth-Resource-Server| OAuth Token
SSL-VPN | HTTP
SWG-Transparent | IP Address
SWG-Explicit | {IP Address | Credentials}
System Authentication| HTTP

Fix:
During upgrades, the following Profile Types have their User Identification Method automatically set to the corresponding value in the following table, because other methods are not supported. A warning message is logged for each profile that is reset. In earlier releases, users were not prevented from selecting such User Identification Methods.


Profile Type | User Identification Method
---------------------------------------------
OAuth-Resource-Server| OAuth Token
SSL-VPN | HTTP
System Authentication| HTTP


638893 : Reference to SOL14556 instead of K14556 in tmsh modify net interface X.X media command

Component: TMOS

Symptoms:
Error message references solution number instead of Knowledgebase number:
 err mcpd[6492]: 01071ab6:3: The requested media 100TX-FD for interface 1.0 is invalid. Valid settings are: auto, 1000T-FD. Please see SOL14556 for details.

Conditions:
Incorrectly configure net interface media, e.g.,
modify net interface 1.0 media 100TX-FD.

Impact:
Posted message references SOL14556. The Ask F5 site now uses K numbers instead of SOL numbers. At some point, the previously used SOL numbers might no longer redirect, and the information originally in that article would be lost.

Workaround:
View knowledgebase article K14556: Copper 1 Gbps modules configured with media other than the 'auto' setting may not function, https://support.f5.com/csp/article/K14556.

Fix:
Updated tmsh output to reference the new knowledgebase numbering.


638091-5 : Config sync after changing named pool members can cause mcpd on secondary blades to restart

Component: TMOS

Symptoms:
After performing a ConfigSync, mcpd restarts and the following error is seen in /var/log/ltm:

     01070734:3: Configuration error: Invalid mcpd context, folder not found <foldername>

Conditions:
- Chassis cluster with at least two blades
- sync-failover device group set to full-sync and auto-sync disabled
- Changing a named pool-member in non-default partition without syncing between delete and create

Impact:
Secondary blades do not process traffic as they restart

Workaround:
To prevent blade restart, follow the workaround in K16592: ConfigSync may fail when deleting and recreating a pool member with a node name set (https://support.f5.com/csp/article/K16592).

To work around this issue, you can synchronize the configuration just after deleting the pool member and node, before re-creating the pool member. To do so, perform the following procedure:

Impact of workaround: Performing the following procedure may impact client connectivity to the node. You should perform this procedure only during a maintenance window.

1. Log in to the BIG-IP system Configuration utility.
2. Navigate to Local Traffic :: Pools, and select the Pool with the member you want to delete.
3. From the top of the menu, click Members.
4. Select the checkbox next to the pool member you want to delete, and click Remove.
5. Navigate to Local Traffic :: Nodes.
6. Select the checkbox next to the node with the same name, and click Delete.
7. Navigate to Device Management :: Overview.
8. Select the local device by hostname (self).
9. Click the Sync option.
10. If the ConfigSync was successful, you may now re-create the pool member.

Fix:
Config sync after changing named pool members no longer causes mcpd on secondary blades to restart.


636997 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636994 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636992 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636986 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636982 : big3d may crash

Component: Global Traffic Manager (DNS)

Symptoms:
Under certain conditions, big3d may crash or malfunction while processing GTM data

Conditions:
GTM enabled

Impact:
iQuery connection may be reset

Workaround:
None

Fix:
big3d processes GTM data as expected


636682 : MySQL vulnerability CVE-2016-6663

Solution Article: K73828041

Component: Application Security Manager

Symptoms:
For information, see K73828041: MySQL vulnerability CVE-2016-6663: https://support.f5.com/csp/article/K73828041.

Conditions:
For information, see K73828041: MySQL vulnerability CVE-2016-6663: https://support.f5.com/csp/article/K73828041.

Impact:
For information, see K73828041: MySQL vulnerability CVE-2016-6663: https://support.f5.com/csp/article/K73828041.

Fix:
For information, see K73828041: MySQL vulnerability CVE-2016-6663: https://support.f5.com/csp/article/K73828041.


635551 : ASM/DoSL7 Challenges should support CORS requests

Solution Article: K43184134

Component: Application Security Manager

Symptoms:
Bot protection is intermittently causing page not to load completely.

Conditions:
Enable ASM features that include challenge scripts, such as Web Scraping, Brute Force, Proactive Bot Defense, or DoS L7 client-side mitigation, and then browse to a resource that makes a cross-origin HTTP request.

Impact:
Bot protection is intermittently causing page not to load completely.

Workaround:
Perform one of the following:
1. Add the URL to the whitelist URL list.
2. Insert an "Access-Control-Allow-Origin" header via an iRule.

Fix:
Bot protection no longer intermittently causes incomplete page load.


635509 : APM does not support VMware's Blast UDP

Component: Access Policy Manager

Symptoms:
APM does not support the Blast Extreme Adaptive Transport (BEAT) protocol, which is required for Blast UDP.

Conditions:
1. VMware View Connection Server is configured for Blast UDP.
2. The client attempts Blast UDP.

Impact:
Since APM does not support Blast UDP, the VMware Horizon Client always uses TCP transport, even when network conditions dictate that UDP transport would be more efficient.

Workaround:
None

Fix:
APM now adds support for Blast Extreme Adaptive Transport protocol, which in turn enables Blast UDP.


635191-3 : Under rare circumstances TMM may crash

Component: Local Traffic Manager

Symptoms:
tmm crash and BIG-IP failover.

Conditions:
There are no known, reproducible conditions under which this occurs. However, the tmm restart happens once, and then does not recur. The only way to determine that the issue exists is through a review of the core stack, which must be completed by F5 Support.

Impact:
tmm restart and failover. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The tmm restart and failover no longer occur.


634175 : datasyncd obfuscation can cause performance degradation

Component: Fraud Protection Services

Symptoms:
High bursts of CPU usage every day even with no ASM traffic.

Conditions:
This occurs when datasyncd's obfuscation activity is configured.

Impact:
This causes bursts of unusually high CPU utilization and potentially degraded overall system performance.

Workaround:
None.

Fix:
Fixed a performance issue with the datasyncd obfuscation algorithm.


633449-3 : Browser autocomplete may cause login to fail

Component: Fraud Protection Services

Symptoms:
Browser autocomplete on fields with substitute value enabled may cause login to fail.

Conditions:
WebSafe configured with substitute autocomplete value enabled on field.
Browser saves substituted value.

Impact:
Login fails.

Workaround:
Disable substitute value use.


633441 : Datasync Background Tasks running even without features requiring it

Component: TMOS

Symptoms:
The Datasync Background Tasks run daily for several hours and consume CPU. This is expected and required to generate dynamic versions of obfuscated JavaScript. However, the tasks run even if no features that require JavaScript are enabled.

Conditions:
ASM is provisioned.

Impact:
Spikes of daily CPU usage lasting several hours, even if no features requiring JavaScript are enabled.

Workaround:
If no features requiring JavaScript are enabled, the following command limits the system to a single version of obfuscated JavaScript, so the CPU spike remains short and occurs only once daily.

tmsh modify security datasync local-profile cs-asm-dosl7 max-gen-rows 1

Important: It is not recommended to keep this configuration if any of the JavaScript features are enabled in either the ASM policy or the DoS profile, because doing so significantly reduces the security of the JavaScript obfuscation.

To re-enable full JavaScript obfuscation, run this command:

tmsh modify security datasync local-profile cs-asm-dosl7 max-gen-rows infinite

The log /var/log/datasync/datasyncd.log can be used to monitor the Background Tasks.

Fix:
The Datasync Background Tasks are now running only if there are features requiring JavaScript.


632875 : Non-Administrator TMSH users no longer allowed to run dig

Solution Article: K37442533


632646 : APM - OAM login with ObSSOCookie results in error page instead of redirecting to login page, when session cookie (ObSSOCookie) is deleted from OAM server.

Component: Access Policy Manager

Symptoms:
APM - OAM login with invalid ObSSOCookie results in error page instead of redirecting to login page.

Conditions:
This happens occasionally if a session cookie (ObSSOCookie) or an OAM session is deleted from the OAM server.

Impact:
OAM login with an invalid ObSSOCookie results in an error page. The expected behavior is that the user is redirected to the login page if login with the ObSSOCookie fails.

Workaround:
No Workaround

Fix:
Issue is fixed. On authentication with an ObSSOCookie, APM now uses the getStatus() API call to check the ObSSOCookie status and redirects to the IdP if the status is not 1 (LOGGEDIN, AWAITINGLOGIN). With this fix, a user who logs in with a cookie that was deleted manually from the OAM server is redirected to the IdP.


631977 : Potential information leak of HTTP headers

Component: Local Traffic Manager

Symptoms:
If a TRACE HTTP method is used, by default the BIG-IP system is transparent and will forward that request to the Origin Web Server (OWS). The OWS will reflect any headers seen in that request back in the response.

If the BIG-IP system adds sensitive headers to the request, the OWS will most likely echo those headers in the response.

This may include persistence cookies decrypted by the BIG-IP system.

Conditions:
The BIG-IP system is configured to decrypt certain headers, or to insert 'private' headers that are passed to the OWS.

A TRACE HTTP request is received. The OWS reflects the headers it sees back to the client, leaking the information.

Impact:
Any response from the origin web server will be forwarded to the client, including information added to that request by the BIG-IP system.

Workaround:
By default, the HTTP profile passes TRACE requests through unchanged. To reject them, remove TRACE from the profile's list of known HTTP methods and change the 'unknown method' option from 'allow' to 'reject'; TRACE requests are then rejected as unknown methods.

TRACE requests may also be rejected programmatically by iRules or by L7 Policies.

Similar functionality for filtering HTTP methods exists in the PSM and ASM modules.

Fix:
None.
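
The check below is an added example, not part of the F5 release note and not F5 code. It reproduces the mechanism described above offline: a TRACE echo is diffed against the request the client actually sent, so anything inserted or rewritten in transit (an added X-Forwarded-For header, a decrypted persistence cookie) shows up explicitly. The request, the echo, and every header name, cookie value and address in them are constructed for the example; the SENSITIVE_PREFIXES list is an assumption for the example, not a BIG-IP setting.

```python
"""Added example (not F5 code): detect what a TRACE reflection exposes.

A TRACE response from an origin web server (OWS) carries, as its body, the
request exactly as the OWS received it. Comparing that echo with the request
the client actually sent shows everything an intermediary inserted or rewrote
in transit, which is the leak described in this issue. The messages below are
constructed for the example; nothing is sent over the network.
"""
from typing import Dict, List, Tuple

# Header-name prefixes that usually carry credentials or client identity.
# Assumption for the example, not a BIG-IP setting; everything else that
# differs is still reported, this only selects the high-value subset.
SENSITIVE_PREFIXES = ("cookie", "authorization", "x-forwarded", "x-real-ip")

Diff = List[Tuple[str, str, str]]   # (header, client value, value the OWS saw)


def parse_http_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split an HTTP/1.1 message into (start line, headers, body).

    Header names are lower-cased so comparisons are case-insensitive; repeated
    fields are joined with ', ', which RFC 7230 permits for most headers.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def reflected_header_diff(client_request: str, trace_response: str) -> Diff:
    """Return every header the OWS saw differently from what the client sent.

    The client value is '' for headers inserted in transit and the OWS value is
    '' for headers stripped in transit. Raises ValueError when the response is
    not a 200 with a message/http body, i.e. when TRACE was not reflected.
    """
    status_line, resp_headers, echoed = parse_http_message(trace_response)
    if (not status_line.startswith("HTTP/1.1 200")
            or resp_headers.get("content-type", "").lower() != "message/http"):
        raise ValueError("not a TRACE echo: " + status_line)

    _, sent, _ = parse_http_message(client_request)
    _, seen, _ = parse_http_message(echoed)
    return [(name, sent.get(name, ""), seen.get(name, ""))
            for name in sorted(set(sent) | set(seen))
            if sent.get(name, "") != seen.get(name, "")]


def leaked_sensitive_headers(diff: Diff) -> Diff:
    """Subset of a diff whose header names look like credentials or identity."""
    return [d for d in diff if d[0].startswith(SENSITIVE_PREFIXES)]


# Constructed sample: the request as the client sent it to the virtual server...
CLIENT_REQUEST = (
    "TRACE /app/ HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Cookie: BIGipServerpool=ENCRYPTED\r\n"
    "User-Agent: audit/1.0\r\n"
    "\r\n"
)

# ...and the OWS echo, after the proxy decrypted the persistence cookie and
# inserted a client-address header on the way through.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE /app/ HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Cookie: BIGipServerpool=1677721610.20480.0000\r\n"
    "User-Agent: audit/1.0\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, sent, seen in reflected_header_diff(CLIENT_REQUEST, TRACE_RESPONSE):
        print(f"{name}: client sent {sent!r}, origin saw {seen!r}")
```

In practice the client request is what your test tool sent to the virtual server and the echo is the body of the 200 response it got back; an empty diff means the OWS saw exactly what the client sent, and a ValueError means TRACE was not reflected at all, which is the state the Workaround above is meant to produce.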


631418 : Packets dropped by HW grey list may not be counted toward AVR.

Component: Advanced Firewall Manager

Symptoms:
If the system supports hardware grey list, packets dropped by HW grey list may not be counted toward AVR.

Conditions:
AFM license, HW grey list support.

Impact:
User visibility.

Workaround:
There is no workaround at this time.

Fix:
The issue is fixed.


631369 : Empty external data-groups fail to load

Component: Local Traffic Manager

Symptoms:
Config will fail to load after upgrade or ucs restore with error regarding an empty or missing data group:
01070630:3: The requested data group file (/config/filestore/.stage_d/130_d/Common_d/data_group_d/:Common:empty_48650_1) was not found or empty).

Conditions:
Config references an empty or missing datagroup.

Impact:
Config fails to load.

Workaround:
Remove references to empty or missing datagroups.

Fix:
You can now use an empty file as an external data-group, and it will simply behave as though it has 0 elements.


631316-1 : Unable to load config with client-SSL profile error

Solution Article: K62532020

Component: TMOS

Symptoms:
Config loading fails with an error similar to the following: 'Client SSL profile cannot contain more than one set of same certificate/key type.'

Conditions:
This occurs when both of the following conditions are met:
 -- The system is loading config.
 -- The config contains a client SSL profile which has an RSA cert-key-chain whose key is the default (/Common/default.key), but whose chain is non-empty or whose cert differs from /Common/default.crt. For example:

    cert-key-chain {
        cert /Common/default.crt <==== default cert
        chain /Common/chainCA.crt <==== non-empty
        key /Common/default.key <==== default key
        rsa {
            cert /Common/default.crt <==== default cert
            chain /Common/chainCA.crt <==== non-empty
            key /Common/default.key <==== default key
        }
    }

Impact:
Configuration cannot be loaded.

Workaround:
Remove or adjust the problematic client SSL profile by editing the appropriate bigip.conf file (/config/bigip.conf or /config/partitions/<name>/bigip.conf, depending on the partition the profile resides in), and then load the configuration again.

Steps:
1. Open /config/bigip.conf (or /config/partitions/<name>/bigip.conf, if the client SSL profile is in a partition) in a text editor.
2. Locate the client SSL profile whose cert-key-chain references /Common/default.crt and /Common/default.key.
   
3. Update the client SSL profile by setting .crt and .key to non-default, as shown in the following example:

    cert-key-chain {
        cert /Common/kc.crt <==== changed to non-default
        chain /Common/chainCA.crt
        key /Common/kc.key <==== changed to non-default
        rsa {
            cert /Common/kc.crt <==== changed to non-default
            chain /Common/chainCA.crt
            key /Common/kc.key <==== changed to non-default
        }
    }

4. Save your changes, and then run the following command:
 tmsh load sys conf


631286 : URI cache entries should be replaced /expired for euie hash table

Component: Access Policy Manager

Symptoms:
The tmctl statistics for "access_uri_info" grow gradually and can lead to TMM memory exhaustion.

Conditions:
APM or SWG use case.

Impact:
TMM memory exhaustion.

Workaround:
Restart tmm.

Fix:
A limit on how many entries are stored in the URI cache has been implemented. The default is 2048 entries; the following DB variable controls the maximum:

access.max.euie_uri.cache.entries

The DB variable accepts a range of 2048 - 8192.


630137-1 : Dynamic Signatures feature can fill up /config partition impacting system stability

Component: Advanced Firewall Manager

Symptoms:
When the AFM DoS Dynamic Signatures feature is enabled, inadequate file housekeeping results in the /config/filestore partition filling up. mcpd halts the other running daemons and the system becomes unresponsive.

Conditions:
AFM DoS Dynamic Signatures feature enabled

Configuration changes made but not saved

Device receives traffic.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
Make all configuration changes via the Configuration utility (GUI), or save them with the 'save sys config partitions all' command.

If rolling back the configuration is a requirement, before making changes to the configuration, save a configuration snapshot to a file with the 'save sys config file <filename>' command. You can then load the previous configuration with a 'load sys config file <filename>' command.


629678 : A secondary mirroring address may be used when the primary address is available.

Component: Local Traffic Manager

Symptoms:
TMM tries to establish a mirroring connection to both the primary and the secondary mirroring address. If the secondary mirroring address is connected faster, it will be used even when the primary address is available.

Conditions:
The secondary mirroring address is connected faster than the primary.

Impact:
The secondary mirroring address is used when the primary address is available.

Workaround:
There is no workaround at this time.

Fix:
The primary mirroring address takes priority over the secondary mirroring address.


629334 : Portal Access: JavaScript expressions in parentheses may be rewritten incorrectly

Component: Access Policy Manager

Symptoms:
In some cases, Portal Access incorrectly rewrites JavaScript expressions enclosed in parentheses.

Conditions:
JavaScript code with the following constructions:
- (a.b) (...)
- (a[b]) (...)
- (b) = ...
Assuming 'b' is an element to be rewritten.
Some examples:
- (window.open) ("", "_blank");
- (form["submit"])();
- (location) = "http://some.org/";

Impact:
JavaScript code may not work correctly. In some cases, JavaScript code becomes syntactically incorrect.

Workaround:
Use an iRule to remove the parentheses around such JavaScript expressions where necessary.

Fix:
Now JavaScript expressions in parentheses are rewritten correctly.


629329 : Incorrect message logged when vCMP guest repartitions a host VLAN

Component: TMOS

Symptoms:
When you delete and re-create a VLAN on a vCMP guest using the same VLAN name, subsequent configuration loads will report a warning:

Vlan allowed mismatch found: hypervisor (<hypervisor IP>), guest (/Common/<guest>:-1) and (/Common/<vlan>).

Conditions:
This occurs if you repartition a host VLAN on a vCMP guest.

Impact:
A warning is displayed, but the warning is benign and can be ignored.


628739 : BIG-IP iSeries does not disallow configuring of management IP outside the management subnet using the LCD

Component: TMOS

Symptoms:
Configuring the management IP outside the management subnet succeeds without error.

Conditions:
On the LCD, navigate to the 'Setup' tab, and select 'Management'.
1. Set the default Gateway for the network.
2. Now set an IP address outside the Gateway subnet.
3. Notice no errors and commit is successful.

Impact:
The admin IP and the gateway for the management route (/Common/default) are not in a connected network.

Workaround:
Do not configure the IP and Gateway outside the management route.

Fix:
The LCD no longer allows invalid configuration of the management IP (with a gateway IP outside the management subnet).


627406 : Adding a GUI option to set the httponly attribute on ASM cookies

Component: Application Security Manager

Symptoms:
ASM cookies are set without the httponly attribute. Adding the attribute is possible only through internal configuration.

Conditions:
ASM is provisioned.

Impact:
ASM cookies are not 'httponly', and changing this can be done only via the command line.

Workaround:
None.

Fix:
Added a GUI option to set the 'httponly' attribute under Options : Application Security : Advanced Configuration : System Variables.


625901 : SNAT pools allow members in different partitions to be assigned, but this causes a load failure

Component: TMOS

Symptoms:
SNAT pools allow members in different partitions to be assigned, but this is prohibited at load time.

Conditions:
The SNAT pool is in a partition different from that of the member you are trying to add to it.

Impact:
Load will fail with an error like the following:

01070726:3: SNAT pool translation address /p1/mysnatpool /p2/1.2.3.4%5 in partition PARE cannot reference SNAT Translation /p2/1.2.3.4%5 in partition p2

Workaround:
Use a SNAT pool member in the same partition.


624956 : AVR: Changes to some entities on AVR DNS tmsh reports

Component: Application Visibility and Reporting

Symptoms:
Some entities have been changed for AVR DNS reports on TMSH command.
The attack-type entity is no longer available since DNS no longer provides this information to AVR, instead, there is attack-vector entity. The transaction-outcome entity was renamed to dns-transaction-outcome as part of clear separation for all transaction-outcomes.

Conditions:
Accessing AVR DNS reports using TMSH

Impact:
Old scripts that use the previous entities for DNS reports will break.

Workaround:
N/A

Fix:
The attack-type entity is no longer available on AVR reports for DNS. Instead, the attack-vector (vector) entity is provided to AVR.
The transaction-outcome entity was renamed to dns-transaction-outcome on AVR reports.


624231 : No flow control when using content-insertion with compression

Component: Policy Enforcement Manager

Symptoms:
Packets can get queued in PEM and cause a performance impact.
In some cases this can cause memory corruption.

Conditions:
This issue can happen when there are many connections with compression enabled, hardware offload is not enabled, and content insertion is enabled.

Impact:
Performance impact to flows and possible system crash.

Workaround:
Enable hardware offload and use the PEM throttle feature for content insertion.


621314 : SCTP virtual server with mirroring may cause excessive memory use on standby device

Solution Article: K55358710

Component: TMOS

Symptoms:
If a SCTP virtual server has high availability (HA) mirroring enabled, the send buffer on the standby may have extremely high memory usage until the connections close.

Conditions:
SCTP virtual server has mirroring enabled.

Impact:
TMMs will have high memory usage on standby device.

Workaround:
Disable mirroring on the SCTP virtual server.

Fix:
SCTP virtual server with mirroring no longer causes excessive memory use on standby device.


620954 : Rare problem in pam_tally; message: PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable

Component: TMOS

Symptoms:
Contention for /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:
 PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Conditions:
A high rate of concurrent authentication attempts may trigger this issue. For example, a client that repeatedly opens a connection using basic authentication, performs a query (for example, get node list, get virtual address list, or set pool min active members), and then closes the connection will see occasional authentication failures if it does so frequently enough.

Impact:
This intermittent authentication failure results in users not being able to login.

Workaround:
Since this is an intermittent authentication failure, wait a few seconds and then attempt to log in again.


618222 : Loop detection implementation logic violates branch parameter compliance with RFC 3261

Component: Service Provider

Symptoms:
RFC 3261 requires that the ACK for a non-2xx response have the same branch ID as the INVITE whose response it acknowledges.
However, if loop detection is enabled on the BIG-IP system, the branch parameter value differs.

Conditions:
This occurs when loop detection flag is enabled in the sipsession object.

Impact:
The branch parameter value differs between the INVITE and the ACK for a non-2xx response, even though they are part of the same transaction. This violates RFC 3261.

Workaround:
Disable loop detection flag in sipsession object.

Fix:
#tmsh modify ltm message-routing sip profile session sipsession loop-detection disabled


617865 : Missing health monitor information for FQDN members

Component: Local Traffic Manager

Symptoms:
Health monitor information and status are both missing for FQDN nodes and pool members.

Conditions:
FQDN nodes and pool members configured.

Impact:
GUI does not show health monitors info/status in node properties page, pool member properties page, or monitor instances page. Difficulty checking health monitor info/status for FQDN members.

Workaround:
Check logs for this info.

Fix:
The system now exposes health monitors info/status and the GUI shows them in node properties page, pool member properties page, and monitor instances page.


617823 : Multi domain login support with Citrix logon prompt

Component: Access Policy Manager

Symptoms:
Domain session variable is not populated.

Conditions:
Only one domain can be supported by statically configuring the domain in access policy.

Impact:
Only single domain logon supported.

Workaround:
No workaround

Fix:
Support multiple domains using Citrix logon prompt for Citrix Receivers.


617643 : iControl.ForceSessions enabled results in GUI error on certain pages

Component: TMOS

Symptoms:
GUI pages display "An error has occurred while trying to process your request."

Conditions:
Visiting pages related to PKI (cert/key), SNMP, AFM or licensing tasks when iControl.ForceSessions is enabled.

Impact:
Unable to use GUI for certain tasks when iControl.ForceSessions is enabled.

Workaround:
Use the shell for the related administrative tasks, or, if the feature is not used, disable it with the following command:

tmsh# modify sys db icontrol.forcesessions value disable

Fix:
The GUI now adapts when icontrol.forcesessions is set to 'enable'.


617286 : Frequent DNS Express zone transfers can prevent updated zone data becoming available.

Solution Article: K14649433

Component: Global Traffic Manager (DNS)

Symptoms:
If DNS Express performs a zone transfer more frequently than every 15 seconds, the new data will not become available until there is a 15 second period with no zone transfers.

Conditions:
DNS Express performs a zone transfer more frequently than every 15 seconds.

Impact:
Updated data in zone transfers is not available.

Workaround:
If possible, configure environment such that there is a 15 second window between zone updates.

or

If possible, disable NOTIFY messages from the master DNS server and lower the refresh time of the SOA record, forcing DNS Express to check the zone serial number at the refresh interval and refresh the zone if needed.

Fix:
DNS Express no longer has the 15 second delay, so updated data in zone transfers is immediately available.


617170 : Port misuse policies could be created if AFM is not provisioned

Component: Advanced Firewall Manager

Symptoms:
Port Misuse Policies cannot be selected from the menu, but if you select Service Policies from the Network menu, you can still create Port Misuse Policies from the upper horizontal tabs. The changes are saved to the configuration file but are ignored.

Conditions:
-- AFM is not provisioned.
-- You select Service Policies in the GUI.

Impact:
The system indicates that a Port Misuse Policy is in effect when it is not.

Workaround:
Do not create Port Misuse Policies on a system where AFM is not provisioned; they have no effect there.

Fix:
Removed Port Misuse Policy from upper Tabs if AFM is not provisioned, so this issue no longer occurs.


616021 : Name Validation missing for some GTM objects

Solution Article: K93089152

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system fails to prevent control characters from being embedded within GTM object names. Once the objects exist in the configuration, the BIG-IP system fails to load GTM configurations where objects containing control characters are referenced by other objects.

The following GTM objects are susceptible to this control character issue:

gtm datacenter
gtm prober-pool
gtm device
gtm application
gtm region entry
gtm virtual server
gtm server
gtm link
gtm pool

Conditions:
-- A GTM object with a control character in the name.
-- That object is referenced by another object.

Reproduction example:

create gtm datacenter "start^Mend"
create gtm server test datacenter "start^Mend" address add { 1.2.3.4 }
save sys config gtm-only
load sys config gtm-only

Impact:
Causes the config to fail to load.

Workaround:
Remove control characters prior to creating GTM objects.


616008 : TMM core may be seen when using an HSL format script for HSL reporting in PEM

Solution Article: K23164003

Component: Policy Enforcement Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Requires a PEM HSL reporting action with an HSL format script against a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
In an iRule against the virtual server, set a Tcl variable in the first line after an iRule event. Unset the same Tcl variable in the last line of the iRule event.

Fix:
TMM core no longer occurs when using an HSL format script for HSL reporting in PEM.


615274-1 : CVE-2016-2183: "SWEET32" Vulnerability (Apache)

Solution Article: K13167034


615245 : For the attributes that contain URI value in them, the passwords within the URI are stored in clear-text in the configuration file, audit file, tmsh history file

Component: TMOS

Symptoms:
The URI specification RFC 3986 allows the inclusion of the username and password in the URI string.

example: http://username:password@example.com/resource

There are a few attributes in the configuration objects that represent a URI.

example: sys/file/ssl-cert::source-path

sys file ssl-cert /Common/dummy {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:dummy_38971_1
    revision 1
    source-path http://admin:secret@10.154.128.224/dummy.crt
}

Using a URI attribute such as sys/file/ssl-cert::source-path in this way results in the password being logged in clear text in several locations. This poses a security risk because the log files may be readable by unprivileged users.

Currently the URI attributes are visible in the /var/log/audit, /config/<partition>/<folder>/BIG-IP*.conf,
/<username>/.tmsh-history-<username> files.

Conditions:
Performing a CRUD operation through TMSH or the iControl REST interface on a configuration object that contains a URI attribute, where the URI value includes a username and password.

Impact:
The clear-text passwords are exposed in the /var/log/audit, /config/<partition>/<folder>/BIG-IP*.conf,
/<username>/.tmsh-history-<username> files.

Workaround:
None

Fix:
The passwords contained in URIs are sanitized in the /var/log/audit and /<username>/.tmsh-history-<username> files.

These are encrypted in the /config/<partition>/<folder>/BIG-IP*.conf file.

Excerpt from /config/bigip.conf:

sys file ssl-cert /Common/dummy1.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:dummy1.crt_64358_2
    source-path http://:@10.154.128.224/dummy.crt
    source-path-password $M$mZ$WTgYeTHGVoo81Lw/fLJCBg==
    source-path-user admin
}


The password section within the URL field accepts ONLY the following characters:

"a-z", "A-Z", "0-9", "-", ".", "_", "~", "!", "$", "&", "'", "(", ")", "*", "+", ",", ";", "=", ":", and percent-encoded values for the entire UTF-8 character set.

Behavior Change:
Generally, the source-path attribute in the configuration objects represents URI fields.

Before the change, the source-path attribute contained clear-text passwords. This could be seen in the TMSH list output and in the iControl REST POST/PATCH/PUT API.

After the change, the source-path contains a sanitized password [****] in the TMSH list output and in iControl REST API responses.
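The sanitization described in this entry, as an added example that is not F5's code: it masks the userinfo password of an RFC 3986 URI before the value reaches an audit log, a tmsh history line or an API response, splits a URI into the three attributes the post-fix config excerpt uses, and checks a password against the character set listed above. The sample URIs are constructed; the $M$ encryption of source-path-password is not reproduced.

```python
"""Added example (not F5's code): mask URI passwords before logging, split a URI
the way the fixed config excerpt stores it, and validate the password charset."""
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "****"  # the placeholder the release note shows in sanitized output

# Password characters the release note permits, plus %XX percent-encoding.
_ALLOWED_PASSWORD = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*$")

# Matches "scheme://user:password@" inside free text such as a tmsh history line.
# The password group must be non-empty so an already-stripped "http://:@host" is left alone.
_USERINFO_IN_TEXT = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*://[^\s/@:]*:)([^\s@]+)@")


def sanitize_uri(uri, mask=MASK):
    """Return uri with the userinfo password replaced by mask (unchanged if no password)."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.netloc.rpartition("@")[2]  # keep host text verbatim (case, brackets, port)
    netloc = f"{parts.username or ''}:{mask}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def split_credentials(uri):
    """Split a URI into the three attributes the post-fix config excerpt uses.

    The password is returned in clear text here; on the BIG-IP it is stored
    encrypted ($M$...), which this example does not reproduce.
    """
    parts = urlsplit(uri)
    if "@" not in parts.netloc:  # no userinfo: nothing to move out of the URI
        return {"source-path": uri, "source-path-user": "", "source-path-password": ""}
    host = parts.netloc.rpartition("@")[2]
    stripped = urlunsplit((parts.scheme, f":@{host}", parts.path, parts.query, parts.fragment))
    return {
        "source-path": stripped,
        "source-path-user": parts.username or "",
        "source-path-password": parts.password or "",
    }


def redact_line(line, mask=MASK):
    """Mask every user:password@ userinfo found in a line of log or history text."""
    return _USERINFO_IN_TEXT.sub(lambda m: f"{m.group(1)}{mask}@", line)


def password_is_allowed(password):
    """True if password uses only the characters the release note permits."""
    return bool(_ALLOWED_PASSWORD.match(password))


if __name__ == "__main__":
    # Constructed sample mirroring the release note's excerpt.
    uri = "http://admin:secret@10.154.128.224/dummy.crt"
    print(sanitize_uri(uri))  # http://admin:****@10.154.128.224/dummy.crt
    print(split_credentials(uri))
    print(redact_line("create sys file ssl-cert dummy source-path " + uri))
    print(password_is_allowed("p@ss"), password_is_allowed("p%40ss"))
```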


613836 : Error message in ltm log when adding a DoS profile to virtual server in cluster setup

Component: Advanced Firewall Manager

Symptoms:
In a cluster environment, when adding a DoS profile to a virtual server, the ltm log shows a configuration exception error message about a missing file.

Conditions:
-- The setup is a cluster.
-- DoS profile is created and attached to a virtual server.

Impact:
No functional impact, but an unnecessary error message is seen in the ltm log.

Workaround:
None.

Fix:
Unnecessary error message no longer occurs.


613521 : Add iRule support for no-padding RSA encryption

Component: Local Traffic Manager

Symptoms:
There is no support for no-padding RSA encryption.

Conditions:
When CRYPTO::encrypt iRule is used.

Impact:
No option for no padding.

Workaround:
There is no workaround at this time.

Fix:
This release adds a new option RSA_NO_PADDING to iRule CRYPTO.

Note: RSA_NO_PADDING has weaker security. You should use it only if your implementation requires it.


612792 : Support RDP redirection for connections launched from APM Webtop on iOS

Component: Access Policy Manager

Symptoms:
Launching Native RDP resource from APM Webtop might fail on iOS.

Conditions:
1. Native RDP resource is launched from APM Webtop on iOS.
2. The RDP connection is redirected from one RDP server to another. This typically happens in RDP farm (multiple RDP servers) deployments.

Impact:
Native RDP resource can't be launched.

Workaround:
iOS RDP client version 8.1.35 allows a workaround with the following “Variable Assign” agent in the Access Policy:
  Custom Variable:
    session.client.platform
  Custom Expression:
    set client_os [mcget {session.client.platform}];
    return [expr {$client_os == "iOS" ? "Android" : $client_os}];

Fix:
RDP redirection is now supported for connections launched from APM Webtop on iOS. Launching RDP resources from APM Webtop now requires at least version 8.1.35 of iOS RDP client.


612118 : Nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Component: Access Policy Manager

Symptoms:
In SWG / forward proxy, nexthop explicit proxy is not used for the very first connection to communicate with the backend.

Conditions:
SWG per-request policy with proxy select agent.

Impact:
The BIG-IP system directly communicates with the backend to fetch server certificates.

Workaround:
None.

Fix:
The next-hop proxy is now used for all connections that use the proxy-select agent, including fetching the backend certificate. In earlier versions, the default route was used to fetch the certificate.

In transparent mode for HTTPS traffic, the proxy select agent can use the host and port information gathered from the backend certificate, because the per-request policy can run before the certificate is fetched. Therefore the per-request policy no longer needs a category lookup agent before the proxy select agent.


609966 : Adding info about delete first 10000 out of XXX instead of showing alert

Component: Application Security Manager

Symptoms:
When deleting requests by filter, the delete is limited to 10K requests. A pop-up alert window is shown to explain this to the user.

Conditions:
User tries to delete more than 10K requests by filter.

Impact:
A pop-up alert is shown, requiring the user to click OK to continue.

Workaround:
Just click OK in alert window.

Fix:
The pop-up message is eliminated; the 10K limit is explained in the action button itself.


608988 : Error when deleting multiple ASM Policies

Component: Application Security Manager

Symptoms:
Error when attempting to delete multiple ASM policies at once.

Conditions:
Multiple ASM policies are selected for deletion that have multiple XML profiles configured on their URLs.

Impact:
Operation fails with ASM subsystem error messages in asm log.

Workaround:
Delete policies one at a time.

Fix:
Multiple ASM policy delete finishes successfully.


608348 : Config sync after deleting iApp f5.citrix_vdi.v2.3.0 could leave an extra tunnel object on synced system

Component: TMOS

Symptoms:
After deleting an iApp built from the f5.citrix_vdi.v2.3.0 template and then running a config sync, the system that received the sync might be left with a tunnel object that should have been deleted.

Running 'tmsh load sys config verify' after this sync gives the following error:
01070734:3: Configuration error: The object (Tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect) is owned by a non-existent application (/Common/test-citrix-app-svc.app/test-citrix-app-svc).
Unexpected Error: Validating configuration process failed.

Conditions:
This occurs when the iApp has been deployed in a sync group, then the iApp is deleted, then a config sync is initiated.

Impact:
Config validation fails, and you must delete the tunnel manually.

Workaround:
On the system that received the sync, edit /config/BIG-IP_base.conf to remove the following objects (replace "test-citrix-app-svc" with the name of the deleted iApp):
a. vlan from net route-domain: /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
b. net fdb tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect
c. net tunnels tunnel /Common/test-citrix-app-svc.app/test-citrix-app-svc_connect

Fix:
The autogenerated tunnel is now successfully removed on receiving devices.


608242 : Add the ability to modify cspm cache cookie name (currently "f5_cspm")

Component: Application Visibility and Reporting

Symptoms:
AVR uses cspm cache cookie for page load time calculations.
The cookie name is currently fixed at f5_cspm.

Conditions:
When page load time metric is requested, AVR injects the cspm cache cookie.

Impact:
The admin does not have the ability to change the cspm cache cookie name.

Workaround:
N/A

Fix:
Admins can now change the value of the default db variable, Avr.CspmCacheCookieName, and rename this cookie as required.


607912 : Citrix Desktop/application name defined at broker is not correctly displayed.

Component: Access Policy Manager

Symptoms:
Title of the Citrix desktop or application resource is not displayed correctly.

Conditions:
Title parameter is absent in the ICA file.

Impact:
User-defined 'display name' of Citrix desktop is absent.

Workaround:
No workaround.

Fix:
Title parameter is now inserted in the ICA file so that it is correctly displayed.


607520 : Send MSS on SYN,ACK when SYN does not have any options

Component: Local Traffic Manager

Symptoms:
When the SYN does not have any options set, TCP does not set any options on the SYN-ACK.

Conditions:
TCP receives SYN without options.

Impact:
No options are set on SYN-ACK.

Workaround:
None.

Fix:
You can now use a newly introduced sysdb variable TM.TcpSendSynAckMSSAlways to enable or disable this feature. If sysdb TM.TcpSendSynAckMSSAlways is enabled and the profile MSS is not equal to the default MSS, TCP always sets the MSS option to the profile MSS value on the SYN-ACK.

Behavior Change:
In earlier versions, if the SYN did not have any options set, the system did not set any options on the SYN-ACK. There is now a new sysdb variable TM.TcpSendSynAckMSSAlways, which you can use to enable or disable this feature. If sysdb TM.TcpSendSynAckMSSAlways is enabled and the profile MSS is not equal to the default MSS, TCP always sets the MSS option to the profile MSS value on the SYN-ACK.


607426 : Analytics UI time format determined by System clock preferences

Component: Application Visibility and Reporting

Symptoms:
Currently there is no consistent way to display timestamps. Some places use 12-hour notation while others use 24-hour. Analytics UI has historically used 24-hour. However, now that the BIG-IP system has a setting for this under System :: Preferences, Analytics uses this value to determine whether timestamps display in 12-hour or 24-hour format.

Conditions:
Viewing timestamps.

Impact:
Analytics pages will use 12-hour format on systems that are set to display 12-hour by default. This differs from the always-24-hour format that appeared in the past.

Workaround:
None.

Fix:
Analytics pages use system preferences to determine whether 12-hour or 24-hour time formats are displayed.

Behavior Change:
Analytics UI time format is now determined by System clock preferences. Previously, there was no consistent way of displaying timestamps. Some places used 12-hour notation while others used 24-hour. Analytics UI has historically used 24-hour. However, now that the BIG-IP system has a setting for this under System :: Preferences, Analytics uses this value to determine whether timestamps display in 12-hour or 24-hour format.


606799 : GUI total number of records not correctly initialized with search string on several pages.

Solution Article: K16703796

Component: TMOS

Symptoms:
GUI total number of records not correctly initialized with search string on several pages.

Conditions:
Searching on the Data Group File List, iFile List, and lw4o6 File Object List pages.

Impact:
GUI shows that there are two pages, but advancing to the second page shows empty page.

Workaround:
Avoid searching in the Data Group File List, iFile List, and lw4o6 File Object List pages to view all items.

Fix:
Searching in the Data Group File List, iFile List, and lw4o6 File Object List pages works as expected.


605649 : The cbrd daemon runs at 100% CPU utilization

Solution Article: K28782793

Component: Application Security Manager

Symptoms:
The cbrd daemon runs at 100% CPU utilization.

You may notice this issue while inspecting:

- The performance graphs for the BIG-IP device.
- SNMP reports from the BIG-IP device.
- The output of utilities such as top or ps.

Note: The cbrd daemon performs XML Content-Based Routing on the BIG-IP system. However, the daemon runs regardless of provisioning and whether the feature is actually being utilized or not.

Conditions:
This is a rarely occurring event whose cause is not known.

Impact:
The cbrd daemon may run inefficiently. Additionally, other control-plane processes running on the BIG-IP device may also be detrimentally affected (depending on the size of the BIG-IP device and its configuration).

Workaround:
You can try to work around this issue by restarting the cbrd daemon using the following command:
bigstart restart cbrd

As the issue occurs rarely, you may not experience this issue again for a long time. This is, however, only a temporary workaround, and will have to be repeated as needed.


604811 : Under certain conditions TMM may crash while processing OneConnect traffic

Component: Local Traffic Manager

Symptoms:
TMM may crash while processing OneConnect traffic.

Conditions:
Removing the OneConnect profile from a virtual server while passing traffic.

Impact:
TMM crash leading to a failover event.

Fix:
TMM now processes profile removals as expected.


601572 : MySQL vulnerability CVE-2016-2047

Solution Article: K53729441


600704 : Session variables cannot be used in Managed Endpoint Notification

Component: Access Policy Manager

Symptoms:
In Managed Endpoint Notification text, you cannot use session variables.

Conditions:
Admin wants to send a Managed Endpoint notification to users.

Impact:
Admin is not able to add dynamic data (like onetime password) in notification sent to user.

Workaround:
None

Fix:
APM now supports session variables in Managed Endpoint Notification.


598085 : Expected telemetry is not transmitted by sFlow on the standby-mode unit.

Component: TMOS

Symptoms:
The expected telemetry is not transmitted by sFlow on the standby-mode unit. In a high-availability (HA)/redundant BIG-IP configuration, standby BIG-IP units are failing to generate sFlow telemetry packets containing unit-specific data.

Conditions:
In a high-availability/redundant BIG-IP configuration with sFlow configured.

Impact:
The sFlow data being transmitted by the standby unit consists of packet samples of the HA Heartbeat traffic, and no other telemetry information.

Workaround:
None.


594751 : LLDP VLAN Information not Transmitted to Neighbors When Interfaces are Added to a Trunk after the Trunk has Already Been Assigned to a VLAN

Solution Article: K90535529

Component: Local Traffic Manager

Symptoms:
Vlan Name and Vlan Tag values are not seen by the LLDP neighbors of the BIG-IP system.

Conditions:
1. LLDP is enabled globally and per interface.

2. Interfaces are added to a trunk after it has already been assigned to a VLAN.

For instance, assume the following procedure was followed for creating an LLDP trunk:

tmsh modify net lldp-globals enabled
tmsh modify net interface 1.1 lldp-admin txrx lldp-tlvmap 114680
tmsh modify net interface 1.2 lldp-admin txrx lldp-tlvmap 114680
tmsh create net trunk myTrunk
tmsh create net vlan myVlan
tmsh modify net trunk myTrunk interfaces add { 1.1 1.2 }
tmsh modify net vlan myVlan interfaces add { myTrunk }

The neighbor to this BIG-IP unit would not see the Vlan Name and Vlan Tag information of this trunk because the interfaces were added after the trunk was already assigned to a VLAN.

Impact:
LLDP Neighbors are unable to see VLAN information for the LLDP interfaces of the BIG-IP.

Workaround:
If the configuration has not yet been performed, the issue can be prevented by assigning all the desired interfaces to a trunk before assigning the trunk to a VLAN.

If the problem already exists, it can be remedied by performing a restart of the LLDP service. This should not impact dataplane services outside of LLDP. To do so, run the following command:
 bigstart restart lldpd

Fix:
VLANs are now properly applied to any interfaces added to a trunk if the trunk already belongs to any VLANs.


592048 : Modification to custom provisioning does not yield expected results.

Component: TMOS

Symptoms:
When a system is configured with one or more custom provisioning profiles, modifications to these profiles have no immediate effect. Moreover, there is no indication the system must be rebooted before these changes take effect.

Conditions:
Modify one or more custom provisioning profiles.

Impact:
Provisioning modifications do not have any effect until the system is rebooted.

Workaround:
Reboot after provisioning changes.


589856-4 : iControl REST : possible to get duplicate transaction ids when transactions are created by multiple clients

Component: TMOS

Symptoms:
When two iControl REST clients using the same username create transactions simultaneously, they can get the same transaction ID. This breaks the execution of both clients' code.

Conditions:
Client requests to create transaction are close to each other in time.

Impact:
Transaction semantics are not followed, and unintended errors may occur.


589233-1 : vCMPd may crash when processing bridged network traffic

Solution Article: K03165684


589083-7 : TMSH and iControl REST: When logged in as a remote user who has the admin role, cannot save config because of permission errors.

Solution Article: K46205123

Component: TMOS

Symptoms:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation fails because of permission errors.

Using iControl, the system posts an error similar to the following: Error processing request for URI:http://localhost:8110/mgmt/tm/sys/config
{code:400,message: Can't create tmsh temp directory \"/config/.config.backup\" Permission denied, errorStack:[]}.

Using TMSH (e.g., running the command: tmsh save sys config), the system posts an error similar to the following:

Can't create tmsh temp directory "/config/.config.backup" Permission denied

Conditions:
This occurs when the following conditions are met:
-- Remote Authentication is configured.
-- User is logged in as a remote user who has the admin role.
-- Using TMSH or iControl for remotely authenticated user operations.

Impact:
Cannot save the configuration.

Workaround:
Use one of the following workarounds:
-- Use the GUI to save the configuration.
-- Have a locally authenticated user with admin role save the configuration.

Fix:
When a remotely authenticated user who has the admin role uses TMSH or iControl to save the configuration, the operation now completes as expected, without permission errors.


588229 : DNS protocol default profiles can be deleted after being modified.

Component: Global Traffic Manager (DNS)

Symptoms:
A protocol default profile can be deleted in some cases.

Conditions:
The protocol default profile is not a parent to any other profile and has been modified.

Impact:
Default protocol profile can be deleted. If a default profile has been deleted, the config might get into an invalid state, and a config reload might be necessary.

Workaround:
Do not attempt to delete a protocol default profile.

Fix:
Default profiles are not deletable under any circumstances.


584696 : MCP debug (/service/mcpd/debug), "Rule checker library has not been initialized"

Component: TMOS

Symptoms:
Running the command 'load sys config' fails with the following message: Rule checker library has not been initialized.

Conditions:
At least one of the following:

-- The /service/mcpd/debug file is present.
-- bigip_base.conf has the following config:

sys daemon-log-settings mcpd {
    log-level debug
}

Impact:
Cannot load config in debug mode.

Workaround:
To work around this issue, from the shell, call the following:
 setenforce 0

Fix:
Can now load config in debug mode.


581851-7 : mcpd process on secondary blades unexpectedly restarts when the system processes multiple tmsh commands

Solution Article: K16234725

Component: TMOS

Symptoms:
The Master Control Program Daemon (MCPD) on secondary blades may unexpectedly restart when the BIG-IP system processes multiple, concurrent TMOS Shell (tmsh) commands.

Under these circumstances, a race condition may occur and cause the mcpd process on the secondary blades to fail to correctly process concurrent updates from the primary blade.

As a result of this issue, you may encounter one or more of the following symptoms:

-- The mcpd process on secondary blades unexpectedly restarts.
-- You notice error messages in the /var/log/ltm file on the BIG-IP system that appears similar to the following example:
 + err mcpd[<PID>]: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

 + err mcpd[<PID>]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070823:3: Read Access Denied: The current update partition ([None]) does not match the object's partition (Common), stats not reset

-- Depending on your high availability (HA) configuration, the device may unexpectedly fail over to another system in the device group.

Conditions:
This issue occurs when all of the following conditions are met:

-- You have a VIPRION platform or Virtual Clustered Multiprocessing (vCMP) guest configuration that uses two or more blades.
-- You attempt to run multiple, concurrent tmsh commands on the BIG-IP system. For example, you run a tmsh command to continually reset persistence records and at the same time run another tmsh command to continually reset the TCP statistics.

Impact:
The BIG-IP system may experience performance degradation when the secondary blades become unavailable while the mcpd process restarts. Depending on your HA configuration, the device may fail over.

Workaround:
None.

Fix:
This issue no longer occurs.


580537 : The GeoIP update script geoip_update_data cannot be used to install City2 GeoIP data

Component: Global Traffic Manager (DNS)

Symptoms:
The geoip_update_data script does not install the City2 GeoIP data.

Conditions:
Attempting to install the City2 GeoIP data.

Impact:
The City2 GeoIP data must be installed manually.

Workaround:
The City2 GeoIP data can be installed manually by extracting the contents of the RPM and updating the associated files. The commands are:

rpm -U <full path to the City2 GeoIP RPM file>
rm /shared/GeoIP/F5GeoIP.dat
ln -s /shared/GeoIP/F5GeoIPCity2.dat /shared/GeoIP/F5GeoIP.dat
rm /shared/GeoIP/v2/F5GeoIP.dat

Fix:
The geoip_update_data script was updated to support installing City2 GeoIP data.


576123 : ASM policies are created as inactive policies on the peer device

Solution Article: K23221623

Component: Application Security Manager

Symptoms:
ASM policies are created as inactive policies on the peer device.

Conditions:
This occurs when the following conditions are met:
-- ASM Sync is enabled on a Sync-Only auto-sync Device Group.
-- There is either no failover group, or the failover group is a manual sync group.

Impact:
ASM policies are created as inactive policies on the peer device, resulting in an inconsistency between peers.

Workaround:
You can use either of the following workarounds:
-- Set the device group with ASM sync enabled to manual sync.
-- Enable auto-sync for the failover group.

Fix:
This release fixes the ASM synchronization mechanism so that ASM policies are correctly created on the peer device.


575848 : Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.

Solution Article: K03803451

Component: TMOS

Symptoms:
Traffic statistics on a SNAT object might not be updated if traffic is ePVA accelerated.

Conditions:
A SNAT object on an ePVA-capable platform.

Impact:
Some traffic-related statistics (pkts/bytes in/out) are not updated.

Workaround:
To get these statistics, convert the global SNAT to an appropriate virtual server.

Fix:
The BIG-IP system now correctly updates traffic statistics on a SNAT object if traffic is ePVA accelerated.


573750 : New option to re-schedule datasync background tasks

Component: TMOS

Symptoms:
The datasync framework runs tasks in the background for use by the data plane. This is currently obfuscation of JavaScript for ASM and FPS, and generation of RSA keys for FPS.

This happens during several hours every day in a low priority process.

Conditions:
The process starts every day at the same time, according to the time in which ASM or FPS were first provisioned. The time persists across upgrades, and is synced in the trust domain using the datasync-global-dg device-group.

Impact:
There is currently no simple way to reschedule these background tasks.

Workaround:
There is no workaround at this time.

Fix:
There is now a simple method to reschedule the daily start time of the Datasync Background Tasks on GUI and TMSH/REST.

In the GUI you can find this in Security :: Options : Background Tasks.

In tmsh it is available via tmsh security datasync background-tasks.


572079 : Command history and audit logs add additional escaping

Solution Article: K80155193

Component: TMOS

Symptoms:
The same command in TMSH command history contains extra slashes.

When cut-and-paste is used, the slashes multiply.

Conditions:
Command entered into tmsh includes escape (backslash) characters.

Impact:
Commands repeated from the history may not match what was entered and will be interpreted as displayed.

The audit logs may contain additional quoting or escaping when compared to the command that was run.

Workaround:
When repeating commands from the history that contain escaping, remove the added escaping before running.

Fix:
Command history and audit logs no longer add additional escaping.


566477 : Too many annotations on dashboard line charts

Solution Article: K13744538

Component: TMOS

Symptoms:
The dashboard line charts are difficult to read because there are many annotations (red-filled circles on the bottom part of the diagram).

Conditions:
Reading any line chart with a time period other than the last five minutes reveals this issue.

Impact:
The user finds it difficult to read dashboard line charts.

Workaround:
None. This is a cosmetic issue that does not indicate a problem.


563866 : Consistently log the fragment in query_string and HTTP_QUERY for ASM/LTM

Component: Application Security Manager

Symptoms:
ASM logging terminates the URL with the number sign '#' if it exists. The part after the '#' is logged as the query string.

Conditions:
-- An HTTP request arrives at ASM.
-- The URL contains a '#', for example:
GET /something/something/dark/side#theforce HTTP/1.1
-- The full request URL needs to be logged in remote logging.

Impact:
The full HTTP Request line does not get logged as expected.

Workaround:
There is no workaround at this time.

Fix:
A new remote logging field was added, 'fragment'. ASM is now logging the part after the '#' in this field.


563661 : Datastor may crash

Component: TMOS

Symptoms:
In rare cases datastor may crash to protect the system from corruption. After datastor restarts, tmm may crash when attempting to communicate with datastor.

Conditions:
WAM provisioned and enabled.

Impact:
Datastor and TMM crashes. Traffic disrupted while tmm restarts.


562921 : Cipher 3DES and iQuery encrypting traffic between BIG-IP systems

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP systems use the iQuery protocol to securely communicate with other BIG-IP systems. The BIG-IP system supports the AES/3DES ciphers for encrypting iQuery traffic. Some of these ciphers are now considered insecure.

Conditions:
The value is hardcoded into the product.

Note: This is completely independent of the TMM profiles or the httpd cipher values.

Impact:
There is no way to configure this; the value is hardcoded. Scanner operations performed on your configuration will report this as an insecure cipher.

Workaround:
If you do not need iQuery at all, you can block port 4353 completely. For those who do need it, there is no workaround.

Fix:
The cipher list in use is now
"AESGCM:AES:!ADH:!AECDH:!PSK:!aECDH:!DSS:!ECDSA:!AES128:-SHA1:AES256-SHA"


562356 : ASM config synchronization stops working

Component: Application Security Manager

Symptoms:
Rarely, you might have ASM synchronization configured, but there is no evidence that the synchronization is occurring, and the policy changes are not synchronized.

The following messages can be seen in '/var/log/ts/asm_config_server.log':
-------------------------
F5::ASMConfig::Handler::SyncHandler::sync_general_ucs_request,,ASM is now entering sync recovery state. Requesting complete configuration from /Common/<peer_machine_name>

F5::ASMConfig::Handler::send_to_relay,,Failed on sending sync_send_ucs to /Common/<peer_machine_name>: Can't call method "send" on an undefined value at /<path>/Handler.pm line <line_number>.

F5::ASMConfig::Handler::spawn_relay_handler,,Sync recovery state timed out. State may be inconsistent with other peers
-------------------------

Note that the values shown in '<...>' in the log examples above vary.

Conditions:
It is not known what triggers this, but it occurs when ASM is provisioned, ASM sync is enabled, and an HA pair is configured. It may occur when mcpd memory consumption becomes excessive.

Impact:
ASM sync does not occur.

Workaround:
None


560045 : Serverside nexthop info not available

Component: TMOS

Symptoms:
There is no info available for server nexthop (VLAN, MAC address).

Conditions:
Running the TMSH command: tmsh show sys conn all-properties

Impact:
No info regarding server nexthop. Troubleshooting asymmetric routing deployments is more difficult.

Workaround:
There is no workaround at this time.

Fix:
Command 'tmsh show sys conn all-properties' shows VLAN and MAC address of server nexthop.


554273 : Upgrade from before 11.4.x fails due to Logging Profile Data Inconsistency

Component: Application Security Manager

Symptoms:
In some rare cases, a Logging Profile that had a remote logging configuration and was then updated to log only locally may be left with the old remote logging data attached. This leads to an invalid state during upgrade.

Conditions:
Upgrading from a version before 11.2.x to 11.5.x, 11.6.x, or 12.0.0 through 12.1.1.

A Logging Profile with the following attributes:
1) Anomaly logging enabled
2) Remote logging disabled
3) A row exists in LOGPROF_REMOTE_CONFIG for the Logging Profile

Impact:
The ASM configuration is not upgraded and is lost.

Workaround:
Make a spurious change to the problematic Logging Profile and save. This will remove the data inconsistency.

Fix:
Upgrade no longer fails due to the data inconsistency.


544106-2 : Bundled state for B2250 40G interfaces may not be displayed or show as "unsupported"

Component: TMOS

Symptoms:
After a clean install, the Bundled attribute for the B2250 interfaces may not be displayed or show as "unsupported".

Examples:

[root@localhost:/S2-green-P:NO LICENSE:Standalone] config # tmsh list net interface bundle
net interface 2/1.1 {
    bundle not-supported <--this is expected if there is no bundling info for the interface.
}
...
net interface 2/2.1 {
    bundle not-supported <------error!
}
net interface 2/2.2 {
    bundle not-supported <-----error
}
net interface 2/2.3 {
    bundle not-supported <---error
}
net interface 2/2.4 {
    bundle not-supported <----error
}
net interface 2/mgmt {
    bundle not-supported
}
[root@localhost:/S2-green-P:NO LICENSE:Standalone] config # tmsh list net interface 2/2.1 2/2.2 2/2.3 2/2.4
net interface 2/2.1 {
    if-index 706 <--------should say "bundle disabled"
    mac-address 00:23:e9:82:d4:c7
    media-max 40000-FD
    mtu 9198
}
...

Conditions:
Perform a clean install on a B2250 (an install where both the image is replaced and the interface configuration is overwritten with an initial configuration).

Impact:
The "bundle" property is not available.

Workaround:
Run the following tmsh command to restore bundling properties:
"tmsh modify net interface 1/2.1 bundle enabled/disabled"

Fix:
Bundled state for B2250 40G interfaces is now displayed with the correct interface designation.


540158 : URLs with different path parameters values are seen as different URLs

Component: Application Security Manager

Symptoms:
URLs with different path parameter values are seen as different URLs. The parameters themselves are enforced as part of the URL, not as parameter values.

Conditions:
An application uses path parameters (the URL path is composed of parameter values).

Impact:
This causes URLs that differ only in parameter values to be seen as different URLs, making the automatic policy builder cumbersome or unworkable.

Workaround:
There is no workaround at this time.

Fix:
Added a path parameter configuration and enforcement.


536831 : APM PAM module does not handle local-only users list correctly

Component: Access Policy Manager

Symptoms:
The following log messages are shown in /var/log/secure, when remote-auth (APM based) is configured and when trying to authenticate local users:

-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

This failure log shows that the system first attempts to authenticate local users (like admin, root, etc.) remotely.

Conditions:
This occurs when the following conditions are met:
- APM is provisioned on a BIG-IP system.
- APM-based remote-auth is configured.
- Local users (like admin, root, etc.) attempt to log into the management interface of that BIG-IP system.

Impact:
Local users' credentials are sent to remote authentication servers, which return an authentication failure. On the second attempt, the system authenticates the user locally, and that succeeds, as expected. See the following logs:

-- notice httpd[8281]: pam_apm: module returning Failure, ClientHandler auth failed!(admin)
-- notice httpd[8281]: 01070417:5: AUDIT - user admin - RAW: httpd(mod_auth_pam): user=admin(admin) partition=[All] level=Administrator tty=/sbin/nologin host=X.X.X.X attempts=1 start="Wed Jan 17 14:49:21 2018"

Workaround:
None.

Fix:
Local users are authenticated locally. The system no longer sends requests to remote servers for local users.


535122 : [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects

Component: TMOS

Symptoms:
Using iControl REST's process (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects created without extensions using tmsh (with 'sys file') during the create process.

Conditions:
-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file').
-- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.

Impact:
The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/.

-- Using iCRD with 'sys crypto' fails.
-- The BIG-IP GUI exhibits the following behavior:
   + Inconsistently manages those files improperly.
   + May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.').
   + May confuse two objects (e.g., 'web-server' and 'web-server.crt').
   + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.

Workaround:
When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', do include a file extension (.crt/.key/.crl/.csr) in the object name, even if it is the extension associated with the type of object. This is because the system explicitly adds the appropriate file extension during the create operation for 'sys crypto' but does not add extensions for 'sys file'.

Fix:
tmsh, iCRD, and GUI no longer implicitly add extensions to key/cert/csr/crl file objects to create/query/delete commands. The system will use the exact name/label specified during the create operation.

Behavior Change:
tmsh, iControl REST daemon (iCRD), and the GUI no longer implicitly add extensions to key/cert/csr/crl file objects when using create/query/delete commands, and the system will use the exact name/label specified. For example, if you specify the name 'test' when using tmsh, iCRD, or the GUI to create a key and a certificate, the system will create the key named 'test' and certificate named 'test' (without an extension). Therefore, you must always specify the correct extension for the type of object you are creating.

iControl SOAP has no change in behavior with file objects. A new hidden/non-default header was added for KeyManagement iControl SOAP calls, which when provided, makes iControl keymgmt APIs behave like tmsh 'sys crypto' APIs by not implicitly adding extensions. Note that this header is not enabled by default and is currently used by the GUI.


534474 : Dependency on Adobe Flash removed from the BIG IP Dashboard

Component: Access Policy Manager

Symptoms:
Adobe Flash technology has inherent security issues and due to the approaching EOL, it became necessary to remove the dependency of Adobe Flash from the BIG-IP Dashboard.

Conditions:
This is an existing feature in BIG-IP which uses Adobe Flash.

Impact:
Adobe Flash has security issues which, after EOL of the software, may cause issues.

Workaround:
Because the Dashboard has a dependency on Flash technology, there is no workaround other than not to use the Dashboard.

Fix:
Dashboard is no longer dependent on the Flash technology, and has been replaced with a more modern GUI which does not use Flash technology.


532521 : IP reputation Spam Sources category is not enforced

Component: Application Security Manager

Symptoms:
An IP address that is a spam source is neither blocked nor reported with an alarm.

Conditions:
-- IP reputation is licensed and updated.
-- The IP reputation feature is configured in the ASM.

Impact:
Traffic coming from an IP address of a spammer might get through ASM. Note that if the IP address has other IP reputation categories, it will be blocked.

Workaround:
An iRule can detect this category and issue a custom violation.

Fix:
This release adds the spam source category to the IP reputation feature.


531934 : Support SSL serverside certificate validation using OCSP and CRLDP (CRL distribution point)

Component: Local Traffic Manager

Symptoms:
The system performs only basic checks on the SSL certificate sent by SSL servers, without using a revocation-checking protocol (for example, OCSP, CRL, or SCVP). At most, it allows a user to configure a pre-downloaded static CRL file for certificate authentication. However, in SSL forward proxy mode the SSL servers, and hence their certificates, change dynamically, so certificate authentication against a static CRL file is not an optimal configuration.

Conditions:
When the system needs to do SSL handshake with SSL servers.

Impact:
If the SSL server (or HTTP server) is using a revoked certificate, the system has no way to know, which is a security weakness.

Workaround:
There is no workaround.

Fix:
The system can now verify the status of the certificate from the SSL servers, by sending outbound queries to OCSP or CRLDP.


527553 : Support Third-party OTP providers and APM Native OTP authentication for Citrix Receiver clients

Component: Access Policy Manager

Symptoms:
Citrix Receiver clients could not be authenticated using Third-party OTP providers or APM Native OTP.

Conditions:
APM is configured as Citrix Integration or Replacement mode and uses OTP based authentication.

Impact:
OTP based second factor authentication could not be used.

Workaround:
None.

Fix:
Support Third-party OTP providers and APM Native OTP authentication for Citrix Receiver clients


523282 : CVE-2015-3152 : MySQL BACKRONYM Vulnerability

Solution Article: K16845


518333 : New LSN Stat,Total End Points (IPv4/IPv6), deprecates the stat Total End Points

Component: Carrier-Grade NAT

Symptoms:
The stat Total End Points displays an incorrect value when an IPv6 address with a small prefix is configured in LSN Pool.

Conditions:
Any IPv6 address with a small prefix is configured as pool member for an LSN pool.

Impact:
The statistic shows incorrect values when an IPv6 address with small prefix is configured in LSN pools.

Workaround:
None.

Fix:
This release introduces a new stat, Total End Points (IPv4/IPv6), which displays the correct values. Refer to this new statistic for correct information when IPv6 addresses are added to an LSN pool.


514703 : gtm listener cannot be listed across partitions

Component: TMOS

Symptoms:
Unable to reference (perform operations: list, create, modify ...) gtm listeners across partitions.

Conditions:
-- In one partition.
-- Listener in another partition.
-- Attempt to perform operations on the listener in the other partition.

For example, the current partition is /Common, and a listener exists in /DifferentPartition, and you try to perform operations on the listener under /DifferentPartition.

Impact:
Cannot perform any operations on that listener. The listener will be listed as non-existent.

Workaround:
Change to the partition where the listener exists before performing any operations on it.

Fix:
The system can now reference GTM listeners across partitions.


514470 : tmm shows stats for unused TCP4 SYN cache and TCP SYN cache.

Component: Local Traffic Manager

Symptoms:
Running 'tmsh show sys mem | grep -i syn' on the LTM shows tmm stats for the unused TCP4 SYN cache and TCP SYN cache.

Conditions:
Running 'tmsh show sys mem | grep -i syn' on the LTM.

Impact:
The output shows TCP4 SYN cache and TCP SYN cache entries. These two stats are not used and do not reflect any actual memory usage in LTM.

Workaround:
None.


513317 : Add X25519 support for SSL ECDHE.

Component: Local Traffic Manager

Symptoms:
There is no X25519 support for SSL ECDHE.

Conditions:
Trying to use X25519 for SSL ECDHE.

Impact:
SSL client/server will not be able to use X25519 for ECDHE.

Workaround:
In a typical configuration, this does not impact SSL connections unless the SSL client/server exclusively requires X25519 for ECDHE. For most applications, P-256/P-384 will be used instead.

Fix:
Added X25519 support for SSL ECDHE.


495443-6 : ECDH negotiation failures logged as critical errors.

Solution Article: K16621

Component: Local Traffic Manager

Symptoms:
When a failure occurs in an SSL negotiation involving Elliptic Curve Diffie-Hellman (ECDH) key agreement, a critical error may be logged. However, an SSL negotiation failure is not a critical issue.

Conditions:
An SSL negotiation failure involving ECDH key agreement.

Impact:
Spurious critical error logs.

Workaround:
Treat SSL ECDH negotiation failures as non-critical errors.

Fix:
These ECDH failures are now logged as non-critical errors.


491560 : Using proxy for IP intelligence updates

Component: TMOS

Symptoms:
When connecting to the proxy server, the iprepd daemon does not send the value of the DB variable iprep.server in the CONNECT request; it sends the locally resolved IP address instead.

Conditions:
The following DB variables are configured to use proxy:
proxy.host
proxy.port

This presents a problem when the proxy server is configured to allow only IPs that have a reverse lookup.

Impact:
When the proxy sees the traffic it denies it, because the reverse lookup for that server IP is not present.

Workaround:
Use one of the workarounds:

-- Do not use proxy.

-- Check the server IP address regularly and maintain proxy white list manually.

Fix:
The iprepd daemon now sends the CONNECT request with the value of the DB variable iprep.server and lets the proxy server do the DNS lookup.


486827 : There is no syslog destination for dosl7 logging

Component: Application Security Manager

Symptoms:
It's not possible to configure the syslog destination for dosl7 logging.

Conditions:
A customer wants to configure a syslog destination for dosl7.

Impact:
An error message appears when attempting to attach to the virtual server a publisher that has a non-Splunk/ArcSight destination.

Workaround:
A possible workaround is to send the Splunk logging to another machine that has syslog-ng configured as the logger and alertd to generate traps from it. (not nice)


471237 : BIG-IP VE instances do not work with an encrypted disk in AWS.

Solution Article: K12155235

Component: TMOS

Symptoms:
BIG-IP VE instances cannot use encrypted disks in AWS as encryption-decryption introduces some data corruption in the disk that causes failure in some of the TMOS daemons at run-time.

Conditions:
Deploy a BIG-IP VE guest in AWS with an encrypted disk.

Impact:
TMM cores at startup, and does not start.

Workaround:
Do not use encrypted disks in AWS for BIG-IP VE instances.

Fix:
BIG-IP VE instances can now work with an encrypted disk in AWS.


470807-1 : iRule data-groups are not checked for existence

Component: Local Traffic Manager

Symptoms:
When an iRule specifies a data-group that is not in Common, or that does not have an explicit path to it, it does not result in an error when the iRule is saved, or during runtime.

Conditions:
A user saves an iRule that references a data-group not in Common, without an explicit path to it.

Impact:
When such an iRule is saved, it can cause all traffic to fail.

Workaround:
None.


468505 : TMSH crypto commands do not work with the TMSH batch mode

Solution Article: K16177

Component: TMOS

Symptoms:
tmsh crypto commands will fail when executed in tmsh batch mode.

Conditions:
tmsh batch mode and 'sys crypto' commands.

Impact:
tmsh crypto commands will fail when executed in tmsh batch mode.

Workaround:
Run the tmsh 'sys crypto' commands outside of a 'cli transaction', i.e., not in batch mode.


464650 : Failure of mcpd with invalid authentication context.

Component: TMOS

Symptoms:
MCPd cores.

Conditions:
It is not known what triggers this core.

Impact:
mcpd restarts.

Workaround:
None.

Fix:
Failure of mcpd with invalid authentication context no longer occurs.


463097 : Clock advanced messages with large amount of data maintained in DNS Express zones

Solution Article: K09247330

Component: Local Traffic Manager

Symptoms:
With a large amount of data maintained in DNS Express (DNSX) zones, TMM can suffer clock advances when performing the DB reload, and logs 'Clock advanced' messages.

Conditions:
Large enough zones in DNSX (several hundred thousand to several million records, depending on hardware).

Impact:
Clock advance messages in log. No traffic can be passed for this duration. When DNS Express zones are updated, you may see messages similar to the following in the /var/log/ltm log: notice tmm[25454]: 01010029:5: Clock advanced by 121 ticks.

Workaround:
Prevent all updates to DNSX zones.

Fix:
AXFR and IXFR to DNS Express (DNSX) with large zones have been significantly improved. The DNSX DB now resides in /shared to resolve DB size issues.


452283 : An MPTCP connection that receives an MP_FASTCLOSE might not clean up its flows

Component: Local Traffic Manager

Symptoms:
An MPTCP connection that never expires can be seen using the command "tmsh show sys conn". Its idle time periodically resets to 0.

Conditions:
A virtual server is configured with a TCP profile with "Multipath TCP" enabled.
BIG-IP receives an MP_FASTCLOSE while the BIG-IP is advertising a zero window.

Impact:
A connection remains that never expires; its idle time periodically resets to 0.

Workaround:
There is no workaround at this time.

Fix:
Fixed MP_FASTCLOSE handling.


446673 : APM does not support Vmware View 'Log in as current user' feature

Component: Access Policy Manager

Symptoms:
Even though 'Log in as current user' feature is enabled on Vmware View Connection server, when a Windows user accesses a View resource through APM, user is asked to authenticate.

Conditions:
1. 'Log in as current user' feature is enabled on Vmware View Connection server.
2. Vmware View Connection Server is behind APM.
3. Windows user is in same Active Directory domain as View Connection Server and is already logged into Windows desktop.
4. User attempts to access a View resource through APM.

Impact:
User is required to authenticate to APM.

Workaround:
There is no workaround at this time.

Fix:
APM now supports the "Logon as current user" feature for the Horizon client on Windows. Once logged into the Windows desktop, the user can access View resources without being prompted to log in.


445825 : Autosync occurring in Sync-Failover ASM

Component: Application Security Manager

Symptoms:
On Primary/ACTIVE, Secondary/STBY configurations, when the ASM device group is selected from the GUI on a secondary/STBY system, config sync automatically occurs and pushes the config from STBY to ACTIVE systems, overwriting existing policies on ACTIVE.

Conditions:
-- Configure high availability for Sync-Failover.
-- Enable ASM sync on the Sync-Failover device group.

Impact:
The system automatically performs a config sync operation, and pushes the config from STBY to ACTIVE systems, overwriting existing policies on ACTIVE.

Workaround:
None.

Fix:
When enabling ASM sync on a Sync-Failover device group, automatic sync no longer occurs if the Sync-Failover device group is 'In Sync' before enabling ASM sync on it.


441800 : LTM Policy allows user-specified status code for redirect action

Component: Local Traffic Manager

Symptoms:
Previously an HTTP redirect always specified a status code of 302. Now you can specify a return code in the range of 300-399, with a default value of 302. Of particular interest is the ability to return 301 to indicate 'Permanent redirect'.

Conditions:
LTM Policy with an action of 'forward-redirect'.

Impact:
Previously, the only value available was 301. You can now specify any status code in the Redirect range.

Workaround:
This is new functionality, and there is nothing to mitigate or work around.

Fix:
You may now specify any status code in the range 300-399 for LTM Policy redirect action. The default value is 302.

Behavior Change:
The system now provides additional capability for user-specified status codes for redirect actions. Previously an HTTP redirect always specified a status code of 302. Now, you can specify a return code in the range of 300-399, with the default value of 302.


440620 : New connections may be reset when a client reuses the same port as it used for a recently closed connection

Component: Local Traffic Manager

Symptoms:
If a client reuses the same port that it used for a recently closed connection, the new connection may receive a RST in response to the client's SYN.

Conditions:
A client reuses the same port that it used for a recently closed connection. The 4-tuple of local address, local port, remote address, and remote port must be the same to trigger this issue.

Impact:
New connections reusing a 4-tuple may be reset for a brief period following a connection close.

Workaround:
Lowering the "Close Wait" and "Fin Wait 1" timeouts in the TCP profile will shorten the amount of time that a particular 4-tuple remains unusable.

Fix:
Improved abort handling to better clean up hanging connections.


430350 : Utility to parse LOP error entries

Component: TMOS

Symptoms:
When LOP (Lights Out Processor) communication errors occur and are logged in the LTM log, the log entries reference LOP Object IDs, result codes, etc. that are indecipherable (without source code access).

Conditions:
When the LOP is down or not responding for some reason.

Impact:
Lack of a means to decode the log entries prevents support engineers, BIG-IP administrators, etc. from performing initial triage of these errors to determine whether they can be safely ignored (e.g., relate to other errors logged or known conditions such as removal of a power supply), or require further investigation.

Workaround:
Currently, such questions can only be answered by opening an SR for analysis.

Fix:
Using the lopd_debug utility, one can easily decipher the error messages.
# lopd_debug -h
lopd_debug: [ -h ] Help : Display this message
            [ -f filename ] Parse File : Parse <filename> for LOP errors
            [ -S status# (hex) ] Status : Display the Status of LOP communication
            [ -a action# (hex) ] Action : Display the Action performed by LOP
            [ -o objectId# (hex) ] Object : Display the Object Id
            [ -s slotId# (hex) ] Slot : Display the Slot
            [ -r returnCode# (hex) ] Return Code : Display the Return Status of LOP communication


407420 : PSM - SMTP 500 error when HELO message is fragmented

Component: Application Security Manager

Symptoms:
False positive SMTP blocking.

Conditions:
The SMTP HELO message arrives in more than one TCP packet.

Impact:
A false positive blocking, 500 error message.


405432 : OpenSSL certificate directories excluded in qkview/ihealth.

Component: TMOS

Symptoms:
When examining qkview captured files, all the certificates are excluded.

Conditions:
A normal qkview uploaded to iHealth does not show any certificates.

Impact:
Cannot view the certificates to determine whether there are related issues. If the qkview contains an OpenSSL key file in a directory that gets captured, the key file might be exposed in the iHealth (qkview) output.

Workaround:
Certificates must be transferred manually or examined on the BIG-IP system directly.

Fix:
Certificates are now included. All OpenSSL key files are excluded, regardless of location. Also, the certificate files are searched for included private keys.

Behavior Change:
OpenSSL Certificate directories are now included in qkview. OpenSSL Keys are excluded, no matter where they are placed.
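The check the fix describes, searching certificate files for embedded private keys (and dropping key files outright) before they go into a diagnostic bundle, as an added example; this is not F5's qkview code, and every path and PEM body in it is a constructed placeholder:

```python
"""Added example (not F5's qkview code): triage PEM files before bundling.
Key files are excluded outright, and certificate files are searched for
embedded private-key blocks, which are redacted. All paths and PEM bodies
below are constructed placeholders, not real keys or certificates."""
import re
from pathlib import PurePosixPath
from typing import Dict, List

# One PEM block; the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----.*?-----END (?P=label)-----",
    re.DOTALL,
)
# Every OpenSSL private-key encoding ends its label with "PRIVATE KEY":
# "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
KEY_LABEL = re.compile(r"PRIVATE KEY$")
# Extension rule: a .key file is dropped even if it is DER-encoded, which the
# PEM text scan below cannot see inside.
KEY_SUFFIXES = {".key"}
REDACTED = "[private key block removed before bundling]"


def pem_labels(text: str) -> List[str]:
    """Labels of all well-formed PEM blocks in text, in order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(text)]


def has_private_key(text: str) -> bool:
    return any(KEY_LABEL.search(label) for label in pem_labels(text))


def redact_private_keys(text: str) -> str:
    """Replace private-key blocks with a marker; leave certificates intact."""
    def _sub(m):
        return REDACTED if KEY_LABEL.search(m.group("label")) else m.group(0)
    return PEM_BLOCK.sub(_sub, text)


def classify(path: str, text: str) -> str:
    """'exclude' a key file, 'redact' a certificate file that carries an
    embedded key, 'include' anything else."""
    if PurePosixPath(path).suffix.lower() in KEY_SUFFIXES:
        return "exclude"
    labels = pem_labels(text)
    keys = [label for label in labels if KEY_LABEL.search(label)]
    if keys and len(keys) == len(labels):
        return "exclude"  # nothing but key material, whatever the name
    return "redact" if keys else "include"


def triage_bundle(files: Dict[str, str]) -> Dict[str, str]:
    """Map each candidate path to its verdict."""
    return {path: classify(path, text) for path, text in files.items()}


# Constructed sample inputs (placeholder bodies, not real material).
CERT_BLOCK = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderCertificateBodyConstructedForThisExample==\n"
    "-----END CERTIFICATE-----"
)
RSA_KEY_BLOCK = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "MIIEplaceholderKeyBodyConstructedForThisExample==\n"
    "-----END RSA PRIVATE KEY-----"
)
EC_KEY_BLOCK = (
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHQplaceholderKeyBodyConstructedForThisExample==\n"
    "-----END EC PRIVATE KEY-----"
)
SAMPLE_FILES = {
    "/config/ssl/ssl.crt/web-server.crt": CERT_BLOCK,
    "/config/ssl/ssl.key/web-server.key": RSA_KEY_BLOCK,
    "/config/ssl/ssl.crt/ca-chain.crt": CERT_BLOCK + "\n" + CERT_BLOCK,
    # A certificate file that also carries its key: the case the fix targets.
    "/shared/tmp/combined.crt": CERT_BLOCK + "\n" + EC_KEY_BLOCK,
    # A key left in an unexpected place under a misleading name.
    "/var/tmp/notes.txt": EC_KEY_BLOCK,
}

if __name__ == "__main__":
    for path, verdict in triage_bundle(SAMPLE_FILES).items():
        print(f"{verdict:8} {path}")
    print(redact_private_keys(SAMPLE_FILES["/shared/tmp/combined.crt"]))
```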


402691 : The fields displayed in the 'tmsh show net ipsec' should be visible through SNMP

Component: TMOS

Symptoms:
The status information about traffic selectors in IPsec can be displayed with the TMSH command 'show net ipsec', but there is no way to manage the BIG-IP system and gather data using SNMP.

Conditions:
Using SNMP to query the BIG-IP system for IPsec traffic selector status.

Impact:
Use TMSH or customized SNMP solutions.

Workaround:
None.

Fix:
The IPsec SPD stat table has been added to the F5-BIG-IP-SYSTEM MIB.


400550-1 : LCD listener error during shutdown

Component: TMOS

Symptoms:
During shutdown you see this error message: 012a0004:4: LCD listener write to LCDd exception: Psuedo Terminal: File I/O Error [Bad file descriptor] at PseudoTermDev.cpp:93

Conditions:
This can occur when shutting down a blade on a VIPRION 4400 platform.

Impact:
This occurs on shutdown and is cosmetic, and can be ignored.


381122 : Provisioning a module may fail to reload page.

Component: TMOS

Symptoms:
Provisioning a module may fail to reload page.

Conditions:
Provisioning a module and automatically reloading.

Impact:
An error may be displayed although the reprovisioning may be successful.

Workaround:
There is no workaround.

Fix:
Provisioning a module no longer fails to reload page.


373568 : Unable to create and update data-group in a single transaction

Component: TMOS

Symptoms:
Transaction fails with data-group not found error. This can occur if an iApp creates and modifies a data-group in the same transaction.

Conditions:
Creating and updating data-group in a single transaction.

Impact:
Unable to create and update data-group in a single transaction which, if split, could leave stray data-group objects if the update fails.

Workaround:
Split the data-group create and update into separate transactions and handle cleanup if the update transaction fails.


370573 : iRule STREAM command internal error causes connection drop

Component: Local Traffic Manager

Symptoms:
The connection might drop when STREAM::expression command is used.

Conditions:
The regular expression in the STREAM::expression command uses a look-ahead pattern.

Impact:
The connection gets dropped.

Workaround:
There is no workaround other than not using the look-ahead pattern.

Fix:
iRule STREAM command internal error no longer causes connection drop.


349180 : Variable Assign agent now allows to set VPN Dialup Entry/Windows Logon Integration name for Windows

Component: Access Policy Manager

Symptoms:
It is not possible to customize the name of the VPN Dialup Entry/Windows Logon name. Default name was a localized version of the following: <Resource Name> - Go to <Virtual Server address> instead of dialing directly.

Conditions:
When a Network Access resource is accessed.

Impact:
VPN Dialup Entry/Windows Logon is created using default name. It is not possible to change the default name of a Dialup Entry/Windows Logon.

Workaround:
None. This is a request for enhancement.

Fix:
Now BIG-IP Administrators may change the name of VPN Dialup Entry/Windows Logon name created on Microsoft Windows using the Variable Assign Visual Policy Editor agent and specifying a value for the connection_name_txt property under the Configuration Variable section.


305866 : Missing option to mask values from HTTP headers and cookies in logs

Component: Application Security Manager

Symptoms:
While the ASM policy already provides an option to mask values from HTTP parameters and Content Profiles in the logs, there is no option to mask values from HTTP headers and cookies.

Conditions:
HTTP headers or cookies arrive with sensitive values.

Impact:
You cannot select HTTP headers or cookies from which to mask values.

Workaround:
There is no workaround at this time.

Fix:
The HTTP header and cookie properties have a new option 'Mask Value in Logs'. On the HTTP parameters and Content Profiles the previous option 'Sensitive Data' is renamed to 'Mask Value in Logs'.


273104 : Modulate tcp_now on a per-tuple basis to hide uptime in tcp timestamps

Component: Local Traffic Manager

Symptoms:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Conditions:
Always.

Impact:
Nmap can be used to determine the uptime of a BIG-IP by sampling timestamps and their update frequency.

Fix:
Each TCP connection starts with a random timestamp. This is disabled by default; the sys DB variable tm.tcpsendrandomtimestamp enables or disables TCP random timestamps.


251162 : The error message 'HTTP header exceeded maximum allowed size' may list the wrong profile name

Solution Article: K11564

Component: Local Traffic Manager

Symptoms:
If you apply a custom HTTP profile to a virtual server, and the maximum header size defined in the profile is exceeded, the BIG-IP system lists the wrong profile name in the corresponding log message. Instead of logging the profile name associated with the virtual server, the BIG-IP system logs the profile name as http.

For example:

tmm1[5133]: 011f0005:3: HTTP header (34083) exceeded maximum allowed size of 32768 (Client side: vip=http_10.1.0.30 profile=http pool=apache2)

Conditions:
-- You apply a custom HTTP profile to a virtual server.
-- The maximum header size defined in the profile is exceeded.

Impact:
The BIG-IP system lists the wrong profile name in the corresponding log message. This is a cosmetic error, as the correct profile is affected. Only its name is incorrectly reported.

Workaround:
None.


227218 : Adding an option to change TS cookies names

Component: Application Security Manager

Symptoms:
TS cookies, the internal cookies used in ASM, have a fixed prefix and are easy to detect.

Conditions:
ASM or DoS are provisioned.

Impact:
ASM is easily detected.

Workaround:
There is no workaround at this time.

Fix:
Added BigDB variables to control the cookies' prefix and suffix base.


225373 : Dual-stack IPv4/IPv6 on the management interface needs supporting.

Component: Local Traffic Manager

Symptoms:
Dual-stack IPv4/IPv6 cannot be configured on the management interface.

Conditions:
Attempting to configure dual-stack IPv4/IPv6 on the management interface.

Impact:
Needs support for dual-stack IPv4/IPv6 on the management interface.

Workaround:
None.

Fix:
This release adds support for dual-stack IPv4/IPv6 on the management interface on the BIG-IP system.

Behavior Change:
The BIG-IP system now supports dual-stack IPv4/IPv6 on the management interface. This allows having two IP addresses configured at the same time on the management interface.

Note: Only one IPv4 address and one IPv6 address can be configured. Configurations with two IPv4 addresses or two IPv6 addresses on the management interface are not supported.



Known Issues in BIG-IP v14.0.x


TMOS Issues

ID Number Severity Solution Article(s) Description
721364-1 1-Blocking   Per-App VE BYOL license does not support three wildcard virtual servers
708956-3 1-Blocking   During system boot, an error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'
737900-1 2-Critical   mcpd might crash on an unlicensed system
737055-1 2-Critical   Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy
726487-3 2-Critical   VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied
723722-1 2-Critical   MCPD crashes if several thousand files are created between config syncs.
721350-3 2-Critical   The size of the icrd_child process is steadily growing
719597-1 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
717785-4 2-Critical   Interface-cos shows no egress stats for CoS configurations
716391-1 2-Critical K76031538 High priority for MySQL on 2 core vCMP may lead to control plane process starvation
715820-3 2-Critical K61422392 vCMP in HA configuration with VIPRION chassis might cause unstable data plane
711683-1 2-Critical   bcm56xxd crash with empty trunk in QinQ VLAN
708968-1 2-Critical   OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address
707100-1 2-Critical   Potentially fail to create user in AzureStack
706688-2 2-Critical   Automatically add additional certificates to BIG-IP system in C2S and IC environments
706423-3 2-Critical   tmm may restart if an IKEv2 child SA expires during an async encryption or decryption
703669-1 2-Critical   Eventd restarts on NULL pointer access
703045-2 2-Critical   If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.
695341 2-Critical   If FIPS card goes bad and cannot initialize, the BIG-IP system will continuously reboot
691188 2-Critical   TMM core files might be truncated due to lack of space
688421 2-Critical   bigdb_open error is observed during system bootup of VIPRION 2200, 2400, 4400, 4480 chassis, and BIG-IP 5200, 5250, 10255, 10350, and 12050 platforms.
583306-1 2-Critical   Using management port as config sync address might allow its deletion.
481235 2-Critical   Rare Watchdog Restart of TMM and Datastor
737901-3 3-Major   Management MAC address and host VLAN MAC address are the same on iSeries platforms when in vCMP mode
737397-2 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
737346-2 3-Major   After entering username and before password, the logging on user's failure count is incremented.
734846-2 3-Major   Redirection to logon summary page does not occur after session timeout
734836-2 3-Major   Network Map summary counts pool members more than once if they are shared across pools
734527-3 3-Major   BGP 'capability graceful-restart' for peer-group not properly advertised when configured
727467-2 3-Major   Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.x and later.
727297-2 3-Major   GUI TACACS+ remote server list should accept hostname
725791-5 3-Major   Potential HW/HSB issue detected
722682-3 3-Major   Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load
722380-1 3-Major   The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.
721342-2 3-Major   No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.
721020-2 3-Major   Changes to the master key are reverted after full sync
720961-4 3-Major   Upgrading in Intelligence Community AWS environment may fail
720819-3 3-Major   Certain platforms may take longer than expected to detect and recover from HSB lock-ups
720713-1 3-Major   TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail
720651-1 3-Major   Running Guest Changed to Provisioned Never Stops
720610-1 3-Major   Updatecheck logs bogus 'Update Server unavailable' on every run
720461-1 3-Major   qkview prompts for password on chassis
720269-1 3-Major   TACACS audit logging may append garbage characters to the end of log strings
720104-2 3-Major   BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'
719396-2 3-Major K34339214 DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.
718817-1 3-Major   Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.
718800-1 3-Major   Cannot set a password to the current value of its encrypted password
718525-2 3-Major   PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting
718291-1 3-Major   iHealth upload error doesn't clear
714986-4 3-Major   Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot
714974-1 3-Major   Platform-migrate of UCS containing QinQ fails on VE
714903-3 3-Major   Errors in chmand
714654-1 3-Major   Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM
714303-2 3-Major   X520 virtual functions do not support MAC masquerading
714216-1 3-Major   Folder in a partition may result in load sys config error
713708-6 3-Major   Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI
712102-1 3-Major K11430165 customizing or changing the HTTP Profile's IPv6 field hides the field or the row
712033-3 3-Major   When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name
711249-3 3-Major   NAS-IP-Address added to RADIUS packet unexpectedly
710976-2 3-Major   Network Map might take a long time to load
710232-1 3-Major   platform-migrate fails when LACP trunks are in use
709936-1 3-Major K38121141 Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.
709559-1 3-Major   LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name
709444-1 3-Major   "NTP not configured on device" warning seen when NTP symmetric key authentication is configured
709192-2 3-Major   GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart
708484-1 3-Major   Network Map might take a long time to load
708063 3-Major   In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.
707740-5 3-Major   Fixed issue preventing GTM Monitors from being deleted when used on multiple Virtual Servers with the same ip:port combination
707585-2 3-Major   Use native driver for 82599 NICs instead of UNIC
707445-4 3-Major K47025244 Nitrox 3 compression hangs/unable to recover
707391-1 3-Major   BGP may keep announcing routes after disabling route health injection
705651-2 3-Major   Async transaction may ignore polling requests
705037-1 3-Major K32332000 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart
704804-4 3-Major   The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address
704733-3 3-Major   NAS-IP-Address will be sent with the bytes backwards
704449-1 3-Major   Orphaned tmsh processes might eventually lead to an out-of-memory condition
704247-1 3-Major   BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted
703090-3 3-Major   With many iApps configured, scriptd may fail to start
701249-3 3-Major   RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1
700827-3 3-Major   B2250 blades may lose efficiency when source ports form an arithmetic sequence.
698933 3-Major   Setting metric-type via ospf redistribute command may not work correctly
698619-3 3-Major   Disable port bridging on HSB ports for non-vCMP systems
698432-1 3-Major   Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10
696731-4 3-Major K94062594 The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled
694439 3-Major   With the management IP set to an IPv6 address, the downgrade fails when loading the config because of a trailing slash in BIG-IP_base.conf.
688231-1 3-Major   Unable to set VET, AZOT, and AZOST timezones
684096-3 3-Major   stats self-link might include the oid twice
682269 3-Major   Cannot send messages to LCD if tmm or mcpd fail to come up.
678397 3-Major   tmsh 'mv' command does not update the PostgreSQL database with new object name
677234 3-Major   vCMP evaluation license expiration causes guests to enter failed state
673018 3-Major   Parsed text violates expected format error encountered while upgrading or loading UCS
671712-3 3-Major   The values returned for the ltmUserStatProfileStat table are incorrect.
668041-3 3-Major K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
667618-5 3-Major   Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts
664440 3-Major   session_lookup_all() doesn't find all entries during intra-cluster redistribution.
648264 3-Major   IPsec over iSession stops working after upgrading to 11.6.1 from 11.6.0
642276 3-Major K00713065 Addition of new blade puts software management in a degraded state.
641450-6 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
639619-2 3-Major   UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).
611424 3-Major K11322409 iControl-REST object member stats query produces incorrectly nested JSON when object not specified with full path
606032-4 3-Major   Network Failover-based HA in AWS may fail
574095 3-Major   Invalid characters allowed in hostname
560429 3-Major   LTM iRule table set command cannot always set value of record with extremely short timeout
547581 3-Major K01444423 iControl REST: Errors may occur when fetching large number of objects using iControl REST API
479670 3-Major   Status incorrect for vCMP host and guest with different blades as primary
435592-1 3-Major   Error when creating for reconfiguration iApp Application Services: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())'
725612-2 4-Minor   syslog-ng remote destination needs unique name that changes on address change.
723988-1 4-Minor   IKEv1 phase2 key length can be changed during SA negotiation
713134-1 4-Minor   Small tmctl memory leak when viewing stats for snapshot files
711397 4-Minor   Custom dashboards do not upgrade from previous versions
708415-3 4-Minor   Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled
707631-3 4-Minor   The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI
707267-2 4-Minor   REST Framework HTTP header limit size increased to 8 KB
704336-5 4-Minor   Updating 3rd party device cert not copied correctly to trusted certificate store
703509-3 4-Minor   Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled
694491-1 4-Minor   Errant log message appears as an error
689491-2 4-Minor   cpu usage reported as 'stolen' on vcmp guests with 1-core or htsplit disabled
685582-8 4-Minor   Incorrect output of b64 unit key hash by command f5mku -f
685340 4-Minor   On an appliance IPv6 management IP config is not correctly preserved through an .iso install
675208 4-Minor   BWC priority groups cannot be shared across different BWC policies although the configuration allows it.
671921 4-Minor   SNMP traps cannot be delivered to non-default route domains
664869 4-Minor   Duplicate wildcard virtual server address creation
653418-1 4-Minor   Host Processor Superuser keys in /root/.ssh/authorized_keys no longer necessary
648917-2 4-Minor   Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform
598917-1 4-Minor   TMSH and GUI might display a common name different from the one used by the system and displayed in the past.
587804 4-Minor   Symmetric Unit Key decrypt failure on base load
562997 4-Minor   TMM may leak memory when renaming pools
554625 4-Minor   Datagroups have a large impact on configuration save times
500402 4-Minor K33178590 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.
494258 4-Minor   TMSH setting certain values for 'ip-protocol' has incorrect behavior
488915 4-Minor   If you configure the remote user authentication server such as LDAP, make sure it is available.
470264 4-Minor   Tcpdump captures nothing when filtered by VLAN tag
720669-1 5-Cosmetic   Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.
713519-1 5-Cosmetic   Enabling MCP Audit logging does not produce log entry for audit logging change
713491-3 5-Cosmetic   IKEv1 logging shows spi of deleted SA with opposite endianness
662725 5-Cosmetic   tmsh kernel default log levels does not match documentation
654438 5-Cosmetic   Unclear error string when setting invalid score values


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
737758-3 2-Critical   MPTCP Passthrough and VIP-on-VIP can lead to TMM core
737445-1 2-Critical   Use of TCP Verified Accept can disable server-side flow control
726239-5 2-Critical   TMM panic via SIGABRT from sod
724868-3 2-Critical   dynconfd memory usage increases over time
724213-2 2-Critical   Modified ssl_profile monitor param not synced correctly
721571-2 2-Critical   State Mirroring between BIG-IP 12.1.3.* and 13.* systems may cause TMM core on standby system during upgrade
716900-3 2-Critical   TMM core when using MPTCP
716213-5 2-Critical   BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic
710221-1 2-Critical K67352313 Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled
709828-1 2-Critical   fasthttp can crash with Large Receive Offload enabled
700056-2 2-Critical K05350542 MCPD process may lock up and restart when applying Local Traffic Policy to virtual server
571651-5 2-Critical K66544028 Reset Nitrox3 crypto accelerator queue if it becomes stuck.
431480-6 2-Critical   Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message
738523-1 3-Major   SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages
738521-3 3-Major   i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.
738450-2 3-Major   Parsing pool members as variables with IP tuple syntax
726734-3 3-Major   DAGv2 port lookup stringent may fail
726319-1 3-Major   'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses
726232-3 3-Major   iRule drop/discard may crash tmm
723306-2 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722363-3 3-Major   Client fails to connect to server when using PVA offload at Established
721621-3 3-Major   Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node
721261-2 3-Major   v12.x Policy rule names containing slashes are not migrated properly
720799-1 3-Major   Virtual Server/VIP flaps with FQDN pool members when all IP addresses change
720440-2 3-Major   Radius monitor marks pool members down after 6 seconds
720293-4 3-Major   HTTP2 IPv4 to IPv6 fails
719600-1 3-Major   TCP::collect iRule with L7 policy present may result in connection reset
718867-1 3-Major   tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades
717346-1 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
716716-1 3-Major   Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core
715883-1 3-Major   tmm crash due to invalid cookie attribute
715785-1 3-Major   Incorrect encryption error for monitors during sync or upgrade
715756-1 3-Major   Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only
715750-1 3-Major   The BIG-IP system may exhibit undesirable behaviors when receiving a FIN mid-stream on an SSL connection.
715467-1 3-Major   Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY
714559-4 3-Major   Removal of HTTP hash persistence cookie when a pool member goes down.
714503-1 3-Major   When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl
714495-1 3-Major   When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"
714384-2 3-Major   DHCP traffic may not be forwarded when BWC is configured
713951-6 3-Major   tmm core files produced by nitrox_diag may be missing data
713934-1 3-Major   Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response
713585-2 3-Major K31544054 When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long
712819-1 3-Major   'HTTP::hsts preload' iRule command cannot be used
712664-1 3-Major   IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address
712489-1 3-Major   TMM crashes with message 'bad transition'
711981-6 3-Major   BIG-IP system accepts larger-than-egress MTU, PMTU update
711281-6 3-Major   nitrox_diag may run out of space on /shared
710028-1 3-Major   LTM SQL monitors may stop monitoring if multiple monitors querying same database
709963-1 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
709837-1 3-Major   Cookie persistence profile may be configured with invalid parameter combination.
709133-1 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur
709132-2 3-Major   When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur
708068-1 3-Major   Tcl commands like "HTTP::path -normalize" do not return normalized path.
707961-1 3-Major   Unable to add policy to virtual server; error = Failed to compile the combined policies
707951-3 3-Major   Stalled mirrored flows on HA next-active when OneConnect is used.
707691-5 3-Major   BIG-IP handles some pathmtu messages incorrectly
706505-3 3-Major   iRule table lookup command may crash tmm when used in FLOW_INIT
706102-1 3-Major   SMTP monitor does not handle all multi-line banner use cases
704764-1 3-Major   SASP monitor marks members down with non-default route domains
704450-4 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
704381-6 3-Major   SSL/TLS handshake failures and terminations are logged at too low a level
702450-2 3-Major   The validation error message generated by deleting certain object types referenced by a policy action is incorrect
699598-1 3-Major   HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
698211-4 3-Major K35504512 DNS express response to non-existent record is NOERROR instead of NXDOMAIN.
693244-3 3-Major   BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned
688553-4 3-Major   SASP GWM monitor may not mark member UP as expected
682283-1 3-Major   Malformed HTTP/2 request with invalid Content-Length value is served against RFC
679687-2 3-Major   LTM Policy applied to large number of virtual servers causes mcpd restart
678450-1 3-Major   No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.
677709 3-Major   pkcs11d daemon can generate a very large number of log messages
672502 3-Major   When installing a new netHSM client to a BIG-IP volume, the pre-existing netHSM client installed to other BIG-IP volumes will be overwritten and could be unusable
672410 3-Major   High CPU load when HTTP/2 gateway is configured with source-persistence.
672312-4 3-Major   IP ToS may not be forwarded to serverside with syncookie activated
620053-3 3-Major   Gratuitous ARPs may be transmitted by active unit going offline
602708-5 3-Major K84837413 Traffic may not passthrough CoS by default
588521-1 3-Major K93066363 Port/Protocol packet filter might fail to capture IPv6 fragments.
476010 3-Major   Inband monitor does not mark pool member offline as expected
473787 3-Major   System might fail to unchunk server response when compression is enabled
439860 3-Major   Missing SNMP alerts for Virtual Server enabled/disabled.
722534-2 4-Minor   load sys config merge not supported for iRulesLX
719247-1 4-Minor K10845686 HTTP::path and HTTP::query iRule functions cannot be set to a blank string
716922-1 4-Minor   Reduction in PUSH flags when Nagle Enabled
713533-1 4-Minor   list self-ip with queries does not work
712637-1 4-Minor   Host header persistence not implemented
708249-1 4-Minor   nitrox_diag utility generates QKView files with 5 MB maximum file size limit
699426-4 4-Minor   RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.
693901-5 4-Minor   Active FTP data connection may change source port on client-side
686675 4-Minor   Monitor's adaptive-limit is not restricted to a minimum of the adaptive noise floor
682241 4-Minor   Escaped '#' is preserved in fields set through 'tmsh'
681465 4-Minor   When from-nethsm option is specified, there is no error when 'security-type' is 'normal' or 'password'.
680680 4-Minor   The POP3 monitor used to send STAT command on v10.x, but now sends LIST command
657822 4-Minor K83148199 SMB monitor marks node down
636568 4-Minor   LTM: Rateshaper: For all rate shaper deployment use pfifo and fred as default.
594064-6 4-Minor K57004151 tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.
472412 4-Minor   When you force-offline a node, the associated pool member State shows Disabled, but behaves like it is Forced Offline.
222145 4-Minor K9747 Incorrect netmask is set for the wildcard network virtual server
612870 5-Cosmetic   No monitor displayed for 'tmsh show monitor' and 'tmsh show monitor <monitor_type>'


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
737726-1 2-Critical   If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon
722741-2 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
737529-3 3-Major   [GTM] load or save configs removes backslash \ from GTM pool member name
726255-1 3-Major   dns_path lingering in memory with last_access 0 causing high memory usage
723792-1 3-Major   GTM regex handling of some escape characters renders it invalid
723288-1 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
723095-3 3-Major   Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool
719644-3 3-Major   If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions
715448-3 3-Major   Providing LB::status with a GTM Pool name in a variable caused validation issues
714507-1 3-Major   [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server
710032-2 3-Major   'No Access' error when viewing GSLB Server's Virtual Server that has a name indicating a partition that does not exist on that bigip.
688335-6 3-Major K00502202 big3d may restart in a loop on secondary blades of a chassis system
688266-6 3-Major   big3d and big3d_install use different logic to determine which version of big3d is newer
679316-6 3-Major   iQuery connections reset during SSL renegotiation
712335-2 4-Minor   GTMD may intermittently crash under unusual conditions.
699733-1 4-Minor   DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
716788-1 2-Critical   TMM may crash while response modifications are being performed within DoSL7 filter
606983-1 2-Critical   ASM errors during policy import
737500-1 3-Major   Apply Policy and Upgrade time degradation when there are previous enforced rules
734228 3-Major   False-positive illegal-length violation can appear
724414-1 3-Major   ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled
722862 3-Major   ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'
721752-3 3-Major   Null char returned in REST for Suggestion with more than MAX_INT occurrences
721399-1 3-Major   Signature Set cannot be modified to Accuracy = 'All' after another value
719459-1 3-Major   Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled
719005-2 3-Major   Login request may arrive corrupted to the backend server after CAPTCHA mitigation
718232-3 3-Major   Some FTP servers may cause false positive for ftp_security
716940-1 3-Major   Traffic Learning screen graphs show data for the last day only
716324-1 3-Major   CSRF protection fails when the total size of the configured URL list is more than 2 KB
715128-2 3-Major   Simple mode Signature edit does not escape semicolon
713282-2 3-Major   Remote logger violation_details field does not appear when virtual server has more than one remote logger
712362-4 3-Major   ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase
711818-4 3-Major   Connection might get reset when coming to virtual server with offload iRule
711405-2 3-Major K14770331 ASM GUI Fails to Display Policy List After Upgrade
704643-2 3-Major   Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule
687759 3-Major   bd crash
638014 3-Major   ASM end users blocked due to 'ASM Cookie Hijacking' violation after upgrade.
592504-1 3-Major   False positive illegal length violation can appear
722294-1 4-Minor   Reported session ID keeps changing for the same user session when ASM doesn't track sessions
720581-1 4-Minor   Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files
688833 4-Minor   Inconsistent XFF field in ASM log depending on violation category
602243 4-Minor   Sync only device-group, with ASM sync enabled, triggers config conflicts
700812 5-Cosmetic   asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview
694073 5-Cosmetic   All signature update details are shown in 'View update history from previous BIG-IP versions' popup


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
726852-1 2-Critical   AVR injects CSPM event when there is no analytics profile on the virtual server
737867-2 3-Major   Scheduled reports are being incorrectly displayed in different partitions
737863-2 3-Major   Advanced Filters for Captured Transactions not working on Multi-Blade Platforms
703225-1 3-Major   DoS Visibility does not support display of more than 500 attacks and/or virtual servers


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
722013-2 2-Critical   MCPD restarts on all secondary blades post config-sync involving APM customization group
737355-2 3-Major   HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files
737064-1 3-Major   ACCESS::session iRule commands may not work in serverside events
734316-1 3-Major   Per-Request Policy may require enabling SSL Forward Proxy Bypass
726616-2 3-Major   TMM crashes when a session is terminated
725867-1 3-Major   ADFS proxy does not fetch configuration for non-floating virtual servers
725840-1 3-Major   Customization group object is not deleted when SAML resource object is deleted
720030-5 3-Major   Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)
713655-1 3-Major   RouteDomainSelectionAgent might fail under heavy control plane traffic/activities
710884-2 3-Major   Portal Access might omit some valid cookies when rewriting HTTP request.
710044-4 3-Major   Portal Access: same-origin AJAX request may fail in some cases.
707953-3 3-Major   Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page
706797-2 3-Major   Portal Access: some multibyte characters in JavaScript code may not be handled correctly
706374-5 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to memory corruption
704587-3 3-Major K15450552 Authentication with UTF-8 chars in password fails for ActiveSync users
704524-5 3-Major   [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries
703984-8 3-Major   Machine Cert agent improperly matches hostname with CN and SAN
701800-1 3-Major   SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x
698836-1 3-Major   APM session counts not available after installing an APM session count License
686071 3-Major   Log level change not saved to UCS.
683307 3-Major   F5 APM webtop spawns a pop-up window with text 'webpage cannot be displayed' when running F5 VPN or F5 EPI for the first time
660654 3-Major   'epsec refresh' works incorrectly if install package is deleted
651169 3-Major   The Dashboard does not show an alert when a power supply is unplugged
626403 3-Major   iOS receiver optional two factor auth slider is not displayed
705803 4-Minor   Internet Explorer does not offer F5 VPN or F5 EPI for installation when UAC is disabled


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
706642-1 2-Critical   wamd may leak memory during configuration changes and cluster events
701977-6 3-Major   Non-URL encoded links to CSS files are not stripped from the response during concatenation
569715 3-Major   BOLT client browser is recognized incorrectly
569714 3-Major   Maxthon browser is recognized as Chrome
569713 3-Major   Puffin browser is recognized as Chrome
567617 3-Major   Database Changes not Propagated to All Blades
560889 3-Major   Some User-Agent strings are parsed incorrectly resulting in a wrong browser family
560820 3-Major   ICC may handle incorrectly when used with IEMobile client
558969 3-Major   Optimization to JPEG-XR fails on Edge browsers
558952 3-Major   Edge Mobile browser is recognized as Chrome
674992 4-Minor   AAM traffic report's time period doesn't always apply
539809 4-Minor   Debug header may show misleading information when Symmetric deployment is configured


Service Provider Issues

ID Number Severity Solution Article(s) Description
738070-1 3-Major   Persist value for the RADIUS Framed-IP-Address attribute is not correct
727288-2 3-Major   Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC
709383-1 3-Major   DIAMETER::persist reset non-functional


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
726090 2-Critical   No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense
724532-3 2-Critical   SIGSEGV during IP intelligence category match in TMM
726154-3 3-Major   TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies
724679-1 3-Major   Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack
720242-1 3-Major   GUI for AFM rules shows protocol value IPENCAP for rules under rule-list
643134 3-Major K76726444 Support IPv6 IP protocol 0(hopopt) in firewall rule
635939 3-Major   Replacing scrubber virtual server / route domain causes incorrect scrubbing threshold
707054-2 4-Minor   SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
699531-5 2-Critical   Potential TMM crash due to incorrect number of attributes in a PEM iRule command
676491 2-Critical   BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.
726647-4 3-Major   PEM content insertion in a compressed response may truncate some data
726011-3 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db
711093-4 3-Major   PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled
709610-4 3-Major   Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM
676346-1 3-Major   PEM displays incorrect policy action counters when the gate status is disabled.
663874-1 3-Major K77173309 Off-box HSL logging does not work with PEM in SPAN mode.
648802-4 3-Major   Required custom AVPs are not included in an RAA when reporting an error.
565668 3-Major   PEM session usage via iRules immediate following PEM session creation via iRules may result in the usage not working as expected.
719107-1 4-Minor   Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.
657223 4-Minor   When triggered by a DHCP Lease query, subscriber ID with DHCP Option 37/38 is not supported.
556785 4-Minor   Not all HTTP transactions make it through credits to iRule failures when FastL4 is enabled.
555229 4-Minor   Transactional PEM policies without an HTTP profile on the virtual server do not result in transactional classification.


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
734446-1 2-Critical   TMM crash after changing LSN pool mode from PBA to NAPT
723658-2 2-Critical   TMM core when processing an unexpected remote session DB response.
669645-4 2-Critical K44021449 tmm crashes after LSN pool member change
721579-2 4-Minor   LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
738669-1 3-Major   Login validation may fail for a large request with early server response
737368-2 3-Major   Fingerprint cookie large value may result in tmm core.
719186-1 3-Major   Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts
716318-1 3-Major   Engine/Signatures automatic update check may fail to find/download the latest update
693706-1 3-Major   HTML field obfuscation is not supported with SPA
686438 3-Major   Loop of JS errors in Edge browser
630269 3-Major   Support Substitute value in ajax with application/x-www-form-urlencoded content-Type


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
714334-2 2-Critical   admd stops responding and generates a core while under stress.
718772-1 3-Major   The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
737379-1 3-Major   URLCAT doesn't work when we have uppercase characters in feedlist
726303-2 3-Major   Unlock 10 million custom db entry limit


Device Management Issues

ID Number Severity Solution Article(s) Description
710809-3 3-Major   Restjavad hangs and causes GUI page timeouts

 

Known Issue details for BIG-IP v14.0.x

738669-1 : Login validation may fail for a large request with early server response

Component: Fraud Protection Services

Symptoms:
In the case of a large request/response, FPS may need to buffer ingress and egress chunks for additional processing (ingress for parameter parsing, egress for the login validation banned/mandatory strings check or for script injection). If the server responds fast enough, the buffer may contain mixed parts of the request and response. This may have several effects, from incorrectly performing login validation to generating a tmm core file.

Conditions:
-- Login validation is enabled and configured to check for banned/mandatory string.
-- A username parameter is configured.
-- There are no parameters configured for encrypt/HTML Field Obfuscation (HFO), and no decoy parameters.
-- There is a large request and response.
-- The system responds very quickly.

Impact:
This results in one or more of the following:
-- Login validation failure/skip.
-- Bad response/script injection.
-- tmm core. In this case, traffic is disrupted while tmm restarts.

Workaround:
None.


738523-1 : SMTP monitor fails to handle multi-line '250' responses to 'HELO' messages

Component: Local Traffic Manager

Symptoms:
When monitoring an SMTP server that emits multi-line '250' responses to the initial 'HELO' message, the monitor fails. If monitor logging is enabled on the pool member, the system posts an error similar to the following in the monitor log:

09:50:08.580145:(_Tcl /Common/mysmtp): ERROR: failed to complete the transfer, Failed to identify domain.

Conditions:
-- Monitoring an SMTP server.
-- SMTP server is configured to return a multi-line '250' response to the initial 'HELO' message.

Impact:
The pool member is marked down even though it is actually up.

Workaround:
None.
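As an added illustration (not F5 or BIG-IP code), the following Python shows the difference between a single-line SMTP reply and the RFC 5321 multi-line form ('250-' on every line but the last, '250 ' on the final line), and why a check that only accepts the single-line form marks such a server down. The sample replies are constructed and the function names are the author's own.

```python
"""Parse SMTP replies, including multi-line replies (RFC 5321, section 4.2.1).

Added example for the multi-line '250' monitor issue; not BIG-IP code.
"""
import re

# Constructed sample server output (not captured from a real server).
SINGLE_LINE_HELO = "250 mail.example.test Hello client.example.test\r\n"
MULTI_LINE_HELO = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250 STARTTLS\r\n"
)
GREETING_THEN_HELO = (
    "220 mail.example.test ESMTP ready\r\n"
    "250-mail.example.test\r\n"
    "250 PIPELINING\r\n"
)

# A reply line is a 3-digit code, then a space (final line) or a
# hyphen (continuation line), then the text.
_REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(buf):
    """Parse one complete SMTP reply from the start of buf.

    Returns (code, [text lines], remaining_buffer). Returns None when the reply
    is not complete yet, so a monitor should keep reading instead of failing.
    Raises ValueError on a malformed reply.
    """
    lines = []
    rest = buf
    code = None
    while True:
        nl = rest.find("\r\n")
        if nl < 0:
            return None  # continuation line seen, final line not yet received
        line, rest = rest[:nl], rest[nl + 2:]
        m = _REPLY_RE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changed within one reply")
        lines.append(m.group(3))
        if m.group(2) == " ":  # final line of the reply
            return int(code), lines, rest


def helo_ok(buf):
    """True if the HELO reply is a 250, whether it spans one line or several."""
    parsed = parse_reply(buf)
    if parsed is None:
        return False
    code, _lines, _rest = parsed
    return code == 250


def naive_helo_ok(buf):
    """A check that accepts only the single-line form: it rejects a
    '250-' continuation line even though the server is healthy."""
    return buf.startswith("250 ")
```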


738521-3 : i4x00/i2x00 platforms transmit LACP PDUs with a VLAN Tag.

Component: Local Traffic Manager

Symptoms:
A trunk configured between a BIG-IP i4x00/i2x00 platform and an upstream switch may go down due to the presence of the VLAN tag.

Conditions:
LACP configured between a BIG-IP i4x00/i2x00 platform and an upstream switch.

Impact:
Trunks are brought down by upstream switch.

Workaround:
There is no workaround other than disabling LACP.


738450-2 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
The iRule LB::reselect command may not recognize an IP tuple when it is supplied as a variable, and tmsh shows a warning.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.


738070-1 : Persist value for the RADIUS Framed-IP-Address attribute is not correct

Component: Service Provider

Symptoms:
Using the RADIUS Framed-IP-Address attribute as a persistence value does not work correctly.

Conditions:
Using RADIUS and persisting on the Framed-IP Address attribute (RADIUS AVP 8).

Impact:
RADIUS requests may not get persisted to the servers they should be.

Workaround:
Use an iRule to persist instead, e.g.:

ltm rule radius-persistence {
    when CLIENT_DATA {
        persist uie [RADIUS::avp 8]
    }
}


737901-3 : Management MAC address and host VLAN MAC address is the same on iSeries platforms when in vCMP mode

Component: TMOS

Symptoms:
On iSeries platforms, when a VLAN is attached to a vCMP guest, the management MAC address and the host VLAN MAC address will be the same.

Conditions:
-- Creating a VLAN on the host and attaching it to a vCMP guest.
-- iSeries platforms.

Impact:
The management MAC address is the same as the Host VLAN MAC address, resulting in the same MAC being used for the VLAN traffic originating from the vCMP Host along with the Host's mgmt Interface traffic, potentially resulting in issues relating to the inability to differentiate traffic to mgmt port or traffic ports.

Workaround:
There is no workaround at this time.


737900-1 : mcpd might crash on an unlicensed system

Component: TMOS

Symptoms:
On an unlicensed system with a built-in iRule attached to a virtual server, mcpd might crash.

Conditions:
-- Unlicensed system (including as a result of the service agreement check date validation treating a license as invalid).
-- At least one built-in, system-supplied iRule is attached to a virtual server.
-- mcpd loads from the config files, such as when having just upgraded.

Impact:
On an unlicensed system, mcpd might crash repeatedly.

Workaround:
Perform the following procedure:

1. Reactivate the license on the system from the command-line, following the instructions in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595.

2. License the system.

Note: Running commands (e.g., tmsh show /sys hardware) on VIPRION systems while mcpd is down might fail or otherwise not work as expected.


737867-2 : Scheduled reports are being incorrectly displayed in different partitions

Component: Application Visibility and Reporting

Symptoms:
Scheduled analytics reports are displayed in the list regardless of the selected partition. However, you can open only reports that belong to the selected partition; reports from other partitions cannot be opened, even if they belong to 'Common'.

Conditions:
System configured with multiple partitions.

Impact:
It makes it difficult to modify reports from different partitions.

Workaround:
Switch to the report's partition before editing it.


737863-2 : Advanced Filters for Captured Transactions not working on Multi-Blade Platforms

Component: Application Visibility and Reporting

Symptoms:
On multi-blade systems, when you navigate to System :: Logs : Captured Transactions, click Expand Advanced Filters, select a filter, and click Update, the GUI reports a 'Could not get captured events' message.

Conditions:
-- Multi-blade systems.
-- AVR provisioned.
-- AVR HTTP Analytics Profile configured with 'Internal Traffic Capturing Logging Type' option enabled.

Impact:
The Captured Transactions filter does not work.

Workaround:
None.


737758-3 : MPTCP Passthrough and VIP-on-VIP can lead to TMM core

Component: Local Traffic Manager

Symptoms:
If a FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled, TMM may produce a core upon receiving certain traffic.

Conditions:
A FastL4 virtual server has an iRule that uses the 'virtual' command to direct traffic to a virtual server with a TCP profile attached that has MPTCP passthrough enabled, and certain traffic is received.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not using an iRule with the 'virtual' command to direct traffic to a virtual server with MPTCP passthrough enabled.


737726-1 : If named is restarted and zrd is not restarted, ZoneRunner can lose contact with the DNS server daemon

Component: Global Traffic Manager (DNS)

Symptoms:
ZoneRunner displays the following error message when attempting to list resource records: No route to host.

Conditions:
-- named is restarted outside of the normal start up procedure.
-- zrd is not restarted.

Impact:
ZoneRunner cannot communicate with named, and thus cannot display resource records.

Temporary addresses are created on the loopback interface to facilitate communication between the zrd and named processes. When named is restarted, these temporary addresses are inadvertently removed.

Workaround:
Restart the zrd process using the following command:
bigstart restart zrd


737529-3 : [GTM] load or save configs removes backslash \ from GTM pool member name

Component: Global Traffic Manager (DNS)

Symptoms:
GTM config fails to load, and posts an error similar to the following:

Syntax Error:(/config/bigip_gtm.conf at line: 47) the "create" command does not accept wildcard configuration identifiers

Conditions:
GTM server virtual server name contains a backslash (\) character.

Impact:
GTM config fails to load.

Workaround:
Edit bigip_gtm.conf manually and add the \ character.

Important: The system removes the \ (which results in further validation failures) in response to any of the following actions:
-- Load the GTM config.
-- Make changes to the GTM config that you or the system then saves.
-- cpcfg operation.
-- Upgrade the system.


737500-1 : Apply Policy and Upgrade time degradation when there are previous enforced rules

Component: Application Security Manager

Symptoms:
When previously enforced rules are present in the system, the time to apply changes made to a policy and the time to upgrade the configuration to a new version both increase.

Conditions:
-- Signature Staging is enabled.
-- Updated Signature Enforcement is set to 'Retain previous rule enforcement and place updated rule in staging'.
-- Signatures are enforced on a policy.
-- A new ASM Signature Update is installed, which modifies the matching rule for some enforced signatures.

Impact:
The time to apply changes made to a policy, and the time to upgrade the configuration to a new version, increase because of an inefficient query that checks for the existence of previously enforced rules.

Workaround:
There is no workaround at this time.


737445-1 : Use of TCP Verified Accept can disable server-side flow control

Component: Local Traffic Manager

Symptoms:
Unexpectedly high memory usage, aggressive sweeper messages, TCP memory pressure messages in logs.

Conditions:
Verified Accept is enabled in TCP profiles that are associated with virtual servers.

Impact:
Excessive memory usage.

Workaround:
There is no workaround other than disabling Verified Accept.


737397-2 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP

Component: TMOS

Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.

Conditions:
When the user is in Certificate Manager role.

Impact:
Unable to backup certificates or keys.

Workaround:
A user in the Certificate Manager role is still able to export the key and view its PEM string, so you can manually create an archive file by copying the PEM string into a file.


737379-1 : URLCAT doesn't work when we have uppercase characters in feedlist

Component: Traffic Classification Engine

Symptoms:
A URL does not get classified when there are uppercase characters in the feedlist.

Conditions:
Using uppercase characters in the feedlist.

Impact:
URL is not classified as expected.

Workaround:
There is no workaround at this time.


737368-2 : Fingerprint cookie large value may result in tmm core.

Component: Fraud Protection Services

Symptoms:
The JavaScript component calculates part of the fingerprint cookie value. In some rare cases, large values are generated and may result in tmm core.

Conditions:
A large value (more than 35 characters) inside the fingerprint cookie.

Impact:
Memory overrun, tmm core in some cases.

Workaround:
N/A


737355-2 : HTTP Strict-Transport-Security (HSTS) headers not being added to all APM generated files

Component: Access Policy Manager

Symptoms:
HTTP Strict-Transport-Security (HSTS) headers are missing for some APM-generated files.

Conditions:
This occurs when the following conditions are met:
-- HTTP profile is configured with HSTS enabled.
-- HTTP GET requests for APM renderer files, including CSS, JS, and image files from the webtop.

Impact:
Without these headers, the user agent (browser) may switch to non-secure communication.

Workaround:
None.


737346-2 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the time the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed the lockout threshold, locking the user out.

Workaround:
None.


737064-1 : ACCESS::session iRule commands may not work in serverside events

Component: Access Policy Manager

Symptoms:
-- 'ACCESS::session sid' returns empty.
-- 'ACCESS::session data get <varname>' returns empty.

Conditions:
-- Using IP-based sessions
-- ACCESS::session iRule commands in a serverside iRule event, such as HTTP_PROXY_CONNECT.
-- Using SSL Bypass. Note: This issue is known to occur when using SSL Bypass, but this is not the only configuration that exhibits the problem.

Impact:
iRules may not work as expected.

Workaround:
There is no workaround at this time.


737055-1 : Unable to access BIG-IP Configuration Utility when BIG-IP system is behind a Reverse proxy

Component: TMOS

Symptoms:
When a BIG-IP management interface is accessed through a Reverse Proxy, you cannot log in to the Configuration Utility. Instead, the system presents a blank page, because the Referer header contains the Reverse Proxy IP address/hostname instead of that of the BIG-IP system.

Conditions:
You are accessing the BIG-IP Configuration Utility through a Reverse Proxy.

Impact:
You are unable to log in to the Configuration Utility.

Workaround:
Configure the Reverse Proxy to place the IP address of the BIG-IP system in the Referer header.


734846-2 : Redirection to logon summary page does not occur after session timeout

Component: TMOS

Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.

Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true

-- The BIG-IP Administrator users' session automatically times out.

Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page.

Workaround:
Manually navigate to the logon summary page.


734836-2 : Network Map summary counts pool members more than once if they are shared across pools

Component: TMOS

Symptoms:
On the page at Local Traffic :: Network Map, in the summary view, the total number of pool members shows a larger number if there are pool members referenced by multiple pools.

Conditions:
-- Network Map summary view.
-- Pool members referenced by multiple pools.

Impact:
The number of pools value is higher than the actual number of pools because of how the system tracks a single pool member referenced in multiple pools.

Workaround:
There is no workaround at this time.


734527-3 : BGP 'capability graceful-restart' for peer-group not properly advertised when configured

Component: TMOS

Symptoms:
A BGP neighbor uses a peer-group with 'capability graceful-restart' enabled (which is the default). However, on the system, the peer-group setting defaults to disabled. Because there is no config statement to enable 'capability graceful-restart' after a restart, it is turned off after config load, which also turns it off for any BGP neighbor using that peer-group.

Conditions:
- Neighbor configured to use peer-group.
- Peer-group configured with capability graceful-restart, but with the default: disabled.

Impact:
Because peer-group is set to disable by default, and there is no operation to enable it after restart, 'capability graceful-restart' gets turned off after config load, and neighbors using it from peer-group get turned off as well.

Workaround:
Re-issue the commands to set peer-group 'capability graceful-restart' and 'clear ip bgp *' to reset BGP neighbors.


734446-1 : TMM crash after changing LSN pool mode from PBA to NAPT

Component: Carrier-Grade NAT

Symptoms:
TMM crashes after changing LSN pool mode from PBA to NAPT when long lived connections are killed due to the PBA block lifetime and zombie timeout expiring.

Conditions:
An LSN pool using PBA mode with a block lifetime and zombie timeout set and long lived connections.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Instead of changing the LSN pool mode from PBA to NAPT, create a new LSN pool configured for NAPT and change the source-address-translation pool on the virtual servers that use the PBA pool.

The PBA pool can be deleted after the virtual servers are no longer using it.


734316-1 : Per-Request Policy may require enabling SSL Forward Proxy Bypass

Component: Access Policy Manager

Symptoms:
For some SSL/TLS traffic, the per-request policy does not complete, leading to hanging connections and/or connection resets.

Conditions:
Reproducible with any forward proxy configuration involving per-request policies. This includes Secure Web Gateway (SWG) and SSL Orchestrator (SSLO).

To reproduce, the SSL Forward Proxy Bypass feature must be disabled in the client and server SSL profiles. This is equivalent to 'always intercept'.

Impact:
Policy execution may stall. Clients may experience hanging connections and/or connection resets.

Workaround:
Perform the following procedure:
1. Enable the SSL Forward Proxy Bypass feature in the client and server SSL profiles.
2. Set the default action to 'Intercept'.


734228 : False-positive illegal-length violation can appear

Component: Application Security Manager

Symptoms:
A false-positive illegal-length violation.

Conditions:
A chunked request where the request length is more than half of the configured max-request length.

Impact:
False-positive illegal-length violation.

Workaround:
Configure a higher maximum request length.


727467-2 : Some iSeries appliances can experience traffic disruption when the HA peer is upgraded from 12.1.3 and earlier to 13.1.x and later.

Component: TMOS

Symptoms:
- CPU core 0 can be seen utilizing 100% CPU.
- Other even cores may show a 40% increase in CPU usage.
- Pool monitors are seen flapping in /var/log/ltm.

Conditions:
-- Active unit on a pre-12.1.3.1 release.
-- Standby peer upgraded to a post 13.1.0 release.
-- Device is an iSeries device (i5600 or later).

Note: This issue may also affect iSeries HA peers on the same software version if the devices do not share the same model number.

Impact:
- High CPU usage.
- Traffic disruption.

Workaround:
Minimize impact on affected active devices by keeping the upgraded 13.1.x unit offline as long as possible before going directly to Active. For example, on the unit to be upgraded (pre-upgrade):
-- Run the following command: tmsh run sys failover offline persist
-- Run the following command: tmsh save sys config
-- Upgrade to 13.1.0.7
-- The unit comes back up on 13.1.0.7 as 'Forced Offline' and does not communicate with the active 12.1.3 unit at all.
-- Set up HA group and make sure the 12.1.3 Active unit's HA score is lower than 13.1.0.7.
-- Run the following command on the unit running 13.1.0.7: tmsh run sys failover online. This unit goes directly to Active and takes over traffic.

At this point, the 12.1.3 unit starts to show symptoms of this issue, however, because it is no longer processing traffic, there is no cause for concern.


727297-2 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.


727288-2 : Diameter MRF CER/DWR e2e=0, h2h=0 does not comply with RFC

Component: Service Provider

Symptoms:
Diameter message routing framework sends Capabilities-Exchange-Request (CER)/Device-Watchdog-Request (DWR) with hop-by-hop (h2h) ID and end-to-end (e2e) ID set to 0 as the server.

Conditions:
Diameter Message Routing Framework (MRF) in use.

Impact:
The BIG-IP system sends CER and DWR to remote peers.
However, the BIG-IP system sends e2e=0 and h2h=0 as the server ID in the CER and DWR requests. This does not comply with RFC 6733 (https://tools.ietf.org/html/rfc6733).

Workaround:
Use a DIAMETER_EGRESS iRule event to change the hop-by-hop ID and end-to-end ID.


726852-1 : AVR injects CSPM event when there is no analytics profile on the virtual server

Component: Application Visibility and Reporting

Symptoms:
When there is a request for page load time in the analytics profile, and changes to the configuration remove the analytics profile, AVR will continue to inject the Client Side Performance Monitoring (CSPM) cookie.

Conditions:
-- Request for page-load-time statistic.
-- The analytics profile has been removed from the virtual server.

Impact:
Page-load-time cookie is injected when it should not be.

Workaround:
Uncheck the page-load-time checkbox before removing the profile from the virtual server.


726734-3 : DAGv2 port lookup stringent may fail

Component: Local Traffic Manager

Symptoms:
Under certain circumstances tmm might not be able to find a local port, and the connection may fail. This happens, for example, for active FTP with mirroring enabled.

Conditions:
Active FTP with mirroring enabled.

Impact:
Connection cannot get established.

Workaround:
There is no workaround other than to disable mirroring.


726647-4 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression via the Accept-Encoding attribute in the HTTP request.


726616-2 : TMM crashes when a session is terminated

Component: Access Policy Manager

Symptoms:
TMM crashes when it is releasing the memory used by a session that is terminated. Either one of the following error messages might appear in the TMM log:

-- notice panic: ../kern/umem.c:4166: Assertion "valid type" failed.

-- notice panic: ../kern/page_alloc.c:705: Assertion "vmem_hashlist_remove not found" failed.

Conditions:
The memory used by a session is corrupted during the lifetime of the session. This issue happens infrequently.

Impact:
TMM restarts, causing service interruption if the BIG-IP system is not part of a high-availability setup.

Workaround:
There is no workaround at this time.


726487-3 : VIPRION secondary MCPD, Node Name encodes IP address which differs from supplied

Component: TMOS

Symptoms:
MCPD on secondary blade of VIPRION exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Conditions:
-- VIPRION platform.
-- Non-primary blade.
-- Modified default route domain for a partition.
-- Deleting and creating pool members during configuration save from a different client.

Impact:
Failovers and traffic degradation while blade restarts.

Workaround:
There is no workaround other than not to delete/create pool members from a different client while saving configuration changes in another client.


726319-1 : 'The requested Pool Member ... already exists' logged when FQDN resolves to different IP addresses

Component: Local Traffic Manager

Symptoms:
When FQDN nodes and pool members are used in LTM pools, a message similar to the following may be logged if the DNS server returns a different set of IP address records to resolve the FQDN name:

err mcpd[20479]: 01020066:3: The requested Pool Member (****) already exists in partition ****.

Conditions:
This message may be logged when the DNS server returns a different set of IP address records to resolve the FQDN name, and new ephemeral pool members are created corresponding to the new IP addresses.

This may occur intermittently depending on timing conditions.

Impact:
These log messages are cosmetic and do not indicate any impact to traffic or BIG-IP operations.

Workaround:
None.


726303-2 : Unlock 10 million custom db entry limit

Component: Traffic Classification Engine

Symptoms:
Cannot add more than 10 million custom db entries.

Conditions:
This happens when you try to add more than 10 million custom db entries.

Impact:
Not able to add more than 10 million entries.

Workaround:
There is no workaround at this time.


726255-1 : dns_path lingering in memory with last_access 0 causing high memory usage

Component: Global Traffic Manager (DNS)

Symptoms:
dns_path not released after exceeding the inactive path ttl.

Conditions:
1. Multiple TMMs in a sync group.
2. Multiple dns paths per GTM needed for load balancing.

Impact:
High memory usage.

Workaround:
There is no workaround at this time.


726239-5 : TMM panic via SIGABRT from sod

Component: Local Traffic Manager

Symptoms:
TCP receives SIGABRT during TCP persist mode.

Conditions:
When TCP is in persist mode.

Impact:
Lack of stability on the device. Traffic disrupted while tmm restarts.

Workaround:
None.


726232-3 : iRule drop/discard may crash tmm

Component: Local Traffic Manager

Symptoms:
TMM crash after an iRule attempts to drop packet.

Conditions:
Virtual server with UDP profile, and following iRule:
when LB_SELECTED {
    drop
    # discard - drop is the same as discard
}

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


726154-3 : TMM restart when there are virtual server and route-domains with the same names and attached firewall or NAT policies

Component: Advanced Firewall Manager

Symptoms:
TMM might restart when changing firewall or NAT configurations on a virtual server that has the same name as a route-domain.

Conditions:
- There is a virtual server and a route-domain that have the same name in the configuration.
- A firewall or NAT policy is being attached or removed from one or both of the virtual server or route-domain.

Impact:
TMM might halt and traffic processing temporarily ceases. TMM restarts and traffic processing resumes.

Workaround:
There is no workaround other than not to use the same name for virtual server and route-domain objects.


726090 : No Bot Defense Logs when ASM Policy is used without Proactive Bot Defense

Component: Advanced Firewall Manager

Symptoms:
Device ID challenges are not logged in the Bot Defense Request Log (local and remote) when associating the Bot Defense logging profile to the virtual server.

Conditions:
-- Device ID is enabled on the ASM Policy.
-- DoS profile with Proactive Bot Defense is not associated with the virtual server.

Impact:
There are no logs to show the browser challenges and the requests from clients that do not support JavaScript.

Workaround:
There is no workaround at this time.


726011-3 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


725867-1 : ADFS proxy does not fetch configuration for non-floating virtual servers

Component: Access Policy Manager

Symptoms:
If the virtual address of a virtual server has a non-floating traffic group (e.g., traffic-group-local-only), ADFS proxy does not perform periodic configuration updates, including listing allowed URIs from ADFS, and thus blocks all the requests (by responding with 404).

Conditions:
-- Virtual address of virtual server has non-floating traffic group.

-- ADFS proxy feature is enabled on the virtual server.

Impact:
All the requests to ADFS are blocked.

Workaround:
Set floating traffic group for virtual address (e.g., traffic-group-1).


725840-1 : Customization group object is not deleted when SAML resource object is deleted

Component: Access Policy Manager

Symptoms:
Customization group object for the corresponding SAMLResource object is in the configuration store, even after SAMLResource is deleted in GUI/TMSH.

Conditions:
-- Customization Object is in the configuration store.
-- Delete the SAMLResource.

Impact:
There is no functional impact, but additional configuration objects exist in the configuration store.

Workaround:
Delete the customization group object manually in TMSH.

The BIG-IP system administrator can delete those customization groups if the corresponding SAML resources are deleted or do not exist in the configuration.

The command 'list apm policy customization-group' lists all the customization groups. The SAML-specific customization groups are named after the SAML resource and end with '_resource_saml_customization' (that is, the SAML resource name followed by the literal '_resource_saml_customization').


725791-5 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
A number of High-Speed Bridge (HSB) stats registers monitor errors in the HSB SRAM that is critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR Count 1, RQM_CRC_ERROR Count 2, etc. Errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flows might fail.

A burst of CRC errors in the SRAM used for the ePVA transformation cache does not trigger a failover and causes a silent traffic outage on FastL4 virtual servers with hardware traffic acceleration. This is because the health check watchdog packets still function correctly, and the current TMOS software primarily monitors watchdog packet tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.


725612-2 : syslog-ng remote destination needs unique name that changes on address change.

Component: TMOS

Symptoms:
Changing syslog server IP address requires syslog-ng restart to take effect. Syslog operations do not use the new remote destination address on syslog service reconfiguration.

Conditions:
1. Add Remote Syslog server (Server A) using System :: Logs :: Configuration :: Remote Syslog.
2. Click Update (Syslog messages go out toward Server A).
3. Remove Server A from configuration.
4. Add new Server B (different IP address).
5. Click Update.

Impact:
Syslog messages still go out toward Server A.

Workaround:
Restart the syslog service using the following command:
bigstart restart syslog-ng

Messages now properly go out toward Server B (the new IP address).


724868-3 : dynconfd memory usage increases over time

Component: Local Traffic Manager

Symptoms:
dynconfd memory usage slowly increases over time as it processes various state-related messages.

Conditions:
No special conditions, as dynconfd is a core LTM process. Large numbers of pool members combined with flapping might increase the rate of growth.

Impact:
dynconfd grows over time and eventually the system is pushed into swap. Once swap is exhausted, the Linux OOM killer might terminate critical system processes, disrupting operation.

Workaround:
Periodic restarts of dynconfd avoid the growth affecting the system.


724679-1 : Non-attacking IP addresses could be logged along with attacking IP addresses when DoS detects an attack

Component: Advanced Firewall Manager

Symptoms:
During an attack, MySQL might log IP addresses that are not part of an attack along with the IP addresses that are part of the attack.

Conditions:
This occurs when the system detects a BadEndpoint attack.

Impact:
The system might log messages for IP addresses that are not part of the attack. These entries can be ignored.

Workaround:
None.


724532-3 : SIG SEGV during IP intelligence category match in TMM

Component: Advanced Firewall Manager

Symptoms:
TMM restart while matching traffic from source IP to IP Intelligence category.

Conditions:
Multiple configuration changes that include deleting the custom IP intelligence categories.

Impact:
TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.


724414-1 : ASM UMU memory leak when WebSocket url has json profile with parse parameters enabled

Component: Application Security Manager

Symptoms:
When ASM inspects WebSocket frames, the bd daemon memory is leaking; eventually ASM stops inspecting traffic and sends resets or bypass requests.

Conditions:
-- ASM module is provisioned.
-- ASM policy and WebSocket profile are attached to a virtual server.
-- WebSocket URL has JSON profile attached to it.
-- JSON profile has parse parameters flag enabled (this is the default).

Impact:
ASM may reset connections; failover might occur.

Workaround:
There are two workarounds:
-- Remove JSON profile from WebSocket URL in the ASM policy.

-- Disable parse parameters flag in the json profile.


724213-2 : Modified ssl_profile monitor param not synced correctly

Component: Local Traffic Manager

Symptoms:
After modifying the ssl_profile attribute on an HTTPS monitor on a device within a high availability (HA) configuration, and after performing a full ConfigSync, the corresponding monitor on the peer-sync unit does not have the updated value.

Conditions:
-- An HTTPS monitor is used on BIG-IP systems in an HA configuration.
-- in-tmm monitor is enabled (for more information on in-tmm monitoring, see K11323537: Configuring In-TMM monitoring at https://support.f5.com/csp/article/K11323537).
-- The ssl_profile field is modified on an HTTPS monitor.
-- A sync-to-peer (full ConfigSync, not incremental sync) is attempted to propagate the modified ssl_profile value to the peer units.

Impact:
The ssl_profile value for the HTTPS monitor on the peer unit is set to none, resulting in the two devices reporting themselves as in-sync, but having potentially different HTTPS monitor configurations.

Workaround:
Do not run HTTPS monitors using in-tmm monitors, and instead use the traditional HTTPS monitor configuration for SSL-attributes (cipherlist, key, cert, and compatibility attributes on HTTPS monitor).

Note: Using these attributes will generate deprecation warnings, but the configuration should still take effect.


723988-1 : IKEv1 phase2 key length can be changed during SA negotiation

Component: TMOS

Symptoms:
Using IKEv1, if the phase2 key length does not agree on both sides, a responder accepts whatever key length the initiator proposes, but only after the initiator is authenticated. This results in a key length downgrade or upgrade at a trusted peer's request, because the IKEv1 daemon was configured to obey the other peer's key length request.

Conditions:
The values of ike-phase2-encrypt-algorithm on both sides agree on the encryption algorithm but differ in key length; for example, the initiator picks AES128 when the responder expects AES256.

Impact:
The responder accepts AES128 anyway. Although phase1 key length must be an exact match, when phase2 key length does not match, this allows an initiating peer to change the key length a responder uses, thus changing the strength configured by that responder.

Workaround:
No workaround is known at this time.
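The responder-side check that this issue describes as missing is a strict comparison of both the algorithm and the key length against the configured phase2 policy. The following is an added example (not the BIG-IP IKEv1 daemon's code and not from this article) that models that selection over an initiator's proposal list, with a flag that reproduces the described behaviour for comparison; the transform representation is a simplification assumed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Transform:
    encr: str      # encryption algorithm name, e.g. "aes"
    key_len: int   # key length in bits, e.g. 128 or 256


def select_phase2_transform(
    configured: Phase2Transform,
    proposals: List[Phase2Transform],
    obey_peer_key_length: bool = False,
) -> Tuple[Optional[Phase2Transform], List[Tuple[Phase2Transform, str]]]:
    """Responder-side choice among the initiator's proposed transforms.

    Strict mode (the default) accepts a transform only when both the algorithm
    and the key length equal the responder's configuration, so a peer cannot
    move the responder off its configured strength in either direction.
    obey_peer_key_length=True models the behaviour this issue describes: the
    first transform with the right algorithm is taken whatever its key length.
    Returns (accepted transform or None, list of (transform, rejection reason)).
    """
    rejected = []
    for t in proposals:
        if t.encr != configured.encr:
            rejected.append((t, "algorithm mismatch"))
            continue
        if t.key_len == configured.key_len or obey_peer_key_length:
            return t, rejected
        rejected.append((t, f"key length {t.key_len} != configured {configured.key_len}"))
    return None, rejected
```

In strict mode an initiator offering only AES128 against a responder configured for AES256 gets no accepted transform and the rejection reason is available for logging; an initiator that lists AES128 before AES256 is still matched on AES256, because the responder scans the whole proposal list for an exact match rather than stopping at the first algorithm hit.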


723792-1 : GTM regex handling of some escape characters renders it invalid

Component: Global Traffic Manager (DNS)

Symptoms:
The memory footprint of big3d increases.

Conditions:
GTM monitor recv string such as the following: ^http\/\d\.\d[23]\d\d

Impact:
Escaped characters are mishandled. This causes the regex compilation to fail and leak memory. The monitor marks the server it is monitoring UP as long as the server returns any response.

Workaround:
If you notice big3d memory footprint increase and you have a monitor recv string that has escaped characters such as '^http\/\d\.\d[23]\d\d', try changing the recv string to something similar to the following: ^HTTP/[0-9][.][0-9] [23][0-9]{2}
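The two recv strings differ in regex dialect: `\d` and `\/` are Perl-style escapes that POSIX ERE does not define, while the replacement uses only bracket expressions and an interval. The following is an added example (not big3d code and not part of this article) that flags such escapes in a recv string, rewrites them mechanically, and checks a recv string against constructed status lines. It assumes big3d wants POSIX-style ERE, as the replacement string suggests; the mechanical rewrite keeps the original's lowercase `http` and missing space, which the page's recommended string also corrects.

```python
import re

# Perl-style escapes that POSIX ERE does not define, with ERE equivalents.
NON_POSIX_ESCAPES = {
    "\\d": "[0-9]",
    "\\D": "[^0-9]",
    "\\w": "[A-Za-z0-9_]",
    "\\W": "[^A-Za-z0-9_]",
    "\\s": "[ \t]",
}
# '/' is not special in ERE, so escaping it is unnecessary (and undefined in POSIX).
UNNEEDED_ESCAPES = {"\\/": "/"}


def find_problem_escapes(pattern: str) -> list:
    """List every escape sequence in a recv string that is not portable ERE.
    Bracket expressions are not tracked (a simplification for this example)."""
    found, i = [], 0
    while i < len(pattern) - 1:
        if pattern[i] == "\\":
            seq = pattern[i:i + 2]
            if seq in NON_POSIX_ESCAPES or seq in UNNEEDED_ESCAPES:
                found.append(seq)
            i += 2
        else:
            i += 1
    return found


def to_posix_ere(pattern: str) -> str:
    """Mechanically replace the non-portable escapes; other escapes are kept."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            seq = pattern[i:i + 2]
            out.append(NON_POSIX_ESCAPES.get(seq, UNNEEDED_ESCAPES.get(seq, seq)))
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def recv_matches(pattern: str, response: str) -> bool:
    """Check a recv string against a response the way a monitor would: anchored
    at the start of the response text (Python's re is used as the test engine)."""
    return re.match(pattern, response) is not None
```

`find_problem_escapes` on the original string returns the five offending escapes, and `to_posix_ere` turns it into `^http/[0-9]\.[0-9][23][0-9][0-9]`; the page's replacement string passes the check unchanged and matches 2xx/3xx status lines only.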


723722-1 : MCPD crashes if several thousand files are created between config syncs.

Component: TMOS

Symptoms:
If more than several thousand files (typically 20,000, but the number varies by platform), for example SSL certificates or keys, are created between config syncs, the next config sync operation takes too long and mcpd is killed by sod.

Conditions:
Creation of several thousand SSL certificates or keys followed by a config sync operation.

Impact:
Traffic is disrupted while the MCPD process restarts.

Workaround:
Run a config sync operation after every ~5000 files created.


723658-2 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- An LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


723306-2 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading a correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
An internal virtual server is created while the 0.0.0.0 virtual address exists in another partition.

Impact:
The configuration cannot be loaded once the internal virtual server has been created.

Workaround:
Create the internal virtual server first; then create the 0.0.0.0 address in the other partition.


723288-1 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


723095-3 : Add record type breaks commands 'modify gtm pool type all'; errors on nonexistent pool

Component: Global Traffic Manager (DNS)

Symptoms:
tmsh command returns an error similar to the following message:
01070227:3: Pool Member references a nonexistent Pool (/Common/poolname of type NAPTR)

Conditions:
Changing the record type on GTM pool members by running the following command: tmsh modify gtm pool type all members add.

Impact:
Unable to add pool members quickly to all pools of the same type.

Workaround:
There is no workaround at this time.


722862 : ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'

Component: Application Security Manager

Symptoms:
When an APM end-user gets the ASM CAPTCHA page, types the correct CAPTCHA letters, and presses the 'Enter' key rather than clicking the Submit button, the CAPTCHA letters are sent to the BIG-IP system along with other request parameters. These additional parameters are forwarded to the backend server as non-url-encoded, although they should be url-encoded.

Conditions:
This occurs when the following conditions are met:
-- ASM provisioned.
-- DoS application or ASM policy attached to a virtual server.
-- DoS application or ASM policy has CAPTCHA enabled.
-- User submits the CAPTCHA form using the 'Enter' key.

Impact:
Application receives unexpected content, which might cause the backend server's application business logic to not work as expected.

Workaround:
Disable CAPTCHA within the DoS application or ASM policy.


722741-2 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722682-3 : Fix of ID 615222 results in upgrade issue for GTM pool member with colon -- config failed to load

Component: TMOS

Symptoms:
Loading configuration process failed after upgrade.

Conditions:
1. GTM pool member has colon in the name.
2. Upgrade to a version that has the fix for ID 615222.

Impact:
Configuration load fails.

Workaround:
Add "\\" before the first ":" after upgrade.


722534-2 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


722380-1 : The BIG-IP system reboots while TMM is still writing a core file, thus producing a truncated core.

Component: TMOS

Symptoms:
If an HSB lockup occurs on i10600 and i10800 platforms, then TMM panics and generates a core file for post-analysis. HSB also triggers a nic_failsafe reboot. On these platforms, the reboot occurs before the core file is fully written, resulting in a truncated core.

Conditions:
An HSB lockup occurs on an i10600 or i10800 platform, triggering a core dump and a nic_failsafe reboot.

Impact:
The reboot happens after the core dump begins but before it completes, resulting in a truncated core dump, which is not useful for analyzing why the HSB lockup occurred. Traffic disrupted while tmm restarts.

Workaround:
None.


722363-3 : Client fails to connect to server when using PVA offload at Established

Component: Local Traffic Manager

Symptoms:
A client can fail to connect to the server on subsequent attempts if using FastL4 with hardware (HW) acceleration.

When this issue occurs, the profile_bigproto_stat/rxsynatestablished stat is non-zero.

Conditions:
A FastL4 virtual server is configured with offload_state = EST.

Impact:
Clients fail to connect to the server.

Workaround:
There is no workaround other than to disable PVA acceleration.


722294-1 : Reported session ID keeps changing for the same user session when ASM doesn't track sessions

Component: Application Security Manager

Symptoms:
A reported session ID is not maintained for the same user session.

Conditions:
-- Simple, feature-less policy (i.e., policy contains only attack signatures).

-- There are no cookies coming in from the server.

Impact:
The TS cookie is not created since there is no cookie-enforcing feature that is turned on (such as session tracking). Although this is correct behavior, it might result in confusion when there is a different, random session ID on each request.

Workaround:
Turn on a cookie-related feature (such as session tracking).


722013-2 : MCPD restarts on all secondary blades post config-sync involving APM customization group

Component: Access Policy Manager

Symptoms:
After performing a series of specific config-sync operations between multi-blade systems, the MCPD daemon restarts on all secondary blades of one of the systems.

Each affected blade will log an error message similar to the following example:

-- err mcpd[5038]: 01070711:3: Caught runtime exception, Failed to collect files (snapshot path () req (7853) pmgr (7853) not valid msg (create_if { customization_group { customization_group_name "/Common/Test-A_secure_access_client_customization" customization_group_app_id "" customization_group_config_source 0 customization_group_cache_path "/config/filestore/files_d/Common_d/customization_group_d/:Common:Test-A_secure_access_client_customization_66596_1" customization_group_system_path "" customization_group_is_system 0 customization_group_access 3 customization_group_is_dynamic 0 customization_group_checksum "SHA1:62:fd61541c1097d460e42c50904684def2794ba70d" customization_group_create_time 1524643393 customization_group_last_update_time 1524643393 customization_group_created_by "admin" customization_group_last_updated_by "admin" customization_group_size 62 customization_group_mode 33188 customization_group_update_revision 1

Conditions:
This issue occurs when all of the following conditions are met:

- You have configured a device-group consisting of multi-blade systems (such as VIPRION devices or vCMP guests).

- Systems are provisioned for APM.

- The device-group is configured for incremental manual synchronizations.

- On one system (for example, source_system), you create an APM configuration object (for example, a connectivity profile) that causes the automatic creation of an associated customization group.

- You synchronize the configuration from the source_system to the device-group.

- On the source_system, you create a new configuration object of any kind (for example, an LTM node).

- Instead of synchronizing the newest configuration to the device-group, you synchronize the configuration from another device in the device-group to the source_system (which effectively undoes your recent change).

- The MCPD daemon restarts on all secondary blades of the source_system.

Impact:
While the MCPD daemon restarts, the blade is offline, and many other BIG-IP daemons need to restart along with MCPD.

-- If the source_system is Active, the load capacity of the system temporarily decreases proportionally to the number of blades restarting. Additionally, if the systems use the min-up-members or HA-Group features, losing a certain number of secondary blades may trigger a failover.

-- If the source_system is Standby, some of the previously mirrored information may become lost as TMM on secondary blades restarts along with MCPD. Should this system later become the Active system, traffic may be impacted by the lack of previously mirrored information.

Workaround:
None.


721752-3 : Null char returned in REST for Suggestion with more than MAX_INT occurrences

Component: Application Security Manager

Symptoms:
Unable to view ASM event log details for a majority of violations.

Conditions:
Suggestion with more than MAX_INT (2,147,483,647) occurrences.

Impact:
Null char returned in REST for Suggestion with more than MAX_INT occurrences.

Workaround:
Use the following sql command:

UPDATE PLC.PL_SUGGESTIONS set occurrence_count = 2147483647 where occurrence_count < 0;
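The negative `occurrence_count` values that the UPDATE repairs are what a signed 32-bit counter holds once it is incremented past MAX_INT. The following is an added example (not ASM code and not from this article) that reproduces the wraparound, shows a saturating increment that stops at MAX_INT instead, and runs the workaround's UPDATE against a constructed in-memory SQLite table. The table is a stand-in: only the `occurrence_count` column is modelled, and the `PLC.` schema qualifier is dropped because SQLite does not use it.

```python
import sqlite3

INT32_MAX = 2_147_483_647
INT32_MIN = -2_147_483_648


def wrap_int32(value: int) -> int:
    """What a signed 32-bit column ends up holding when an increment overflows it."""
    return ((value + 2**31) % 2**32) - 2**31


def saturating_increment(count: int, delta: int = 1) -> int:
    """Increment that stops at INT32_MAX instead of wrapping to a negative value."""
    return min(INT32_MAX, count + delta)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for PLC.PL_SUGGESTIONS with two overflowed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PL_SUGGESTIONS (id INTEGER PRIMARY KEY, occurrence_count INTEGER)"
    )
    conn.executemany(
        "INSERT INTO PL_SUGGESTIONS VALUES (?, ?)",
        [
            (1, 42),
            (2, INT32_MAX),
            (3, wrap_int32(INT32_MAX + 1)),     # -2147483648: one increment too many
            (4, wrap_int32(INT32_MAX + 1000)),  # also negative after wrapping
        ],
    )
    conn.commit()
    return conn


def negative_counts(conn: sqlite3.Connection) -> list:
    """Row ids whose counter has wrapped; these are the rows the REST layer mishandles."""
    rows = conn.execute(
        "SELECT id FROM PL_SUGGESTIONS WHERE occurrence_count < 0 ORDER BY id"
    )
    return [r[0] for r in rows]


def apply_page_workaround(conn: sqlite3.Connection) -> int:
    """The UPDATE from the workaround (without the PLC. qualifier). Returns rows changed."""
    cur = conn.execute(
        "UPDATE PL_SUGGESTIONS SET occurrence_count = 2147483647 WHERE occurrence_count < 0"
    )
    conn.commit()
    return cur.rowcount
```

`negative_counts` before and after `apply_page_workaround` shows exactly which rows the UPDATE touches; `saturating_increment` is the counter behaviour that would have avoided the need for it.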


721621-3 : Ephemeral pool member is not created/deleted when DNS record changes and IP matches static node

Component: Local Traffic Manager

Symptoms:
If an LTM pool is configured with only FQDN members, the DNS server resolves the FQDN to IP addresses that match statically-configured LTM nodes, and the IP address records returned by the DNS server change, an ephemeral pool member may not be added to the pool for the new IP address.

When in this state, if the FQDN template pool member is deleted from the pool, a new ephemeral pool member may be added corresponding to the last IP address record returned by the DNS server.

Conditions:
This may occur when:
1. Static nodes are configured which match addresses that may be returned in the DNS query for a given FQDN name.
2. An FQDN node is created with autopopulate disabled, for an address which may resolve to the same address as one of the static nodes.
3. This FQDN node is added (as a pool member) with autopopulate disabled, to a pool with no other non-FQDN members.
4. The DNS server resolves the FQDN name to an address that matches one of the static nodes.
5. A subsequent DNS query resolves the FQDN name to a different address that matches a different static node.

Impact:
In this case:
-- The original ephemeral member is removed from the pool.
-- A new ephemeral member for the new address may NOT be added to the pool.
-- In this state, if the FQDN template member is deleted from the pool, a new ephemeral member (i.e., the missing ephemeral with new IP address) is re-added to the pool.

Note: This symptom can occur only if the statically-configured node is created prior to an ephemeral pool member being created for the same IP address. If an ephemeral pool member and node are created first, it is not possible to create a statically-configured node or pool member using the same IP address.

Overall, traffic for the affected pool may not be sent to correct pool member (new ephemeral address).

If no other members are defined in the pool, traffic will be interrupted.

Workaround:
This issue can be prevented by:
-- Avoiding configuring a static (non-FQDN) node with an IP address that matches any address that might be returned by the DNS server when resolving the FQDN.
-- Adding a statically-configured pool member to the pool in addition to the FQDN template member.

Once the symptom occurs, recovery is possible by performing either of the following actions:
-- Delete the statically-configured node with the conflicting IP address.
-- Recreate the node using the following procedure:
1. Delete the FQDN template member from the pool.
2. Delete the orphaned ephemeral member from the pool.
3. Re-add the FQDN template member to the pool.


721579-2 : LSN Persistence TTL and Inbound Connection Age were reset in the middle of decreasing/increasing

Component: Carrier-Grade NAT

Symptoms:
When checking persistence TTL by using 'lsndb list all', TTL for 'LSN Persistence Entries' and Age for 'LSN Inbound Mapping Entries' are reset once at around the halfway point of the persistence timeout, even though there is no traffic.

Conditions:
-- LSN with persistence timeout configured.
-- Using the following command: lsndb list all.

Impact:
lsndb shows misleading stats.

Workaround:
There is no workaround at this time.


721571-2 : State Mirroring between BIG-IP 12.1.3.* and 13.* systems may cause TMM core on standby system during upgrade

Component: Local Traffic Manager

Symptoms:
BIG-IP devices running 12.1.3.x (12.1.3 or a 12.1.3 point release) and 13.x software versions in a High-Availability (HA) configuration with state mirroring enabled may cause a standby system to produce a TMM core file.

Conditions:
-- State mirroring configured on two or more BIG-IP systems (state mirroring is enabled by default).
-- For VIPRION clusters or VIPRION-based vCMP guests, the systems are configured to mirror 'Between Clusters'.
-- The active system is running v12.1.3.x, and the standby system is running v13.x, e.g., as a result of an in-progress upgrade.

Impact:
TMM may crash on a standby system during upgrade.

This issue should not disrupt traffic, because the TMM is coring only on the standby unit.

Workaround:
To work around this issue, disable State Mirroring prior to upgrading and re-enable it once both devices are running v13.x, or complete the upgrade of both devices to v13.x.

1. You can disable mirroring using either the GUI or the command line.

1a. In the GUI:
-- Set the Primary and Secondary Local Mirror Address configurations to 'None' under Device Management :: Devices :: [Self] device :: Mirroring Configuration.

1b. From the command-line:
-- Run the following command:
tmsh modify cm device <name-of-self-device> mirror-ip any6 mirror-secondary-ip any6 && tmsh save sys config


Important: This action results in connection state loss on failover.


2. Once all devices are running the same software version, re-enable state mirroring by re-adding the device mirror IPs removed previously.

Note: F5 recommends that BIG-IP systems run with the same software version on all devices.


721399-1 : Signature Set cannot be modified to Accuracy = 'All' after another value

Component: Application Security Manager

Symptoms:
ASM Signature Set cannot be modified to Accuracy = 'All' after another value was used previously.

Conditions:
-- ASM Signature Set has a value set for Accuracy filter.
-- Accuracy is subsequently set to 'All'.

Impact:
The change to Accuracy = 'All' does not take effect. ASM Signature Set cannot be modified to Accuracy = 'All'.

Workaround:
You can use either of the following workarounds:

-- Delete and re-create the Signature Set with the desired value.
-- Modify the filter to a value that will match all results (such as Accuracy is greater than or equal to 'Low').


721364-1 : Per-App VE BYOL license does not support three wildcard virtual servers

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) admin cannot create three wildcard virtual servers for Per-App BYOL license. Only one wildcard virtual server is allowed.

Conditions:
Per-App VE with BYOL license.

Impact:
Per-App VE with BYOL license does not work as expected.

Workaround:
There is no workaround at this time.


721350-3 : The size of the icrd_child process is steadily growing

Component: TMOS

Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.

Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.

GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.

ltm pool p-http { }
ltm virtual novel-1000 {
...
    pool p-http
    profiles {
        analytics { }
        http { }
        tcp { }
    }
....
}


# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss

On subsequent GET requests the rss size continues to increase.

Impact:
Increase in the rss of the icrd_child process. This increase could lead to an icrd_child core, or to other processes being swapped out because of the limited memory left for them.

Workaround:
There is no workaround.


721342-2 : No support for Per-App VE LTM and Per-App VE WAF images for various cloud environments.

Component: TMOS

Symptoms:
No Per-App Virtual Edition (VE) LTM or Per-App VE WAF images for various cloud environments.

Conditions:
Various Cloud environments (i.e., Azure, Google, AWS).

Impact:
No options to use various Per-App VE features.

Workaround:
None.


721261-2 : v12.x Policy rule names containing slashes are not migrated properly

Component: Local Traffic Manager

Symptoms:
When migrating from v12.x to v13.0.x, 13.1.x, or 14.0.x, LTM policies that have rules containing the slash character will not migrate properly, and roll-forward migration will fail.

Conditions:
-- BIG-IP systems running v12.x.
-- Configuration contains LTM Policy rules whose names include the slash (/) character.
-- Upgrading to v13.0.x, 13.1.x, or 14.0.x.

Impact:
Roll-forward migration fails with the error: illegal characters in rule name.

Workaround:
Edit the rule names within LTM Policies, replacing the now-illegal slash (/) character with a legal alternative, such as the underscore (_).

Alternately, prior to migration, rename the rules on the v12.x system, and then perform the upgrade.


721020-2 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changes to the master key on a device that is in a device cluster are reverted when a full sync of any device-group is performed. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720961-4 : Upgrading in Intelligence Community AWS environment may fail

Component: TMOS

Symptoms:
After importing an AWS instance into the Intelligence Community (IC) AWS environment, you cannot upgrade to 13.1.0.2 (or later) because the license fails to validate afterwards.

Conditions:
-- Manually imported BIG-IP image into AWS IC.
-- Upgraded to 13.1.0.2 or newer.

Impact:
The system fails to validate the license after rebooting into the new software. Licenses are inoperative after the upgrade.

Workaround:
To work around this issue, perform the following procedure:
1. Redeploy a BYOL image from the IC marketplace.
2. Move over the license.
3. Configure the system.


720819-3 : Certain platforms may take longer than expected to detect and recover from HSB lock-ups

Component: TMOS

Symptoms:
In the unlikely event of an HSB lock-up, certain BIG-IP platforms may take longer than expected to detect and recover from the condition.

For instance, it may take several minutes for an affected unit to detect the condition and initiate the predefined failsafe action.

Instead, the recovery mechanism should trigger almost instantaneously.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is an i56xx/i58xx, i76xx/i78xx, or i106xx/i108xx platform.

-- The HSB locks up due to a different issue.

Impact:
Traffic will be negatively impacted until the BIG-IP system detects and remedies the condition.

Workaround:
None.


720799-1 : Virtual Server/VIP flaps with FQDN pool members when all IP addresses change

Component: Local Traffic Manager

Symptoms:
When using FQDN pool members, if all ephemeral members are removed and replaced by a DNS query that returns an entirely new set of IP addresses (no overlap with previous DNS query results), all ephemeral pool members are removed before the new ephemeral pool members are created.

This results in a brief moment when there are no ephemeral members (that can receive traffic) in the pool.

Conditions:
A DNS query for the FQDN node to which the pool members belong returns an entirely new set of IP addresses (no overlap with previous DNS query results).

Impact:
The brief moment during which there are no ephemeral members (that can receive traffic) in the pool can cause a Virtual Server or Virtual Address using that pool to flap.

Workaround:
It is possible to work around this issue by:
1. Adding a pool member with a statically-configured IP address.
2. Including multiple FQDN pool members in the pool, to limit the effect of the ephemeral members changing for a single FQDN pool member.
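Both this issue and 721621-3 above come down to how ephemeral members are reconciled against a new DNS answer set: the ordering of removals and additions (this issue) and collisions with statically-configured nodes (721621-3). The following is an added example (not TMOS code and not from this article) that models that reconciliation as a set operation: make-before-break ordering keeps the pool populated when the whole address set changes, collisions with static nodes are reported rather than silently dropped, and a pre-flight check implements the first prevention step of the 721621-3 workaround. The `Pool` model and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    static_members: set = field(default_factory=set)     # statically configured member IPs
    ephemeral_members: set = field(default_factory=set)  # members created from FQDN resolution


@dataclass
class ReconcileResult:
    added: list
    removed: list
    static_conflicts: list   # answers that collide with a static node (the 721621-3 condition)
    went_empty: bool         # pool had no member at some instant (the 720799-1 condition)


def reconcile_ephemerals(pool: Pool, dns_answers, static_nodes,
                         make_before_break: bool = True) -> ReconcileResult:
    """Bring the pool's ephemeral members in line with a fresh DNS answer set.

    make_before_break=True adds the new members before removing stale ones, so
    the pool never has zero members even when the whole address set changes.
    make_before_break=False models the ordering the issue describes (remove all,
    then add) and reports whether the pool was momentarily empty.
    """
    desired = set(dns_answers)
    new = desired - pool.ephemeral_members
    stale = pool.ephemeral_members - desired
    conflicts = sorted(desired & set(static_nodes))
    went_empty = False
    if make_before_break:
        pool.ephemeral_members |= new
        pool.ephemeral_members -= stale
    else:
        pool.ephemeral_members -= stale
        went_empty = not pool.ephemeral_members and not pool.static_members
        pool.ephemeral_members |= new
    return ReconcileResult(sorted(new), sorted(stale), conflicts, went_empty)


def preflight_static_overlap(static_nodes, possible_answers) -> list:
    """Prevention check from the 721621-3 workaround: static node addresses that an
    FQDN might resolve to. Any hit means the ephemeral member may never be created."""
    return sorted(set(static_nodes) & set(possible_answers))
```

With a statically-configured member present (workaround step 1 above) `went_empty` stays false even in remove-then-add order, which is why that step removes the flap; `static_conflicts` and `preflight_static_overlap` surface the 721621-3 condition before it costs traffic.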


720713-1 : TMM traffic to/from a i10600/i10800 device in vCMP host mode may fail

Component: TMOS

Symptoms:
When an i10600/i10800 device is configured as a vCMP host and at least one vCMP guest is running (or ever ran), TMM traffic to the vCMP host may fail.

Note: Management port traffic to/from the device is unaffected.

Note: TMM traffic to/from the vCMP guests running on the device is unaffected. This issue affects only the vCMP host.

The most visible symptom is that TMM on the vCMP host fails to answer ARP requests that it receives for its own Self-IP addresses.

Conditions:
This issue occurs when all of the following conditions apply:

- i10600/i10800 device in vCMP host mode.

- At least one vCMP guest is deployed or was deployed, at some point.

Impact:
Inability to communicate to/from the vCMP host via its Self-IP addresses.

Workaround:
None.


720669-1 : Within the GUI, the 'MQTT-TLS' service port is incorrectly reported as 'common.all.MQTT-TLS'.

Component: TMOS

Symptoms:
In some sections of the GUI, the 'MQTT-TLS' service port may be incorrectly reported as 'common.all.MQTT-TLS'.

Conditions:
This is currently known to happen in the 'Virtual Server List' screen when a virtual server is configured to listen on port 8883 (a.k.a. MQTT-TLS).

Impact:
None. The issue is cosmetic and has no effect on traffic.

Workaround:
None.


720651-1 : Running Guest Changed to Provisioned Never Stops

Component: TMOS

Symptoms:
After changing a vCMP guest's state to provisioned, the guest remains running and shows a status of stopping.

Conditions:
-- Guests deployed on a BIG-IP VCMP host.
-- Changing the state from deployed to provisioned.

Impact:
Guests do not stop and change status until vcmpd process is restarted.

Workaround:
There is no workaround.


720610-1 : Updatecheck logs bogus 'Update Server unavailable' on every run

Component: TMOS

Symptoms:
The updatecheck operation erroneously logs that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading messages in the log file, implying that the update server is not available.

Workaround:
None.


720581-1 : Policy Merge creates incorrect references when merging XML Profiles that contain Schema Files

Component: Application Security Manager

Symptoms:
When using Policy Merge to add an XML Profile from policy A to policy B, if there are any Schema files (such as xsd or wsdl) associated with the profile, then the XML Profile added to policy B erroneously points to the file that is in policy A and does not create a new reference within policy B.

Conditions:
Policy Merge is used to add an XML Profile that contains a schema file from one policy to another.

Impact:
-- The reference to an object in another policy breaks BIG-IQ discovery.
-- The policy is not consistent after export/import.

Workaround:
None.


720461-1 : qkview prompts for password on chassis

Component: TMOS

Symptoms:
Qkview prompts for a password when executing getnodedates from the chassis module.

Conditions:
SSH auth keys are missing or corrupted.

Impact:
This blocks collecting qkview.

Workaround:
Edit the /user/bin/getnodedates script and add -oBatchMode=yes for the SSH command as shown in the following example:

        $date = `/usr/bin/ssh -q -oBatchMode=yes -oStrictHostKeyChecking=no $ip /bin/date`;


720440-2 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval and timeout values configured in the monitor.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a RADIUS request.

Impact:
A pool member that responds slowly but within the configured timeout is marked down incorrectly whenever that timeout is greater than 6 seconds.

Workaround:
There is no workaround at this time.


720293-4 : HTTP2 IPv4 to IPv6 fails

Component: Local Traffic Manager

Symptoms:
An IPv4-formatted virtual server with an IPv6-formatted pool member cannot establish the connection to the pool member if HTTP2 is configured.

Conditions:
-- IPv4 virtual Server.
-- IPv6 pool member.
-- HTTP2 profile.

Impact:
Traffic connection does not establish; no traffic passes.

Workaround:
None.


720269-1 : TACACS audit logging may append garbage characters to the end of log strings

Component: TMOS

Symptoms:
When using TACACS audit logging, you might see extra 'garbage' characters appended to the end of logging strings.

Conditions:
Using audit forwarding with a remote TACACS server.

Impact:
Confusing log messages. Remote TACACS logging might stop altogether after some time.

Workaround:
There is no workaround at this time.


720242-1 : GUI for AFM rules shows protocol value IPENCAP for rules under rule-list

Component: Advanced Firewall Manager

Symptoms:
When a user tries to set the protocol field to 'IPv4', it is displayed as IPENCAP after saving. This happens only for rules under RuleList.

Conditions:
This occurs only for rules under RuleList.

Impact:
Protocol value is displayed as 'IPENCAP' as opposed to 'IPv4'.

Workaround:
Use tmsh to see the actual value.


720104-2 : BIG-IP i2800/i2600 650W AC PSU has marketing name missing under 'show sys hardware'

Component: TMOS

Symptoms:
BIG-IP i2800/i2600 650W AC PSU is missing marketing name under 'show sys hardware' and displays 'unknown' when OID sysObjectID is queried.

Conditions:
-- Execute 'tmsh show sys hardware'.
-- Query for OID sysObjectID using snmpwalk.
-- Using BIG-IP i2800/i2600 platforms.

Impact:
System reports an empty marketing name when queried. Platform with 650W AC PSU not identified using tmsh command or snmpwalk.

Workaround:
There is no workaround at this time.


720030-5 : Enable EDNS flag for internal Kerberos DNS SRV queries in Kerberos SSO (S4U)

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV queries are sent without the EDNS0 option. The internal DNS server (dnscached) therefore truncates any UDP response larger than 512 bytes, and the query is retried over TCP. Each retry leaves a connection in TIME_WAIT on the socket used to reach dnscached.

Conditions:
APM end users use Kerberos SSO to access backend resources.

Impact:
If many sockets accumulate in TIME_WAIT, the system may be unable to issue new DNS queries, which limits scalability.

Workaround:
For BIG-IP software v12.x and later, edit /etc/resolv.conf and add the EDNS0 resolver option (the glibc resolver keyword is 'options edns0'). The BIG-IP system manages /etc/resolv.conf from its sys dns configuration, so verify that the edit survives a configuration load or upgrade.

There is no workaround for versions earlier than 12.x.


719644-3 : If auto-discovery is enabled, GTM configuration may be affected after an upgrade from 11.5.x to later versions

Component: Global Traffic Manager (DNS)

Symptoms:
When an LTM configuration contains virtual server names that include a period (.), a GTM configuration with auto-discovery enabled might lose consistency after an upgrade from v11.5.x to a later version.

Conditions:
-- Upgrading GTM from v11.5.x to later versions (e.g., BIG-IP DNS v12.x).
-- Auto-discovery is enabled.
-- LTM configuration containing virtual server names containing the period character (.).
-- The same virtual server name is used in multiple partitions.

Impact:
The configuration after the upgrade might be affected in the following ways:
-- Missing virtual servers.
-- Deletion of some pool members.
-- Virtual servers with incorrect addresses.

Workaround:
There is no workaround at this time.


719600-1 : TCP::collect iRule with L7 policy present may result in connection reset

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing TCP::collect and HTTP_REQUEST is on a virtual server with an L7 policy, the policy engine may cause the connection to be unexpectedly reset with a 'policy execution error' reset cause, and 'Unable to resume pending policy event on connflow' will be logged to /var/log/ltm.

Conditions:
TCP::collect and HTTP_REQUEST iRule with L7 policy on virtual server.

Impact:
Connections may be unexpectedly reset and errors logged to /var/log/ltm.

Workaround:
At the start of the HTTP_REQUEST event, issue an 'after 1' command to allow the policy engine to reach a consistent state before proceeding with the remainder of the iRule.
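The following iRule, added here as an illustration and not taken from the original F5 text, shows the shape of a virtual server configuration that triggers this issue and where the 'after 1' workaround goes; the payload check and the X-Debug header cleanup are placeholders:

```tcl
# Added example for ID 719600 (not F5's code). Attach to a virtual server
# that also has an L7 (local traffic) policy.
when CLIENT_ACCEPTED {
    # Hold the first client bytes so CLIENT_DATA can inspect them.
    TCP::collect
}
when CLIENT_DATA {
    # Placeholder inspection: record how much was collected, then release
    # the data to the HTTP filter so HTTP_REQUEST can fire.
    log local0. "collected [TCP::payload length] bytes from [IP::client_addr]"
    TCP::release
}
when HTTP_REQUEST {
    # Workaround: yield for 1 ms so the policy engine can finish its pending
    # event before this iRule continues. Without it the connection may be
    # reset with a 'policy execution error' cause.
    after 1
    # Remainder of the iRule runs as usual (placeholder header cleanup).
    if { [HTTP::header exists "X-Debug"] } {
        HTTP::header remove "X-Debug"
    }
}
```

Variables set in CLIENT_DATA remain available in HTTP_REQUEST for the same connection; the pause only delays execution, it does not discard collected state.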


719597-1 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) pair, with one running v12.1.1 and the other v13.1.0, the HA connections between TMMs on the Active and Standby units might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One chassis running v12.1.1 and the other running v13.1.0.
-- An HA connection is configured between them.

Impact:
The HA connection does not form.

Workaround:
There is no workaround other than installing the same software version on both chassis.


719459-1 : Wrong add suggestions created for already existing response URLs when differentiate HTTP and HTTPS is disabled

Component: Application Security Manager

Symptoms:
Policy builder suggests adding already existing URLs (as HTTPS) learned from response.

Conditions:
-- Differentiate HTTP and HTTPS URLs is disabled.
-- Learn-from response is enabled.
-- Server responses contain HTTPS links for HTTP requests instead of using protocol-relative URLs.

Impact:
This is a cosmetic issue in that incorrect suggestions are created. There is no impact to functionality.

Workaround:
Add the incorrect suggestions to the 'ignore' list.


719396-2 : DHCP Client on BIG-IP sends host-name 'localhost' in DISCOVER packet after first boot.

Solution Article: K34339214

Component: TMOS

Symptoms:
DHCP Client on the BIG-IP system sends host-name 'localhost' in DISCOVER packet after first boot.

Note: The problem goes away after the first boot.

Conditions:
-- DHCP is enabled (this is the default on BIG-IP systems).
-- Initial startup.

Impact:
This can affect the lease given out by the DHCP server in the given network if the DHCP server is configured in such a way as to dynamically update the DNS based on the host-name option in the lease.

Workaround:
-- Empty the /var/lib/dhclient/dhclient.leases file.
-- Run the following command: bigstart restart dhclient


719247-1 : HTTP::path and HTTP::query iRule functions cannot be set to a blank string

Solution Article: K10845686

Component: Local Traffic Manager

Symptoms:
The HTTP::path and HTTP::query iRule functions generate an error if called with an argument that is a blank string, resulting in connection termination.

Conditions:
In an iRule where the argument is a blank string:
  HTTP::path ""
  HTTP::query ""

Impact:
Error encountered while executing iRule "HTTP::query $blank", and the connection is terminated with an error in the logs similar to the following:
   -- err tmm[17219]: 01220001:3: TCL error: /Common/ir_1-4045405141_query <HTTP_REQUEST>

Workaround:
To set HTTP::query to blank, use the following function:
HTTP::uri [HTTP::path]

To set HTTP::path to blank, use the following function:
HTTP::uri [HTTP::query]


719186-1 : Multipart/form-data requests may generate false positive 'missing strong integrity parameter' alerts

Component: Fraud Protection Services

Symptoms:
Multipart/form-data requests are not supported in FPS. FPS-protected pages which have the enhanced data-manipulation feature enabled, may generate a false-positive 'missing strong integrity parameter' alert for multipart/form-data requests.

Conditions:
-- FPS profile attached to a virtual server.
-- Multipart/form-data requests to a URL.
-- Enhanced data-manipulation feature enabled on a protected URL.

Impact:
False-positive 'missing strong integrity parameter' alert.

Workaround:
Use the ANTIFRAUD::disable_alert iRule command to drop the alert. The iRule below sets static::drop_alert for requests to the protected URL whose Content-Type header starts with 'multipart/form-data', and then suppresses the matching alert; replace the /upload path with the URL of your protected page. Note that static:: variables are shared by all connections handled by a TMM, so the flag is not strictly per-request.

when RULE_INIT {
    set static::drop_alert 0
}
when HTTP_REQUEST {
    if { [HTTP::path] eq "/upload" && [string tolower [HTTP::header Content-Type]] starts_with "multipart/form-data" } {
        set static::drop_alert 1
    }
}
when ANTIFRAUD_ALERT {
    if { $static::drop_alert eq 1 &&
         [ANTIFRAUD::alert_type] eq "vtoken" &&
         [ANTIFRAUD::alert_component] eq "no_strong_integrity_param" } {
        ANTIFRAUD::disable_alert
        set static::drop_alert 0
    }
}


719107-1 : Message type is not displayed in CLI and incorrect message type is displayed in GUI for Subscriber Management diameter protocol profile message type CCA-T.

Component: Policy Enforcement Manager

Symptoms:
If a configuration created on a version earlier than v13.1.0 contains a Subscriber Management diameter protocol message of type CCA-T, then after an upgrade to a later version the message type is not displayed in the command-line interface (CLI) and is shown incorrectly as CCR-I in the GUI.

Conditions:
-- Upgrade to v13.1.0 or later.
-- Configuration has Subscriber Management diameter protocol message type CCA-T.

Impact:
The message type is shown incorrectly as CCR-I in the GUI and is not shown at all in the CLI.

Note: This configuration has no effect.

Workaround:
Delete the Subscriber Management diameter protocol message that has no message-type when viewed from CLI.


719005-2 : Login request may arrive corrupted to the backend server after CAPTCHA mitigation

Component: Application Security Manager

Symptoms:
Login request arrives corrupted (specifically, some of the characters in the payload are changed).

Conditions:
-- A brute force CAPTCHA mitigation happens.
-- Specific traffic conditions.

Impact:
Login request fails.

Workaround:
None.


718867-1 : tmm.umem_reap_aggrlevel db variable setting does not persist across upgrades

Component: Local Traffic Manager

Symptoms:
The db variable 'tmm.umem_reap_aggrlevel' (to set the memory-usage level at which aggressive connection-reaping begins) does not persist across upgrades; on upgrade it will be reset to its default value (80%).

Conditions:
-- The db variable 'tmm.umem_reap_aggrlevel' is set to a custom value (specifically, not '80').
-- The BIG-IP system is upgraded.

Impact:
The value for 'tmm.umem_reap_aggrlevel' has reset to '80', its default value.

Workaround:
Reset the variable's custom value after upgrade.


718817-1 : Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest can fail.

Component: TMOS

Symptoms:
Software installation on secondary blade of VIPRION or VIPRION-based vCMP guest fails due to a race condition.

There are log entries in /var/log/liveinstall.log:

-- error: status 256 returned by command: F5_INSTALL_SESSION_TYPE=install tmsh -f save sys ucs /var/tmp/kRf24pKXTQ.ucs.
-- info: tar: config/.ucs_base_mac: Cannot stat: No such file or directory.
-- info: Unexpected Error: UCS saving process failed.

Conditions:
-- Installing onto secondary VIPRION blade or onto VIPRION-based vCMP guest.

Impact:
Software installation fails.

Workaround:
You can use either workaround:
-- Add 'ignore .ucs_base_mac' to the 'monitor dir /config' stanza in /etc/csyncd.conf on all blades, and then restart csyncd on all blades by running "clsh bigstart restart csyncd"

-- Retry the installation until it succeeds.


718800-1 : Cannot set a password to the current value of its encrypted password

Component: TMOS

Symptoms:
Attempting to set a password to the current value of its encrypted password silently fails without changing the password. For example, running the following tmsh command sets the encrypted password to the value 'password':

modify auth user <username> encrypted-password password

Attempting to set the password to 'password' using the command does not report an error, but does not change the password (meaning that encrypted password remains 'password'):

modify auth user <username> password password

Conditions:
Changing a password to the value of encrypted-password.

Impact:
It is difficult to recover from this situation because simply changing the password to the correct value does not work.

(It is likely this initially happened by accident: attempting to set 'password', but setting 'encrypted-password' instead.)

Workaround:
First, change the password to something else. Then, change it back to the correct value.


718772-1 : The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists)

Component: Anomaly Detection Services

Symptoms:
The generated signature creates incorrect predicate http.unknown_header (instead of http.unknown_header_exists).

Conditions:
Attack with traffic with 'unknown' header, for example
'Upgrade-Insecure-Requests: 1'.

Impact:
In the GUI, when the signature with the predicate 'unknown_header' is edited, this predicate is empty (instead of exists / does not exist).

Workaround:
There is no workaround.


718525-2 : PostGreSQL errors seen on startup after removing the mcpd binary database and rebooting

Component: TMOS

Symptoms:
After removing the mcpd binary database and restarting, occasionally there are errors similar to the following in /var/log/ltm:

warning postgres[7663]: [3-1] ERROR: duplicate key value violates unique constraint "vlan_pkey"

(The object type may be something other than 'vlan_pkey'.)

Conditions:
This occurs when you remove the mcpd binary database and reboot the system.

Impact:
The configuration does not load until 'bigstart restart' is executed.

Workaround:
None.


718291-1 : iHealth upload error doesn't clear

Component: TMOS

Symptoms:
If an error occurs that sets the iHealth error string, then this string is never cleared.

Conditions:
Setting an invalid hostname for db variable proxy.host.

Impact:
The system reports the following error string: curl: (56) Recv failure: Connection reset by peer. This error message is never cleared, despite running a successful upload. The bogus error message could result in unnecessary confusion after a successful upload.

Workaround:
To clear the error message, run the following command:
/usr/bin/guishell -c "update diags_ihealth_request set error_str='';"


718232-3 : Some FTP servers may cause false positive for ftp_security

Component: Application Security Manager

Symptoms:
A login might be rejected after fewer failed attempts than the configured 'Maximum Username Login Retries'. The BIG-IP system returns the following error message: 530 Too many failed login attempts by the user.

Conditions:
-- The FTP server sends unexpected responses that the BIG-IP system rejects.
-- A value is specified for 'Maximum Username Login Retries'.

Impact:
A legitimate user might be rejected and have to wait until the configured 'Re-enable login' time.

Workaround:
There is no workaround at this time.


717785-4 : Interface-cos shows no egress stats for CoS configurations

Component: TMOS

Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.

Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.

Impact:
Egress packet statistics reported per CoS queue shows no counts.

Workaround:
None.


717346-1 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
This occurs rarely; an unstable network may be one cause.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


716940-1 : Traffic Learning screen graphs shows data for the last day only

Component: Application Security Manager

Symptoms:
Traffic Learning screen graphs shows data for the last day only.

Conditions:
Visit Learning screen 1 hour after policy creation.

Impact:
Statistics shown are for the last day. No statistics for longer or for shorter periods of time.

Workaround:
There is no workaround.


716922-1 : Reduction in PUSH flags when Nagle Enabled

Component: Local Traffic Manager

Symptoms:
When Nagle is enabled in the TCP profile, the number of PUSH flags generated by the BIG-IP system drops substantially compared to the Nagle-disabled case, or to the Nagle-enabled case prior to v12.1.2-HF1. This matters most when there is a single outstanding unsent segment in the send buffer awaiting acknowledgment of all other data.

Conditions:
-- Nagle is enabled.
-- Running BIG-IP software versions later than v12.1.2-HF1.

Note: The problem is only impactful when the client withholds ACKs when there is no PUSH flag.

Impact:
If the client withholds ACKs, this can save handset power, but it also causes Nagle's algorithm to withhold the last bit of data, increasing latency.

Workaround:
Set Nagle to the 'Auto' setting or 'Disabled'.

Note: To retain some of the benefits of Nagle's algorithm, use 'Auto'.


716900-3 : TMM core when using MPTCP

Component: Local Traffic Manager

Symptoms:
In some cases TMM may crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic interrupted while TMM restarts.

Workaround:
There is no workaround other than to disable MPTCP.


716788-1 : TMM may crash while response modifications are being performed within DoSL7 filter

Component: Application Security Manager

Symptoms:
TMM might crash when a response is modified by the DoSL7 filter while injecting an HTML response from a backend server.

Conditions:
-- ASM provisioned.
-- DoS application profile is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts, failover may occur.

Workaround:
There is no workaround other than to remove the DoS application profile from the virtual server.


716716-1 : Under certain circumstances, having a kernel route but no TMM route can lead to a TMM core

Component: Local Traffic Manager

Symptoms:
TMM cores when the system has a kernel route configured, but no matching TMM route.

Conditions:
The scenario that can lead to this state is unknown.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
Either remove the kernel route, or add a matching TMM route.


716391-1 : High priority for MySQL on 2 core vCMP may lead to control plane process starvation

Solution Article: K76031538

Component: TMOS

Symptoms:
vCMP guest with only 2 cores may undergo control plane process starvation, which could lead to failover due to CPU starvation of sod.

Conditions:
-- A device using Intel Hyper-Threading Technology is configured with only 2 cores.
-- A module using MySQL is provisioned.

Impact:
Control plane processes may experience CPU starvation, including failover due to CPU starvation of sod. This is a rarely occurring issue.

Workaround:
Revert to pre-11.5.1 HF4 behavior by setting the scheduler.splitplanes.asmopt database key to false.
 
IMPORTANT: You should not revert to pre-11.5.1 HF4 behavior unless requested by F5 Support. However, if required, you can disable this new behavior and revert to pre-11.5.1-HF4 behavior. For instructions on how to do so, see K16469: Certain BIG-IP ASM control plane processes are now pinned to the highest-numbered logical CPU core :: https://support.f5.com/csp/article/K16469.


716324-1 : CSRF protection fails when the total size of the configured URL list is more than 2 KB

Component: Application Security Manager

Symptoms:
When the total size of the cross-site request forgery (CSRF) protection URL list is greater than 2 KB, CSRF token injection fails, and requests to protected URLs then trigger CSRF violations.

Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.

Impact:
CSRF false-positive violation.

Workaround:
Use wildcards to minimize total CSRF URL size.


716318-1 : Engine/Signatures automatic update check may fail to find/download the latest update

Component: Fraud Protection Services

Symptoms:
Engine/Signatures automatic update check may fail to find/download the latest update if the timestamp of the factory update file is later than the timestamp of the update file in downloads.f5.com.

Note: This issue is relevant only for engineering hotfixes.

Conditions:
This occurs when the following conditions are met:
-- Engineering hotfix.
-- The factory update file timestamp is later than the timestamp of the update file in downloads.f5.com.

Impact:
Automatic update check will detect the wrong update file.

Workaround:
Manually check, and then download and install the update file from downloads.f5.com, if needed.


716213-5 : BIG-IP system issues TCP-Reset with error 'SSID error (Out of Bounds)' in traffic

Component: Local Traffic Manager

Symptoms:
When APM connects to Active Directory Federation Services (ADFS), a blank page is observed. The log file /var/log/ltm shows a TCP reset issued by the BIG-IP system, and a packet capture shows that the reset is caused by an out-of-bounds error when the SSL persistence (SSID) parser processes the traffic.

Conditions:
-- SSL persistence (SSID) is enabled for a virtual host.
-- APM connects to ADFS.

Impact:
A blank page is observed due to the TCP reset.

Workaround:
No workaround is available.


715883-1 : tmm crash due to invalid cookie attribute

Component: Local Traffic Manager

Symptoms:
tmm crash due to invalid request-side cookie attribute.

Conditions:
While processing an HTTP request, an iRule tries to add a cookie attribute to a cookie that is only valid in an HTTP response (for instance, an 'expires' attribute).

Impact:
TMM cored. Traffic disrupted while tmm restarts.

Workaround:
None.


715820-3 : vCMP in HA configuration with VIPRION chassis might cause unstable data plane

Solution Article: K61422392

Component: TMOS

Symptoms:
When multiple vCMP guests are deployed in a high availability (HA) configuration on VIPRION chassis, the data plane cluster might become unstable. When this issue occurs, the system posts repeated log messages in /var/log/ltm similar to the following:

-- CDP: exceeded 1/2 timeout for PG 3

Conditions:
-- Multiple vCMP guests are deployed.
-- HA configured.
-- Using VIPRION chassis.

Impact:
Unstable data plane might cause traffic disruption/packet drops.

Workaround:
None.


715785-1 : Incorrect encryption error for monitors during sync or upgrade

Component: Local Traffic Manager

Symptoms:
The system logs an error message similar to the following in /var/log/ltm:

err mcpd[6823]: 01071768:3: Encryption of the field (password) for object (<monitor name>) failed.

This may cause a configuration sync to fail, or an upgrade to fail.

Conditions:
The exact conditions are unknown, however it may occur under these circumstances:

-- Performing a config sync operation.
-- Performing an upgrade.

Impact:
Inability to sync peer devices, or an inability to upgrade.

Workaround:
There is no workaround at this time.


715756-1 : Clusterd may not trigger primary election when primary blade has critical filesystems mounted read-only

Component: Local Traffic Manager

Symptoms:
When filesystems critical to TMOS operation are mounted read-only, clusterd on that blade should trigger a primary election if the blade is primary, and in either case should inform the cluster of the critical error state. Neither happens.

Conditions:
A critical filesystem (e.g., '/', '/var', '/var/run', '/config', '/shared') has been mounted read-only.

Impact:
The blade with read-only filesystems and degraded functionality might stay primary and claim to be passing traffic.

Workaround:
There is no workaround other than to avoid mounting filesystems read-only on a BIG-IP system.


715750-1 : The BIG-IP system may exhibit undesirable behaviors when receiving a FIN midstream an SSL connection.

Component: Local Traffic Manager

Symptoms:
Upon receiving a FIN midstream in an SSL connection, the BIG-IP system will immediately proxy the FIN to the remote host on the peer side. At this point, depending on the specific configuration of the remote host on the peer side, the BIG-IP system may exhibit behaviors that may be deemed undesirable.

For instance, if the remote host on the peer side acknowledges the FIN but ignores it and keeps sending data to the BIG-IP system, the BIG-IP system will drop all ingress data (i.e., not proxy it) while keeping the side that transmitted the original FIN open indefinitely.

Once the remote host on the peer side completes transmitting data and sends a FIN of its own, the BIG-IP system will finally release the side that sent the original FIN by allowing it to close.

Conditions:
This issue occurs when the following conditions are met:

-- A standard virtual server with the clientssl and serverssl profiles in use.

-- As part of a connection handled by the virtual server, one side sends a FIN midstream to the BIG-IP system.

Impact:
There is no real impact to the BIG-IP system because of this issue. However, both the client and the server can be negatively impacted by this issue.

For example, if the original FIN was received by the BIG-IP system on the clientside:

-- The client connection is not allowed to close for potentially a very long time. During this time, the client does not receive anything other than Keep-Alive packets from the BIG-IP system. This can delay or adversely impact applications on the client.

-- The server continues to send data to the BIG-IP system unnecessarily. After accounting for the fact this could be a lot of data and many connections could be in this state, the server and/or its surrounding network could become impacted/congested. At a minimum, this might cause a waste of resources.

Workaround:
There is no workaround at this time.


715467-1 : Ephemeral pool member and node are not updated on 'A' record changes if pool member port is ANY

Component: Local Traffic Manager

Symptoms:
If the 'A' record for an FQDN node is removed or replaced on the DNS server, then the BIG-IP system does not remove the old ephemeral pool member or create the new pool member and node.

Conditions:
-- FQDN nodes.
-- Pool members with a service port of ANY.

Impact:
Ephemeral pool member and nodes are not removed or updated when the DNS 'A' record is removed or changed.

Workaround:
There is no workaround at this time.


715448-3 : Providing LB::status with a GTM Pool name in a variable caused validation issues

Component: Global Traffic Manager (DNS)

Symptoms:
When utilizing an LB::status iRule where the GTM Pool name was provided in a variable, instead of directly written into the command, the system posts the following error message: Can't read 'monkey': no such variable.

Conditions:
LB::status pool a <Variable containing string>.

Impact:
Unable to use LB::status iRule.

Workaround:
There is no workaround at this time.


715128-2 : Simple mode Signature edit does not escape semicolon

Component: Application Security Manager

Symptoms:
When creating a user-defined ASM Signature in Simple mode, semicolon followed by space cannot be used in a keyword.

Conditions:
-- Using a user-defined ASM Signature in Simple mode.
-- There is a semicolon followed by a space in a keyword.

Impact:
The signature cannot be created.

Workaround:
The signature can be created in Advanced Mode by escaping semicolon as "|3B|".


714986-4 : Serial Console Baud Rate Loses Modified Values with New Logins on iSeries Platforms Without Reboot

Component: TMOS

Symptoms:
On an iSeries platform, when the console baud rate is changed through TMSH, new terminal sessions revert back to the previous baud rate instead of adopting the new setting unless the unit is rebooted.

Conditions:
1. Modify the console baud rate in BIG-IP through TMSH on an iSeries platform (i2xxx, i4xxx, i5xxx, i7xxx, i10xxx, i15xxx), for example: tmsh modify sys console baud-rate 9600.

2. Exit from the login prompt in the current terminal session, or kill it and start a new session.

Impact:
The BIG-IP system reverts to the previous baud rate instead of the new setting. Inability to create any new serial console connections with the modified baud-rate without a reboot.

Workaround:
The problem can be mitigated by manually reprogramming the TTY device and restarting the agetty process and bash login sessions. This closes any existing console connections, but newly established connections will connect at the modified baud rate.

1. Use TMSH to modify the baud rate to the desired speed by running a command similar to the following:

tmsh modify sys console baud-rate 9600

2. Re-program the TTY device with the desired speed by running a command similar to the following:

stty -F /dev/ttyS0 9600

3. Kill the existing agetty process so it will re-start at the new baud rate by running the following command:

/usr/bin/killall -q agetty

4. Restart bash logins by running the following command:

/bin/kill -HUP `/bin/ps -A | /bin/grep ttyS0 | /bin/grep -v grep | /bin/grep bash | /bin/awk '{print $1}'` >/dev/null 2>&1


714974-1 : Platform-migrate of UCS containing QinQ fails on VE

Component: TMOS

Symptoms:
If you are doing platform-migrate from a hardware device to a Virtual Edition (VE) guest, and the UCS that came from the hardware device has a QinQ VLAN configuration, then the upgrade will fail.

Conditions:
-- VLAN with a QinQ configuration exists on the hardware configuration.
-- UCS file is saved on the hardware device.
-- UCS is copied to a VE guest.
-- Attempt to load the configuration using the following command: load sys ucs <UCS filename> no-license platform-migrate.

Impact:
The UCS load will fail and generate an error:

01071bd8:3: The tag-mode for requested member <VLAN name> has to be 'none' on platforms that do not support QinQ. Unexpected Error: Loading configuration process failed.

Workaround:
None.


714903-3 : Errors in chmand

Component: TMOS

Symptoms:
VIPRION cluster does not form; only primary blade stays online. Chassis manager chmand generated a core file. System logs the following error in ltm log: err clusterd[11162]: 013a0004:3: Error adding cluster mgmt addr, HAL error 7.

Conditions:
-- Restoring UCS.
-- Chassis starting up.
-- System in stressed condition, where there is very little or no memory available.

Impact:
Cluster does not form.

Workaround:
None.


714654-1 : Creating static route for advertised dynamic route might result in dropping the tmrouted connection to TMM

Component: TMOS

Symptoms:
While creating a static route, tmrouted disconnects with error: existing entry is not a dynamic.

Conditions:
Creating a static route for a network that already has an advertised dynamic route.

Impact:
TMM's connection to tmrouted goes down, which results in loss of the dynamic route for TMM.

Workaround:
There is no workaround other than not creating a static route for routes received through dynamic routing.


714559-4 : Removal of HTTP hash persistence cookie when a pool member goes down.

Component: Local Traffic Manager

Symptoms:
When HTTP cookie hash persistence is configured the cookie is removed when a pool member goes down. This is incorrect if pool members are using session replication.

Conditions:
- Cookie hash persistence is configured.
- A pool member that the persistence record points to goes down.
- Pool members are using session replication.

Impact:
Connected clients must establish a new session.

Workaround:
To configure HTTP cookie hash persistence, use an iRule similar to the following:

when CLIENT_ACCEPTED {
    persist cookie hash JSESSIONID
}


714507-1 : [tmsh] list gtm pool show does not list pool member depends-on if there is virtual server dependency in GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool member dependency cannot be listed correctly using the following command:
# tmsh list gtm pool

Conditions:
-- Virtual server dependency in GTM server.
-- Running the command: tmsh list gtm pool.

Impact:
1. Pool member dependencies are not listed.
2. Pool member dependency information is missing when saving config:
    # tmsh save sys config gtm-only

Workaround:
List specific gtm pools instead by running a command similar to the following:
# tmsh list gtm pool a p1


714503-1 : When creating a new iRulesLX rule, the GUI appends .tcl to rule filenames that already end in .tcl

Component: Local Traffic Manager

Symptoms:
When using the GUI to create a new iRulesLX rule with the extension .tcl as part of the rule name, the GUI will append another .tcl at the end of the file. This is problematic when attempting to view the iRule in the iRulesLX workspace (at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
-- Creating a new iRulesLX iRule in the GUI.
-- Adding the extension .tcl.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the .tcl extension. The system will do that for you.


714495-1 : When creating a new iRulesLX rule, TMSH appends ".tcl" to rule filenames that already end in ".tcl"

Component: Local Traffic Manager

Symptoms:
When using TMSH to create a new iRulesLX rule with the extension '.tcl' as part of the rule name, TMSH will append another '.tcl' at the end of the file. This is problematic when attempting to view the iRule in the GUI (in the iRulesLX workspace at Local Traffic :: iRules : LX Workspaces :: <workspace name>).

Conditions:
Creating a new iRulesLX iRule in TMSH.

Impact:
Cannot view or delete the iRule from the iRulesLX GUI.

Workaround:
Do not name rules with the '.tcl' extension.


714384-2 : DHCP traffic may not be forwarded when BWC is configured

Component: Local Traffic Manager

Symptoms:
DHCP traffic may not be forwarded when BWC is configured on the system.

Conditions:
-- DHCP virtual server configured.
-- BWC policy configured and attached to the route-domain.

Impact:
DHCP traffic may not be forwarded.

Workaround:
There is no workaround other than to remove the BWC policy.


714334-2 : admd stops responding and generates a core while under stress.

Component: Anomaly Detection Services

Symptoms:
admd stops responding and generates a core while under stress.

Conditions:
-- The BIG-IP system is under stress.
-- CPU starvation is occurring.

Impact:
admd core and restart.

Note: The admd process provides stress-based DoS detection and mitigation control. When admd is not running, there is no stress-based anomaly detection or behavioral statistics aggregation.

Workaround:
None.


714303-2 : X520 virtual functions do not support MAC masquerading

Component: TMOS

Symptoms:
MAC masquerading is not supported when using X520 virtual functions via SR-IOV in Virtual Edition (VE). This is due to a lack of functionality in the underlying hardware.

Conditions:
-- Use SR-IOV virtual functions as interfaces within VE.
-- Configure MAC masquerading with a shared MAC that should follow the active system after traffic group failovers.

Impact:
MAC masquerading will not function in this environment.

Workaround:
There is no workaround other than not to use MAC masquerading, as conventional failover works for this environment.


714216-1 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current_partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition, save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current_partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.


713951-6 : tmm core files produced by nitrox_diag may be missing data

Component: Local Traffic Manager

Symptoms:
When the nitrox_diag utility generates a tmm core file, that file might include data for only one tmm thread instead of all tmm threads.

Conditions:
-- Running the nitrox_diag utility.
-- Using devices with the Cavium Nitrox crypto card.
-- The nitrox_diag utility generates a tmm core file.

Impact:
The resulting core file might include data for only one tmm thread instead of all tmm threads, making it more difficult for F5 to diagnose reported problems with the Cavium Nitrox crypto card. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


713934-1 : Using iRule 'DNS::question name' to shorten the name in DNS_REQUEST may result in a malformed TC response

Component: Local Traffic Manager

Symptoms:
A malformed truncated (TC) DNS response is received.

Conditions:
-- Using iRule 'DNS::question name' to shorten the name.
-- DNS response is longer than the 4096-byte UDP limit.

Impact:
DNS request might not be resolved correctly.

Workaround:
There is no workaround at this time.


713708-6 : Update Check for EPSEC shows OPSWAT description without EPSEC version on GUI

Component: TMOS

Symptoms:
On the BIG-IP GUI, under System :: Software Management :: Update Check, after pressing 'Check now', the 'Available Update' shows a long string 'OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install' instead of the EPSEC version, e.g.: epsec-1.0.0-679.0.

Conditions:
-- Under System :: Software Management :: Update Check.
-- Press 'Check now'.

Impact:
Cannot determine what version is available by viewing 'Available Update'. Although this is how all the other updates work, it can result in a confusing BIG-IP user experience.

Workaround:
To have the browser show the link's destination address, view the browser's status fields while hovering the cursor over the following link text: OPSWAT Endpoint Security Integration Update. See readme_minimum_version.txt before install.


713655-1 : RouteDomainSelectionAgent might fail under heavy control plane traffic/activities

Component: Access Policy Manager

Symptoms:
If per-session access policy requests route domain selection during policy evaluation, the agent might hang and fail to retrieve route domain information. APMD might restart and produce a core file.

Conditions:
-- Policy sync operation.
-- System receives a query for route domain information.
-- There is a heavy load of control plane traffic to process.

Impact:
Poor performance and/or APMD restarts with a core file, causing brief disruption of the authentication service.

Workaround:
None.


713585-2 : When the system config has many iRules and they are installed on many virtual servers, the config loading time is significantly long

Solution Article: K31544054

Component: Local Traffic Manager

Symptoms:
Config load can take a very long time, with very high CPU usage.

Conditions:
There are many iRules and they are installed on many virtual servers.

Impact:
BIG-IP system performance could be degraded during the load, and the system may lock up.

Workaround:
Run "tmsh modify sys db rule.validation value syntax". This causes iRule validation to check iRule syntax only; the semantic checks are not performed.


713533-1 : list self-ip with queries does not work

Component: Local Traffic Manager

Symptoms:
"list net self" command always returns all Self IPs, regardless of the regex patterns.

Conditions:
Running "list net self" with a regex pattern.

Impact:
You are unable to filter the Self IP list using a regex pattern.


713519-1 : Enabling MCP Audit logging does not produce log entry for audit logging change

Component: TMOS

Symptoms:
When you enable MCP audit logging, the action of changing the audit logging entry is not logged. All actions after the configuration change are logged.

Conditions:
This occurs when enabling MCP audit logging.

Impact:
The audit logging change itself is not logged in the audit logs.

Workaround:
None.


713491-3 : IKEv1 logging shows spi of deleted SA with opposite endianness

Component: TMOS

Symptoms:
Sometimes the IKEv1 racoon daemon logs a 32-bit child-SA spi with octets in backwards order (reversing the endianness).

Conditions:
When an SA is deleted.

Impact:
Logging typically shows a network byte order spi in the wrong order. Cosmetic interference with logging interpretation.

Workaround:
There is no workaround at this time.


713282-2 : Remote logger violation_details field does not appear when virtual server has more than one remote logger

Component: Application Security Manager

Symptoms:
Remote logger violation_details field appears empty.

Conditions:
-- More than one remote logger is attached to the virtual server.
-- A violation occurs.
-- Viewing the associated log.

Impact:
Violation_details field appears empty in logs.

Workaround:
There is no workaround at this time.


713134-1 : Small tmctl memory leak when viewing stats for snapshot files

Component: TMOS

Symptoms:
When viewing statistics for snapshot files, tmctl leaks a small amount of memory and displays the message:

tmctl: BUG: tmstat_dealloc invoked on a handle with rows outstanding; release all rows before calling tmstat_dealloc at <address>

Conditions:
Using tmctl to view statistics of snapshot files, for example:
tmctl -D /shared/tmstat/snapshots memory_usage_stat -s time,name,allocated,max_allocated name=access

Impact:
Errors written to output when running tmctl. The leak itself is very small and is only for tmctl (i.e., it does not have a cumulative, detrimental effect on the system that a TMM or MCP leak might).

Workaround:
None.


712819-1 : 'HTTP::hsts preload' iRule command cannot be used

Component: Local Traffic Manager

Symptoms:
Using the 'HTTP::hsts preload' iRule command in the GUI, you might see error message similar to the following:
01070151:3: Rule [/Common/test] error: /Common/test:3: error: ["invalid argument preload; expected syntax spec: "][HTTP::hsts preload enable].

The message is incorrect: the command has the correct format. However, the system does not run it.

Conditions:
Using the 'HTTP::hsts preload' iRule command in the GUI.

Impact:
The command does not run. Cannot use the 'HTTP::hsts preload' iRule command in the GUI.

Workaround:
None.


712664-1 : IPv6 NS dropped for hosts on transparent vlangroup with address equal to ARP disabled virtual-address

Component: Local Traffic Manager

Symptoms:
IPv6 Neighbor Solicitation (NS) messages may be dropped if they correspond to a host on the remote VLAN of a transparent vlangroup and match a virtual address that has ARP disabled.

Conditions:
-- Transparent vlan-group.
-- Virtual Address with ARP disabled.
-- Virtual Address corresponds to a remote IPv6 host address.

Impact:
NS for the host is dropped.
Traffic will not reach the remote host as resolution does not complete.

Workaround:
Do not use overlapping Virtual-addresses with ARP disabled, or enable ARP.


712637-1 : Host header persistence not implemented

Component: Local Traffic Manager

Symptoms:
Online documentation describes a persistence mechanism that uses the HTTP Host: header. However, this mechanism is not implemented, and attempts to use it generate an error.

Conditions:
Online help for ltm persistence says that Host persistence can be enabled via iRule, but attempting to do so generates an error 'invalid argument host'.

Impact:
Although this does not impact any existing functionality, the documented function is not available.

Workaround:
There is no workaround at this time.


712489-1 : TMM crashes with message 'bad transition'

Component: Local Traffic Manager

Symptoms:
TMM crashes under a set of conditions in which the system detects an internal inconsistency. The system posts an error similar to the following in the LTM and TMM logs:
crit tmm[18755]: 01010289:2: Oops @ 0x2285e10:5157: bad transition

Conditions:
Conditions that cause this to happen are not predictable, but these might make it more likely:
-- FastL4 virtual server and HTTP are configured.
-- db variable tmm.oops set to 'panic'.
-- Client sends three GET requests at once, and then closes the connection after a few seconds.
-- The server sends a partial 'Connection: close' response.

Impact:
TMM crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


712362-4 : ASM stalls WebSocket frames after legitimate websockets handshake with 101 status code, but without 'Switching Protocols' reason phrase

Component: Application Security Manager

Symptoms:
When the first line of the WebSocket HTTP handshake response arrives without the 'Switching Protocols' reason phrase, ASM stalls the WebSocket frames that follow on that connection.

The system posts the following messages in /ts/log/bd.log:
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0269|101 Switching Protocols HTTP status arrived, but the websocket hanshake failed.
-- IO_PLUGIN|ERR |Mar 28 09:16:15.121|30539|websocket.c:0270|Possible reasons are websocket profile isn't assigned on a virtual server or handshake is illegal.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- WebSocket backend server sends 101 response without the 'Switching Protocols' phrase.

Impact:
WebSocket frames stall.

Workaround:
#1 Change the backend server:
Change the WebSocket backend server to return a 101 response that includes the 'Switching Protocols' reason phrase:

HTTP/1.1 101 Switching Protocols


#2 Use an iRule:
when SERVER_CONNECTED {
    # Hold the first 15 bytes of the server response so the status line can be inspected
    TCP::collect 15
}
when SERVER_DATA {
    # "HTTP/1.1 101 \r\n" is 15 bytes: a 101 status line with an empty reason phrase
    if { [TCP::payload 15] contains "HTTP/1.1 101 \r\n" } {
        # Insert the reason phrase so ASM recognises the handshake
        TCP::payload replace 0 12 "HTTP/1.1 101 Switching Protocols"
    }
    # Release the collected data; without this the response stays buffered
    TCP::release
}


712335-2 : GTMD may intermittently crash under unusual conditions.

Component: Global Traffic Manager (DNS)

Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.

Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.

Impact:
GTMD restarts.

Workaround:
There is no workaround at this time.


712102-1 : customizing or changing the HTTP Profile's IPv6 field hides the field or the row

Solution Article: K11430165

Component: TMOS

Symptoms:
Customizing or changing the HTTP Profile's IPv6 field hides the field or the row.

Conditions:
Customizing or changing the HTTP Profile's IPv6 field.

Impact:
The HTTP Profile's IPv6 field cannot be customized or changed.

Workaround:
Use tmsh to set the HTTP Profile's IPv6 field.


712033-3 : When making a REST request to an object in /stats that is an association list, the selfLink has a duplicate name

Component: TMOS

Symptoms:
When you make a REST request to an association list in /stats, the member name is duplicated after 'members' in the entries key and the selfLink, e.g.:

# restcurl -X GET -u admin /tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats
{
  "kind": "tm:ltm:pool:members:membersstats",
  "generation": 3,
  "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/stats?ver\u003d14.0.0",
  "entries": {
    "https://localhost/mgmt/tm/ltm/pool/~Common~pool1/members/~Common~node1:8105/~Common~node1:8105/stats": {

Conditions:
When making a REST request to an object in /stats that is an association list.

Impact:
The selfLink has a duplicate name. SelfLinks for associations do not work.

Workaround:
None.


711981-6 : BIG-IP system accepts larger-than-egress MTU, PMTU update

Component: Local Traffic Manager

Symptoms:
A Path MTU (PMTU) message can lead the BIG-IP system to falsely assume an egress MTU for the related flow that is larger than the interface egress MTU.

Conditions:
A valid PMTU message.

Impact:
The BIG-IP system sends packets larger than the configured interface egress MTU.

Workaround:
None.


711818-4 : Connection might get reset when coming to virtual server with offload iRule

Component: Application Security Manager

Symptoms:
When IN_DOSL7_ATTACK event is triggered, and iRule has an async command in it, events might be released out of order, causing connection RST.

Conditions:
1. Have DoS profile with iRule turned on.
2. iRule is async (such as wait, DNS resolving, etc.).
3. Send POST request.

Impact:
Connection receives a RST.

Workaround:
There is no workaround at this time.


711683-1 : bcm56xxd crash with empty trunk in QinQ VLAN

Component: TMOS

Symptoms:
When an empty trunk (no members) is configured 'tagged' in a QinQ VLAN, bcm56xxd will continuously crash.

Conditions:
Trunk with no members, configured as 'tagged' in a QinQ VLAN.

Impact:
bcm56xxd continuously crashes.

Workaround:
Use either of the following workarounds:
-- Add members to the trunk.

-- Remove the trunk from the QinQ VLAN.


711405-2 : ASM GUI Fails to Display Policy List After Upgrade

Solution Article: K14770331

Component: Application Security Manager

Symptoms:
After upgrade to version 13.1.0 or later, ASM GUI fails to display the Policy List.

Conditions:
Using an 11.5.0 to 11.5.4-HF1 version that is affected by the issue of policies with duplicate REST IDs that occurred after restoring from policy history or using Policy Diff to compare policies.

Impact:
The ASM GUI started using the REST API in version 13.1.0, so any system affected by this issue on a previous version now fails to display the Policy List in the GUI.

Workaround:
On the device run the following script:
---------------------------------
perl -MF5::DbUtils -MF5::Utils::Rest -MF5::ASMConfig::Entity::Policy -e '$dbh = F5::DbUtils::get_dbh();
 $dbh->begin_work();
 $dbh->do("UPDATE PLC.PL_POLICIES a SET a.rest_uuid = \"\" WHERE a.rest_uuid IN ( SELECT rest_uuid FROM (SELECT rest_uuid FROM PLC.PL_POLICIES GROUP BY rest_uuid having count(*) > 1) b)");
 F5::Utils::Rest::populate_uuids(dbh => $dbh);
 $dbh->commit();'
---------------------------------
Note: In a management environment, this change must be pushed to the peer as a full sync. The easiest way to do so is to ensure that the ASM sync device group is in manual sync mode, and to push the config to the peers from the device where the script was run.


711397 : Custom dashboards do not upgrade from previous versions

Component: TMOS

Symptoms:
In previous releases, you could create customized dashboards using the Flash-based dashboard environment. This version of the software replaces the Flash-based dashboard with an HTML5-based dashboard. Because of differences in dashboard widgets and technology, your customized Flash dashboards are not rolled forward during the upgrade to the new version.

Conditions:
-- Using pre-v14.0.0 software.
-- Creating custom, Flash-based dashboards.
-- Upgrading to v14.0.0 or later.

Impact:
You will not be able to see your previously saved, customized, Flash-based dashboards after upgrading to 14.0.0 or later. This occurs because of technological and framework differences between the old Flash-based dashboard and the new HTML5-based dashboard.

Workaround:
Although there is no direct workaround, the new dashboard lets you create customized dashboard views that do migrate with upgrades.


711281-6 : nitrox_diag may run out of space on /shared

Component: Local Traffic Manager

Symptoms:
Running nitrox_diag may lose collected data if there is insufficient free space for the tar file to be created.

Conditions:
-- Running nitrox_diag.
-- Insufficient free space available on /shared.

Impact:
Might lose data required to diagnose problems with Cavium Nitrox chips.

Workaround:
The only workaround is to ensure there is enough free space for the files to be created.

In general, planning enough space for two copies of a tmm core file and two copies of a qkview works. That might require approximately one gigabyte, though more might be needed for systems with a large amount of RAM.


711249-3 : NAS-IP-Address added to RADIUS packet unexpectedly

Component: TMOS

Symptoms:
RADIUS authentication request contains NAS-IP-Address attribute with value 127.0.0.1.

Conditions:
VIPRION (single or multiblade) with no cluster member IP addresses configured.

Impact:
Authentication does not work because the request carries an invalid or unrecognized NAS-IP-Address.

Workaround:
Configure cluster member IP address or define hostname and address via global-settings remote-host.


711093-4 : PEM sessions may stay in marked_for_delete state with Gx reporting and Gy enabled

Component: Policy Enforcement Manager

Symptoms:
PEM sessions may stay in the marked-for-delete state after session deletion.

Conditions:
This occurs if Gx final usage reporting response comes before Gy delete response (CCA).

Impact:
PEM sessions remain in marked-for-delete state.

Workaround:
None.


710976-2 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a very large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


710884-2 : Portal Access might omit some valid cookies when rewriting HTTP request.

Component: Access Policy Manager

Symptoms:
Portal Access is not sending certain cookies to the backend application.

Conditions:
-- Request path and cookie path are equal.
-- The last character of request path is not a forward slash (/).

Impact:
Backend application does not receive some cookies and may decide that APM end users are not authenticated, when they are.

Workaround:
There is no workaround at this time.


710809-3 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad.


710232-1 : platform-migrate fails when LACP trunks are in use

Component: TMOS

Symptoms:
Use of the platform-migrate option might fail due to some configurations being invalid on the new system. The error message generated appears as follows:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform.

Conditions:
-- You have a trunk with LACP enabled.
-- You are migrating from a hardware platform to a Virtual Edition (VE).

Impact:
Configuration fails to migrate.

Workaround:
After taking the old system offline, but before saving the UCS, disable LACP on all trunks.


710221-1 : Ephemeral node stays Unavailable on 'standby' BIG-IP system after a forced-offline FQDN node is re-enabled

Solution Article: K67352313

Component: Local Traffic Manager

Symptoms:
In a high availability (HA) configuration, an FQDN template-node on the 'active' unit is set to 'Force Offline' and the configuration is synchronized to the 'standby' unit. When that FQDN template-node is then enabled on the 'active' unit (and the configuration is again synchronized to the 'standby' unit), the ephemeral nodes associated with that FQDN template node remain Unavailable on the 'standby' unit.

Conditions:
-- HA configuration is configured with 'active' sync.
-- FQDN template-node is configured.
-- After ephemeral nodes are refreshed on the 'active' unit, it transitions to the 'standby' unit.
-- The FQDN template node on the (new-'active') unit is set to 'Force Offline' by the user.
-- The user explicitly enables that FQDN template node on the 'active' unit.

Impact:
The ephemeral nodes on the 'standby' unit remain unavailable, even though the associated FQDN template node is 'available'. However, as no traffic is routed to the 'standby' unit, traffic is unaffected. Upon transition from 'standby' to 'active', the ephemeral nodes are refreshed and traffic should continue.

Workaround:
You can use either of these configuration options to prevent this issue from occurring:
-- Select 'Disabled' (rather than 'Force Offline') for the FQDN template node on the 'active' unit.
-- Configure the node without using FQDN.


710044-4 : Portal Access: same-origin AJAX request may fail in some cases.

Component: Access Policy Manager

Symptoms:
If the base URL for the current HTML page contains the default port number, a same-origin AJAX request from this page may fail via Portal Access.

Conditions:
- HTML page with explicit default port in base URL, for example:
  <base href='https://some.com:443/path/'>

- Same-origin AJAX request from this page, for example:
  var xhr = new XMLHttpRequest;
  xhr.open('GET', 'some.file');

Impact:
Web application may not work correctly.

Workaround:
It is possible to use an iRule to remove the default port number from the encoded back-end host in Portal Access requests, for example:

when RULE_INIT {
  # Hex-encoded form of 'https://some.com' (the back-end host as Portal Access encodes it in the path);
  # static:: variables are used instead of :: globals so the virtual server is not demoted from CMP
  set static::encoded_backend {68747470733a2f2f736f6d652e636f6d}
  # '3a343433' is the hex-encoded form of ':443'
  set static::pattern "/f5-w-${static::encoded_backend}3a343433"
  # Index of the last character of the encoded ':443' suffix
  set static::remove_end [ expr { [ string length $static::pattern ] - 1 } ]
  # The suffix is 8 characters long, so it starts 7 positions earlier
  set static::remove_start [ expr { $static::remove_end - 7 } ]
}

when HTTP_REQUEST {
  if { [HTTP::path] starts_with $static::pattern } {
    # Strip the encoded ':443' so the request matches the page's base URL origin
    set path [ string replace [HTTP::path] $static::remove_start $static::remove_end "" ]
    HTTP::path $path
  }
}


710032-2 : 'No Access' error when viewing GSLB Server's Virtual Server that has a name indicating a partition that does not exist on that bigip.

Component: Global Traffic Manager (DNS)

Symptoms:
The user gets a 'No Access' error message instead of the virtual server's properties.

Conditions:
-- At least two BIG-IP systems are in a sync group.
-- One of the BIG-IP systems has a partition that does not exist on the other, with an LTM virtual server in that partition.
-- A GSLB Server discovers that LTM virtual server and displays it on its Virtual Server page.

Impact:
The GSLB Server's virtual server properties page is unavailable in this case.

Workaround:
Use TMSH to view or edit the properties of that virtual server.


710028-1 : LTM SQL monitors may stop monitoring if multiple monitors query the same database

Component: Local Traffic Manager

Symptoms:
When using an SQL monitor to monitor the health of SQL database pool members, one of the health monitors may stop actively monitoring one or more pool members.

When this problem occurs, the following error messages may be logged in /var/log/DBDaemon-0.log:

[if debug = yes in monitor configuration]:
Using cached DB connection for connection string '<connection string>'

then multiple, periodic instances of the following message, referencing the same connection string:

Abandoning hung SQL query: '<query string>' for: '<connection string>'

or:

<connection string>(<thread-number>): Hung SQL query; abandoning

Conditions:
This may occur when all of the following conditions are met:
-- Using one of the following LTM monitors: mssql, mysql, oracle, postgresql.
-- Configuring multiple pool members for the same node (server).
-- Configuring multiple SQL monitors that query the same server and database.

And when one or both of the following conditions are met:
Either:
-- The SQL monitor is configured with a non-zero 'count' value.
Or:
-- An error occurs while querying a SQL database, such as [recorded in the DBDaemon log]:
java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.

Impact:
When this problem occurs, the affected pool members are reported down, even though the database is actually up and responding correctly to traffic.

Workaround:
When this problem occurs, successful monitoring can be temporarily restored by disabling then re-enabling monitoring of affected pool members.

To avoid one possible trigger for this issue (and thus reduce the likelihood of this issue occurring), configure the 'count' parameter in the SQL monitor configuration to a value of '0'.


709963-1 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Ensure the number of trunk interfaces is a power of 2: 2, 4, or 8.


709936-1 : Multiple NTP server/domain-searches in the DHCP lease can cause missing DNS/NTP configuration.

Solution Article: K38121141

Component: TMOS

Symptoms:
/var/log/boot.log has this error:
dhcp_config: save error: 01070911:3: The requested host (ntp-servers-ip) is invalid for servers in ntp (/Common/ntp).

Conditions:
- The BIG-IP system has DHCP enabled for management interface.
- Multiple NTP servers or domain-search are specified in the dhclient lease (stored at /var/lib/dhclient/dhclient.leases).

Impact:
- DNS and NTP servers are not configured in MCPD.
- Name resolution can break.

Workaround:
None.


709837-1 : Cookie persistence profile may be configured with invalid parameter combination.

Component: Local Traffic Manager

Symptoms:
Configuring Cookie persistence profile via TMSH or iControl REST allows invalid parameter combinations.

Conditions:
Cookie persistence profile is configured via TMSH or iControl REST. TMUI is not affected.

Impact:
Invalid parameters for any method type of a Cookie persistence profile are ignored by TMM, no functional impact.

Workaround:
Use only the allowed parameters of each method type when Cookie persistence is configured via TMSH or iControl REST.


709828-1 : fasthttp can crash with Large Receive Offload enabled

Component: Local Traffic Manager

Symptoms:
Using fasthttp with LRO enabled can lead to a tmm crash.

Conditions:
fasthttp and LRO are enabled. (LRO is enabled by default in 13.1.0 and later.)

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use fasthttp.


709610-4 : Subscriber session creation via PEM may fail due to a RADIUS-message-triggered race condition in PEM

Component: Policy Enforcement Manager

Symptoms:
Session replacement fails as a result of a race condition between multiple RADIUS Accounting Start and Stop messages for the same subscriber.

Conditions:
This occurs when the following conditions are met:
-- These SysDB variables are set as follows:
sys db tmm.pem.session.radius.retransmit.timeout {
    value "0"
}
sys db tmm.pem.session.provisioning.continuous {
    value "disable"
}

-- Actions occur in the following order:
 1. PEM receives RADIUS START with subscriber ID1 and IP1.
 2. PEM receives RADIUS STOP with subscriber ID1 and IP1.
 3. PEM receives RADIUS START with subscriber ID1 and IP2.
 4. PEM receives RADIUS STOP with subscriber ID1 and IP2.

-- The time interval between steps 1 and 2 is very small (less than ~1ms).

Impact:
Subscriber session creation via PEM may fail.

Workaround:
There is no workaround other than to leave the SysDB variables at their default values.


709559-1 : LTM v12.1.2 Upgrade fails if config contains "/Common/ssh" object name

Component: TMOS

Symptoms:
Loading the configuration fails on upgrade.

Conditions:
A profile named "/Common/ssh" must exist, and the system must be upgrading to v12.1.2.

Impact:
The system will not be functional.

Workaround:
Delete or rename "/Common/ssh".


709444-1 : "NTP not configured on device" warning seen when NTP symmetric key authentication is configured

Component: TMOS

Symptoms:
When NTP symmetric key authentication is configured, as per https://support.f5.com/csp/article/K14120, and the BIG-IP is part of a device service cluster, then a warning similar to this will be seen periodically in /var/log/ltm:

warning mcpd[6317]: 01071af0:4: NTP not configured on device 1.2.3.4 - within a trust

Conditions:
- NTP symmetric key authentication must be configured.
- The BIG-IP must be part of a device service cluster.
- Non-authenticated NTP servers must not be in-use.

Impact:
Incorrect NTP warnings are seen periodically in /var/log/ltm.

Workaround:
There is no workaround at this time.


709383-1 : DIAMETER::persist reset non-functional

Component: Service Provider

Symptoms:
When the iRule DIAMETER::persist reset is called, it is meant to remove existing persistence records from diadb. Without this bug fix, calling DIAMETER::persist reset has no effect and the persistence record remains.

Conditions:
Diameter session profile has persistence enabled and an iRule attempts to remove a persistence record.

Impact:
not provided by ENE

Workaround:
none


709192-2 : GUI/iControl SOAP - KeyManagement export_all_to_archive_file failing immediately after HTTPD restart

Component: TMOS

Symptoms:
The export operation of SSL keys and certificates into a .tgz archive file fails immediately after the httpd daemon is restarted.

Conditions:
-- Export SSL Keys and certificates into archive file.
-- httpd is restarted.

Impact:
Export of SSL Keys and certificates into archive file does not work immediately after httpd restart via GUI/iControl.

Workaround:
After httpd restarts, perform another operation, such as creating a key/cert, before exporting the archive file.


709133-1 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error might occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a double-free error can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- An error occurs when reading the certificate serial number.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than not setting the tmm.ssl.loggingcreatedcerts BigDB variable.


709132-2 : When the BigDB variable tmm.ssl.loggingcreatedcerts is set a buffer overflow can occur

Component: Local Traffic Manager

Symptoms:
When the BigDB variable tmm.ssl.loggingcreatedcerts is set, a buffer overflow can occur.

Conditions:
-- The BigDB variable tmm.ssl.loggingcreatedcerts is set.
-- Forward proxy is being used.
-- A malformed certificate with a serial number length equal to 256 bytes is parsed during forging.

Impact:
An off-by-one error causes one byte to be written past the end of an array.

Workaround:
There is no workaround other than to not set tmm.ssl.loggingcreatedcerts BigDB variable.
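The two entries above (709133-1 and 709132-2) describe defects in the path that reads a certificate serial number while logging forged forward-proxy certificates, and the second one names the classic off-by-one: a serial of exactly 256 bytes passes a length check that should have left room for a terminator. The following added example (not F5's code; the 256-byte log buffer, the function names and the DER helper are assumptions for illustration) parses the DER INTEGER that carries a serial number, rejects the non-minimal length encodings that DER forbids, and applies the bounds check the way it must be written so that a malformed serial of the boundary length is refused rather than copied.

```python
SERIAL_LOG_MAX = 256     # size of a hypothetical fixed-size log buffer (assumed)
RFC5280_SERIAL_MAX = 20  # conforming CAs must not issue longer serials


def parse_der_integer(buf):
    """Return the content octets of the DER INTEGER at the start of buf.
    Accepts short-form and long-form lengths and rejects the non-minimal
    encodings DER forbids, so a hostile certificate cannot smuggle in an
    odd length through an alternative encoding."""
    if len(buf) < 2 or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        length, offset = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("bad long-form length")
        if buf[2] == 0:
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(buf[2:2 + n], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length")
        offset = 2 + n
    if length == 0 or len(buf) < offset + length:
        raise ValueError("truncated INTEGER")
    return bytes(buf[offset:offset + length])


def serial_fits(serial, max_len=SERIAL_LOG_MAX):
    """True when the serial can be copied into a max_len-byte buffer that
    also needs room for a terminator. The defect class in the entry is a
    'len > max' test where 'len >= max' was required: a serial of exactly
    max_len bytes passed and one byte landed past the end of the array."""
    return len(serial) < max_len


def serial_for_log(der, max_len=SERIAL_LOG_MAX):
    """Hex-format a certificate serial for a log line, or refuse it."""
    serial = parse_der_integer(der)
    if not serial_fits(serial, max_len):
        raise ValueError(f"serial of {len(serial)} bytes does not fit log buffer")
    if len(serial) > RFC5280_SERIAL_MAX:
        # Not fatal for logging, but worth flagging: no conforming CA issues these.
        return "oversized:" + serial.hex()
    return serial.hex()


def der_integer(content):
    """Encode content octets as a DER INTEGER (used here to build inputs)."""
    n = len(content)
    if n < 0x80:
        return b"\x02" + bytes([n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x02" + bytes([0x80 | len(lb)]) + lb + content


if __name__ == "__main__":
    print(serial_for_log(der_integer(b"\x01\x02\x03")))
    for size in (255, 256):                       # the boundary the entry names
        try:
            serial_for_log(der_integer(b"\x7f" * size))
            print(size, "bytes: accepted")
        except ValueError as exc:
            print(size, "bytes: refused ->", exc)
```

The DER helper is there because a 256-byte serial needs a long-form length (02 82 01 00), which is exactly the input a fuzzer or a hostile origin server would hand a forward proxy; the check that matters is the strict `<` in serial_fits.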


708968-1 : OSPFv3 failure to create a route entry for IPv4-Mapped IPv6 Address

Component: TMOS

Symptoms:
Route entries for IPv4-mapped IPv6 address (::ffff:<IPv4>) are not created in TMM when passed from Dynamic Routing protocols like OSPFv3.

Conditions:
- Route entry is for IPv4-mapped IPv6 address, that is ::ffff:<IPv4>.

Impact:
- The route entry is not created in TMM; packets addressed to such a destination might not be delivered at all, or might not be delivered using the most efficient route.
- The connection between TMM and tmrouted is restarted, which is a small performance overhead.

Workaround:
- If possible, pass an IPv4 address or an IPv4-compatible IPv6 address instead of an IPv4-mapped IPv6 address; however, this depends on the other routers.


708956-3 : During system bootup, error message displays: 'Dataplane INOPERABLE - only 1 HSBes found on this platform'

Component: TMOS

Symptoms:
During system bootup, the system occasionally posts the following error message and the system does not come up:
 Dataplane INOPERABLE - only 1 HSBes found on this platform.

Conditions:
This occurs occasionally at system bootup.
-- Using the following platforms:
i4600, i4800, i10600, i10800, i2600, i2800, i7600, i7800, i5600, i5800, i15600, i15800, i12600, i12800, HERCULON i2800, HERCULON i5800, HERCULON i10800, i11600, i11800, i11800-DS, i5820-DF, i7820-DF.

Impact:
System does not come up.

Workaround:
Reboot system.

Because this condition only happens occasionally, rebooting typically corrects the issue.


708484-1 : Network Map might take a long time to load

Component: TMOS

Symptoms:
Network Map loading time is directly proportional to the number of profiles/policies associated with a virtual server. When there are a significant number, Network Map might take many tens of seconds to load; when there are fewer associated profiles/policies, loading time is shorter.

For example, consider a configuration that contains virtual servers with a large number of associated profiles/policies.

In the following example config, the virtual server has two associated profiles. The time to load the Network Map page increases with each additional profile/policy.

# tmsh list ltm virtual vs
ltm virtual vs {
    creation-time 2018-03-06:18:27:53
    destination 0.0.0.0:any
    ip-protocol tcp
    last-modified-time 2018-03-06:18:27:53
    mask any
    profiles {
        myhttp { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        socks-tunnel
    }
    vs-index 5
}

Conditions:
-- Navigate to Local Traffic :: Network Map in the BIG-IP Configuration Utility.

-- The configuration contains a significantly large number of profiles/policies associated with the virtual server.

Impact:
It takes tens of seconds to load the Network Map page.

Workaround:
None.


708415-3 : Interface Flow Control Status does not update when using copper SFPs and Link Partner Flow Control is disabled

Component: TMOS

Symptoms:
When setting the flow control value of an interface with a copper SFP to any value other than 'none' and the link partner has flow control disabled on their end, the interface stats will not reflect the configured flow control setting. This is because the interface stats reflect the negotiated link state rather than the advertised capabilities.

Conditions:
-- BIG-IP device is using copper SFPs.
-- Flow control is enabled on an interface.
-- That interface is connected to another device where flow control has not been enabled.

For example, an administrator might perform the following on a BIG-IP system with a copper SFP on interface 1.1:

# modify net interface 1.1 flow-control tx-rx

# show net interface 1.1 all-properties

Under the 'Flow Ctrl' column of the interface properties, the value will indicate 'none' even though the interface was configured to enable transmit and receive flow control. This is because the column does not indicate the advertised capabilities but rather the negotiated property of the link.

Impact:
There is no functional impact, as flow control cannot be performed until both link partners agree to support it.

Workaround:
Flow control must be enabled on the remote device and the link must be re-negotiated, in order for the flow control configuration to take effect and be reflected in the interface properties of the link.


708249-1 : nitrox_diag utility generates QKView files with 5 MB maximum file size limit

Component: Local Traffic Manager

Symptoms:
When nitrox_diag generates a QKView file, the utility does not use the -s0 flag for the qkview command. That means there is a 5 MB file-size limit for the resulting QKView file nitrox_diag generates.

Conditions:
Run the nitrox_diag command.

Impact:
QKView files generated in response to running the nitrox_diag command might not contain all necessary information, for example, the result might contain truncated log files.

Workaround:
After running nitrox_diag, run the following command to generate a complete QKView file: qkview -s0


708068-1 : Tcl commands like "HTTP::path -normalize" do not return normalized path.

Component: Local Traffic Manager

Symptoms:
When using HTTP::path with the -normalize parameter:

"%2E%2E" is converted to ".." (expected)
"/foo/../bar" is converted to "/bar" (expected)
"/foo/%2E%2E/bar" is converted to "/foo/../bar" (unexpected)

Conditions:
The Tcl command HTTP::path -normalize does not return the normalized path as expected.

Impact:
Unexpected result.

Workaround:
There is no workaround.
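The three observations in this entry are consistent with dot-segments being collapsed before %2E is decoded, so an encoded ".." survives normalization and any iRule that compares the "normalized" path against a prefix sees a different string than the origin server will. The following added example (not F5's code; the function names are assumptions) implements the expected order, decoding the unreserved %2E first and then applying RFC 3986 remove_dot_segments, next to a reconstruction of the reported ordering so the difference is visible on the entry's own inputs.

```python
import re

# A percent-encoded '.' is an unreserved character under RFC 3986, so it is
# safe to decode before dot-segment removal. Reserved ones such as %2F are
# deliberately left alone so decoding can never create a new segment boundary.
_PCT_DOT = re.compile(r"%2[eE]")


def decode_unreserved_dots(path):
    return _PCT_DOT.sub(".", path)


def remove_dot_segments(path):
    """Collapse '.' and '..' segments of an absolute path (RFC 3986, 5.2.4).
    '..' never climbs above the root, and a trailing '.' or '..' keeps the
    trailing slash, which is what an origin server would see."""
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    segments = path.split("/")      # segments[0] == "" stands for the root
    output = [""]
    for seg in segments[1:]:
        if seg == "..":
            if len(output) > 1:     # never pop the root marker
                output.pop()
        elif seg != ".":
            output.append(seg)
    if segments[-1] in (".", ".."):
        output.append("")           # keep the trailing slash
    return "/".join(output)


def normalize_path(path):
    """Expected behaviour: decode %2E first, then remove dot-segments, so an
    encoded '..' is collapsed exactly like a literal one."""
    return remove_dot_segments(decode_unreserved_dots(path))


def normalize_path_buggy(path):
    """One ordering that reproduces all three observations in the entry
    (dot-segments removed before %2E is decoded). This is an assumed
    reconstruction for illustration, not F5's implementation."""
    return decode_unreserved_dots(remove_dot_segments(path))


if __name__ == "__main__":
    for p in ("/foo/../bar", "/foo/%2E%2E/bar", "/foo/./bar/%2e%2E/baz"):
        print(f"{p:26} -> {normalize_path(p):10} (reported: {normalize_path_buggy(p)})")
```

Until the fix is available, any policy decision that depends on the path should be taken on the output of a normalization like normalize_path rather than on the value the command returns.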


708063 : In older RAID BIG-IP systems, storage provisioning is not possible when a drive is missing.

Component: TMOS

Symptoms:
Any task requiring modification of application storage volumes does not succeed. This includes re-provisioning, which occurs automatically during software upgrades.

Conditions:
-- When a drive is not present in a drive bay on the following platforms:

  + BIG-IP 6900
  + BIG-IP 8900
  + BIG-IP 10000
  + BIG-IP 11050

-- An application that requires storage volumes is provisioned, such as ASM.

Impact:
Tasks requiring modification of application storage volumes, such as software upgrades or re-provisioning, fail.

Workaround:
Check RAID status before software upgrades or re-provisioning. Address any degraded RAID issues, such as a missing drive, before upgrades and/or re-provisioning.


707961-1 : Unable to add policy to virtual server; error = Failed to compile the combined policies

Component: Local Traffic Manager

Symptoms:
LTM policy does not compile if it has more than one similar condition, and some of them refer to datagroup and others to non-datagroup types. The policy compiles if similar conditions all refer to datagroups or to non-datagroups.

Conditions:
-- LTM policy that has more than one similar condition.
-- Some conditions refer to datagroup types.
-- Some conditions refer to non-datagroup types.

Impact:
LTM policy does not compile. Cannot use the policy.

Workaround:
Create a datagroup for the non-datagroup type and use it in policy instead.


707953-3 : Users cannot distinguish between full APM and APM Lite License when looking at the provisioning page

Component: Access Policy Manager

Symptoms:
APM and APM Lite licenses are not distinguishable from the Provisioning UI: they both show as Licensed, but APM Lite only includes licenses for 10 sessions.

Conditions:
Viewing APM and APM Lite licenses in the GUI.

Impact:
Cannot distinguish the difference in types of licenses.

Workaround:
Check license file and verify what type of apm license is enabled: mod_apm (Full APM) or mod_apml (APM Lite).


707951-3 : Stalled mirrored flows on HA next-active when OneConnect is used.

Component: Local Traffic Manager

Symptoms:
-- 'tmctl -d blade tmm/umem_usage_stat | grep xdata' may show increased memory usage.
-- 'tmsh show sys connect' shows idle flows.

Conditions:
- OneConnect profile is configured.
- High availability (HA) mirroring is enabled.

Impact:
- Some flows are mirrored incorrectly.
- Stalled flows may occupy a lot of memory.

Workaround:
Disable OneConnect.


707740-5 : Fixed issue preventing GTM Monitors from being deleted when used on multiple Virtual Servers with the same ip:port combination

Component: TMOS

Symptoms:
The user would get "monitor is in use" when attempting to delete a GTM Monitor, even after removing that monitor from all GTM Virtual Servers.

Conditions:
Attach a GTM monitor to multiple GTM virtual servers in the same transaction, where both of the virtual servers are monitoring the same ip:port.

Impact:
The user is never able to delete the unused GTM monitor.

Workaround:
There is no workaround at this time.


707691-5 : BIG-IP handles some pathmtu messages incorrectly

Component: Local Traffic Manager

Symptoms:
FastL4 virtual servers incorrectly handle some pathmtu messages, such as ICMPv4 unreachable/fragmentation needed and ICMPv6 packet too big.

Conditions:
This occurs when the following conditions are true:
-- The client sends a window scaling factor greater than 0 (zero).
-- The server sends a window scaling factor equal to 0 (zero).
-- The pmtu message is within the window, but does not reflect the exact expected sequence number. The delta is bigger than the advertised window scaled at a factor of 0 (zero).

Impact:
pmtu message is erroneously ignored.

Workaround:
There is no workaround at this time.


707631-3 : The 'SYN Challenge Handling' setting of a TCP profile can revert to defaults when updating the profile using the GUI

Component: TMOS

Symptoms:
The 'SYN Challenge Handling' setting of a TCP profile can be reverted to defaults when a TCP profile is updated using the BIG-IP management GUI.

Conditions:
The SYN Challenge Handling settings of a TCP profile have previously been set to non-default values, and a configuration change is later made to the same TCP profile using the GUI.

Impact:
Loss of TCP profile SYN Challenge Handling configuration settings.

Workaround:
In the GUI, specifically set the SYN Challenge Handling fields after making an update to other TCP profile fields, or use tmsh to make the changes instead.

SYN Challenge Handling: GUI setting and the equivalent tmsh profile values

GUI Setting: Nominal
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist disabled

GUI Setting: Challenge and Remember
TMSH:
    syn-cookie-enable enabled
    syn-cookie-whitelist enabled

GUI Setting: Disable Challenges
TMSH:
    syn-cookie-enable disabled
    syn-cookie-whitelist disabled


707585-2 : Use native driver for 82599 NICs instead of UNIC

Component: TMOS

Symptoms:
-- Lower performance in TPS.
-- Increased CPU consumption for throughput.

Conditions:
-- Running BIG-IP Virtual Edition (VE) (UNIC is the default Virtual Function Network Driver for VE).
-- High data rates, perhaps particularly when connection mirroring is configured.

Impact:
Lower TPS performance numbers and higher CPU usage in throughput tests.

Workaround:
When using UNIC, allocate extra CPUs to handle SoftIRQs for higher performance.


707445-4 : Nitrox 3 compression hangs/unable to recover

Solution Article: K47025244

Component: TMOS

Symptoms:
LTM logs show the following message:

    Nitrox 3, Hang Detected: compression device was reset

When the error manifests, there will be three error messages sent to the log over a period of several seconds. The device is then considered unrecoverable and marked down, and will no longer accept compression requests.

Conditions:
This applies only to vCMP guests. Some compression requests can stall the device after a bad compression request is made.

Note: Traffic volume and concurrence, along with the type of error have to occur together in order to result in this issue, so the issue is not easily reproduced.

Impact:
Once the device is marked down, compression will be sent to the software compression provider, until tmm on the device is restarted. This can cause local CPU utilization to climb.

Workaround:
There is no complete workaround without a software fix. However, compression will always default to the software compression provider when hardware cannot be recovered.

There are three recovery options available if the TMM-internal reset fails to recover the compression device automatically. These should be employed in this order:

A. Restart tmm using the command: bigstart restart tmm.
B. Restart the vCMP guest.
C. Restart the host (which restarts all guests).

Note: Because of the traffic volume, timing, and error type that cause this condition, this error might recur. This issue appears to be caused by a particular compression request. So regardless of the recovery method you execute, the problem may recur in a short time, or months later.


707391-1 : BGP may keep announcing routes after disabling route health injection

Component: TMOS

Symptoms:
As a result of a known issue, a BIG-IP system with BGP configured may continue to announce routes even after the virtual address is disabled or route announcement is disabled on the virtual address.

Conditions:
BGP configured with multiple routes announced via Virtual-address route announcements.
Configuration changes made on the BGP configuration itself.
Virtual address or its route health announcement disabled.

Impact:
Prefixes continue to exist in the BGP table even after the virtual address is disabled (visible via imish with the "show ip bgp" command), and the prefix continues to be announced to configured peers.

Workaround:
Restart the dynamic routing process.


707267-2 : REST Framework HTTP header limit size increased to 8 KB

Component: TMOS

Symptoms:
The HTTP header size limit causes 'Error getting auth token from login provider' GUI messages.

Conditions:
A client uses HTTP headers larger than 4 KB to make a request to the REST framework.

Impact:
Users will not be able to log in or access certain pages in the UI.

Workaround:
Clear browser cookies, or otherwise reduce the size of the HTTP headers, so that the total size of the HTTP headers is smaller than 4 KB.


707100-1 : Potentially fail to create user in AzureStack

Component: TMOS

Symptoms:
Using Microsoft Azure Stack on the BIG-IP Virtual Edition (VE) configured with password authentication, the system sometimes fails to create the provided user, which means that the VE admin cannot ssh in after deployment. Note that an unexpected reboot causes this to occur during provisioning, and that Microsoft might have already fixed this issue.

Conditions:
Azure Stack VE provisioned with password authentication.

Impact:
Admin loses provisioned VE instance because there is no way to ssh in.

Workaround:
Deploy VE with key authentication.


707054-2 : SYN Cookie MSS for Fast L4 Profiles is limited to 256-9162

Component: Advanced Firewall Manager

Symptoms:
User cannot configure SYN Cookie MSS values for Fast L4 Profiles outside of 256-9162.

Conditions:
While SYN cookies are active, the SYN Cookie MSS value is set to less than 256.

Impact:
While SYN cookies are active, a server-side MSS lower than the SYN Cookie MSS lower limit cannot be honored on the client side. As a result, the server side discards data segments that are larger than the SYN Cookie MSS lower limit.


706797-2 : Portal Access: some multibyte characters in JavaScript code may not be handled correctly

Component: Access Policy Manager

Symptoms:
If JavaScript code contains a multi-byte character whose last byte is 0x0A after conversion to UTF-32 form, the Portal Access server-side JavaScript parser handles that character as a NEW LINE. If a NEW LINE is not valid at that position, the JavaScript code cannot be parsed.

Conditions:
JavaScript code contains a multi-byte character whose last byte is 0x0A after conversion to UTF-32 form, for example:

  //上 aa bb

上 is U+4E0A, which is 4E 0A in UTF-32 form, so this line is processed as the following TWO lines:

  //
  aa bb

The second line is not valid JavaScript code.

Impact:
Web application may not work correctly.

Workaround:
There is no workaround at this time.
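The defect described above is a byte-level comparison applied to a code-point encoding: testing one byte of a UTF-32 code unit for 0x0A matches U+000A, but also U+4E0A (上), U+010A (Ċ), U+1F60A and every other code point whose low byte is 0x0A. The following added example (not F5's code, and not the Portal Access parser; the function names are assumptions) reproduces the mis-split on the entry's own input, shows the correct whole-code-point comparison, and provides an audit helper that lists the characters in a JavaScript file that would trip the bug, which is the only practical check while no workaround exists.

```python
NEWLINE = 0x0A


def split_lines_buggy(source):
    """Models the reported behaviour: a character is taken as a line break
    when the low byte of its UTF-32 code point is 0x0A (assumed reconstruction
    of the symptom, not the Portal Access parser itself)."""
    lines, current = [], []
    for ch in source:
        if ord(ch) & 0xFF == NEWLINE:
            lines.append("".join(current))
            current = []
        else:
            current.append(ch)
    lines.append("".join(current))
    return lines


def split_lines(source):
    """Correct: compare the whole code point, so only U+000A is a line break."""
    lines, current = [], []
    for ch in source:
        if ord(ch) == NEWLINE:
            lines.append("".join(current))
            current = []
        else:
            current.append(ch)
    lines.append("".join(current))
    return lines


def risky_chars(source):
    """Audit helper for JavaScript that Portal Access will rewrite: every
    non-ASCII character whose UTF-32 low byte is 0x0A, reported as
    (line, column, char, code point)."""
    hits = []
    for lineno, line in enumerate(split_lines(source), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if cp > 0x7F and cp & 0xFF == NEWLINE:
                hits.append((lineno, col, ch, f"U+{cp:04X}"))
    return hits


if __name__ == "__main__":
    js = "var x = 1;\n//上 aa bb"
    print("上 in UTF-32BE:", "上".encode("utf-32-be").hex())   # 00004e0a
    print("buggy  :", split_lines_buggy(js))
    print("correct:", split_lines(js))
    print("risky  :", risky_chars(js))
```

Running risky_chars over the JavaScript served by an affected web application tells you which files (and which comments or string literals) need the character moved or escaped before Portal Access rewrites them.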


706688-2 : Automatically add additional certificates to BIG-IP system in C2S and IC environments

Component: TMOS

Symptoms:
In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and an endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The failover and autoscale features use AWS CLI commands, and those commands need $AWS_CA_BUNDLE pointing to the location of the certificate files, plus the endpoint URL. These must be configured manually.

Conditions:
-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov.

-- The BIG-IP system is configured to do failover or autoscale in those environments.

Impact:
Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.

Workaround:
None.


706642-1 : wamd may leak memory during configuration changes and cluster events

Component: WebAccelerator

Symptoms:
wamd memory consumption increases over time.

Conditions:
-- AAM is provisioned so wamd is running.
-- User-initiated configuration change and/or other internal configuration or cluster events.

Impact:
wamd grows slowly over time, eventually crashing due to lack of memory. Temporary outage of services provided by wamd such as PDF linearization, invalidation, etc.

Workaround:
No workaround available.


706505-3 : iRule table lookup command may crash tmm when used in FLOW_INIT

Component: Local Traffic Manager

Symptoms:
iRule table lookup command may crash tmm when used in FLOW_INIT.

Conditions:
iRule table lookup command is used in FLOW_INIT.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use table lookup in the events after the flow is constructed.


706423-3 : tmm may restart if an IKEv2 child SA expires during an async encryption or decryption

Component: TMOS

Symptoms:
TMM may discard an existing child SA via a timer at the moment it is in use for encryption or decryption. Separately, an error that aborts negotiation can leave multiple timers associated with one child SA, and those timers conflict with one another.

Conditions:
Errors in the IPsec configuration that cause negotiation to fail can occur while a child SA is in a state that does not manage timers correctly.

A configuration with a short SA lifetime, which causes frequent re-keying, increases the chance of hitting the race condition in which an expiry occurs during active use in crypto.

Impact:
TMM restarts, disrupting traffic and causing HA failover.

Workaround:
Ensure that the IPsec IKEv2 configuration in the IPsec policy is correct (the same) on both IPsec peers. Also, ensure SA lifetime has longer duration, instead of merely seconds. (The default is one day.)


706374-5 : Heavy use of APM Kerberos SSO can sometimes lead to memory corruption

Component: Access Policy Manager

Symptoms:
Kerberos SSO under high load can sometimes lead to system instability.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
This might result in unpredictable behavior such as memory corruption or core. However, the occurrence is rare since it only impacts concurrent DNS SRV requests to resolve different KDCs.

Workaround:
There is no workaround.


706102-1 : SMTP monitor does not handle all multi-line banner use cases

Component: Local Traffic Manager

Symptoms:
An SMTP monitor does not handle all multi-line banner use cases, such as when the banner is physically split across two packets. This issue is due to attempting to parse the banner value from the first packet without a portion of the banner value that may arrive in a second packet.

Conditions:
An SMTP monitor is configured, the server uses a multi-line banner, and the banner is split across two physical packets.

Impact:
The SMTP monitor sends an RST after the first packet, and marks the resource down.

Workaround:
Use an SMTP monitor with a single-line banner. Or, rather than using an SMTP monitor, instead use a TCP monitor with send/recv strings.


705803 : Internet Explorer does not offer F5 VPN or F5 EPI for installation when UAC is disabled

Component: Access Policy Manager

Symptoms:
When an APM end user first tries to open Network Access resources from the webtop, or to pass Endpoint Inspection from a Microsoft Windows system with User Account Control (UAC) disabled, Internet Explorer 11 does not offer F5 VPN or F5 EPI for installation. Instead, it assumes that F5 VPN/F5 EPI is already installed.

Conditions:
-- Windows 7.
-- UAC is disabled.
-- F5 VPN/F5 EPI is not installed on the system.

Impact:
The APM end user has to click a 'download' link instead of having F5 VPN/F5 EPI automatically download.

Workaround:
Click the 'Download' link manually and install F5 VPN/F5 EPI.


705651-2 : Async transaction may ignore polling requests

Component: TMOS

Symptoms:
Querying for the status of an asynchronous transaction by making a GET request may cause the query to block. The transaction will complete, even though the query may return an error status (400) to indicate that the GET request timed out.

Conditions:
A typical asynchronous transaction that returns a 202 status to indicate that you successfully created a transaction.

Impact:
The query returns an error.

Workaround:
To avoid having the query request block, refrain from querying the transaction for status.


705037-1 : System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart

Solution Article: K32332000

Component: TMOS

Symptoms:
It is possible for the BIG-IP system to present duplicate if_index statistics of network objects, either viewed internally or polled via SNMP.

Conditions:
-- High availability (HA) configuration.
-- Tunnels configured.
-- If dynamic routing is configured, additional impact may be noted.

Impact:
-- Unreliable or confusing statistics via SNMP polling.

-- If dynamic routing is also configured, possible nsm daemon restart, which may lead to loss of dynamic routes.

Workaround:
None.


704804-4 : The NAS-IP-Address in RADIUS remote authentication is unexpectedly set to the loopback address

Component: TMOS

Symptoms:
The NAS-IP-Address in RADIUS remote authentication requests is set to the loopback address, not the management IP.

Conditions:
This applies to remote authentication for the control plane, not APM.

Impact:
Login may be impacted.

Workaround:
There is no workaround at this time.


704764-1 : SASP monitor marks members down with non-default route domains

Component: Local Traffic Manager

Symptoms:
The LTM SASP monitor marks down pool members whose addresses include non-default route domains.

Conditions:
1. Using the SASP health monitor to monitor a pool or pool member.
2. The address of the pool member includes a non-default route domain, such as:

ltm pool rd_test {
    members {
        test_1:http {
            address 12.34.56.78%99
        }
    }
    monitor my_sasp
}

Impact:
Pool members with non-default route domains will never be marked up by the SASP monitor.

Workaround:
Do not specify non-default route domains in the addresses of pool members monitored by the SASP health monitor.

The SASP protocol does not support the use of route domains in member addresses. Thus, the SASP GWM (Global Workload Manager) will ignore route domain information included in the member addresses when registered by the SASP monitor in BIG-IP, and will report the status of members using addresses without route domains.

Therefore, even with a fixed version of the SASP monitor, BIG-IP LTM administrators must avoid configuring, for monitoring by the SASP monitor, multiple pool members whose addresses differ only in their route domain. In the case of such a configuration error, the status of the member reported by the SASP GWM may not accurately reflect the status of one or more of the pool members with matching IP addresses.


704733-3 : NAS-IP-Address will be sent with the bytes backwards

Component: TMOS

Symptoms:
The NAS-IP-Address will have the address of the local device sent with the bytes backwards (78.56.30.172 where 172.30.56.78 would be expected).

Conditions:
This affects IPv4 addresses only.

Impact:
The server may be configured to check the NAS-IP-Address before allowing logins, in which case it would fail.

Workaround:
There is no workaround at this time.
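Entries 704804-4 and 704733-3 describe two different ways the NAS-IP-Address attribute in a control-plane RADIUS request can be wrong: it carries the loopback address, or it carries the right address with the octets reversed (78.56.30.172 for 172.30.56.78). Both matter on the RADIUS server, which may be configured to accept requests only from a known NAS address. The following added example (not F5's code; the attribute layout is RFC 2865, the helper names and the zeroed authenticator are assumptions for illustration) builds a constructed Access-Request, shows the correct network-byte-order encoding next to the reversed one, and runs a server-side check that tells the two symptoms apart.

```python
import socket
import struct

NAS_IP_ADDRESS = 4   # RADIUS attribute type (RFC 2865, section 5.4)
USER_NAME = 1


def encode_nas_ip(ip):
    """Correct encoding: Type=4, Length=6, four octets in network byte order."""
    return bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(ip)


def encode_nas_ip_reversed(ip):
    """Models the reported defect: the four octets emitted back to front, so
    172.30.56.78 arrives as 78.56.30.172 (assumed reconstruction)."""
    return bytes([NAS_IP_ADDRESS, 6]) + socket.inet_aton(ip)[::-1]


def build_access_request(nas_attr, ident=1):
    """Constructed Access-Request: code 1, identifier, length, a zeroed
    authenticator (a real request carries 16 random bytes), then attributes."""
    attrs = nas_attr + bytes([USER_NAME, 7]) + b"admin"
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


def parse_attributes(payload):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, i = [], 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def check_nas_ip(packet, expected_nas_ip):
    """Server-side sanity check on what the client actually sent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    values = [v for t, v in parse_attributes(packet[20:]) if t == NAS_IP_ADDRESS]
    if not values:
        return "missing"
    raw = values[0]
    if len(raw) != 4:
        return "malformed"
    seen = socket.inet_ntoa(raw)
    if seen == expected_nas_ip:
        return "ok"
    if raw[0] == 127:
        return "loopback"                # the symptom of issue 704804-4
    if socket.inet_ntoa(raw[::-1]) == expected_nas_ip:
        return "byte-reversed"           # the symptom of issue 704733-3
    return "unexpected:" + seen


if __name__ == "__main__":
    mgmt_ip = "172.30.56.78"             # constructed management address
    for label, attr in (("correct", encode_nas_ip(mgmt_ip)),
                        ("reversed", encode_nas_ip_reversed(mgmt_ip)),
                        ("loopback", encode_nas_ip("127.0.0.1"))):
        pkt = build_access_request(attr)
        print(f"{label:9} NAS-IP-Address bytes {attr[2:].hex()} -> {check_nas_ip(pkt, mgmt_ip)}")
```

A packet capture of the RADIUS exchange on UDP port 1812 fed to check_nas_ip gives the same verdict as the RADIUS server's own NAS match, which is the quickest way to confirm which of the two issues a failing login is hitting.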


704643-2 : Backslashes preceding a forward slash are mistakenly doubled in regular expression within Signature rule

Component: Application Security Manager

Symptoms:
When adding or modifying a user-defined Attack Signature in Simple Edit Mode, backslashes preceding a forward slash are mistakenly doubled in regular expression keywords within the Signature.

Conditions:
-- Add or modify a user-defined Attack Signature with a regular expression keyword containing an escaped forward slash in Simple Edit Mode.

Impact:
The backslash escaping the forward slash is doubled, which changes the enforced signature rule.

Workaround:
Create or modify the Signature rule using Advanced Edit Mode.


704587-3 : Authentication with UTF-8 chars in password fails for ActiveSync users

Solution Article: K15450552

Component: Access Policy Manager

Symptoms:
ActiveSync end users cannot log in to the server.

Conditions:
-- ActiveSync end users.
-- UTF-8 characters in the password.

Impact:
ActiveSync service will be unavailable.

Workaround:
Put a Variable Assign agent after Logon Page with following assignment:

(check the secure checkbox)
session.logon.last.password = set pass [mcget -secure session.logon.last.password]; binary scan $pass c* chars; set newpass ""; foreach {ch} $chars { append newpass [format %c [expr $ch & 0xFF]] }; return $newpass


704524-5 : [Kerberos SSO] Support for EDNS for kerberos DNS SRV queries

Component: Access Policy Manager

Symptoms:
Kerberos DNS SRV requests do not contain EDNS headers. Without this header, the DNS server truncates UDP responses larger than 512 bytes, causing the DNS request to be re-sent over TCP. This results in unnecessary round trips to resolve DNS SRV queries.

Conditions:
APM users using Kerberos SSO to access backend resources.

Impact:
Increased latency of HTTP request processing. If the number of APM users is large, then this issue is magnified.

Workaround:
There is no workaround at this time.


704450-4 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.


704449-1 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Halt orphaned tmsh processes.
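As an added example (not part of this document or of any F5 tool), the following script automates the check described above: it parses the output of /bin/ps -o pid,ppid,comm -C tmsh and reports tmsh processes whose parent is init (PPID 1). SAMPLE_PS_OUTPUT is constructed sample output in the same shape; scan_live_system runs the real ps command and is only meaningful on a BIG-IP system.

```python
import subprocess
from typing import List, Tuple

# Constructed sample in the same shape as `/bin/ps -o pid,ppid,comm -C tmsh` output.
SAMPLE_PS_OUTPUT = """\
  PID  PPID COMMAND
 8255     1 tmsh
 9102  9100 tmsh
 9311     1 tmsh
"""


def parse_ps(output: str) -> List[Tuple[int, int, str]]:
    """Turn ps output into (pid, ppid, command) tuples, skipping the header line."""
    rows = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        rows.append((int(parts[0]), int(parts[1]), parts[2]))
    return rows


def orphaned_tmsh(output: str) -> List[int]:
    """PIDs of tmsh processes that have been reparented to init (PPID 1)."""
    return [pid for pid, ppid, comm in parse_ps(output)
            if comm == "tmsh" and ppid == 1]


def scan_live_system() -> List[int]:
    """Run the ps command from the issue text and return orphaned tmsh PIDs.
    ps exits non-zero when no tmsh process exists, so the exit status is ignored
    and only stdout is parsed."""
    proc = subprocess.run(["/bin/ps", "-o", "pid,ppid,comm", "-C", "tmsh"],
                          capture_output=True, text=True)
    return orphaned_tmsh(proc.stdout)


if __name__ == "__main__":
    print("orphaned tmsh PIDs in sample:", orphaned_tmsh(SAMPLE_PS_OUTPUT))
```

A PPID of 1 identifies the orphans described in the issue, but a tmsh session deliberately detached with nohup or setsid would look the same, so a periodic cleanup job should also consider process age before halting anything.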


704381-6 : SSL/TLS handshake failures and terminations are logged at too low a level

Component: Local Traffic Manager

Symptoms:
SSL/TLS handshake failures and terminations are being logged at too low a level (INFO).

Conditions:
-- SSL/TLS connections are received or sent.
-- Handshake failures are logged.

Impact:
Sometimes other errors are produced whose cause is an SSL/TLS handshake failure, but this failure is not being logged.

Workaround:
There is no workaround.


704336-5 : Updating 3rd party device cert not copied correctly to trusted certificate store

Component: TMOS

Symptoms:
When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Conditions:
Updating a Device Certificate that also includes multiple intermediate and root certificates.

Impact:
The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Workaround:
Manually copy/append the missing intermediate and root certificates to /config/big3d/client.crt and /config/gtm/server.crt.


704247-1 : BIG-IP software may fail to install if multiple copies of the same image are present and have been deleted

Component: TMOS

Symptoms:
BIG-IP .iso images may fail to install if multiple copies of the same image are present and have been deleted.

Conditions:
-- Have multiple copies of the same image .iso in the /shared directory on a BIG-IP system.
-- Delete one of them.

Impact:
Installation attempt of the remaining image(s) might fail.

Workaround:
Restart the lind process, so the installation can continue.


703984-8 : Machine Cert agent improperly matches hostname with CN and SAN

Component: Access Policy Manager

Symptoms:
The machine certificate agent treats the configured host name as matching the actual host name whenever the configured name is a prefix of the actual host name.

Conditions:
MacOS APM client.

Impact:
Hostname match may be incorrect in these cases.

Workaround:
There is no workaround at this time.
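The following is an added example, not code from the APM client or from this document, that contrasts the prefix comparison described in this issue with an exact host name comparison, and adds a whole-label check of a host name against certificate CN/SAN names in the style of RFC 6125 (wildcard allowed only as the complete leftmost label, matching exactly one label). The host and certificate names used are constructed sample values.

```python
from typing import Iterable


def flawed_hostname_match(configured: str, actual: str) -> bool:
    """Models the behaviour in the issue: the configured name is accepted whenever
    it is a prefix of the actual host name, so 'build' matches 'build-server-01'."""
    return actual.lower().startswith(configured.lower())


def strict_hostname_match(configured: str, actual: str) -> bool:
    """Exact, case-insensitive comparison of whole host names; a trailing dot is
    ignored so 'host1.example.com.' and 'host1.example.com' compare equal."""
    return configured.lower().rstrip(".") == actual.lower().rstrip(".")


def cert_name_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """Check a host name against the CN/SAN dNSName values of a certificate,
    label by label. A wildcard is only honoured as the entire leftmost label of
    a name with at least two further labels, and it matches exactly one label,
    so '*.example.com' matches 'host1.example.com' but not 'a.b.example.com'."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


if __name__ == "__main__":
    print("prefix match :", flawed_hostname_match("build", "build-server-01"))
    print("strict match :", strict_hostname_match("build", "build-server-01"))
    print("cert match   :", cert_name_matches(["*.example.com"], "host1.example.com"))
```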


703669-1 : Eventd restarts on NULL pointer access

Component: TMOS

Symptoms:
The loop that reads /config/eventd.xml to load configuration data processes data in 1024-byte chunks. If the size of the file is a multiple of 1024 bytes, the end of file condition that terminates the file read does not occur until the subsequent read. The subsequent read returns zero (0) bytes and passes an empty buffer to the parser, which causes eventd to restart repeatedly.

Conditions:
The length of the file /config/eventd.xml is a multiple of 1024 bytes.

Impact:
Causes eventd to crash.

Workaround:
To work around the problem, insert whitespace in /config/eventd.xml to pad the file to a size that is not a multiple of 1024 bytes.
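The following is an added example, not eventd's code, that reproduces the read-loop defect described above in miniature: a loop that hands every chunk to the parser before checking for end of file, a corrected loop that checks for a zero-length read first, and the padding workaround. CHUNK is the 1024-byte read size given in the issue; the byte strings are constructed sample input.

```python
import io

CHUNK = 1024  # read size described in the issue


def read_chunks_buggy(data: bytes):
    """Model the read loop described for eventd: each chunk is handed to the
    parser before the end-of-file condition is evaluated. When len(data) is an
    exact multiple of CHUNK, the last full chunk does not end the loop, the next
    read returns b"" and that empty buffer is passed on to the parser."""
    stream = io.BytesIO(data)
    handed_to_parser = []
    while True:
        buf = stream.read(CHUNK)
        handed_to_parser.append(buf)  # defect: appended even when buf is empty
        if len(buf) < CHUNK:          # a short read is used as the EOF signal
            break
    return handed_to_parser


def read_chunks_fixed(data: bytes):
    """Same loop with EOF checked first, so the parser never sees an empty buffer."""
    stream = io.BytesIO(data)
    handed_to_parser = []
    while True:
        buf = stream.read(CHUNK)
        if not buf:                   # zero-length read means EOF: stop here
            break
        handed_to_parser.append(buf)
    return handed_to_parser


def triggers_bug(size: int) -> bool:
    """True when a file of this size makes the buggy loop pass an empty buffer."""
    return size % CHUNK == 0


def pad_to_safe_size(data: bytes) -> bytes:
    """The documented workaround: append whitespace so the file size is no longer
    a multiple of CHUNK. A single newline is enough."""
    return data + b"\n" if triggers_bug(len(data)) else data


if __name__ == "__main__":
    for size in (2048, 2049):
        print(size, "bytes -> buggy loop passes empty buffer:",
              b"" in read_chunks_buggy(b"x" * size))
```

Before editing /config/eventd.xml, `stat -c %s /config/eventd.xml` shows whether the current size is a multiple of 1024; after padding, re-check the size so that a later edit does not land on another multiple.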


703509-3 : Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled

Component: TMOS

Symptoms:
Non-admin user is unable to run save /sys config in tmsh if the admin user is disabled.

...notice tmsh[32418]: 01420003:5: Cannot load user credentials for user "admin" Current session has been terminated.
...notice tmsh[32418]: 01420003:5: The current session has been terminated.
...err tmsh[32417]: 01420006:3: Project-Id-Version: f5_tmsh 9.7.0 POT-Creation-Date: 2008-05-13 16:18-0700 PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE Last-Translator: F5 Networks <support@f5.com> Language-Team: LANGUAGE <en@li.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit
...err tmsh[32415]: 01420006:3: UCS saving process failed.

Conditions:
The default admin account is disabled, using an alternate user that has the administrator role.

Impact:
User is unable to save the configuration.

Workaround:
A user with the administrator role can save the config.
The root user can save the config.


703225-1 : DoS Visibility does not support display of more than 500 attacks and/or virtual servers

Component: Application Visibility and Reporting

Symptoms:
If there are more than 500 Attacks or Virtual Servers in the system at a given time, DoS Visibility is unable to consistently show all relevant data. The reasons are both technical and due to performance considerations.

This applies to the attacks chart and table, and the virtuals table in the center of the dashboard page. This does not apply to the dimension widgets on the right side.

Conditions:
More than 500 Virtual Servers exist, and/or more than 500 DoS Attacks are logged during the selected time period.

Impact:
Not all attacks/virtuals are displayed on the DoS Visibility overview page.

Workaround:
Zoom into a shorter time period, or use filters to limit the amount of displayed data. Once the number of attacks and virtual servers is under 500, the data should be correct.


703090-3 : With many iApps configured, scriptd may fail to start

Component: TMOS

Symptoms:
If many iApp instances are installed, scriptd may have issues starting up, including the log message:

"script has exceeded its time to live, terminating the script"

Conditions:
This occurs when many iApp instances exist. F5's internal testing has been able to show that it occurs with 70 instances.

Impact:
The error message will show up, and some instances of the script will not run.

Workaround:
Restarting scriptd will resolve the issue.


703045-2 : If using TMSH commands with deprecated attributes in iAPP, the upgrade will fail.

Component: TMOS

Symptoms:
TMSH commands with deprecated attributes will fail if used in iAPP.

Conditions:
TMSH commands with deprecated attributes will fail if used in iAPP. This occurs whether the iAPP is activated during the upgrade process or simply run under the iAPP service from the user display.

Impact:
TMSH commands will not execute; for example, a create command results in no objects (e.g., monitor, virtual server) being created.

Workaround:
Avoid using deprecated attributes of the object in the iAPP.


702450-2 : The validation error message generated by deleting certain object types referenced by a policy action is incorrect

Component: Local Traffic Manager

Symptoms:
When deleting certain objects that are referenced by policy actions, you may see a validation error like this:

# tmsh delete ltm virtual test-vs
01071726:3: Cannot delete policy action '/Common/test-vs'. It is in use by ltm policy '/Common/test-policy'.

The referenced object is not a "policy action" in this case, but is a virtual server.

Conditions:
LTM policies must be in use, and at least one policy action must forward to an object. The user must attempt to delete that object.

Impact:
Possible confusion at the error message.

Workaround:
There is no workaround at this time.


701977-6 : Non-URL encoded links to CSS files are not stripped from the response during concatenation

Component: WebAccelerator

Symptoms:
Non-URL encoded links to CSS files are not stripped from the response during concatenation.

Conditions:
White space in the URLs.

Impact:
As above.

Workaround:
No workaround at this time.


701800-1 : SSO-enabled native RDP resources cannot be launched from APM Webtop with Mac RDP client 10.x

Component: Access Policy Manager

Symptoms:
Mac RDP client 10.x shows credentials prompt when SSO-enabled native RDP resource is launched from the APM Webtop (if user enters credentials, RDP client shows error message).

Conditions:
-- Mac RDP client is of version 10.x (e.g., 10.1.6).
-- Native RDP resource has SSO enabled.

Impact:
RDP resource cannot be launched.

Workaround:
Add the following to 'Custom Parameters' of SSO-enabled RDP resources:
full address:s:%{session.server.network.name}
promptcredentialonce:i:1


701249-3 : RADIUS authentication requests erroneously specify NAS-IP-Address of 127.0.0.1

Component: TMOS

Symptoms:
RADIUS requests from BIG-IP have attribute NAS-IP-Address = 127.0.0.1, which might cause authentication to fail.

The NAS-IP-Address is essentially the resource an end user client is trying to authenticate to. This is typically the management IP address of the BIG-IP system, but the BIG-IP system always sends 127.0.0.1 instead. That might fail or it might work, depending on how the server is configured.

Conditions:
This is an issue for all RADIUS authentication requests that use the attribute NAS-IP-Address.

Note: This affects remote control plane authentication only, not APM or other uses of RADIUS.

Impact:
BIG-IP system always sends 127.0.0.1 instead of the BIG-IP system's management IP address. RADIUS server might not service the request, so authentication fails.

Workaround:
There is no workaround.


700827-3 : B2250 blades may lose efficiency when source ports form an arithmetic sequence.

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. It can be observed for example by running "tmsh show sys tmm-traffic".

Conditions:
Source ports used to connect to B2250 blade form an arithmetic sequence.

Impact:
Traffic imbalance between tmm threads may result in sub-optimal performance.

Workaround:
Randomize source ports when connecting via a BIG-IP system.


700812 : asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview

Component: Application Security Manager

Symptoms:
asmrepro recognizes a BIG-IP version of 13.1.0.1 as 13.1.0 and fails to load a qkview.

Conditions:
Try to deploy a qkview on a BIG-IP system using the asmrepro tool while the BIG-IP system has a four-element version such as 13.1.0.1.

Impact:
Cannot deploy a qkview on a BIG-IP system with a four-element version using the asmrepro tool.

Workaround:
n/a


700056-2 : MCPD process may lock up and restart when applying Local Traffic Policy to virtual server

Solution Article: K05350542

Component: Local Traffic Manager

Symptoms:
The mcpd process becomes unresponsive while attempting to load the configuration, or attempting to apply a configuration change that associates a particular local traffic policy to a virtual server. The mcpd process may also periodically restart every 5 minutes.

Conditions:
- Virtual servers configured.
- Specific policies configured and attached to virtual servers.

Only policies configured in a specific way will trigger this situation. The specifics are not well understood; however, the vast majority of Local Traffic Policies are unaffected by this issue.

Impact:
Traffic disrupted while mcpd restarts.

Workaround:
There is no workaround.


699733-1 : DNS NOTIFY not sent to mgmt IP under Zone Transfer Clients list after DNS Express zone update

Component: Global Traffic Manager (DNS)

Symptoms:
When entries in a DNS Express zone are updated, the BIG-IP system does not send DNS NOTIFY to a nameserver with an IP address from the mgmt subnet listed under Zone Transfer Clients.

Conditions:
* The nameserver has an IP address from the mgmt subnet.
* The nameserver is listed under Zone Transfer Clients of the DNS Express zone.
* Entries in the DNS Express zone are updated.

Impact:
BIG-IP system does not send NOTIFY request to the nameserver.

Workaround:
There is no workaround at this time.


699598-1 : HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR

Component: Local Traffic Manager

Symptoms:
HTTP/2 requests with a large body may result in the BIG-IP system sending RST_STREAM with FRAME_SIZE_ERROR.

Conditions:
-- HTTP/2 profile is configured on the virtual server.
-- Request has body size greater than 16 KB.

Impact:
HTTP/2 stream is reset with FRAME_SIZE_ERROR and transfer does not complete.

Workaround:
None.
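As an added example, not BIG-IP code, the following shows what the FRAME_SIZE_ERROR in this issue means on the wire: an HTTP/2 request body must be split into DATA frames whose payload does not exceed the peer's SETTINGS_MAX_FRAME_SIZE (16384 bytes by default, RFC 7540 section 4.2), and a receiver that sees a larger frame responds with FRAME_SIZE_ERROR. The sender splits a constructed 20000-byte body; the stream ID and body are sample values.

```python
import struct
from typing import List

SETTINGS_MAX_FRAME_SIZE_DEFAULT = 16384  # 2**14, the initial value in RFC 7540
FRAME_TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
FRAME_HEADER_LEN = 9


def build_data_frames(stream_id: int, body: bytes,
                      max_frame_size: int = SETTINGS_MAX_FRAME_SIZE_DEFAULT) -> List[bytes]:
    """Split a request body into DATA frames no larger than max_frame_size and
    set END_STREAM on the last one. Each frame is the 9-byte header
    (24-bit length, type, flags, reserved bit + 31-bit stream id) plus payload."""
    chunks = [body[i:i + max_frame_size] for i in range(0, len(body), max_frame_size)]
    if not chunks:                      # empty body still needs a frame to end the stream
        chunks = [b""]
    frames = []
    for idx, chunk in enumerate(chunks):
        flags = FLAG_END_STREAM if idx == len(chunks) - 1 else 0
        header = (struct.pack("!I", len(chunk))[1:]            # low 24 bits of length
                  + struct.pack("!BBI", FRAME_TYPE_DATA, flags, stream_id & 0x7FFFFFFF))
        frames.append(header + chunk)
    return frames


def payload_length(frame: bytes) -> int:
    """Read the 24-bit payload length from a frame header."""
    return int.from_bytes(frame[:3], "big")


def check_frame_size(frame: bytes,
                     max_frame_size: int = SETTINGS_MAX_FRAME_SIZE_DEFAULT) -> bool:
    """Receiver-side rule from RFC 7540 section 4.2: a payload longer than the
    advertised SETTINGS_MAX_FRAME_SIZE is a FRAME_SIZE_ERROR. Returns True when
    the frame is acceptable."""
    return payload_length(frame) <= max_frame_size


if __name__ == "__main__":
    frames = build_data_frames(1, b"a" * 20000)
    for f in frames:
        print("DATA frame payload", payload_length(f),
              "END_STREAM" if f[4] & FLAG_END_STREAM else "",
              "ok" if check_frame_size(f) else "FRAME_SIZE_ERROR")
```

The frame length and flags live in the first five header bytes, so a capture of the failing stream (for example with ssldump or a TMM-side tcpdump with the SSL decryption options available in this release) shows directly whether the DATA frame that provoked the RST_STREAM exceeded 16384 bytes.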


699531-5 : Potential TMM crash due to incorrect number of attributes in a PEM iRule command

Component: Policy Enforcement Manager

Symptoms:
TMM crash.

Conditions:
An iRule with a PEM iRule command that does not have the minimum number of attributes.

Impact:
Loss of service. Traffic disrupted while tmm restarts.

Workaround:
Make sure the PEM iRule command is called with at least the minimum number of parameters.

For example, make sure to call 'PEM::subscriber config policy referential set' with referential policies.


699426-4 : RRD cpu files are not updated when statsd has no prior knowledge of blades joining a cluster.

Component: Local Traffic Manager

Symptoms:
If a blade already known to statsd goes down, statsd continues to update the blade's /var/rrd/bladeXcpu file.
If a new blade joins and is announced to statsd, statsd stops updating all /var/rrd/bladeXcpu files, especially if it did not have prior knowledge of the blade.

Conditions:
If statsd is restarted after the blade is disabled, or goes down, and after that the blade rejoins the cluster, the /var/rrd/bladeXcpu files stop updating (where X is the blade number).

Impact:
Data of those files is not updated. This impacts the graphs generated from these files.

Workaround:
Execute the command "bigstart restart statsd" after the new blade has joined the cluster.


698933 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
In a dynamic routing configuration where one OSPF process redistributes routes from another OSPF process and sets a metric-type, the metric type is not changed.

Conditions:
Dynamic routing configuration with two or more OSPF processes redistributing routes using "redistribute ospf <other process number> metric-type <type>".

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


698836-1 : APM session counts not available after installing an APM session count License

Component: Access Policy Manager

Symptoms:
The user is unable to use the extra capacity after installing an APM add-on license with extra session counts.

Conditions:
Occurs when the add-on license was incorrectly generated and lacks the mod_apm license (i.e., the user had no previous full APM license but instead had only the APM Light license with a 10-session maximum).

Impact:
The user is unable to use the extra session capacity and can only use the 10-session maximum provided by the APM Light license.

Workaround:
Generate a correct APM add-on license with mod_apm in addition to the extra session count.


698619-3 : Disable port bridging on HSB ports for non-vCMP systems

Component: TMOS

Symptoms:
Internal packets flooded on internal switch interfaces by the HSB can be bridged back to the HSB on BIG-IP 5000/7000 and VIPRION B2100 blades configured to enable port bridging by the switch.

Conditions:
-- Packets being flooded from the HSB to VLAN members when adding/deleting VLANs.
-- Non-vCMP systems.
-- Virtual server configured for Direct Server Return (DSR or nPath Routing).

Impact:
This triggers an FDB flush and can result in packet flooding back to the HSB and potential network saturation.

Workaround:
None.


698432-1 : Invalid error messages: warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

Component: TMOS

Symptoms:
Loading a UCS in a vCMP guest which was taken from a different guest or a hardware device can produce the following error messages:

warning mcpd[5953]: 012a0004:4: halStorageRead: unable to read storage on this platform.
warning chmand[5730]: 012a0004:4: Store Read invalid store addr 0x3800, len 10

This is a cosmetic issue that occurs when the encrypted master key on a vCMP guest cannot be decrypted with the unit key of that system. This most often occurs when a UCS taken on a different guest is loaded.

Conditions:
Taking a UCS from one vCMP guest or hardware device and loading it onto a different vCMP guest.

Note: F5 does not support this configuration.

Impact:
Although there is no adverse effect on the system, error messages will be logged.

Workaround:
None.


698211-4 : DNS express response to non-existent record is NOERROR instead of NXDOMAIN.

Solution Article: K35504512

Component: Local Traffic Manager

Symptoms:
The DNS express response to a non-existent record is NOERROR instead of NXDOMAIN.

Conditions:
Delete a wildcard resource record from the related DNS Express zone.

Impact:
DNS returns the incorrect response.

Workaround:
Delete the old db files: /var/db/tmmdns.bin and /var/db/zxfrd.bin, and then restart zxfrd.


696731-4 : The standard LinkUp/LinkDown traps may not be issued in all cases when an interface is administratively enabled/disabled

Solution Article: K94062594

Component: TMOS

Symptoms:
The standard LinkUp/LinkDown traps are issued when a port's status changes; that is, the link goes up or down. Additionally, the network manager can administratively enable and disable ports. For some platforms, there is no reliably issued standard LinkUp/LinkDown trap when a port is administratively enabled/disabled.

Conditions:
Administratively disabling an interface on the BIG-IP system.

Impact:
May issue only the F5 Link change trap and not the additional standard MIB trap. The standard LinkUp/LinkDown traps may not be issued.

Workaround:
Use the F5-proprietary MIB: 1.3.6.1.4.1.3375.2.4.0.37 F5-BIG-IP-COMMON-MIB::BIG-IPExternalLinkChange trap to track administrative changes to links.


695341 : If FIPS card goes bad and cannot initialize, the BIG-IP system will continuously reboot

Component: TMOS

Symptoms:
If the FIPS card has a problem and cannot initialize, the BIG-IP system will continuously reboot with the following message indicating failure to initialize the FIPS device:

Initializing FIPS device (n3fips): (Timeout) [FAILED]

Conditions:
FIPS card has a problem and cannot initialize.

Impact:
System will keep rebooting.

Workaround:
No workaround.


694491-1 : Errant log message appears as an error

Component: TMOS

Symptoms:
A log message similar to the following appears in /var/log/ltm:

err mcpd[]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (31624).

Conditions:
No specific conditions trigger this message. You might see this message when you inspect the LTM log after booting.

Impact:
There is no negative impact to the system. You can safely ignore this message.

Workaround:
No need for a workaround. The message can be ignored or filtered.


694439 : When the management IP is set to IPv6, the downgrade fails when loading the config because of a trailing slash in BIG-IP_base.conf.

Component: TMOS

Symptoms:
Downgrading to older software that has IPv6 management support, when an IPv6 management IP is configured, causes the configuration load to fail due to an extra slash in BIG-IP_base.conf (e.g., "2620:128:e008:4009::cafe/64/").

Conditions:
Management ip set to IPv6.

Impact:
The configuration load of BIG-IP_base.conf fails.

Workaround:
To address this issue the user has to edit the BIG-IP_base.conf and remove the extra slash from the management-ip field and re-load the configuration as instructed.


694073 : All signature update details are shown in 'View update history from previous BIG-IP versions' popup

Component: Application Security Manager

Symptoms:
If you are running a BIG-IP release named with 4 digits (e.g., 12.1.3.1), all signature update details are shown only in 'View update history from previous BIG-IP versions' popup. The 'Latest update details' section is missing.

Conditions:
Running a BIG-IP software release named with 4 digits (e.g., 12.1.3.1).

Impact:
Low and incorrect visibility of signature update details.

Workaround:
Signature update details can be viewed in 'View update history from previous BIG-IP versions' popup.


693901-5 : Active FTP data connection may change source port on client-side

Component: Local Traffic Manager

Symptoms:
The active FTP data connection on the client side may use a source port other than the one configured in the 'Data Port' parameter of the FTP profile.

Conditions:
FTP profile is attached to a virtual server and the 'Data Port' parameter is either left as default (20) or defined as a specific value.

Impact:
Active FTP data connection may be blocked by firewalls that expect a pre-defined source port.

Workaround:
None.


693706-1 : HTML field obfuscation is not supported with SPA

Component: Fraud Protection Services

Symptoms:
HTML field obfuscation feature is not supported on Single Page Application (SPA).

Conditions:
Configure WebSafe for SPA.

Impact:
HTML field obfuscation feature is not supported.

Workaround:
None.


693244-3 : BIG-IP not sending RST for SYN,ACK packets when ASM is provisioned

Component: Local Traffic Manager

Symptoms:
The BIG-IP system silently drops the server-side TCP flow when it receives a client-side reset while the server-side flow is still in the SYN-SENT state.

Conditions:
The BIG-IP system receives a client-side reset while the client-side TCP flow is in the ESTABLISHED state and the server-side TCP flow is in the SYN-SENT state; the server-side flow is silently dropped.

Impact:
Since the server-side pool member does not receive the RST, it remains in the SYN-RECEIVED state until it exhausts its SYN retransmissions and eventually, due to timeout, returns to the LISTEN state.


691188 : TMM core files might be truncated due to lack of space

Component: TMOS

Symptoms:
The /shared filesystem on a VIPRION 4450 blade might not have enough free space for large TMM core files.

Conditions:
-- Running on a VIPRION 4450 blade.
-- /shared has less than approximately 250 GB of free space.

Impact:
If TMM cores, there may not be enough space to save the full core file. Traffic disrupted while tmm restarts.

Workaround:
None.


689491-2 : CPU usage reported as 'stolen' on vCMP guests with 1 core or htsplit disabled

Component: TMOS

Symptoms:
CPU usage stats are incorrect and the system looks idle when it is actually busy.

Conditions:
vCMP guests with 1 core or htsplit disabled.

Impact:
CPU stats are incorrect, which might make it difficult to troubleshoot problems.


688833 : Inconsistent XFF field in ASM log depending on violation category

Component: Application Security Manager

Symptoms:
Depending on the violation category, the xff ip field is reported as 'xff_ip' and sometimes as 'xff ip'.

Conditions:
Viewing the XFF results in ASM log.

Impact:
This might cause problems with the syslog filters configured on the remote loggers.

Workaround:
Configure the client's syslog filter rules to accept both 'xff ip' and 'xff_ip'.


688553-4 : SASP GWM monitor may not mark member UP as expected

Component: Local Traffic Manager

Symptoms:
Pool members monitored by the SASP monitor may be incorrectly marked DOWN when they should be marked UP.

Conditions:
This may occur on affected BIG-IP versions when using the SASP monitor targeting a Load Balancing Advisor GWM (Global Workload Manager).

This is more likely to occur if pool members monitored by the SASP monitor are also monitored by an additional monitor which has marked the members DOWN, or if one or more pool members monitored by the SASP monitor have been manually marked down (state user-down via tmsh, or Disabled in the GUI).

This is not expected to occur with non-affected BIG-IP versions or when using the SASP monitor targeting a Lifeline GWM (Global Workload Manager).

Impact:
Traffic handled by pool members monitored by the SASP monitor may be disrupted.

Workaround:
Removing the SASP monitor from the pool or pool member configuration then re-adding the SASP monitor may reset the pool member status to the correct state.


688421 : bigdb_open error is observed during system bootup of VIPRION 2200, 2400, 4400, 4480 chassis, and BIG-IP 5200, 5250, 10255, 10350, and 12050 platforms.

Component: TMOS

Symptoms:
The error message 'bigdb_open error:17367041' is observed during system bootup.

Conditions:
-- Booting the system.
-- Using one of the following platforms:
VIPRION 2200, 2400, 4400, 4480 chassis, and BIG-IP 5200, 5250, 10255, 10350, and 12050 platforms.

Impact:
This message does not indicate any functional problem. The system posts the message as a result of a timing issue. During system bootup, one part of the system comes up before another part. This message indicates that a part of the system that has come up cannot communicate with bigdb, which has not come up. bigdb will soon come up, and a retry will happen, at which time bigdb communication can occur, so the error messages no longer show up.

Workaround:
None.


688335-6 : big3d may restart in a loop on secondary blades of a chassis system

Solution Article: K00502202

Component: Global Traffic Manager (DNS)

Symptoms:
After big3d_install is run against a target system, and this target system is a multi-blade chassis, the big3d utility may begin restarting in a loop on all secondary blades of the target system. The primary blade is not affected; big3d continues to run stably there.

Conditions:
The following conditions are required to encounter this issue:

-- The big3d_install utility is used against a target system.
-- The target system is a multi-blade chassis.
-- The big3d_install utility picks the iQuery installation method (and not the SSH one).
-- The big3d_install utility incorrectly determines that the local version of the big3d utility should be copied to the remote system.

Impact:
big3d does not typically do anything on secondary blades, so this issue should have no immediate material impact.

However, should the cluster elect a new primary blade, and should big3d still be restarting on that blade, this could cause iQuery communication failures between that system and remote BIG-IP systems.

Workaround:
To stop secondary blades from restarting, manually restart big3d on the primary blade using the following command:
 bigstart restart big3d

To prevent this issue from happening, you can run the big3d_install by specifying that the SSH installation method be used using the following command:
 big3d_install -use_ssh <target IP>


688266-6 : big3d and big3d_install use different logic to determine which version of big3d is newer

Component: Global Traffic Manager (DNS)

Symptoms:
The big3d_install utility includes logic to determine whether the local system should copy its version of the big3d daemon to the remote system specified by the user.

This logic is incorrect and may result in the local copy of the big3d daemon being unnecessarily copied to the remote system or not copied when actually necessary.

Conditions:
A user runs the big3d_install utility.

Impact:
If the local big3d daemon was unnecessarily copied over to the remote system, there is no tangible impact (other than the fact big3d restarts on the remote system, which is expected). Eventually, the remote system restores and uses its version of the big3d daemon.

If the local big3d daemon was not copied over when it should have been, then the remote system may continue to run an older version of the big3d daemon, which may impede iQuery communication.

Workaround:
If the local big3d daemon was unnecessarily copied over to the remote system, you do not need to perform any remedial action. The remote system will automatically resolve this situation by restoring the intended (i.e., newer) big3d version.

If the local big3d daemon was not copied over when it should have been, you can invoke the big3d_install utility using the -f argument, which forces an install of the big3d daemon regardless of the local and remote versions.


688231-1 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.


687759 : bd crash

Component: Application Security Manager

Symptoms:
A bd crash.

Conditions:
-- A config change follows a bd crash.
-- There is a policy that is misconfigured, for example, a form-data parsing is applied on a non-form-data payload (such as XML or JSON).

Impact:
bd crashes; system fails over; traffic disturbance occurs.

Workaround:
Set the following internal parameter to 0: max_converted_length_to_cache


686675 : Monitor's adaptive-limit is not restricted to a minimum of the adaptive noise floor

Component: Local Traffic Manager

Symptoms:
Setting an adaptive monitor's 'adaptive-limit' below the value of the db variable 'bigd.adaptive.default_noise_floor' behaves as though the limit is the same as the 'noise floor'. By default this is 100ms.

Conditions:
Setting an adaptive monitor's 'adaptive-limit' below the value of the db variable 'bigd.adaptive.default_noise_floor'.

Impact:
Monitor is still marked up even if the delay in the server's response is higher than the adaptive-limit configured for the monitor.

Workaround:
Change 'bigd.adaptive.default_noise_floor' to be less than the desired adaptive-limit, or use an adaptive-limit larger than 100ms.


686438 : Loop of JS errors in Edge browser

Component: Fraud Protection Services

Symptoms:
Loop of JS errors in console similar to the following:

SCRIPT5007: Unable to get property 'timeStamp' of undefined or null reference
0844f74b58ab1800353ea6e389110166b33640975ab33f8c35b93e132e10aad2.js (839,290)
SCRIPT5007: Unable to get property 'length' of undefined or null reference
0844f74b58ab1800353ea6e389110166b33640975ab33f8c35b93e132e10aad2.js (57,25)

Conditions:
-- Edge browser.
-- Automatic transaction configured.
-- Popup dialog box is waiting for FPS end user input.
-- FPS end user inserts 1024 chars in password field.

Impact:
This might result in slowness of user environment. Errors are posted in the console.

Workaround:
Enable the -n flag to disable the anti-debug feature. To do so, add -n flag to /shared/datasync/compiler_conf/cs_fpm/OBF_FLAGS.


686071 : Log level change not saved to UCS.

Component: Access Policy Manager

Symptoms:
If you change the log level for an access policy using TMSH and save this configuration into a UCS, then after restoring that UCS you must reload the Access :: Overview : Event Logs : Settings page in order to see the change in the Admin UI.

Conditions:
-- Changing the log level for an access policy using TMSH.
-- Saving this configuration into a UCS.
-- Restoring this UCS.

Impact:
Log level changes are lost. You must reload the Access :: Overview : Event Logs : Settings page in order to see the change in the GUI.

Workaround:
None.


685582-8 : Incorrect output of b64 unit key hash by command f5mku -f

Component: TMOS

Symptoms:
The output of the b64 unit key hash is inconsistent upon each 'f5mku -f' command, whereas the hex version of the unit key hash was always correct/consistent.

Conditions:
Viewing output of 'f5mku -f' command.

Impact:
Inconsistent output of the b64 unit key.

Workaround:
Adding the verbose option (v) to the f5mku command will print additional information. The following command prints the hex version of the unit key header hash, which will be stable and can be used to detect changes to the unit key:

 f5mku -vf

For example:

# f5mku -vf
...
-- hdr.hash = c9:0d:13:2a:74:d4:7e:31:a4:78:5e:c8:3e:9c:b5:3d:7b:65:9c:7d
...


685340 : On an appliance IPv6 management IP config is not correctly preserved through an .iso install

Component: TMOS

Symptoms:
If an IPv6 management-ip is configured when an .iso is live-installed, the configuration in the new image will have an incorrect netmask for the IPv6 management IP.

Note: This is true only for IPv6 management-IP configurations; IPv4 management-ip configurations work as expected.

Conditions:
-- On any appliance (i.e., not blades in a cluster).
-- IPv6 management IP only.

Impact:
IPv6 management IP config is not correctly preserved through an .iso install. Configuration load fails.

Workaround:
Edit the /config/bigip_base.conf file and remove the extraneous netmask, and then load the config by running the command: tmsh load sys config. To do so, follow these steps:

1. Edit /config/bigip_base.conf:
-- Change this:
sys management-ip <IPv6_IP_address>/64/ffff:ffff:ffff:ffff::{}

-- To this:
sys management-ip <IPv6_IP_address>/64{}

2. If an IPv6 default-inet6 route is configured, that configuration also must be edited in /config/bigip_base.conf:

-- Change this:
sys management-route default {
    gateway <V6_gateway_IP_address>
    network default
}

-- To this:
sys management-route default-inet6 {
    gateway <V6_gateway_IP_address>
    network default-inet6
}

3. After making and saving the changes, run the following command: tmsh load sys config
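The two edits in this workaround, applied to the text of /config/bigip_base.conf. This is an added example, not F5's code; it assumes the file uses the exact line forms shown above and treats a management route as IPv6 when its gateway is an IPv6 address.

```python
"""Apply the workaround for ID 685340 to the text of /config/bigip_base.conf.

Added example, not F5's code. It performs the two edits the workaround
describes: strips the extraneous netmask from an IPv6 'sys management-ip'
entry and converts a 'sys management-route default' block whose gateway is
an IPv6 address into a 'default-inet6' route. IPv4 entries are untouched.
Run 'tmsh load sys config' after writing the result back.
"""
import ipaddress
import re
import sys

# sys management-ip <IPv6>/64/ffff:ffff:ffff:ffff::{}  (prefix length, then a redundant mask)
_MGMT_IP_RE = re.compile(
    r"^(?P<head>\s*sys management-ip (?P<addr>[0-9A-Fa-f:]+)/\d+)"
    r"/[0-9A-Fa-f:]+(?P<tail>\s*\{.*)$"
)
_ROUTE_HDR_RE = re.compile(r"^(?P<indent>\s*)sys management-route default\s*\{\s*$")
_GATEWAY_RE = re.compile(r"^\s*gateway\s+(?P<gw>\S+)\s*$")
_NETWORK_RE = re.compile(r"^(?P<indent>\s*)network\s+default\s*$")


def _is_ipv6(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False


def _fix_route_block(block: list) -> list:
    """Rename a 'default' management route to 'default-inet6' if its gateway is IPv6."""
    gateways = [m.group("gw") for m in map(_GATEWAY_RE.match, block) if m]
    if not any(_is_ipv6(gw) for gw in gateways):
        return block  # an IPv4 default route is correct as written
    fixed = []
    for line in block:
        hdr = _ROUTE_HDR_RE.match(line)
        net = _NETWORK_RE.match(line)
        if hdr:
            fixed.append(f"{hdr.group('indent')}sys management-route default-inet6 {{")
        elif net:
            fixed.append(f"{net.group('indent')}network default-inet6")
        else:
            fixed.append(line)
    return fixed


def fix_bigip_base_conf(text: str) -> str:
    """Return the corrected configuration text; a clean input comes back unchanged."""
    lines = text.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        ip = _MGMT_IP_RE.match(line)
        if ip and _is_ipv6(ip.group("addr")):
            # Step 1: <IPv6>/64/ffff:ffff:ffff:ffff::{} -> <IPv6>/64{}
            out.append(ip.group("head") + ip.group("tail"))
            i += 1
        elif _ROUTE_HDR_RE.match(line):
            # Step 2: collect the route block up to its closing brace and fix it as a unit.
            j = i
            while j < len(lines) and lines[j].strip() != "}":
                j += 1
            out.extend(_fix_route_block(lines[i : j + 1]))
            i = j + 1
        else:
            out.append(line)
            i += 1
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample of the broken configuration (documentation addresses, not real ones).
SAMPLE_BROKEN = """\
sys management-ip 2001:db8::10/64/ffff:ffff:ffff:ffff::{}
sys management-ip 192.0.2.10/24 { }
sys management-route default {
    gateway 2001:db8::1
    network default
}
"""

if __name__ == "__main__":
    # Usage: python fix_mgmt_ip.py /config/bigip_base.conf > fixed.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    sys.stdout.write(fix_bigip_base_conf(text))
```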


684096-3 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
Querying for stats, such as https://<host>/mgmt/tm/ltm/pool/p1/stats.

Impact:
An incorrect self-link is returned.

Workaround:
Be mindful when parsing the self-link.


683307 : F5 APM webtop spawns a pop-up window with text 'webpage cannot be displayed' when running F5 VPN or F5 EPI for the first time

Component: Access Policy Manager

Symptoms:
Running F5 VPN or F5 EPI on the webtop page for the first time, Microsoft Internet Explorer v11 (IE11) spawns a pop-up window with text 'web page cannot be displayed' and does not close it automatically. The window must be closed manually.

Conditions:
The issue happens only when all of the following conditions are met:
-- Microsoft Windows 7 operating system.
-- IE11.
-- F5 VPN/F5 EPI not installed.
-- APM site is in trusted sites list.

Impact:
Window does not close on its own, and must be closed manually. Might cause confusion.

Workaround:
None. However, if any of the conditions are not met, the window closes automatically.


682283-1 : Malformed HTTP/2 request with invalid Content-Length value is served against RFC

Component: Local Traffic Manager

Symptoms:
An HTTP/2 request can include a Content-Length header. When the value of the Content-Length header does not match the sum of the lengths of all DATA frames on the stream, the RFC requires that the system reset the stream.

Conditions:
-- A virtual server is configured with HTTP/2 profile.
-- The value of Content-Length header does not match the sum of lengths of all DATA frames from the stream.

Impact:
The BIG-IP system forwards the request to a server and serves the response it receives, which does not conform to the RFC.

Workaround:
None.
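The check the RFC requires, written out: parse the stream's frames, total the DATA payload with padding excluded, and compare it with the declared Content-Length. This is an added example, not BIG-IP code; the declared length is passed in as a parameter because this example does not decode the HPACK-encoded HEADERS frame.

```python
"""Check an HTTP/2 request body against its Content-Length (RFC 7540 section 8.1.2.6).

Added example, not BIG-IP code. It parses raw HTTP/2 frames, sums the DATA
payload on one stream with padding excluded, and returns the RST_STREAM
error code a conforming peer must send when the total disagrees with the
declared Content-Length, which is the check the issue above says is missing.
The declared length is passed in directly because HEADERS frames carry
HPACK-encoded fields and this example does not decode HPACK.
"""
import struct
from typing import Iterator, NamedTuple, Optional

FRAME_DATA, FRAME_HEADERS = 0x0, 0x1
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_PADDED = 0x1, 0x4, 0x8
PROTOCOL_ERROR = 0x1  # RST_STREAM error code for a length mismatch


class Frame(NamedTuple):
    length: int
    type: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes, pad: int = 0) -> bytes:
    """Serialise one frame; pad > 0 sets PADDED and appends that many padding octets."""
    if pad:
        flags |= FLAG_PADDED
        payload = bytes([pad]) + payload + b"\x00" * pad
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf: bytes) -> Iterator[Frame]:
    """Yield frames from a buffer of concatenated frames; reject truncation."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield Frame(length, ftype, flags, stream_id, payload)
        pos += 9 + length


def data_payload(frame: Frame) -> bytes:
    """Return the application data of a DATA frame without the Pad Length octet and padding."""
    if not frame.flags & FLAG_PADDED:
        return frame.payload
    if not frame.payload or frame.payload[0] >= frame.length:
        raise ValueError("padding length exceeds frame length")  # itself a PROTOCOL_ERROR
    return frame.payload[1:frame.length - frame.payload[0]]


def check_content_length(buf: bytes, stream_id: int, content_length: Optional[int]) -> Optional[int]:
    """Return None when the stream is acceptable, or the RST_STREAM error code to send.

    More body than declared is an error as soon as it is seen; less body than
    declared is only an error once END_STREAM closes the request.
    """
    received = 0
    for frame in parse_frames(buf):
        if frame.stream_id != stream_id:
            continue
        if frame.type == FRAME_DATA:
            received += len(data_payload(frame))
            if content_length is not None and received > content_length:
                return PROTOCOL_ERROR
        if frame.type in (FRAME_DATA, FRAME_HEADERS) and frame.flags & FLAG_END_STREAM:
            if content_length is not None and received != content_length:
                return PROTOCOL_ERROR
            return None
    return None  # stream still open: nothing to reset yet


# Constructed request on stream 1: a HEADERS frame (opaque bytes, not real HPACK),
# a padded DATA frame carrying 5 octets, and a final DATA frame carrying 6 octets.
SAMPLE_REQUEST = (
    encode_frame(FRAME_HEADERS, FLAG_END_HEADERS, 1, b"\x00" * 8)
    + encode_frame(FRAME_DATA, 0, 1, b"hello", pad=3)
    + encode_frame(FRAME_DATA, FLAG_END_STREAM, 1, b" world")
)

if __name__ == "__main__":
    for declared in (11, 10, 12):
        verdict = check_content_length(SAMPLE_REQUEST, 1, declared)
        print(f"Content-Length {declared}: {'ok' if verdict is None else 'RST_STREAM(PROTOCOL_ERROR)'}")
```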


682269 : Cannot send messages to LCD if tmm or mcpd fail to come up.

Component: TMOS

Symptoms:
If either tmm or mcpd fails to come up, alertd will not come up. Alertd is responsible for causing messages to appear on the LCD.

Conditions:
Abnormal startup on a system such that tmm or mcpd is prevented from coming up. For example: A configuration module is detected to be missing or unsupported on i5xxx-, i7xxx-, i10xxx-, and i15xxx-series platforms.

Impact:
Must view logs to determine what issues may have occurred during startup.

Workaround:
The system log files and/or a qkview will likely contain any messages that would have been sent to the LCD.


682241 : Escaped '#' is preserved in fields set through 'tmsh'

Component: Local Traffic Manager

Symptoms:
Using 'tmsh' to set monitor fields containing an octothorp ('\#') preserves the included backslash, rather than "absorbing" the backslash into the special character '#'. For example, setting monitor 'username' or 'description' to "abc\#def" or "abc#def" will preserve the '\#' or '#' as provided. This may be surprising if it was assumed that the backslash (escape-character) would be implicitly "absorbed" into the octothorp ('#').

Conditions:
tmsh is used to set monitor parameters (such as 'username' or 'description') where the value includes an escaped octothorp ('\#').

Impact:
The backslash is preserved (and not implicitly absorbed as an escaped character preceding the octothorp).

Workaround:
Do not escape the octothorp with a backslash for monitor values if no backslash is desired; and wrap the value within double-quotes as necessary.


681465 : When from-nethsm option is specified, there is no error when 'security-type' is 'normal' or 'password'.

Component: Local Traffic Manager

Symptoms:
The system posts an error when you specify 'security-type fips' along with 'from-nethsm', but ignores other, erroneous 'security-type' designations such as 'normal' and 'password'. In this case, when you specify 'security-type' as 'normal' or 'password', the system silently imports the 'from-nethsm' key as type 'nethsm'. As a best practice, do not specify 'security-type' when you use 'from-nethsm'.

When you specify 'security-type fips', the system posts an error, for example:

install sys crypto key key4___854f1568 from-nethsm security-type fips
Syntax Error: Security type must be nethsm.

This occurs because there is no way for the system to determine whether 'security-type normal' comes from 'default' (no 'security-type' specified) or from the manually specified 'security-type normal'.

Conditions:
-- Using the 'from-nethsm' option with the 'install sys crypto key' command.
-- Specifying 'security-type normal' or 'security-type password'.

Impact:
'from-nethsm' and a 'security-type' of 'normal' or 'password' are not compatible options.

Workaround:
The preferred usage is that when you specify 'from-nethsm', you do not also specify a 'security-type'. When you specify 'security-type' as 'normal' or 'password', the system ignores it and imports the key with a 'security-type' of 'nethsm'.


680680 : The POP3 monitor used to send STAT command on v10.x, but now sends LIST command

Component: Local Traffic Manager

Symptoms:
In BIG-IP version 10.x, the POP3 monitor sent the STAT command (which returned a count of messages in the mailbox). Now, the monitor sends the LIST command (which returns a list of messages and their sizes).

Conditions:
POP3 monitor set up on a mailbox.

Impact:
If the polled mailbox used in the monitoring has a very large number of messages, the STAT command might fail to return results in time.

Workaround:
1. Create a mail account that does not receive many emails.
2. Make sure that the mailbox is nearly empty all the time (copy /dev/null periodically to the mailbox file).


679687-2 : LTM Policy applied to large number of virtual servers causes mcpd restart

Component: Local Traffic Manager

Symptoms:
When a large policy (on the order of several dozen rules), is applied to a large number of virtual servers (on the order of hundreds), the mcpd process compiles the policy to an optimized, intermediate form for each virtual server. The compilation occurs in the mcpd process, and because it becomes so busy/non-responsive, a watchdog process intervenes and restarts the mcpd process.

Conditions:
-- Relatively large policy (~30 or more rules) applied to large number of virtual servers (~100 or more).
-- Creating a draft of the policy that is currently applied to those virtual servers, when a similarly attached policy is published.

Impact:
The mcpd process becomes unresponsive and is reset by a watchdog process.

Workaround:
Two possible workarounds:
-- Make copies of the policy and apply a different copy of policy to different subsets of virtual servers.
-- Implement the policy using iRules.


679316-6 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Workaround:
There is no workaround at this time.


678450-1 : No 'F5RST port in use' sent when new connection arrives to port in use with strict preserve.

Component: Local Traffic Manager

Symptoms:
When 'Source Port: Preserve Strict' option is configured in performance L4 virtual servers, the 'F5RST port in use' packet is not sent, and connection hangs until timeout.

Conditions:
-- Connect to client and launch:
 # nc -p 8080 -v 10.10.10.40 80
-- Connect to client2 and launch:
 # nc -p 8080 -v 10.10.10.40 80
-- Modify virtual server vs_web type on LTM and repeat.

When the virtual server is a standard virtual server, 'F5RST port in use' is sent. When it is a performance (Layer 4) virtual server, it is not.

Impact:
Connection hangs. The port-in-use counter does not increase in the output of the following command:
 tmsh show /net rst-cause

Workaround:
None.


678397 : tmsh 'mv' command does not update the PostgreSQL database with new object name

Component: TMOS

Symptoms:
The 'tmsh mv' command causes an object to be momentarily removed from the 'tmm', but does not update the PostgreSQL database with the object's new name. This may cause issues when the configuration is reloaded.

Note: The 'tmsh mv' command is not supported.

Conditions:
Issuing a 'tmsh mv' command to rename an object.

Impact:
PostgreSQL database is not updated with the object's new name. Potential issues when the configuration is reloaded.

Workaround:
Do not use the unsupported 'tmsh mv' command.

You can rename an object using any of these methods:
-- Using 'tmsh modify' commands.
-- Running 'tmsh delete/create' commands.
-- Through editing the configuration in the GUI.
-- Executing REST API calls.


677709 : pkcs11d daemon can generate a very large number of log messages

Component: Local Traffic Manager

Symptoms:
If communication between a BIG-IP instance and the Hardware Security Module (HSM) is interrupted, during its attempts to re-establish a connection, the TMOS pkcs11d daemon will log many error messages in the /var/log/ltm log file (or in daemon.log for earlier versions).

Messages appear similar to the following:
-- err pkcs11d[21325]: 01680002:3: Session initialization error.
-- err pkcs11d[21325]: 01680032:3: netHSM: PKCS11d stopped. Verify password, and restart PKCS11d.
-- err pkcs11d[21325]: 01680029:3: netHSM: Failed login: password[incorrect]. Error[160].

Conditions:
-- Configurations employing an external HSM.
-- Communication between the BIG-IP instance and the HSM is interrupted.

Impact:
A sufficiently large amount of log-message handling may consume processor time and I/O resources, to the detriment of other processing.

Workaround:
None.


677234 : vCMP evaluation license expiration causes guests to enter failed state

Component: TMOS

Symptoms:
Deployed vCMP guests go to failed state.

Conditions:
-- Using evaluation license.
-- vCMP guests configured and deployed.
-- License expires.

Impact:
Guests require a restart.

Workaround:
Change all guests state to 'configured', and then back to 'deployed'.


676491 : BIG-IP as a DHCP relay while in a DHCP relay chain will use its self-IP as the relay agent.

Component: Policy Enforcement Manager

Symptoms:
In a relay chain, the DHCP request is relayed to the back-end DHCP servers with the self IP as the relay agent address instead of the DHCP virtual IP.

The DHCP server cannot use the giaddr field to make a subnet determination when providing an IP address to a client.

Conditions:
A DHCP relay chain in which the BIG-IP system is the relay agent immediately before the pool of DHCP servers.

Impact:
In a DHCP relay chain, the BIG-IP system does not correctly act as the relay agent immediately before the pool of DHCP servers.

Workaround:
1. The relay chain should be used across a single subnet if the DHCP server uses the giaddr to determine subnets for the clients.

2. If the use case is to load balance across multiple DHCP servers and the third-party DHCP relay cannot do so, LTM load balancing can be used.


676346-1 : PEM displays incorrect policy action counters when the gate status is disabled.

Component: Policy Enforcement Manager

Symptoms:
Action counters are incorrect.

Conditions:
PEM policy actions enabled with gate status of disabled.

Impact:
May provide an inconsistent view of PEM actions.

Workaround:
There is no workaround.


675208 : BWC priority groups cannot be shared across different BWC policies although the configuration allows it.

Component: TMOS

Symptoms:
BWC priority groups cannot be shared across different BWC policies, although the configuration allows it.

Conditions:
BWC categories are mapped in different BWC policies to a priority group.

Impact:
The system does not prevent the configuration, but the configuration has no effect. Configuration success is misleading.

Workaround:
None.


674992 : AAM traffic report's time period doesn't always apply

Component: WebAccelerator

Symptoms:
AAM traffic report's time period doesn't always apply.

Conditions:
Select a time period on the AAM traffic report page other than last hour.

Impact:
The table and graph still display last hour data.


673018 : Parsed text violates expected format error encountered while upgrading or loading UCS

Component: TMOS

Symptoms:
During a configuration roll-forward on an upgrade, the UCS load fails and reports the following error:

Parsed text violates expected format.

Conditions:
This can occur under the following conditions:
-- When loading a configuration that contains iFiles.
-- During an upgrade process, when the source-path for an iFile contains a URL with a space or other invalid URL character in it, for example: http://myfiles.com/get this file.txt.

Impact:
Configuration fails to load, and the system reports the following error: Parsed text violates expected format.

Workaround:
You can use either of the following workarounds:

-- Modify the URL to the iFile to remove any spaces, and then reload the configuration.

-- Use the HTTP specification for specifying spaces (and other characters) in URLs. For example, represent a space using the string %20 in the URL: http://myfiles.com/get%20this%20file.txt.


672502 : When installing a new netHSM client to a BIG-IP volume, the pre-existing netHSM client installed to other BIG-IP volumes will be overwritten and could be unusable

Component: Local Traffic Manager

Symptoms:
When installing a new netHSM client to a new BIG-IP volume, the pre-existing netHSM client installed to other BIG-IP volumes will be overwritten and could be unusable.

Conditions:
A netHSM (Thales/SafeNet) client exists on the old volume, and a new client version is installed on a new volume. The new client overwrites the old client in /shared.

Impact:
The pre-existing BIG-IP volumes that work with the netHSM client installed earlier might not work after the new client overwrites the old one. If the newly installed netHSM is not compatible with the pre-existing BIG-IP volume, the pre-existing BIG-IP volume will not work when the user boots to the old BIG-IP volume.

Workaround:
When booting to the old BIG-IP volume with the pre-existing older netHSM client, re-install the netHSM client version that is compatible with that volume. Note that once this is done, the new volume will be similarly affected and will need a reinstall of the newer (different) netHSM client too, once that volume is booted into.


672410 : High CPU load when HTTP/2 gateway is configured with source-persistence.

Component: Local Traffic Manager

Symptoms:
High CPU load when HTTP/2 gateway is configured with source-persistence.

Conditions:
-- HTTP/2 gateway is configured on the virtual server.
-- Source-persistence is turned on.

Impact:
High CPU load may lead to performance degradation.

Workaround:
Setting 'match-across-services' might help improve performance.


672312-4 : IP ToS may not be forwarded to serverside with syncookie activated

Component: Local Traffic Manager

Symptoms:
IP ToS field may not be preserved on forwarding in a FastL4 virtual server when syncookie is activated.

Conditions:
-- FastL4 ip-forwarding virtual server.
-- ToS in passthrough mode.
-- Syncookie is activated in hardware mode.
-- On a hardware platform with ePVA.

Impact:
IP ToS header is not forwarded to the serverside.

Workaround:
None.


671921 : SNMP traps cannot be delivered to non-default route domains

Component: TMOS

Symptoms:
If you configure SNMP trap destinations using TMSH or the REST API, the system does not present an error if you configure the destination with a %routedomainid at the end of the destination IP address. However, the SNMP daemon does not have insight into route domains, so it cannot deliver the trap.

Conditions:
Trying to deliver an SNMP trap to a non-default route domain destination address.

Impact:
The system cannot deliver the trap. You must be able to route to the SNMP trap destination using the default route domain.

Workaround:
There is no workaround at this time.


671712-3 : The values returned for the ltmUserStatProfileStat table are incorrect.

Component: TMOS

Symptoms:
An SNMP table entry intermittently comes back incorrectly. Specifically, an LTM profile user statistic value is returned with an OID that is off by one in the table.

Conditions:
A statistics profile is attached to a virtual server with an iRule that increments statistics on the profile. The SNMP walk of the table created by the statistics profile intermittently returns the values shifted up one OID such that the last row is zero and the first row is lost. A subsequent request is correct.

Impact:
Incorrect data returned in SNMP walk of LTM profile table.

Workaround:
The statistics themselves are kept correctly and can be accessed without using SNMP.


669645-4 : tmm crashes after LSN pool member change

Solution Article: K44021449

Component: Carrier-Grade NAT

Symptoms:
Changing LSN pool members while processing traffic may cause tmm to crash.

Conditions:
-- Changing, using, or removing an LSN pool.
-- Traffic is being processed.

Impact:
When tmm crashes, traffic processing will stop until tmm restarts. Note that this can occur, even if the change was on a high-availability peer unit and config-sync has taken place.

Workaround:
F5 recommends changing LSN pool members during a maintenance window with low traffic or, ideally, using an HA pair with a standby unit when implementing configuration changes while traffic is live.


668041-3 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
An iRule contains a commented line that ends with a backslash, and the config also contains a policy, for example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
  }
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the comment line.
-- Merge the multiple lines into one.
-- Make separate single-line comments, one per line.
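A pre-upgrade lint for this condition, implementing the third workaround on the text of bigip.conf. This is an added example, not F5's code; it assumes bigip.conf closes each top-level 'ltm rule' object with a brace in column 0, as the sample above does.

```python
"""Lint and fix iRule comment lines that end with a backslash (ID 668041-3).

Added example, not F5's code. In Tcl a backslash at the end of a comment
line continues the comment onto the next line, which is the construct that
breaks the config load when an LTM policy is also present. This scans the
text of bigip.conf for such lines inside 'ltm rule' blocks and applies the
third workaround: each continued line becomes its own '#' comment and the
trailing backslashes are removed, so the iRule's behaviour is unchanged.
"""
import re
import sys
from typing import List, Tuple

# 'ltm rule <name> {' opens a rule; bigip.conf closes top-level objects with '}' in column 0.
_RULE_START_RE = re.compile(r"^\s*ltm rule\s+\S+\s*\{\s*$")
_COMMENT_RE = re.compile(r"^(?P<indent>\s*)#")


def _ends_with_continuation(line: str) -> bool:
    """True when the line ends in an odd number of backslashes, i.e. an escaped newline."""
    stripped = line.rstrip()
    trailing = len(stripped) - len(stripped.rstrip("\\"))
    return trailing % 2 == 1


def find_continued_comments(text: str) -> List[int]:
    """Return the 1-based numbers of comment lines inside 'ltm rule' blocks that end with '\\'."""
    hits, in_rule = [], False
    for number, line in enumerate(text.splitlines(), start=1):
        if _RULE_START_RE.match(line):
            in_rule = True
        elif in_rule and line.startswith("}"):
            in_rule = False
        elif in_rule and _COMMENT_RE.match(line) and _ends_with_continuation(line):
            hits.append(number)
    return hits


def fix_continued_comments(text: str) -> Tuple[str, int]:
    """Rewrite continued comments as separate '#' lines; return (new text, lines changed)."""
    original = text.splitlines()
    out, in_rule, continuing, indent = [], False, False, ""
    for line in original:
        if _RULE_START_RE.match(line):
            in_rule = True
        elif in_rule and line.startswith("}"):
            in_rule = False
        if in_rule and continuing:
            # Still inside the previous comment: make this line a comment of its own.
            body = line.strip()
            line = f"{indent}# {body}" if body else f"{indent}#"
        match = _COMMENT_RE.match(line)
        if in_rule and match and _ends_with_continuation(line):
            indent = match.group("indent")
            continuing = True
            line = line.rstrip()[:-1].rstrip()  # drop the escaped newline
        else:
            continuing = False
        out.append(line)
    changed = sum(1 for before, after in zip(original, out) if before != after)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed


# Constructed sample modelled on the iRule in the issue above.
SAMPLE = """\
ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
  }
}
"""

if __name__ == "__main__":
    # Usage: python irule_comment_lint.py /config/bigip.conf > fixed.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for number in find_continued_comments(text):
        print(f"line {number}: comment ends with a backslash", file=sys.stderr)
    fixed, changed = fix_continued_comments(text)
    print(f"{changed} line(s) rewritten", file=sys.stderr)
    sys.stdout.write(fixed)
```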


667618-5 : Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts

Component: TMOS

Symptoms:
Hardware SYN Cookies activated on a virtual server under a SYN attack may not deactivate after the SYN attack ends and valid TCP traffic starts.

Conditions:
A SYN flood attack or similar SYN attack where SYNs are flooded into the BIG-IP system.

Impact:
This can successfully cause hardware SYN cookies to be activated on the BIG-IP virtual server under attack. However, once the attack subsides and falls below the SYN check threshold, SYN cookies may not immediately deactivate.

Workaround:
There is no workaround at this time.


664869 : Duplicate wildcard virtual server address creation

Component: TMOS

Symptoms:
You can create duplicate wildcard virtual servers using tmsh, but not in the GUI.

Conditions:
-- Running v13.x.
-- Creating duplicate wildcard virtual servers.

Impact:
You might experience unexpected behavior regarding routing of packets to virtual servers and their respective destinations.

Workaround:
-- Do not configure a second virtual server with identical attributes.

-- Delete one of the identical virtual servers, if it has already been configured.


664440 : session_lookup_all() doesn't find all entries during intra-cluster redistribution.

Component: TMOS

Symptoms:
During redistribution, any tool that uses session_lookup_all() via memcached will not produce all the expected output. For example, pem_sessiondump will miss some entries until the redistribution is done.

Conditions:
-- On a chassis system.
-- Immediately after adding or removing a blade.
-- Any tool that uses session_lookup_all() via memcached.

Impact:
Temporary missing entries.

Workaround:
Wait until the system stabilizes after adding/removing a blade. (Generally, 30 seconds.)


663874-1 : Off-box HSL logging does not work with PEM in SPAN mode.

Solution Article: K77173309

Component: Policy Enforcement Manager

Symptoms:
While on-box HSL logging works, off-box HSL logging does not work with PEM in SPAN mode.

Conditions:
-- PEM in SPAN mode.
-- Off-box HSL logging is configured.

Impact:
Cannot use off-box HSL logging with PEM in SPAN mode; must use on-box HSL logging instead.

Workaround:
There is no workaround at this time.


662725 : tmsh kernel default log levels does not match documentation

Component: TMOS

Symptoms:
The actual tmsh default was 'notice', but was changed to 'debug' so that the kern.log files in qkviews are complete. This was done so that, when diagnosing issues, Support has all the information in terms of kernel output.

This documentation discrepancy is a non-functional change that should have been made in 11.5.0, when the actual default value was changed.

Conditions:
None.

Impact:
None.

Workaround:
None.


660654 : 'epsec refresh' works incorrectly if install package is deleted

Component: Access Policy Manager

Symptoms:
If the install EPSEC package is deleted before running the 'epsec refresh' command, the existing EPSEC version is refreshed instead of the new version.

Conditions:
-- Upload and install EPSEC package with a later version than is on the system.
-- Delete the install package.
-- Run the command: epsec refresh.

Impact:
The existing system package is installed again (essentially, a rollback to the previous version).

Workaround:
Leave the install package on the system until after you run the epsec refresh command.


657822 : SMB monitor marks node down

Solution Article: K83148199

Component: Local Traffic Manager

Symptoms:
Server Message Block (SMB) monitor marks node down after upgrading.

Conditions:
-- The Samba server only accepts plaintext or LANMAN authentication.
-- The SMB monitor begins to fail after upgrading.

Impact:
Monitor marked down, impairing services.

Workaround:
Modify the /etc/samba/smb.conf and in the [global] section, add the following lines:

client ntlmv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes


657223 : When triggered by a DHCP Lease query, subscriber ID with DHCP Option 37/38 is not supported.

Component: Policy Enforcement Manager

Symptoms:
If configured to include DHCP Option 37/38, the subscriber ID field will be empty.

Conditions:
A DHCP Lease query uses a DHCP virtual server that has Option 37 or Option 38 configured as part of the subscriber ID.

Impact:
Creation of subscribers with empty subscriber ID.

Workaround:
Do not use Option 37 or Option 38 as part of the subscriber ID in a DHCP virtual server that is to be used by a DHCP Lease query.


654438 : Unclear error string when setting invalid score values

Component: TMOS

Symptoms:
Setting an invalid score value (for example, a rule score or automatic transaction score) generates an unclear error in which the maximum value is printed as a character (the ASCII character whose code is the maximum; 'd' is 100 in the following example):

The value (144) is outside the acceptable value set [value equal to or less than d].

The message should read: The value (144) is outside the acceptable value set [value equal to or less than 100].

Conditions:
Setting invalid score value in tmsh (not in GUI).

Impact:
Misleading error message is posted. The impact is minimal. The correct value is used, it's just not displayed correctly in the error message.

Workaround:
Use GUI to get the appropriate error message.


653418-1 : Host Processor Superuser keys in /root/.ssh/authorized_keys no longer necessary

Component: TMOS

Symptoms:
Keys with the name 'Host Processor Superuser' are still present in /root/.ssh/authorized_keys, but are no longer used by supported BIG-IP versions.

Conditions:
Running any currently supported version of BIG-IP software.

Impact:
The keys' presence is benign and there is no negative impact except for the confusion caused by wondering what these keys are for.

Workaround:
Keys with this label can be safely removed from the authorized_keys file manually.


651169 : The Dashboard does not show an alert when a power supply is unplugged

Component: Access Policy Manager

Symptoms:
The TMUI Dashboard's alert panel will not show any warning if the cord to one of the power supplies is unplugged.

Conditions:
One of the power supplies is unplugged.

Impact:
Watching the Dashboard will not alert the administrator to an unplugged power supply.

Workaround:
None.


648917-2 : Need to re-provision vCMP after upgrading to 13.1.x or later on the BIG-IP 10350F platform

Component: TMOS

Symptoms:
With vCMP provisioned, upgrading to 13.1.x or later release will not enable IOMMU support after the upgrade.

Conditions:
-- Upgrading to 13.1.x or later.
-- vCMP already provisioned.
-- Running on the BIG-IP 10350F platform.

Impact:
Guests will not have FIPS functionality until IOMMU is enabled.

Workaround:
Re-provision vCMP after the upgrade to enable IOMMU support.


648802-4 : Required custom AVPs are not included in an RAA when reporting an error.

Component: Policy Enforcement Manager

Symptoms:
Custom Attribute-Value-Pairs (AVPs) defined on the system will not be visible in a Re-Auth-Answer (RAA).

Conditions:
This occurs when the following conditions are met:
-- PEM enabled with Gx.
-- Custom AVPs configured.
-- PEM responds with an error code in an RAA against a Policy and Charging Rules Function (PCRF) triggered action.

Impact:
Lack of custom AVPs in such an RAA may result in loss of AVP dependent service.

Workaround:
There is no workaround at this time.


648264 : IPsec over iSession stops working after upgrading to 11.6.1 from 11.6.0

Component: TMOS

Symptoms:
IPsec over iSession stops working after upgrading from 11.6.0 to 11.6.1 or later.

Conditions:
-- IPsec over iSession configured.
-- Upgrade from 11.6.0 to 11.6.1 or later.

Impact:
IPsec over iSession does not work. This occurs because beginning in 11.6.1, the anonymous IKE-peer is disabled by default. This prevents IPsec over iSession from working.

Workaround:
To work around this issue, you can configure iSession to use one-sided iSession and IPsec NAT traversal. For more information, refer to the Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN chapter of the BIG-IP LTM BIG-IP TMOS: Tunneling and IPsec guide.

Impact of workaround: Performing the suggested workaround should not have a negative impact on your system.

Note: The Quick Start : Symmetric Properties of the Configuration utility is considered obsolete due to the lack of support for IKEv2. Using the encapsulation option as outlined in the Setting Up iSession and IPsec To Use NAT Traversal on One Side of the WAN chapter of the BIG-IP LTM BIG-IP TMOS: Tunneling and IPsec guide is meant for demonstration purposes using low security defaults. This configuration is not recommended for use in production environments.

Important: Configuring IPsec IKEv1 with the anonymous IKE-peer General Properties setting of State 'Enabled', can expose a known security vulnerability. This configuration should only be utilized when testing in a closed lab environment. For more information refer to: K10133477: BIG-IP IPsec IKE peer listener vulnerability CVE-2016-5736


643134 : Support IPv6 IP protocol 0(hopopt) in firewall rule

Solution Article: K76726444

Component: Advanced Firewall Manager

Symptoms:
You cannot configure a firewall rule for IPv6 IP protocol 0 (hopopt).

Conditions:
When you try to configure a firewall rule with IPv6 IP protocol hopopt or 0.

Impact:
AFM treats it as IP protocol any, not hopopt.
You cannot configure a firewall rule for IP protocol hopopt (0).

Workaround:
N/A


642276 : Addition of new blade puts software management in a degraded state.

Solution Article: K00713065

Component: TMOS

Symptoms:
When a new blade is inserted into a chassis that does not have HD1.1 populated, the software manager is sometimes unable to completely remove all logical volumes from the new blade's factory-installed HD1.1 volume set.

Conditions:
-- Adding a new blade in a chassis.
-- The 'HD1.1' slot does not exist in the cluster.

Impact:
No immediate impact, but you will not be able to install to HD1.1 in the future due to the undeleted logical volume left in the volume set.

Workaround:
1) Unmount the volume where the problem exists.
2) Remove the volume.
3) Restart the software manager.

Example, in shell:

First look in /var/log/liveinstall.log to find the name of the volume that still exists. You might see, for example:
'Can't remove open logical volume set.1._config'.

Then use the following cleanup commands, substituting in the volume name, as follows:

 umount /dev/vg-db-sda/set.1._config
 lvremove /dev/vg-db-sda/set.1._config
 bigstart restart lind


641450-6 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


639619-2 : UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).

Component: TMOS

Symptoms:
UCS created on 11.6.0 that contains a secure attribute DWBL (Dynamic White/Black lists) feed list fails to upgrade to 13.0.0 with AFM and LTM on Virtual Edition (VE).

Conditions:
-- 11.6.0 UCS.
-- AFM configured.
-- Running on VE.
-- DWBL configured.

Impact:
Cannot load UCS or upgrade to 13.0.0.

Workaround:
None.


638014 : ASM end users blocked due to 'ASM Cookie Hijacking' violation after upgrade.

Component: Application Security Manager

Symptoms:
ASM end users blocked due to 'ASM Cookie Hijacking' violation after upgrade.

Conditions:
- The ASM end user left the browser window open.
- The ASM admin upgrades the BIG-IP version to 13.0.0 or later.
- The previous software version was earlier than version 13.0.0.

Impact:
ASM end user is blocked for the first request. The next request will pass.

Workaround:
Alert ASM end users who encounter the 'ASM Cookie Hijacking' block to attempt their request an additional time.


636568 : LTM: Rateshaper: For all rate shaper deployment use pfifo and fred as default.

Component: Local Traffic Manager

Symptoms:
Using the SFQ Queue Method to create a rate class gives lower bandwidth than expected.

Conditions:
Rate shaper class created with SFQ.

Impact:
Lower bandwidth than configured.

Workaround:
Configure the rate shaper with pfifo instead of SFQ. Or, if the flow fairness is required, configure drop-policy to use fred.


635939 : Replacing scrubber virtual server / route domain causes incorrect scrubbing threshold

Component: Advanced Firewall Manager

Symptoms:
When replacing a scrubber virtual server or scrubber route domain, some of the scrubbing values are affected:

(1) Example of replacing the scrubber virtual server's 'vs-name' with 'VS2':
tmsh modify security scrubber profile scrubber-profile-default scrubber-virtual-server modify { vs1 { vs-name VS2 } }

(2) Where the affected values (Time to Live, Observed Rate) can be observed:
tmsh show security scrubber dwbl-scrubber-stat

Conditions:
You may encounter this when modifying a virtual or route domain containing a scrubber profile.

Impact:
The throughput capacity will be incorrect.

Workaround:
Instead of doing replace, do a delete/add:

tmsh modify security scrubber profile scrubber-profile-default scrubber-virtual-server delete { vs1 }
tmsh modify security scrubber profile scrubber-profile-default scrubber-virtual-server add { vs1 { vs-name VS2 } }


630269 : Support Substitute value in Ajax with application/x-www-form-urlencoded Content-Type

Component: Fraud Protection Services

Symptoms:
The Substitute value feature does not support Ajax requests with an application/x-www-form-urlencoded Content-Type.

Conditions:
The credentials validation Ajax POST request is sent with an application/x-www-form-urlencoded Content-Type.

Impact:
Pages that use Ajax requests with an application/x-www-form-urlencoded Content-Type cannot use the Substitute value feature.

Workaround:
None.


626403 : iOS receiver optional two factor auth slider is not displayed

Component: Access Policy Manager

Symptoms:
While adding a Citrix store account in the iOS Citrix Receiver, the Receiver prompts for credentials based on the access policy's "Citrix Logon Prompt" agent. It does not display the slider option that would make the second factor optional.

Conditions:
Citrix APM is configured in replacement mode with "Citrix Logon Prompt" agent or "session.citrix.client_auth_type" variable assign is defined.

Impact:
The client auth type cannot be optional; it is either two-factor or single-factor.

Workaround:
- Remove "Citrix Logon Prompt" and use regular "Logon Page".
- Do not use "session.citrix.client_auth_type".
- Attach the following iRule to the virtual server used for Store access.

# optional two factor auth workaround.
when HTTP_REQUEST {
    set uri_path [string tolower [HTTP::path]]
    if { $uri_path == "/vpn/index.html" } {
        HTTP::respond 200 -version auto content "/vpn/" noserver
    } elseif {$uri_path == "/agservices/discover"} {
        HTTP::respond 302 -version auto noserver Location "/vpn/index.html"
    }
}


620053-3 : Gratuitous ARPs may be transmitted by active unit going offline

Component: Local Traffic Manager

Symptoms:
When the cluster's active unit goes offline, the non-primary blades may send gratuitous ARPs.

Conditions:
The cluster's active unit goes offline.

Impact:
Potential impact to traffic if the gratuitous ARPs from the blade going offline are received before those from the unit taking over as primary, or if gratuitous ARPs are rate-limited on upstream or downstream devices.

Workaround:
Fail over the cluster before forcing it offline, or configure MAC masquerading.


612870 : No monitor displayed for 'tmsh show monitor' and 'tmsh show monitor <monitor_type>'

Component: Local Traffic Manager

Symptoms:
The command 'tmsh show monitor <monitor_type> <monitor_name>' correctly displays the several monitor instances of that monitor type-and-name. However, omitting either '<monitor_type>' or '<monitor_name>' displays no output (not even an error message), which may result in an incorrect conclusion that no monitor instances exist.

Conditions:
The user issues the command 'tmsh show monitor <monitor_type> <monitor_name>' but omits one of '<monitor_type>' or '<monitor_name>' (thereby resulting in no monitors displayed when monitor instances exist).

Impact:
User may incorrectly conclude no monitor instances exist, when in fact the command was insufficiently formed.

Workaround:
User should issue the complete command 'tmsh show monitor <monitor_type> <monitor_name>'.


611424 : iControl-REST object member stats query produces incorrectly nested JSON when object not specified with full path

Solution Article: K11322409

Component: TMOS

Symptoms:
When using a non-fully-pathed name in iControl-REST in a call to stats (e.g., pool/p1/members/stats) the resulting response JSON contains incorrectly nested objects.

Conditions:
This occurs when an iControl query is made for stats for member objects without specifying the full object path.

Impact:
The response JSON contains incorrectly nested stats content.

Workaround:
Use the fully-qualified path, including the partition where the object resides (e.g., pool/~Common~p1/members/stats).


606983-1 : ASM errors during policy import

Component: Application Security Manager

Symptoms:
Import failure when importing ASM policy with many Session Awareness Data Points.

ASM logs errors similar to the following:
-- crit g_server_rpc_handler_async.pl[10933]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Could not update the Export Policy Task 'Export Policy Task (1469519765.114479)'. DBD::mysql::db do failed: Got a packet bigger than 'max_allowed_packet' bytes.

Conditions:
-- ASM provisioned.
-- Session Awareness enabled.
-- Many (more than 1000) active Session Awareness 'Block All' data points are present.
-- Export a policy.
-- Import the same policy.

Impact:
asm_config_server crash occurs. asm_config_server recovers automatically, within ~15-30 seconds.

Workaround:
Either release all Session Awareness Data Points before export, or remove them from the exported policy before importing it back.


606032-4 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to set up high availability (HA) in Amazon Web Services (AWS) with only one network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


602708-5 : Traffic may not pass through CoS by default

Solution Article: K84837413

Component: Local Traffic Manager

Symptoms:
Traffic being forwarded by TMM may not pass through the Class of Service (CoS) value it was received with.

Conditions:
-- IP forwarding Virtual server.
-- Traffic received with priority other than 3.

Impact:
Traffic is set to L2 QoS priority 3 and may cause issues on other networking devices.

Workaround:
Create a default CoS configuration or apply L2 QoS settings in the FastL4 profile.


602243 : Sync only device-group, with ASM sync enabled, triggers config conflicts

Component: Application Security Manager

Symptoms:
ASM configuration is partially synced or causes conflicting changes in the sync-only device group where ASM sync is enabled.

Conditions:
-- High availability (HA) configuration with two device groups: sync-failover and sync-only.
-- The sync-failover device group has auto-sync disabled, while the sync-only device group has auto-sync enabled (or vice versa).
-- ASM sync is enabled on the sync-only device group.

Impact:
ASM configuration is not properly synced or causes conflicting changes in the device group.

Workaround:
Either have a single sync-failover device group with ASM sync enabled for it, or set auto-sync for both the sync-failover device group and the sync-only device group to the same value: enabled or disabled.


598917-1 : TMSH and GUI might display a common name different from the one used by the system and displayed in the past.

Component: TMOS

Symptoms:
When the certificate contains multiple common names in its subject, TMSH/GUI might display a different one from the one used by the system. This behavior is also inconsistent with that of earlier versions.

Conditions:
When the certificate contains multiple common names in its subject.

Impact:
When the server name (SNI) is not configured in a clientSSL profile, the system uses the common name of the profile's certificate as its server name, and uses it to match/look up clientSSL profiles when the SSL client specifies SNI in the ClientHello. So when the clientSSL profile uses a certificate with multiple common names in the subject, the system might display a different common name from the one that is actually used to match/look up clientSSL profiles whose server name is not configured.


594064-6 : tcpdump with :p misses first few packets on forwarding (UDP, FastL4) flows.

Solution Article: K57004151

Component: Local Traffic Manager

Symptoms:
When the tcpdump utility is used with the ':p' modifier, it appears that the first few serverside packets are not captured.

Conditions:
-- Using the ':p' modifier with the tcpdump utility to capture serverside flows associated with clientside flows that match a tcpdump filter.
-- FastL4 or standard virtual server UDP flows are being captured.

Impact:
Typically, the peer flow will not be captured until the second packet is processed on the original flow that is captured by the tcpdump filter. Although there is no operational impact, it might cause confusion when looking for serverside traffic when capturing using a command similar to the following: tcpdump -i <vlan>:p host <client-ip>

Typical examples of missing packets include:
  -- Serverside SYN and SYN-ACK from FastL4 TCP traffic.
  -- All serverside packets for single-packet request/reply traffic, e.g., DNS request/reply.

Workaround:
Specify a filter that includes serverside traffic (e.g., include pool member addresses as 'host <addr>').


592504-1 : False positive illegal length violation can appear

Component: Application Security Manager

Symptoms:
A false positive illegal length violation.

Conditions:
A chunked request where the request length is more than half of the configured max request length.

Impact:
False positive illegal length violation.

Workaround:
Configure a higher maximum request length.


588521-1 : Port/Protocol packet filter might fail to capture IPv6 fragments.

Solution Article: K93066363

Component: Local Traffic Manager

Symptoms:
Port/Protocol packet filter might fail to capture IPv6 fragments.

Conditions:
This can occur under the following conditions:
- Virtual server is configured to use packet filters.
- Packet filter is based on a port number.
- Filter default action is discard.
- IPv6 protocol is being used.

Impact:
The BIG-IP system will not be able to process IPv6 traffic.

Workaround:
For IPv6, instead of using a rule such as 'dst port 50000', filter on the raw fragment header offsets (ip6[6] is the next-header field of the IPv6 header, ip6[40] the next-header field of the fragment header, and ip6[50:2] the two-byte UDP destination port that follows it), for example:
'((udp dst port 50000) or (ip6[6]=44 and ip6[40]=17 and ip6[50:2]=50000))'.


587804 : Symmetric Unit Key decrypt failure on base load

Component: TMOS

Symptoms:
On initial boot of VIPRION blade, before the blade is licensed, you may see the following error message in /var/log/ltm:

err mcpd[5015]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure

Conditions:
It is not yet known what the conditions are that trigger this error.

Impact:
This occurs on initial boot of the VIPRION blade, prior to licensing the device. After licensing, this error does not occur.

Workaround:
None. If this error is reported on first boot, but can otherwise be licensed, it can be safely ignored. If this occurred after loading a ucs file, see SOL13132: Backing up and restoring BIG-IP configuration files at https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html for more information on this error.


583306-1 : Using management port as config sync address might allow its deletion.

Component: TMOS

Symptoms:
If you assign the management port as a config sync address, it's possible to later delete the management port without error. This causes quite a few problems in multiple places (updating the sys_device, adding devices to trust, etc.)

Conditions:
The management-ip is configured as a config sync address.

Impact:
The management-ip can be deleted.

Workaround:
None, other than do not delete management-ip when it's configured as a config sync address.


574095 : Invalid characters allowed in hostname

Component: TMOS

Symptoms:
The hostname is not RFC 952/RFC 1123 compliant.

Conditions:
The hostname contains characters that make it non-compliant with RFC 952/RFC 1123; the system does not reject them.

Impact:
The hostname is not RFC 952/RFC 1123 compliant.

Workaround:
Do not add characters to the hostname that make it non-compliant with RFC 952/RFC 1123.
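Because the system does not enforce the RFC 952/RFC 1123 hostname rules itself, a check before the name is pushed is useful. The following is an added example, not F5 code; it applies the RFC 1123 section 2.1 label rules (letters, digits and hyphens, no leading or trailing hyphen, 63-octet labels, 253-character names, and a non-numeric top-level label) and reports every problem it finds.

```python
import re

# RFC 952 as relaxed by RFC 1123 section 2.1: a label is 1-63 octets of
# letters, digits and hyphens and may neither start nor end with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_MAX_NAME = 253   # 255 octets on the wire minus the length/root octets


def hostname_problems(hostname: str) -> list:
    """Return a list of human-readable RFC 952/1123 violations (empty if compliant)."""
    problems = []
    # A single trailing dot (fully-qualified form) is permitted and ignored.
    name = hostname[:-1] if hostname.endswith(".") else hostname
    if not name:
        return ["hostname is empty"]
    if len(name) > _MAX_NAME:
        problems.append(f"hostname is {len(name)} characters, limit is {_MAX_NAME}")
    labels = name.split(".")
    for pos, label in enumerate(labels, 1):
        if not label:
            problems.append(f"label {pos} is empty (consecutive or leading dot)")
        elif len(label) > 63:
            problems.append(f"label {pos} is {len(label)} octets, limit is 63")
        elif label.startswith("-") or label.endswith("-"):
            problems.append(f"label {pos} '{label}' starts or ends with a hyphen")
        elif not _LABEL.match(label):
            bad = sorted(set(c for c in label if not re.match(r"[A-Za-z0-9-]", c)))
            problems.append(f"label {pos} '{label}' contains invalid characters: {bad}")
    # RFC 1123 2.1: the highest-level label must not be all-numeric, so that a
    # hostname can never be confused with a dotted-decimal IPv4 address.
    if labels[-1].isdigit():
        problems.append(f"top-level label '{labels[-1]}' is all-numeric")
    return problems


def is_rfc1123_hostname(hostname: str) -> bool:
    """True when hostname_problems() finds nothing to complain about."""
    return not hostname_problems(hostname)


if __name__ == "__main__":
    # Constructed sample names: one compliant, the rest each break one rule.
    for candidate in ["bigip1.example.com", "big_ip.example.com",
                      "-bigip.example.com", "bigip..example.com", "10.0.0.1"]:
        print(candidate, "->", hostname_problems(candidate) or "OK")
```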


571651-5 : Reset Nitrox3 crypto accelerator queue if it becomes stuck.

Solution Article: K66544028

Component: Local Traffic Manager

Symptoms:
Certain configuration parameters used during an SSL handshake can elicit a 'queue stuck' message from the accelerator. When this happens, the /var/log/ltm log file will contain a message similar to the following:

    'n3-cryptoX request queue stuck'.

Conditions:
The BIG-IP system uses Nitrox 3 encryption hardware to perform SSL encryption.

An SSL handshake sent to the BIG-IP system is incorrectly configured or contains bad information.

Impact:
In-flight and queued contexts for the specific accelerator are dropped. After device recovery, new requests will be accelerated.

Workaround:
Disable crypto acceleration.


569715 : BOLT client browser is recognized incorrectly

Component: WebAccelerator

Symptoms:
BOLT browser is recognized as Safari which may cause a web page rendering issue.

Conditions:
BIG-IP must have AAM module provisioned and have a policy with ICC enabled attached to a virtual.

Impact:
When a user with the BOLT client accesses the website, AAM may use a feature not supported by that client, which might cause incorrect rendering of the web page.

Workaround:
Disable ICC.


569714 : Maxthon browser is recognized as Chrome

Component: WebAccelerator

Symptoms:
The Maxthon browser is recognized as Chrome, which may cause a web page rendering issue.

Conditions:
BIG-IP must have AAM module provisioned and have a policy with image optimization enabled attached to a virtual.

Impact:
When a user with the Maxthon client accesses the website, AAM can convert images to WebP format, which the client does not recognize. This causes incorrect rendering of the web page.

Workaround:
Disable conversion to WebP.


569713 : Puffin browser is recognized as Chrome

Component: WebAccelerator

Symptoms:
The Puffin browser is recognized as Chrome, which may cause a web page rendering issue.

Conditions:
BIG-IP must have AAM module provisioned and have a policy with image optimization enabled attached to a virtual.

Impact:
When a user with the Puffin client accesses the website, AAM can convert images to WebP format, which the client does not recognize. This causes incorrect rendering of the web page.

Workaround:
Disable conversion to WebP.


567617 : Database Changes not Propagated to All Blades

Component: WebAccelerator

Symptoms:
Using the TMSH interface to change a DB variable does not always result in propagating the value change to all blades.

Conditions:
In a clustered configuration, a change to the sys db wam.cache.range.maxranges value will be applied to the primary blade, but not to the secondary blades.

Impact:
Traffic could be processed differently on one blade vs another.


565668 : PEM session usage via iRules immediately following PEM session creation via iRules may result in the usage not working as expected.

Component: Policy Enforcement Manager

Symptoms:
PEM session usage via an iRule command may not work.

Conditions:
iRule that creates a PEM session and uses the session via iRule commands.

Impact:
iRule failure.

Workaround:
Add a small delay after PEM session creation via iRules.


562997 : TMM may leak memory when renaming pools

Component: TMOS

Symptoms:
As a result of a known issue, TMM may leak memory if a pool containing pool members is renamed.

Conditions:
- Pool with poolmembers.
- Move operation is enabled via sys db key.
- Pool is renamed.

Impact:
TMM may leak memory associated with pools and pool members.

Workaround:
Do not use move operation; fully delete/recreate pools if renaming is needed.


560889 : Some User-Agent strings are parsed incorrectly resulting in a wrong browser family

Component: WebAccelerator

Symptoms:
When AM is configured for image optimization, it may need to determine the browser type in order to apply browser-specific optimizations. An incorrect browser family may result in an inapplicable optimization being used. For example, if Internet Explorer is recognized as Chrome, it may be served an optimized image in WebP format instead of JPEG.

Conditions:
An optimization that depends on the browser type, e.g., image optimization, is configured in the AM policy.

Impact:
The client's browser may not render the page correctly.

Workaround:
Disable the appropriate optimization.


560820 : ICC may behave incorrectly when used with the IEMobile client

Component: WebAccelerator

Symptoms:
When the IEMobile client connects to BIG-IP through an AAM policy where ICC is enabled, the client may receive an incorrect response.

Conditions:
BIG-IP has AAM provisioned and a policy with ICC enabled is attached to a virtual. The IEMobile client connects via this virtual.

Impact:
A page may be rendered incorrectly.

Workaround:
Disable ICC.


560429 : LTM iRule table set command cannot always set value of record with extremely short timeout

Component: TMOS

Symptoms:
If you have a record with an extremely low timeout value and you attempt to constantly set/reset the value, you may intermittently attempt to access the record while it is expired, in which case the value you attempt to set it to is not accepted.

Conditions:
Using table set command with a timeout of less than 8 seconds.

Impact:
iRule operates incorrectly.

Workaround:
Refresh the timeout on the entry before attempting to set it, via table lookup.


558969 : Optimization to JPEG-XR fails on Edge browsers

Component: WebAccelerator

Symptoms:
When image optimization to convert to JPEG-XR is enabled and an Edge client connects to BIG-IP, the client does not receive the optimized image, even though the policy is configured and the DB variable ccdb.allow.edge.jpegxr is set to "true".

Conditions:
BIG-IP has AAM provisioned and a policy with image optimization to convert to JPEG-XR option enabled is attached to a virtual. An Edge client connects via this virtual.

Impact:
JPEG-XR is expected to consume less throughput, so the rendering of pages with multiple images may be affected.


558952 : Edge Mobile browser is recognized as Chrome

Component: WebAccelerator

Symptoms:
The Edge Mobile browser is recognized as Chrome, causing a web page rendering issue.

Conditions:
BIG-IP must have AAM module provisioned and have a policy with image optimization enabled attached to a virtual.

Impact:
When a user with the Edge Mobile client accesses the website, AAM can convert images to WebP format, which the client does not recognize. This causes incorrect rendering of the web page.

Workaround:
Disable conversion to WebP.


556785 : Not all HTTP transactions make it through, due to iRule failures, when FastL4 is enabled.

Component: Policy Enforcement Manager

Symptoms:
Some HTTP transactions are dropped.

Conditions:
Occurs in the following scenario:
- PEM is configured on an HTTP virtual.
- A transactional policy is configured.
- An iRule that is triggered per transaction is attached to the HTTP virtual, and FastL4 is enabled.

Impact:
Can result in dropped flows.

Workaround:
Avoid enabling FastL4 when iRules are present in this scenario.


555229 : Transactional PEM policies without an HTTP profile on the virtual server do not result in transactional classification.

Component: Policy Enforcement Manager

Symptoms:
Transactional HTTP flows will be classified only on the first transaction.

Conditions:
Virtual server with a PEM profile, classification profile, no HTTP profile, and transactional PEM policy.

Impact:
PEM actions that differ between transactions for a flow will not take effect. Instead, the flow adheres to the PEM actions against the first transaction.

Workaround:
Add an HTTP profile to the virtual server if transactional flows need to be evaluated for each transaction.


554625 : Datagroups have a large impact on configuration save times

Component: TMOS

Symptoms:
Configurations with a high number of datagroups take unexpectedly long to save. When the configuration contains 1000+ datagroups, the save time is near 60 seconds.

Conditions:
This issue occurs when:
 - The configuration contains a significant number of datagroups.
 - The system is running v11.0.0 or later.

Impact:
Increased save time.

Workaround:
None.


547581 : iControl REST: Errors may occur when fetching large number of objects using iControl REST API

Solution Article: K01444423

Component: TMOS

Symptoms:
iControl REST: Errors may occur when fetching a large number of objects using the iControl REST API. Symptoms may include a timeout error (typically after 60 seconds) or a Java OOM (out-of-memory) error.

Conditions:
This may happen when the control plane is stressed in terms of CPU and memory usage, for example, when trying to load 20 KB rules.

Impact:
iControl REST API is non-responsive or unusable.

Workaround:
Use pagination when getting a large number of objects, by using OData's $skip and $top query parameters. For example, to get the first 100 tm/ltm/pool objects:

HTTP method: GET
URI: https://localhost/mgmt/tm/ltm/pool?$skip=0&$top=100
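The following is an added example of that paging loop, not F5 code. It walks an iControl REST collection in $top-sized pages until a short page is returned; the HTTP layer sits behind a fetch callable so the loop can be exercised offline against a constructed stand-in for /mgmt/tm/ltm/pool, and a urllib-based fetch (host, credentials and certificate handling are assumptions supplied by the caller) is included for a real unit.

```python
"""Page through an iControl REST collection with OData $skip/$top."""
import base64
import json
import ssl
import urllib.request
from typing import Callable, Dict, Iterator, List

Fetch = Callable[[str], Dict]  # maps a request URI to the decoded JSON body


def paged_uri(collection_uri: str, skip: int, top: int) -> str:
    """Append $skip/$top to a collection URI, keeping any existing query string."""
    sep = "&" if "?" in collection_uri else "?"
    # '$' is left literal, exactly as in the documented workaround URI.
    return f"{collection_uri}{sep}$skip={skip}&$top={top}"


def iter_collection(fetch: Fetch, collection_uri: str, page_size: int = 100) -> Iterator[Dict]:
    """Yield every item of a collection, requesting page_size objects per call.

    Stops when a page comes back short or empty. An empty iControl REST
    collection omits the 'items' key entirely, so default to [].
    """
    if page_size < 1:
        raise ValueError("page_size must be >= 1")
    skip = 0
    while True:
        body = fetch(paged_uri(collection_uri, skip, page_size))
        items: List[Dict] = body.get("items", [])
        yield from items
        if len(items) < page_size:
            return
        skip += page_size


def pool_names(fetch: Fetch, page_size: int = 100) -> List[str]:
    """Collect the fullPath of every pool, pulled page by page."""
    return [p["fullPath"] for p in iter_collection(fetch, "/mgmt/tm/ltm/pool", page_size)]


def urllib_fetch(host: str, user: str, password: str, verify_tls: bool = True) -> Fetch:
    """Fetch callable for a real BIG-IP (assumed reachable on host) using basic auth.

    verify_tls=False is only for lab units that still carry a self-signed certificate.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(uri: str) -> Dict:
        req = urllib.request.Request(f"https://{host}{uri}",
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return fetch


def fake_collection(count: int) -> Fetch:
    """Constructed stand-in for /mgmt/tm/ltm/pool with `count` pools that honours $skip/$top.

    The returned callable records every request URI in its .calls list so a
    caller can confirm how many round trips the paging loop made.
    """
    pools = [{"kind": "tm:ltm:pool:poolstate", "name": f"pool{i}",
              "fullPath": f"/Common/pool{i}"} for i in range(count)]

    def fetch(uri: str) -> Dict:
        fetch.calls.append(uri)
        query = dict(part.split("=", 1) for part in uri.split("?", 1)[1].split("&"))
        skip, top = int(query["$skip"]), int(query["$top"])
        page = pools[skip:skip + top]
        body = {"kind": "tm:ltm:pool:poolcollectionstate", "selfLink": uri}
        if page:  # an empty page carries no 'items' key, as on a real unit
            body["items"] = page
        return body
    fetch.calls = []
    return fetch


if __name__ == "__main__":
    # Offline demo: 250 constructed pools in pages of 100 -> three requests (100, 100, 50).
    demo = fake_collection(250)
    print(len(pool_names(demo)), "pools in", len(demo.calls), "requests")
```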


539809 : Debug header may show misleading information when Symmetric deployment is configured

Component: WebAccelerator

Symptoms:
X-WA-Info header shows that a response was served from a remote BIG-IP while it was served from the central BIG-IP.

Conditions:
BIG-IP is configured as the central device in an AAM Symmetric Deployment, and a policy node allows caching of a compressed response. After the response is cached, the X-WA-Info header shows that the response was served from a remote BIG-IP for subsequent requests.

Impact:
The information is misleading and may cause confusion when interpreting the HTTP request/response flow. The debug header must be matched against the BIG-IP configuration to extract the correct information. If the traffic capture is separated from the configuration snapshot, the chance of a mistake during analysis increases.

Workaround:
Although this header is misleading, it still contains useful information, which can be extracted and confirmed against a configuration snapshot.


500402 : 'Data publisher not found or not implemented' mcpd error message when iRule is loaded from tmsh.

Solution Article: K33178590

Component: TMOS

Symptoms:
'Data publisher not found or not implemented' mcpd error message when an iRule is loaded from tmsh. The system posts the following mcpd error message in the ltm log when an iRule is loaded from tmsh: err mcpd[5834]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (6589).

Conditions:
When merging config files, the error message may appear in the system log.

Impact:
There is no functional impact observed.

Workaround:
Manually edit and merge config files.


494258 : TMSH setting certain values for 'ip-protocol' has incorrect behavior

Component: TMOS

Symptoms:
Using TMSH to set certain values for 'ip-protocol' does not set the expected value. For example, setting 'ip-protocol' value to 'any', 'ip', 'hopopt', the value for 'ip-protocol' may be set incorrectly. This occurs because TMSH cannot determine the exact mapping because of the one-to-many relationship (for example: 0 maps to 'any', to 'ip', and to 'hopopt').

Conditions:
TMSH commands for setting 'ip-protocol'.

Impact:
The system does not set the expected value. For example, if you specify 'ipv6-auth', tmsh lists it as 'ah'.
Specifying 'ipv6-crypt' results in 'esp'.
Specifying 'esp' results in 'ipv6-crypt'.
Specifying 'ah' results in 'ipv6-auth'.
Specifying 'hopopt' results in 'any'.
Specifying 'ip' results in 'any'.

Workaround:
None.


488915 : If you configure the remote user authentication server such as LDAP, make sure it is available.

Component: TMOS

Symptoms:
If the authentication server is not available (for example, it fails to respond to ping) and you create or modify a user in TMSH and set a password, TMSH appears to hang for more than 60 seconds. Any outstanding GUI sessions might also time out.

Note: If you are adding/modifying a user and not setting a password there is no problem.

Conditions:
-- The authentication server is not available (such as failure to respond to ping).
-- Creating/modifying a user in TMSH and setting a password.

Impact:
TMSH appears to hang for more than 60 seconds. Any outstanding GUI sessions might also time out.

Workaround:
None.


481235 : Rare Watchdog Restart of TMM and Datastor

Component: TMOS

Symptoms:
The TMM and Datastor get killed and restarted by the watchdog process.

Conditions:
If the server pool is inadequate, or responses are too slow, datastor can experience a resource starvation problem.

Impact:
TMM and Datastor will be killed by the watchdog process.

Workaround:
None. This usually occurs when your server pool is experiencing problems, delays, or simply has too few servers to handle the load.


479670 : Status incorrect for vCMP host and guest with different blades as primary

Component: TMOS

Symptoms:
If a licensing operation happens when the vCMP host and a guest have different blades as primary, then the status might show an incorrect number of downed links.

Conditions:
vCMP host and guest have different blades specified as the primary.

Impact:
Although the system might report an incorrect number of downed links, this is a cosmetic issue. The system functions correctly.

Workaround:
Ensure that the host and guest have the same blades specified as the primary.


476010 : Inband monitor does not mark pool member offline as expected

Component: Local Traffic Manager

Symptoms:
The inband monitor might not cause pool members/pools to be marked offline after the expected number of failures.

Conditions:
A virtual server with an inband monitor.

Impact:
Traffic might be disrupted for a longer-than-expected period of time after a pool member goes offline. The issue might be more readily apparent when there is only one pool member.

Workaround:
None.


473787 : System might fail to unchunk server response when compression is enabled

Component: Local Traffic Manager

Symptoms:
If a BIG-IP virtual server is configured with a compression profile and either:

- an NTLM profile
- or an APM access policy

When a pool member sends a chunked (and uncompressed) HTTP response to the BIG-IP system (Transfer-Encoding: chunked), if the BIG-IP system compresses the payload, it does so without unchunking it.

This results in the BIG-IP system sending the client a malformed response that contains chunked encoding markers in the compressed content.

Conditions:
This issue occurs when the following conditions are met:
-- The NTLM and OneConnect profiles are applied to a virtual server. This can also be triggered when replacing the NTLM profile with an APM access policy configuration on the virtual server.
-- HTTP compression is enabled on the virtual server.

Impact:
HTTP responses to the client are malformed. When decompressed, the HTTP response payload incorrectly contains HTTP chunked encoding markers.

Workaround:
To work around this issue, you can either modify the type of response chunking or disable compression. For information on how to do so, see K14030: The BIG-IP system may fail to unchunk server responses when compression is enabled, available here: https://support.f5.com/csp/article/K14030.


472412 : When you force-offline a node, the associated pool member State shows Disabled, but behaves like it is Forced Offline.

Component: Local Traffic Manager

Symptoms:
When you force-offline a node, the associated pool member State shows 'Disabled (Only persistent or active connections allowed)', not 'Forced Offline (Only active connections allowed)' in the GUI.

Conditions:
Force-offline a node, and then view the associated pool member State.

Impact:
Existing persistence records disappear, and connections get load balanced to the available pool members, which is forced-offline behavior. The state of the pool member is shown as gray and 'disabled', not 'forced offline'.

Workaround:
None.


470264 : Tcpdump captures nothing when filtered by VLAN tag

Component: TMOS

Symptoms:
There is no output generated for tcpdump when filtered by the VLAN tag. Without the filter, output can be seen.

Conditions:
-- Use guest VLAN tagging.
-- Tcpdump with the VLAN tag filter.

Impact:
No output for tcpdump, which makes troubleshooting difficult.

Workaround:
Use tcpdump without the VLAN tag filter and then filter using standard Linux tools (e.g., grep).


439860 : Missing SNMP alerts for Virtual Server enabled/disabled.

Component: Local Traffic Manager

Symptoms:
When a user enables or disables a virtual server, no SNMP trap is sent, because no such trap exists. However, when a virtual server changes up/down state due to pool member monitoring, the traps are sent.

Conditions:
The BIG-IP system configured for sending SNMP traps.

Impact:
SNMP traps when a user manually enables/disables virtual servers are not sent.

Workaround:
None.


435592-1 : Error when creating or reconfiguring iApp Application Services: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())'

Component: TMOS

Symptoms:
Error when creating or reconfiguring iApp Application Services: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())'.

Conditions:
This occurs when the configuration contains a very large number of items that the iApp Template might be querying for (for example, a large number of pools).

Impact:
Cannot create or modify application services. The system posts the error message: Error parsing template:MCP call 'mcpmsg_set_string_item(msg, CID2TAG(m_cid), val.c_str())' failed with error: 16908375, 01020057:3: The string with more than 65535 characters cannot be stored in a message.


431480-6 : Under rare conditions, the TMM process may produce a core file and restart upon failover, with the Assertion 'laddr is not NULL' error message

Component: Local Traffic Manager

Symptoms:
Occasionally, you might encounter a situation in which tmm dumps a core, and the system writes to the logs a message similar to the following: notice panic: ../base/listener.c:1116: Assertion 'laddr is not NULL' failed.

Conditions:
The exact conditions that result in this error are unknown.

Impact:
Traffic is disrupted while tmm restarts.

Workaround:
This issue has no workaround at this time, but the system recovers without any user action.


222145 : Incorrect netmask is set for the wildcard network virtual server

Solution Article: K9747

Component: Local Traffic Manager

Symptoms:
The wildcard network virtual server does not process traffic.

Conditions:
An incorrect netmask is set for the wildcard network virtual server.

This issue occurs when all of the following conditions are met:

-- The Host option is selected when creating an IPv4 or IPv6 wildcard network virtual server.
-- The netmask of the wildcard network virtual server retains the default mask.

-- The default 32-bit netmask for an IPv4 wildcard network virtual server is set to 255.255.255.255.
-- The default 64-bit netmask for an IPv6 wildcard network virtual server is set to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Impact:
The wildcard network virtual server does not process traffic.

Workaround:
To work around this issue, you can apply the custom netmask of all zeros (ipv4 0.0.0.0, ipv6 0:0:0:0:0:0:0:0) when creating the wildcard network virtual server.


