Supplemental Document : BIG-IP 14.1.0.2 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.1.0

BIG-IP APM

  • 14.1.0

BIG-IP Analytics

  • 14.1.0

BIG-IP Link Controller

  • 14.1.0

BIG-IP LTM

  • 14.1.0

BIG-IP PEM

  • 14.1.0

BIG-IP AFM

  • 14.1.0

BIG-IP FPS

  • 14.1.0

BIG-IP DNS

  • 14.1.0

BIG-IP ASM

  • 14.1.0
Original Publication Date: 02/25/2019 Updated Date: 04/18/2019

BIG-IP Release Information

Version: 14.1.0.2
Build: 4.0

NOTE: This release includes fixes for the Spectre Variant 1 and Meltdown vulnerabilities (CVE-2017-5753, CVE-2017-5754).
In some configurations, installing software containing these fixes might impact performance. You can disable these fixes to recover performance. Please see K91229003 for additional Spectre and Meltdown information.

Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
724680-6 CVE-2018-0732 K21665601 OpenSSL Vulnerability: CVE-2018-0732
713806-8 CVE-2018-0739 K08044291 CVE-2018-0739: OpenSSL Vulnerability
699977-3 CVE-2016-7055 K43570545 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX


Functional Change Fixes

ID Number Severity Solution Article(s) Description
755641-1 2-Critical   Unstable asm_config_server after upgrade, 'Event dispatcher aborted'
744685-2 2-Critical   BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension
744188-1 2-Critical   First successful auth iControl REST requests will now be logged in audit and secure log files
703835-5 2-Critical   When using scp into BIG-IP, use must specify the target filename
745387-1 3-Major   Resource-admin user roles can no longer get bash access
739432 3-Major   F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems
738108-1 3-Major   SCTP multi-homing INIT address parameter doesn't include association's primary address
698376-5 3-Major   Non-admin users have limited bash commands and can only write to certain directories


TMOS Fixes

ID Number Severity Solution Article(s) Description
737910-4 1-Blocking   Security hardening on the following platforms
753642-1 2-Critical   iHealth may report false positive for Critical Malware
752835-2 2-Critical   Mitigate mcpd out of memory error with auto-sync enabled.
750580-1 2-Critical   Installation using image2disk --format may fail after TMOS v14.1.0 is installed
707013-3 2-Critical   vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest
702472-7 2-Critical   Appliance Mode Security Hardening
668041-4 2-Critical K27535157 Config load fails when an iRule comment ends with backslash in a config where there is also a policy.
621260-2 2-Critical   mcpd core on iControl REST reference to non-existing pool
757027-1 3-Major   BIND Update
757026-1 3-Major   BIND Update
757025-1 3-Major   BIND Update
753564-1 3-Major   Attempt to change password using /bin/passwd fails
751011-3 3-Major   ihealth.sh script and qkview locking mechanism not working
751009-3 3-Major   Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out
750661 3-Major   URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.
750447-3 3-Major   GUI VLAN list page loading slowly with 50 records per screen
749382-1 3-Major   Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater
746873-1 3-Major   Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing
745825-1 3-Major   The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading
745165-1 3-Major   Resource-Administrator role not allowed SFTP access
737536-2 3-Major   Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.
721585-1 3-Major   mcpd core processing ltm monitors with deep level of inheritance
639619-7 3-Major   UCS may fail to load due to Master key decryption failure on EEPROM-less systems
751636-1 4-Minor   Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership
737423-2 4-Minor   Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
754143-1 2-Critical K45456231 TCP connection may hang after finished
750292-2 2-Critical   TMM may crash when processing TLS traffic
747617-2 2-Critical   TMM core when processing invalid timer
742184-3 2-Critical   TMM memory leak
738945-4 2-Critical   SSL persistence does not work when there are multiple handshakes present in a single record
716714-4 2-Critical   OCSP should be configured to avoid TMM crash.
750200-3 3-Major   DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode
749294-4 3-Major   TMM cores when query session index is out of boundary
746131-4 3-Major   OpenSSL Vulnerability: CVE-2018-0732
745713-4 3-Major   TMM may crash when processing HTTP/2 traffic
744686-2 3-Major   Wrong certificate can be chosen during SSL handshake
743900-1 3-Major   Custom DIAMETER monitor requests do not have their 'request' flag set
739963-4 3-Major   TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup
739349-3 3-Major   LRO segments might be erroneously VLAN-tagged.
724327-2 3-Major   Changes to a cipher rule do not immediately have an effect
720219-3 3-Major K13109068 HSL::log command can fail to pick new pool member if last picked member is 'checking'
717896-4 3-Major   Monitor instances deleted in peer unit after sync
717100-1 3-Major   FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member
716167-2 3-Major   the value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bpq
704450-5 3-Major   bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration
703593-1 3-Major   TMSH tab completion for adding profiles to virtual servers is broken


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
756774-6 2-Critical   Aborted DNS queries to a cache may cause a TMM crash
756094-2 2-Critical   DNS express in restart loop, 'Error writing scratch database' in ltm log


Application Security Manager Fixes

ID Number Severity Solution Article(s) Description
752942-1 2-Critical   Live Update cannot be used by Administrator users other than "admin"
750922-1 2-Critical   BD crash when content profile used for login page has no parse parameters set
749136-1 2-Critical   Disk partition /var/log is low on free disk space
748321-1 2-Critical   bd crash with specific scenario
744347-4 2-Critical   Protocol Security logging profiles cause slow ASM upgrade and apply policy
721741-4 2-Critical   BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative
754420-1 3-Major   Missing policy name in exported ASM request details
754066-1 3-Major   Newly added Systems are not added as part of installing a Server Technologies update file
753295-1 3-Major   ASM REST: All signatures being returned for policy Signatures regardless of signature sets
750973-1 3-Major   Import XML policy error
750793-2 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750686-1 3-Major   ASE user cannot create or modify a bot signature.
750683-1 3-Major   REST Backwards Compatibility: Cannot modify enforcementMode of host-name
750668-1 3-Major   Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition
750666-1 3-Major   Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'
750356-2 3-Major   Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted
749500-1 3-Major   Improved visibility for Accept on Microservice action in Traffic Learning
749109-3 3-Major   CSRF situation on BIGIP-ASM GUI
748999-3 3-Major   invalid inactivity timeout suggestion for cookies
748848-2 3-Major   Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers
748409-2 3-Major   Illegal parameter violation when json parsing a parameter on a case-insensitive policy
747977-1 3-Major   File manually uploaded information was not synced correctly between blades
747777-3 3-Major   Extractions are learned in manual learning mode
747550-3 3-Major   Error "This Logout URL already exists!" when updating logout page via GUI
746750-1 3-Major   Search Engine get Device ID challenge when using the predefined profiles
746298-1 3-Major   Server Technologies logos all appear as default icon
745813-1 3-Major   Requests are reported to local log even if only Bot Defense remote log is configured
745624-1 3-Major   Tooltipls for OWASP Bot Categories and Anomalies were added
745607-1 3-Major   Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly
745531-2 3-Major   Puffin Browser gets blocked by Bot Defense
742852-1 3-Major   Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header
739945-4 3-Major   JavaScript challenge on POST with 307 breaks application
738676-1 3-Major   Errors when trying to delete all bot requests from "Security :: Event Logs : Bot Defense : Bot Requests"
737866-2 3-Major   Rare condition memory corruption
754365-5 4-Minor   Updated flags for countries that changed their flags since 2010
721724-1 4-Minor   LONG_REQUEST notice print was fixed in BD log


Application Visibility and Reporting Fixes

ID Number Severity Solution Article(s) Description
746941-2 2-Critical   avrd memory leak when BIG-IQ fails to receive stats information
753446-2 3-Major   avrd process crash during shutdown if connected to BIG-IQ
749464-2 3-Major   Race condition while BIG-IQ updates common file
749461-2 3-Major   Race condition while modifying analytics global-settings
745027-2 3-Major   AVR is doing extra activity of DNS data collection even when it should not
744595-3 3-Major   DoS-related reports might not contain some of the activity that took place
744589-3 3-Major   Missing data for Firewall Events Statistics
715110-1 3-Major   AVR should report 'resolutions' in module GtmWideip


Access Policy Manager Fixes

ID Number Severity Solution Article(s) Description
752592-1 2-Critical   VMware Horizon PCoIP clients may fail to connect shortly after logout
754346-2 3-Major   Access policy was not found while creating configuration snapshot.
746771-3 3-Major   APMD recreates config snapshots for all access profiles every minute
745654-4 3-Major   Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server
743437-3 3-Major   Portal Access: Issue with long 'data:' URL


Service Provider Fixes

ID Number Severity Solution Article(s) Description
749603-1 3-Major   MRF SIP ALG: Potential to end wrong call when BYE received
749227-1 3-Major   MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE
748043-2 3-Major   MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP
747187-2 3-Major   SIP falsely detects media flow collision when SDP is in both 183 and 200 response
746825-1 3-Major   MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls
745715-2 3-Major   MRF SIP ALG now supports reading SDP from a mime multipart payload
745628-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message
745514-1 3-Major   MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message
745404-4 3-Major   MRF SIP ALG does not reparse SDP payload if replaced
744949-1 3-Major   MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix
744275-1 3-Major   BIG-IP system sends Product-Name AVP in CER with Mandatory bit set
742829-1 3-Major   SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0


Advanced Firewall Manager Fixes

ID Number Severity Solution Article(s) Description
747104-1 1-Blocking K52868493 LibSSH Vulnerability: CVE-2018-10933
752363-2 2-Critical   Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled
749331-3 2-Critical   Global DNS DoS vector does not work in certain cases
747922-3 2-Critical   With AFM enabled, during bootup, there is a small possibility of a tmm crash
748176-1 3-Major   BDoS Signature can wrongly match a DNS packet
748081-1 3-Major   Memory leak in BDoS module
747926-2 3-Major   Rare TMM restart due to NULL pointer access during AFM ACL logging


Policy Enforcement Manager Fixes

ID Number Severity Solution Article(s) Description
726647-5 3-Major   PEM content insertion in a compressed response may truncate some data


Carrier-Grade NAT Fixes

ID Number Severity Solution Article(s) Description
749879-2 3-Major   Possible interruption while processing VPN traffic


Fraud Protection Services Fixes

ID Number Severity Solution Article(s) Description
752782-1 3-Major   DataSafe Profiles" menu changed to "BIG-IP DataSafe
741449-3 4-Minor   alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts
738677-1 4-Minor   Configured name of wildcard parameter is not sent in data integrity alerts


Anomaly Detection Services Fixes

ID Number Severity Solution Article(s) Description
755378-1 2-Critical   HTTPS connection error from Chrome when BADOS TLS signatures configured
727136-1 3-Major   One dataset contains large number of variations of TLS hello messages on Chrome



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Solution Article(s) Description
745629 2-Critical   Ordering Symantec and Comodo certificates from BIG-IP
713817-1 3-Major   BIG-IP images are available in Alibaba Cloud
738891-1 4-Minor   TLS 1.3: Server SSL fails to increment key exchange method statistics


TMOS Fixes

ID Number Severity Solution Article(s) Description
746424 2-Critical   Patched Cloud-Init to support AliYun Datasource
745851 3-Major   Changed Default Cloud-Init log level to INFO from DEBUG
742251-1 4-Minor   Add Alibaba Cloud support to Qkview


Global Traffic Manager (DNS) Fixes

ID Number Severity Solution Article(s) Description
749774-5 3-Major   EDNS0 client subnet behavior inconsistent when DNS Caching is enabled
749675-5 3-Major   DNS cache resolver may return a malformed truncated response with multiple OPT records

 

Cumulative fix details for BIG-IP v14.1.0.2 that are included in this release

757027-1 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757026-1 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


757025-1 : BIND Update

Component: TMOS

Symptoms:
Upgrade BIND to 9.11.5-P4 per recommendation from ISC

Conditions:
GTM provisioned.

Impact:
BIND not up-to-date

Workaround:
None.

Fix:
Upgrade to BIND 9.11.5-P4


756774-6 : Aborted DNS queries to a cache may cause a TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
TMM may crash if an attempt is made to send a response to a TCP connection that has already been torn down.

Conditions:
TCP connections that are aborted before receiving a RESPONSE from a cache.

Impact:
Loss of service until TMM is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Aborted DNS queries to a cache no longer cause a TMM crash.


756094-2 : DNS express in restart loop, 'Error writing scratch database' in ltm log

Component: Global Traffic Manager (DNS)

Symptoms:
DNS express (zxfrd) daemon gets stuck in a restart loop with the messages:
-- In /var/log/ltm:
Error writing scratch database (no error information available), serving database is unchanged. zxfrd will exit and restart.
-- The system posts the following message on the command line every few seconds:
emerg logger: Re-starting zxfrd

Conditions:
An update to an SOA record (and only an SOA) is received through a incremental zone transfer update (IXFR).

Impact:
Zone updates from the DNS master servers are not processed.

Workaround:
As a partial workaround, the DNS express cache files can be removed, forcing zxfrd to pull the entire zone using an AXFR request. To do so, use the following commands, in sequence:

   bigstart stop zxfrd
   rm /shared/zxfrd/*
   bigstart start zxfrd

Note: DNS express will not be able to service DNS responses until the zone transfers have completed. For this reason, this procedure should be carried out on the standby device, if possible.

Fix:
The system now properly handles IXFRs that contain only starting and ending SOA RRs, and no other RRs.


755641-1 : Unstable asm_config_server after upgrade, 'Event dispatcher aborted'

Component: Application Security Manager

Symptoms:
Ignored suggestions for Multiple decoding or HTTP Protocol Settings present after upgrading a unit to 14.1.0 can cause the asm_config_server and pabnagd processes to enter restart loops.

Conditions:
1) On a 13.1.x system send traffic that will generate suggestions for Max Decoding Passes, Maximum Headers, and/or Maximum Parameters.
2) Set those Suggestions to be Ignored.
3) Upgrade to 14.1.0.

Impact:
-- Multiple asm_config_server restarts.
-- System instability, including inability to manage ASM settings or use traffic learning.
-- No local logging.

Workaround:
You can use either of the following workarounds:

A) Delete any such ignored suggestions using the following SQL command:
 > DELETE FROM PL_SUGGESTIONS WHERE element_type IN (7,193,75);

B) Delete any such ignored suggestions before upgrade using the GUI/REST/SQL.

Fix:
The system now handles removed Entity types during upgrade for Ignored Suggestions: Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade. You must reconfigure the Ignore settings after upgrade.

Behavior Change:
Refactoring in 14.1.0 modified the functionality of the following Entity types: Max Decoding Passes, Maximum Headers, and/or Maximum Parameters. Ignored suggestions for Multiple decoding or HTTP Protocol Settings are removed during upgrade, so you must reconfigure the Ignore settings after upgrade.


755378-1 : HTTPS connection error from Chrome when BADOS TLS signatures configured

Component: Anomaly Detection Services

Symptoms:
HTTPS connection error occurs. The system posts the following ltm.log warnings:

-- warning tmm1[25112]: 01260009:4: Connection error: ssl_basic_crypto_cb:694: Decryption error (20)
-- warning tmm1[25112]: 01260009:4: Connection error: hud_ssl_handler:1941: codec alert (20)

Conditions:
-- BADOS TLS signatures configured.
-- DoS profile is attached to a virtual server.
-- Using Google Chrome browser.

Impact:
HTTPS virtual server is not responsive.

Workaround:
Turn off TLS signatures flag.

Fix:
HTTPS connection error no longer occurs when connecting from Chrome to virtual server with TLS signature BADOS protection.


754420-1 : Missing policy name in exported ASM request details

Component: Application Security Manager

Symptoms:
No Policy name in exported ASM Request details

Conditions:
This is encountered when viewing the Security Events Report

Impact:
Missing policy name in request details

Workaround:
N/A

Fix:
Policy name is displayed in exported ASM request details


754365-5 : Updated flags for countries that changed their flags since 2010

Component: Application Security Manager

Symptoms:
Old flags for countries that changed their flags since 2010.

Conditions:
Requests from one of the following counties:
-- Myanmar
-- Iraq
-- Libya

Impact:
Old flag is shown.

Workaround:
None.

Fix:
The three flags are now updated in ASM.


754346-2 : Access policy was not found while creating configuration snapshot.

Component: Access Policy Manager

Symptoms:
APMD failed to create configuration snapshot with the following error:

Dec 28 14:21:50 bigip001 err apmd[16675]: 01490000:3: AccessPolicyProcessor/AccessPolicyProcessor.cpp func: "dispatchEvent()" line: 1195 Msg: EXCEPTION AccessPolicyProcessor/ProfileAccess.cpp line:234 function: snapshotConfigVariables - AccessPolicy ("/Common/myPolicy") not found while creating configuration snapshot!!!!

If you attempt to modify the policy in question, another error will show up:

Dec 28 16:59:44 bigip001 err apmd[16675]: 01490089:3: 00000000: Configuration change notification received for an unknown access profile: /Common/myPolicy

Conditions:
If TMM restarts and new access policy is added before TMM becomes up and running.

Impact:
Configuration snapshot will not be created and users will not be able to log on.

Workaround:
Recreate the access profile when TMM is stable.

Fix:
N/A


754143-1 : TCP connection may hang after finished

Solution Article: K45456231

Component: Local Traffic Manager

Symptoms:
TCP connections hang. Memory usage increases. TMM restarts.

Numerous hanging connections reported similar to the following:
-- config # tmsh show sys conn protocol tcp
Sys::Connections
165.160.21.1:5854 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5847 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5890 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5855 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none
165.160.21.1:5891 195.245.21.252:443 any6.any any6.any tcp 449 (tmm: 0) none none

Conditions:
Pool member fails to respond with an ACK to BIG-IP system serverside FIN. The BIG-IP system serverside connection eventually times out, and the clientside connection is orphaned.

Impact:
Those connections hang indefinitely (even past the idle timeout). Memory increases, eventually leading to a possible TMM out-of-memory condition, requiring a TMM restart. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TCP connections no longer hang under these conditions.


754066-1 : Newly added Systems are not added as part of installing a Server Technologies update file

Component: Application Security Manager

Symptoms:
Newly added Systems are not added as part of installing a Server Technologies update file, which prevents acceptance of Server Technology suggestion.

Conditions:
A Server Technology update file contained newly added Systems is installed.

Impact:
A suggestion to add a Server Technology using a newly added System cannot be accepted.

Workaround:
The corresponding ASM Signature update file must be loaded first.

Fix:
Newly added Systems are added correctly after installing Server Technology update file.


753642-1 : iHealth may report false positive for Critical Malware

Component: TMOS

Symptoms:
A minor change in the way qkview reports executable filenames may cause iHealth to interpret the presence of malware.

Conditions:
qkview files produced by 14.1.0 when uploaded to ihealth.f5.com

Impact:
iHealth may report a false positive for malware.

Workaround:
Ignore critical errors for malware reported by iHealth for version 14.1.0 only.

Fix:
This is fixed in 14.1.0.1


753564-1 : Attempt to change password using /bin/passwd fails

Component: TMOS

Symptoms:
When we run /bin/passwd as root:
passwd.bin: unable to start pam: Critical error - immediate abort
 Failed to change user's password. Exiting.

If we then do /bin/ausearch -m avc -ts recent, we see a lot of selinux denials for passwd.bin.

Conditions:
No special conditions needed

Impact:
Root/admin user cannot change password using the standard /bin/passwd executable.

Workaround:
The workaround would be to disable selinux, change the password and re-enable selinux:

# setenforce Permissive
# passwd
# setenforce Enforcing


Alternatively, one can use the tmsh commands to change the passwords: tmsh modify auth password root

Lastly, if one wishes to modify the selinux policy, there is the standard way of doing this

# ausearch -c passwd.bin --raw | audit2allow -M mypasswd
# semoduile -i mypasswd.pp

Fix:
With fix, we have no issues with /bin/passwd.bin being denied by selinux and /bin/passwd works as expected.


753446-2 : avrd process crash during shutdown if connected to BIG-IQ

Component: Application Visibility and Reporting

Symptoms:
During shutdown of BIG-IP, if it is connected to BIG-IQ then avrd might crash.

Conditions:
BIG-IP is set to shutdown and configured to send statistics to BIG-IQ.

Impact:
No serious impact, since the BIG-IP is already instructed to shutdown, so the process crash is not causing any damage.

Workaround:
N/A

Fix:
Issue is fixed, avrd does not crash during shutdown


753295-1 : ASM REST: All signatures being returned for policy Signatures regardless of signature sets

Component: Application Security Manager

Symptoms:
By default, only signatures that are included in the Security Policy enforcement via the Policy's Signature Sets are included in the response to /tm/asm/policies/<ID>/signatures.

Additionally, there should be the capability to $filter for either signatures that are in the policy or not in the policy.

These filters are not working

Conditions:
ASM REST/GUI is used to determine the number of signatures enabled on a Security Policy

Impact:
More data that expected will be returned to REST clients which may cause confusion.
Learning statistics/graphs may have confusing/incorrect numbers.

Workaround:
None

Fix:
inPolicy $filter works again, and the default behavior only returns the signatures that are in the policy.


752942-1 : Live Update cannot be used by Administrator users other than "admin"

Component: Application Security Manager

Symptoms:
When a a user with administrator role logs into the system they are not allowed to install update files on the new live-update page:
System ›› Software Management : Live Update

Conditions:
-- User is not admin or root
-- User is administrator

Impact:
Administrators are unable to apply security updates.

Workaround:
Workaround is to log in as admin and install the security updates. Even a web-application-security-administrator or web-application-security-editor can start an installation assuming they have this role on all partitions or at least on the common partition.

Fix:
Admin role was also checked for authorization.
Administrators should be able to log in and apply security updates.


752835-2 : Mitigate mcpd out of memory error with auto-sync enabled.

Component: TMOS

Symptoms:
If auto-sync is enabled and many configuration changes are sent quickly, it is possible for a peer system to fall behind in syncs. Once it does, it will exponentially get further behind due to extra sync data, leading to the sending mcpd running out of memory and core dumping.

Conditions:
-- Auto-sync enabled in an HA pair.
-- High volume of configuration changes made in rapid succession. Typically, this requires hundreds or thousands of changes per minute for several minutes to encounter this condition.

Impact:
mcpd crashes.

Workaround:
There are no workarounds other than not using auto-sync, or reducing the frequency of system configuration changes.

Fix:
This is not a complete fix. It is still possible for mcpd to run out of memory due to a peer not processing sync messages quickly enough. It does, however, make it more difficult for this scenario to happen, so configuration changes with auto-sync on can be sent somewhat more quickly without crashing mcpd as often.


752782-1 : DataSafe Profiles" menu changed to "BIG-IP DataSafe

Component: Fraud Protection Services

Symptoms:
Cosmetic change.

Conditions:
FPS Provisioning and a DataSafe license.

Impact:
Cosmetic change.

Fix:
"DataSafe Profiles" menu changed to "BIG-IP DataSafe".


752592-1 : VMware Horizon PCoIP clients may fail to connect shortly after logout

Component: Access Policy Manager

Symptoms:
Sometimes if user closes opened PCoIP desktop and logs out and then logs in again, he can't launch the same desktop anymore.

Conditions:
PCoIP UDP VS has "vdi" profile assigned.

Impact:
User can't open PCoIP remote desktop during short time period (1 minute).

Workaround:
Remove "vdi" profile and assign "remotedesktop" profile to the PCoIP UDP VS:
# tmsh modify ltm virtual <PCoIP UDP VS> profiles delete { vdi }
# tmsh modify ltm virtual <PCoIP UDP VS> profiles add { remotedesktop }

In admin UI the assignment of "remotedesktop" profile can be controlled via "Application Tunnels (Java & Per-App VPN)" checkbox (right under "VDI Profile" dropdown).

Fix:
Assignment of "vdi" profile to PCoIP UDP VS does not cause intermittent connection problems anymore.


752363-2 : Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled

Component: Advanced Firewall Manager

Symptoms:
Client request fails, due to being dropped on the BIG-IP system.

Conditions:
-- The BIG-IP AFM L4 BDoS feature is enabled.
-- Virtual server setup is such that the client-facing virtual server's destination is forwarded through another virtual server, which is an internally forwarded flow.

Impact:
Client request gets dropped due to BIG-IP AFM dropping the flow.

Workaround:
Disable BDoS feature. The feature can be disabled using the following commands:

-- To disable BDoS globally, run the following command:
modify security dos device-config dos-device-config dynamic-signatures { network { detection disabled mitigation none }}

To disable BDoS globally per-profile, run the following command:
modify security dos profile <profile-name> dos-network modify { test { dynamic-signatures { detection disabled mitigation none } } }
modify security dos profile test protocol-dns modify { test { dynamic-signatures { detection disabled mitigation none } } }

Fix:
The system now handles the looped flows properly, so the BDoS module does not incorrectly cause the packet to be dropped.


751636-1 : Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership

Component: TMOS

Symptoms:
Downgrading from BIG-IP version 14.1.0 to an earlier version, the group ID of /var/lock and /var/spool/mail are incorrect. This can be encountered after you boot into the earlier-versioned software image. /var/log/liveinstall.log contains the following messages:

-- info: RPM: filesystem-2.4.30-3.el6.0.0.10.i686
-- info: RPM: warning: group lock does not exist - using root
-- info: RPM: warning: group mail does not exist - using root

When running the following command:
config # rpm -V filesystem
......G.. /var/lock
......G.. /var/spool/mail

The expected results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
lock
config # stat -c %G /var/spool/mail
mail

In this version, the results are as follows:
config # rpm -V filesystem
config # stat -c %G /var/lock
root
config # stat -c %G /var/spool/mail
root

Conditions:
-- BIG-IP version 14.1.0 is running.
-- An earlier software version is installed.
-- The system is then booted into that earlier version.

Impact:
There is no known impact to the system if this occurs; however, running rpm -V will report these two discrepancies.

This occurs because rpm versions 4.8 and earlier have built-in recognition of exactly three group names; 'root', 'mail', and 'lock'. In v4.8, these special names appear in <src>/lib/misc.c:gnameToGid. To use the group names 'mail' and 'lock' as intended, all BIG-IP releases earlier than BIG-IP v14.1.0 rely on this special feature of rpm.

BIG-IP v14.1.0 moved to rpm version 4.11, in which the function no longer exists.

Workaround:
Using a shell command, correct the group ID of the two directories that are incorrect using the following two commands:

config # chgrp lock /var/lock
config # chgrp mail /var/spool/mail


751011-3 : ihealth.sh script and qkview locking mechanism not working

Component: TMOS

Symptoms:
Two qkviews can be started up on a system at the same time, which results in conflicts for each.

Conditions:
Running qkview on one terminal and then ihealth.sh in another.

Impact:
Running of two qkviews at the same time breaks both qkviews since they compete for the same files.

Workaround:
Run either qkview or ihealth.sh, not both simultaneously.

Fix:
Starting a qkview and then running ihealth.sh halts immediately as the system detects that qkview is running.


751009-3 : Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out

Component: TMOS

Symptoms:
After generating a Qkview or collecting a tcpdump via the BIG-IP GUI, or using the 'tmsh run util ihealth' command to do the equivalent, the /var/tmp/mcpd.out file is missing.

Conditions:
-- Generating a Qkview or collecting a tcpdump via the BIG-IP GUI.
-- Using the 'tmsh run util ihealth' command to do the equivalent operation.

Impact:
The file /var/tmp/mpcd.out is a debug file used by mcpd, primarily for collecting debug-level log information from MCPD.

The file being deleted causes challenges with trying to collect diagnostic information from a BIG-IP system (turning on mcpd debug logging), because it now requires a service impact (restarting mcpd).

Additionally, may cause challenges in managing disk space on /shared filesystem, as mcpd keeps writing to a deleted file, and it cannot be truncated.

Workaround:
Generating Qkviews by invoking the 'qkview' command directly avoids this issue.

Edit the /usr/bin/ihealth.sh script to remove the corresponding line.

From a bash shell:
1. mount -o remount,rw /usr
2. /bin/cp /usr/bin/ihealth.sh{,751009.bak}
3. sed -i '/\/bin\/rm -f \/var\/tmp\/mcpd.out/d' /usr/bin/ihealth.sh
4. mount -o remount,ro /usr

Note: This workaround does not persist across software installs/upgrades, nor does it ConfigSync or replicate across blades in a VIPRION chassis.

Fix:
The problem line has been removed from the script, so this mcpd debug file is left alone (not deleted) after running ihealth.sh. Note that the GUI version of running qkview uses ihealth.sh script.


750973-1 : Import XML policy error

Component: Application Security Manager

Symptoms:
Import XML policy fails with errors:
--------
The security policy file does not conform to the schema and cannot be imported
element attack_type: Schemas validity error : Element
'attack_type': 'Web Scraping' is not a valid value
--------

Conditions:
A user-defined Signature Set having Attack Type "Web Scraping" defined.

If a such a Set is included in an exported XML policy, schema validation on the XML policy import will fail.

Impact:
Import XML policy fails with errors

Workaround:
Use binary policy export/import

Fix:
We have fixed the XML policy export/import process to not fail or produce Attack Type "Web Scraping" related errors.


750922-1 : BD crash when content profile used for login page has no parse parameters set

Component: Application Security Manager

Symptoms:
Bd crashes. No traffic goes through ASM.

Conditions:
-- A Json Login page is configured.
-- The content profile used for the login page does not have parse parameters set.

Impact:
No traffic goes through ASM. Bd crashes.

Workaround:
Set the parse parameters setting.

Fix:
BD no longer crashes when the content profile used for login page has no parse parameters set.


750793-2 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition

Component: Application Security Manager

Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.

Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.

Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.

Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.

Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.


750686-1 : ASE user cannot create or modify a bot signature.

Component: Application Security Manager

Symptoms:
Application Security Editor user role gets a validation exception while trying to create or modify bot defense signature either via GUI, tmsh, or REST.

Conditions:
The logged on user account is configured with an Application Security Editor role.

Impact:
Application Security Editor unable to define user-defined signatures for bot defense module.

Workaround:
Change user role to Administrator or Web Application Security Administrator to create or modify bot defense signatures.

Fix:
User accounts configured for Application Security Editor can now create/modify bot defense signatures.


750683-1 : REST Backwards Compatibility: Cannot modify enforcementMode of host-name

Component: Application Security Manager

Symptoms:
Modifying the enforcementMode value fails with the following message: Valid Host Name already exists in this policy.

In 14.1.0, the capability to treat specific domains as Transparent while the rest of the policy is in Blocking moved from Host Names to the new Microservices feature. The REST endpoint for Host Names (/mgmt/tm/asm/policies/<ID>/host-names) is meant to still support setting and modifying this attribute. However, this is not happening successfully.

Conditions:
-- Running version 14.1.0 software.
-- Using a pre-14.1.0 REST API to modify the enforcementMode of a host name (/mgmt/tm/asm/policies/<ID>/host-names).

Impact:
The value change fails.

Workaround:
You can use either workaround:

-- Change the value using the GUI.

-- Use the newer endpoint: (/mgmt/tm/asm/policies/<ID>/microservices).

Fix:
Using the backwards compatible REST to update the enforcementMode of a host name now succeeds.


750668-1 : Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition

Component: Application Security Manager

Symptoms:
Removing Bot/Logging/Security Service profiles that were created in a user-defined partition fails via GUI.

Conditions:
Attempting to delete Bot/Logging/Security Service profiles that were created in a user-defined partition.

Impact:
The Bot/Logging/Security Service Profile cannot be deleted via GUI.

Workaround:
Remove Bot/Logging/Cloud Security Service profiles via TMSH.

Fix:
You can now remove Bot profiles, Logging profiles, and Cloud Security Service profiles from user-defined partition.


750666-1 : Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common'

Component: Application Security Manager

Symptoms:
For any partition other than 'Common'(i.e., a user-defined partition), cannot create a new Bot Signature or Bot Category Signature via GUI, because the form fields and buttons are disabled (grayed out).

Conditions:
-- Creating Bot Signature/Bot Category Signature.
-- The partition is set to a user-defined partition.

Impact:
No creation of Bot Signature/Bot Category Signature can be completed through GUI in a user-defined partition.

Workaround:
Create Bot Signature/Bot Category Signature in TMSH.

Fix:
Can now create Bot Signature/Bot Category Signature in user partition different from 'Common'.


750661 : URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.

Component: TMOS

Symptoms:
A regression in configuration processing causes LTM Rewrite profile to ignore configured URI translation rules.

Conditions:
Using LTM Rewrite profiles to ignore configured URI translation rules.

Impact:
URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied.

Workaround:
None.

Fix:
Restored functionality of LTM Rewrite URI translation rules.


750580-1 : Installation using image2disk --format may fail after TMOS v14.1.0 is installed

Component: TMOS

Symptoms:
When v14.1.0 is installed, subsequent installations of software performed using image2disk with the --format=volumes option from within a TMOS installation slot.

The failure occurs after the disks have been formatted, but before the TMOS installation slot is bootable, and the system is left without a TMOS installation slot.

While performing the installation, the system posts messages similar to the following in the serial console:

-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : MySQL-shared/i686
   ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package MySQL-shared (i686)
-- info: tm_install::RPM::rpm_db_find_by_namearch -- not found : openssl/x86_64
    ...
-- info: tm_install::VolumeSet::VolumeSet_install_packages -- installing package openssl (x86_64)
-- info: capture: status 32512 returned by command: chroot /mnt/tm_install/1258.DHwcwN rpm --rebuilddb
    ...
-- info: chroot: failed to run command 'rpm': No such file or directory

Conditions:
This issue occurs when all of the following conditions are met:
-- Version 14.1.0 is installed on the system, even if the system never boots into the 14.1.0 installation slot.
-- Using image2disk with the --format=volumes option specified from TMOS.
-- Installing another version of the software.


In particular, this issue affects MOS version 2.12.0-140.0, which can be checked by running this command from a bash shell on the BIG-IP system:

     grub_default -d | grep -A6 'TMOS maintenance' | grep 'TIC_STATIC_VERSION'

Impact:
The installation fails, and the system is left in a state where it is not accessible on the network and has no configuration. You must use the console to access the system.

Workaround:
You can use the following workarounds:

-- Use the Software Management screens in the GUI to perform installations
-- Use the tmsh 'sys software' commands to perform software installations.
-- Do not use the image2disk --format command to install software.


750447-3 : GUI VLAN list page loading slowly with 50 records per screen

Component: TMOS

Symptoms:
GUI VLAN list page is loading slowly with there are 3200+ VLANs with the Records Per Screen Preference set to 50.

Conditions:
-- Using a VIPRION system.
-- Configuration containing 3200 or more VLANs.
-- System Preferences Records Per Screen set to 50.

Impact:
Cannot use the page.

Workaround:
Use tmsh or guishell tool to see the VLANs.

You can also try using a smaller value for the Records Per Screen option in System :: Preferences.

Fix:
Improved data retrieval and rendering for the VLAN list page.


750356-2 : Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted

Component: Application Security Manager

Symptoms:
In any Split View page (Request Log, Learning, etc.): All user-defined filters are removed if you delete a newly created filter without reloading the page first.

Conditions:
-- Create a new filter.
-- Remove the new filter.

Impact:
The system removes all user-defined filters.

Workaround:
Before you delete a newly created filter, reload the page.

Fix:
Filter removal now completes successfully for all scenarios.


750292-2 : TMM may crash when processing TLS traffic

Component: Local Traffic Manager

Symptoms:
TMM may crash when processing client-side certificates in TLS traffic.

Conditions:
Client certificate authentication is enabled (client-side SSL).

Impact:
TMM crash leading to a failover event.

Workaround:
None.

Fix:
TMM now processes TLS traffic as expected.


750200-3 : DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode

Component: Local Traffic Manager

Symptoms:
DHCP requests from the client are sent only to the first member in the DHCP server pool.

Conditions:
- BIG-IP system configured as a DHCP Relay.
- DHCP server pool contains more than one DHCP server.

Impact:
- DHCP server load balancing is not achieved.
- If the first DHCP server in the DHCP server pool does not respond or is unreachable, the DHCP client will not be assigned an IP address.

Workaround:
None.


749879-2 : Possible interruption while processing VPN traffic

Component: Carrier-Grade NAT

Symptoms:
When processing certain rare data sequences occurring in VPN traffic, the Traffic Management Microkernel may execute incorrect logic, triggering a TMM restart.

Conditions:
The problem occurs only with the CGNAT feature provisioned and when at least one virtual server is configured with certain profiles.

Impact:
The restart of the TMM disrupts network traffic until either an HA-configured partner TMM assumes processing or the TMM restart has completed.

Workaround:
No Workaround.

Fix:
Improved handling of PPTP messages in PPTP profile.


749774-5 : EDNS0 client subnet behavior inconsistent when DNS Caching is enabled

Component: Global Traffic Manager (DNS)

Symptoms:
When EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled, the responses differ in their inclusion of EDNS0 client subnet information based on whether the response was supplied by the cache or not.

Conditions:
This occurs when EDNS0 client subnet information is included in a DNS request, and DNS caching is enabled.

Impact:
Inconsistent behavior.

Workaround:
None.

Fix:
In this release, responses are now consistent when caching is enabled.


749675-5 : DNS cache resolver may return a malformed truncated response with multiple OPT records

Component: Global Traffic Manager (DNS)

Symptoms:
A configured DNS resolving cache returns a response with two OPT records when the response is truncated and not in the cache.

Conditions:
This can occur when:
-- A DNS resolving cache is configured.
-- The DNS query being handled is not already cached.
-- The response for the query must be truncated because it is larger than the size the client can handle (either 512 bytes or the buffer size indicated by an OPT record in the query).

Impact:
A DNS message with multiple OPT records is considered malformed and will likely be dropped by the client.

Workaround:
A second query will return the cached record, which will only have one OPT record.

Fix:
DNS cache resolver now returns the correct response under these conditions.


749603-1 : MRF SIP ALG: Potential to end wrong call when BYE received

Component: Service Provider

Symptoms:
When a BYE is received, the media flows for a different call might be closed in error.

Conditions:
If the hash of the call-id (masked to 12 bits) matches the hash of another's call-id.

Impact:
The media flows for both calls will be closed when one receives a BYE command. A call may be incorrectly terminated early.

Workaround:
None.

Fix:
Entire call-id checked before terminating media flows.


749500-1 : Improved visibility for Accept on Microservice action in Traffic Learning

Component: Application Security Manager

Symptoms:
Low visibility for accepted on microservice action

Conditions:
User has suggestions that can be accepted on microservice

Impact:
N/A

Workaround:
N/A

Fix:
Improved visibility for accept on microservice action and microservice relatged details of suggestion


749464-2 : Race condition while BIG-IQ updates common file

Component: Application Visibility and Reporting

Symptoms:
The file /var/config/rest/downloads/app_mapping.json is being used by two processes: BIG-IQ and avrd.
This can cause a race-condition between the two and in some rare cases can cause avrd to crash.

Conditions:
BIG-IQ updating /var/config/rest/downloads/app_mapping.json while avrd is reading it.

Impact:
avrd might read incomplete data, and can even core in some rare cases.

Workaround:
None.

Fix:
This race condition no longer occurs.


749461-2 : Race condition while modifying analytics global-settings

Component: Application Visibility and Reporting

Symptoms:
Updating the analytics global-settings might cause a core for avrd.

The avrd.log contains the following record:
AVRD_CONFIG|NOTICE... 13931|lib/avrpublisher/infrastructure/avr_mcp_msg_parser.cpp:2985| Modified Analytics Global Settings, added "0" offbox TCP addresses

Conditions:
Analytics global-settings are updated either explicitly, using a tmsh command, or implicitly, by internal process script.

Impact:
Might cause a core for avrd. After coring once, avrd is expected to start normally without any additional cores. The configuration change is expected to be applied correctly after restart is complete.

Workaround:
None.

Fix:
Race condition no longer occurs while modifying analytics global-settings.


749382-1 : Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater

Component: TMOS

Symptoms:
Running a bare-metal installation via image2disk (IE, 'image2disk --format=volumes <ISO>') may fail due to a missing command in the maintenance OS.

Conditions:
The version of MOS installed on the system is from a v14.1.0 or newer ISO, and a user attempts a bare-metal installation via the 'image2disk' command.

Impact:
Unable to perform bare-metal installations/installations from MOS in affected versions.

Workaround:
The installed version of MOS can be removed with the command '/usr/lib/bpdiag -a mos'. After doing this, installing a version older than 14.1.0 will re-install an older version of MOS without this issue. You can then reboot to MOS and manually run the installation using 'image2disk' from there.

Fix:
Fix issues with bare-metal installations via 'image2disk' failing.


749331-3 : Global DNS DoS vector does not work in certain cases

Component: Advanced Firewall Manager

Symptoms:
Global DNS DoS vector stops working under certain conditions.

Conditions:
Packets are not made to go through its entirety.

Impact:
Global DNS data structures are overwritten by subsequent incoming packets. Global DNS DoS vector does not rate-limit the packets.

Workaround:
None.

Fix:
Global DNS DoS vector checks now prevent this issue, so rate-limiting works as expected.


749294-4 : TMM cores when query session index is out of boundary

Component: Local Traffic Manager

Symptoms:
TMM cores when the queried session index is out of boundary. This is not a usual case. It is most likely caused by the memory corrupted issue.

Conditions:
When session index equals the size of session caches.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The index boundary check now operates correctly in this situation, so tmm no longer cores.


749227-1 : MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE

Component: Service Provider

Symptoms:
INVITE message being processed operation creates a temporary registration entry for a unregistered subscriber, this registration entry is not extended if a subsequent invite occurs. This could cause the registration to expire during a call, thus allowing the reserved translated addresses to be provided to a different subscriber.

Conditions:
An INVITE message is received when unregistered-subscriber-callout attribute in the siprouter-alg profile

Impact:
The system adds a temporary registration entry to the registration table. The lifetime for this entry is the max-session-timeout value from the siprouter-alg profile. Subsequent INVITES will not extend the lifetime.

This could cause the registration to expire during a call, allowing the reserved translated addresses to be provided to a different subscriber.

Workaround:
None.

Fix:
Subsequent INVITEs now extend the lifetime by another max-session-timeout value.


749136-1 : Disk partition /var/log is low on free disk space

Component: Application Security Manager

Symptoms:
Warning messages, such as these, In system CLI:
--------------
Broadcast message from root@bigip1.test.net (Wed Nov 7 09:01:01 2018):

011d0004:3: Disk partition /var/log (slot 1) has only 0% free
--------------

Conditions:
ASM or DOS are provisioned

Impact:
Disk partition /var/log is low on free disk space

Workaround:
Manually delete nsyncd logs from /var/log

Fix:
We have added stricter log rotation for nsyncd.


749109-3 : CSRF situation on BIGIP-ASM GUI

Component: Application Security Manager

Symptoms:
CSRF situation on the BIG-IP ASM GUI that might potentially lead to resource exhaustion on the device for the moment it is being run.

Conditions:
The following URL accepts a wildcard in the parameter id, making it a heavy URL:

https://BIG-IP/dms/policy/pl_negsig.php?id=*

Impact:
Once multiple requests are sent to the target GUI, it is possible to see httpd process spiking even in core 0 (VMWare).

Workaround:
None.

Fix:
If the query string parameter has a string value the query is not executed.


748999-3 : invalid inactivity timeout suggestion for cookies

Component: Application Security Manager

Symptoms:
ASM will report "invalid inactivity timeout" suggestions to delete a cookie, even though the cookies are being sent and are valid.

Conditions:
- Inactivity timeout feature is configured in Policy Builder
- Cookie entity is configured in the policy
- Valid, non-violating traffic containing cookies is passed

Impact:
Since non-violating traffic is not sent to the policy engine, the inactivity timeout timer is never reset, which will eventually lead to suggestions to delete the inactive cookie entities. These suggestions are erroneous because valid cookies are being sent in the traffic.

Workaround:
Ignore the inactive entity suggestions for cookies

Fix:
Inactivity learning for cookies has been deprecated, the feature does not cover cookies anymore.


748848-2 : Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers

Component: Application Security Manager

Symptoms:
Multiple virtual servers were each using different cookie names for cookies 72, 74, and 76. This occurred because these cookie names were dependent on virtual server properties.

Conditions:
- Multiple subdomains were configured to resolve to different virtual servers with different ASM policies.
- Anti-Bot Mobile SDK attempted to connect to these virtual servers, and could not use the same cookie to do so.

Impact:
Anti-Bot Mobile SDK was not able to connect to multiple virtual servers using the same cookie.

Workaround:
N/A

Fix:
The relevant cookie names were changed.
The format TS00000000_7x (prefix/suffix may change according to configuration) is now used for cookies 72, 74, and 76, which results in identical cookie names for all configured virtual servers.
This will allow Anti-Bot Mobile SDK to connect to multiple virtual servers using the same cookie.


748409-2 : Illegal parameter violation when json parsing a parameter on a case-insensitive policy

Component: Application Security Manager

Symptoms:
An illegal parameter violation is raised although the parameter is configured

Conditions:
The policy is configured as case insensitive, and a parameter is configured with capital letters

Impact:
False positive illegal parameter violation

Workaround:
Configure violation as case sensitive


748321-1 : bd crash with specific scenario

Component: Application Security Manager

Symptoms:
BD crash

Conditions:
A specific scenario may cause bd crash.

Impact:
Failover, traffic disturbance.

Workaround:
N/A


748176-1 : BDoS Signature can wrongly match a DNS packet

Component: Advanced Firewall Manager

Symptoms:
When using BDoS feature for DNS protocol, and when there are auto-generated DNS Signatures or if Custom DNS signatures are configured manually, it is found that at times, a valid DNS request is dropped because it wrongly matches the configured/dynamically generated DNS Signature when the box is under load, and BDoS mitigation is ongoing.

Conditions:
Configured DNS Signature (Or) there exists a Dynamically generated DNS Signature.

Such a DNS signature is found to match a DNS packet wrongly, even though the signature match criteria is different from the matched DNS packet.

Impact:
When box is under load, the configured DNS signature gets into Attack Mitigation mode (which is normal), but may wrongly drop a DNS packet that does not match the signature.

Workaround:
Disable BDoS for protocol DNS. Also, do not use Manually configured DNS Signatures.

Fix:
The parsed DNS information is cached and re-used wrongly as a performance optimization, which is corrected.


748081-1 : Memory leak in BDoS module

Component: Advanced Firewall Manager

Symptoms:
TMM runs out of memory and restarts.
The memory usage as shown in "tmctl memory_usage_stat", under module line tag "session" is noticed to be high, and keeps growing.

Conditions:
The issue is seen when BDoS feature is configured, and if there exits Custom or Auto Generated BDoS Signatures. When such signatures exist, the BDoS one second timer callback leaks memory.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable BDoS feature.
Disable all configured and auto generated BDoS signatures using TMSH command:
modify security dos dos-signature all { state disabled }


748043-2 : MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP

Component: Service Provider

Symptoms:
SIP Server sends SIP Request to the client.
The SIP Server inserts a different port, so that response are received on a different port.
The Client sends the response on the new requested port.
BIG-IP drops the packet

Conditions:
SIP Server wants the SIP Response to be coming on a different port.

Impact:
SIP Request will not receive the SIP Response

Workaround:
There is no workaround.

Fix:
Fix BIG-IP to process the SIP Response and send it to the SIP Server


747977-1 : File manually uploaded information was not synced correctly between blades

Component: Application Security Manager

Symptoms:
When a user uploads a file, the file is marked as manually uploaded.
When the system downloads a file, it is marked as not being manually uploaded.
This information was not passed and handled correctly in chassis.

Conditions:
- Product was deployed on multiple blades
- Fail over has occurred
- New update file was downloaded from ESDM on primary blade

Impact:
Security updates will not automatically be installed on new primary blade after fail over

Workaround:
Manually install security updates on new primary blade

Fix:
Correctly sync/handle information about file files - whether they were manually uploaded or downloaded from ESDM.


747926-2 : Rare TMM restart due to NULL pointer access during AFM ACL logging

Component: Advanced Firewall Manager

Symptoms:
Tmm crashes while performing log ACL match logging.

Conditions:
The problem can happen only with the following configuration:
1) AFM Logging for ACLs enabled.
2) Security Network Logging profile has the property "log-translation-fields enabled"

The problem happens under extremely rare circumstances.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Defensive error handling to avoid the scenario of NULL pointer access.


747922-3 : With AFM enabled, during bootup, there is a small possibility of a tmm crash

Component: Advanced Firewall Manager

Symptoms:
During bootup, with AFM enabled, there is a small possibility of a tmm crash. The tmm process generates a core file and then automatically restart.

Conditions:
-- AFM enabled.
-- sPVA-capable hardware platform.
-- Boot up the system.

Impact:
tmm crashes, coredumps, and then restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The race-condition has been fixed, so this issue no longer occurs.


747777-3 : Extractions are learned in manual learning mode

Component: Application Security Manager

Symptoms:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Conditions:
Direct cause: Policy contains parameters with dynamic type

Indirect cause: Policy Builder is configured to classify parameters as dynamic (related to bug 717525)

Impact:
- BIG-IP reports "Changes pending" frequently
- Errors in pabnagd.log: "Missing Parameter Rule1 attribute element"

Workaround:
- Change all dynamic parameters value types to User Input with Alpha Numeric data type

- Unset parameters' dynamic value type (or uncheck all parameters' dynamic classification options in 'Learning And Blocking Settings').

Fix:
Policy Builder does not set extractions for dynamic parameters in manual mode


747617-2 : TMM core when processing invalid timer

Component: Local Traffic Manager

Symptoms:
TMM crashes while processing an SSLO iRules that enables the SSL filter on an aborted flow.

Conditions:
SSLO is configured and passing traffic.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround

Fix:
SSL filter will no longer be enabled after connection close.


747550-3 : Error "This Logout URL already exists!" when updating logout page via GUI

Component: Application Security Manager

Symptoms:
When you try to update the Logout Page you get an error about the URL existence: Error "This Logout URL already exists!"

Conditions:
1) Create any Logout page
2) Try to update it

Impact:
The properties of the Logout Page cannot be updated.

Workaround:
Delete the logout page and create a new one.

Fix:
The error about existense will not be thrown on updating Logout Page


747187-2 : SIP falsely detects media flow collision when SDP is in both 183 and 200 response

Component: Service Provider

Symptoms:
A spurious error message is logged ("MR SIP: Media flow creation (...) failed due to collision") and media does not flow.

Conditions:
A SIP server responds to an INVITE with both a 183 "Session Progress" and later a "200 OK" for a single SIP call, and both responses contain an SDP with the same media info.

Impact:
Media does not flow on pinholes for which a collision was detected and reported.

Workaround:
None

Fix:
No collision is detected or logged when multiple messages with SDP recreate the same flows in the same call.


747104-1 : LibSSH Vulnerability: CVE-2018-10933

Solution Article: K52868493

Component: Advanced Firewall Manager

Symptoms:
For more information see: https://support.f5.com/csp/article/K52868493

Conditions:
For more information see: https://support.f5.com/csp/article/K52868493

Impact:
For more information see: https://support.f5.com/csp/article/K52868493

Fix:
For more information see: https://support.f5.com/csp/article/K52868493


746941-2 : avrd memory leak when BIG-IQ fails to receive stats information

Component: Application Visibility and Reporting

Symptoms:
AVRD has memory leak when it is failing to send statistical information to BIG-IQ.

Conditions:
BIG-IP is used by BIG-IQ version 6.0.0 or higher, and stats collection is enabled.
Plus, BIG-IQ has some malfunction that prevents it from receiving the statistical information that BIG-IP is sending (for example: all DCDs are down, or not network connection between BIG-IP and BIG-IQ).

Impact:
avrd memory is increased over time, leading to avrd restart when it is getting too large

Workaround:
Connectivity issue between BIG-IP and BIG-IQ should be fixed, not just in order to prevent this memory leak, but for more important functionality such as visibility and alerts features in BIG-IQ.

Fix:
Memory leak is fixed.


746873-1 : Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing

Component: TMOS

Symptoms:
Any non-admin cannot use tmsh list commands. Running the command gives the following error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

Conditions:
Run a tmsh list command when logged in as non-admin user.

Impact:
Error is posted. Non-admin users cannot use the tmsh list commands.

Workaround:
Log in as admin to execute the tmsh list command.

Fix:
Non-admin users can now run tmsh list commands, as appropriate for the Role associated with the type of user account.


746825-1 : MRF SIP ALG with SNAT: Ephemeral listeners not created for un-subscribed outgoing calls

Component: Service Provider

Symptoms:
When a temporary registration is created for an un-subscribed user making an outgoing call, an ephemeral listener to receive incoming messages is not created.

Conditions:
If nonregister-subscriber-callout attribute in the siprouter-alg profile is enabled, and an unregiatered client device places an outgoing call, a temporary registration is created. This temporary registration lives for the life of the call. During the lifetime of the temporary registration if the connection from the client is closed, it is not possible for an external device to reach the client.

Impact:
The callee of an outgoing call initiated by an un-registered sip device will not be able to end the call.

Workaround:
There is no workaround at this time.

Fix:
When a temporary registration is created, an ephemeral listener is created to receive SIP commands to be forwarded to the client device.


746771-3 : APMD recreates config snapshots for all access profiles every minute

Component: Access Policy Manager

Symptoms:
When the access profile configurations in APMD and MCPD are out of sync, APMD will detect the config snapshot for one access profile is missing. This triggers AMPD to recreates the config snapshots for all access profiles. The detect-recreate cycle will repeat every minute.

Sep 11 17:57:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:57:59 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.
...

Sep 11 17:58:39 BIG-IP err apmd[18013]: 01490259:3: Exception occurred for memcache operation: AccessPolicyProcessor/ProfileAccess.cpp line:492 function: resetTimeout - Config snapshot for profile /Common/ap could not be found using key tmm.session.a9735a75704_0ooooooooooooooooooo
...

Sep 11 17:59:00 BIG-IP notice apmd[18013]: 014902f3:5: (null):Common:00000000: Successfully created config snapshots for all access profiles.

Conditions:
The condition under which the access profile configurations in APMD and MCPD become out of sync is unknown.

Impact:
TMM memory usage will increase due to excessive config snapshots created.

Workaround:
Restart APMD to clear the APMD and MCPD out of sync condition.

Fix:
N/A


746750-1 : Search Engine get Device ID challenge when using the predefined profiles

Component: Application Security Manager

Symptoms:
When using one of the pre-defined profiles, "bot-defense-device-id-generate-after-access" and "bot-defense-device-id-generate-after-access", Search Engines might get Device ID challenges (and will most likely get blocked since cannot run JS)

Conditions:
One of the pre-defined profiles ("bot-defense-device-id-generate-after-access" or "bot-defense-device-id-generate-after-access") are attached to vs, and a valid search engine sends requests.

Impact:
Search Engines may be blocked.

Workaround:
Change mitigation of "Trusted Bot" in the attached profile to "Alarm":
1. Go to
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-after-access
or
Security ›› Bot Defense : Bot Defense Profiles ›› bot-defense-device-id-generate-before-access
2. Go to tab "Mitigation Settings"
3. For "Trusted Bot" choose "Alarm".
4. Save profile.


746424 : Patched Cloud-Init to support AliYun Datasource

Component: TMOS

Symptoms:
Shipped Cloud-Init in this version of VE has no support of Alibaba Cloud metadata service for having no support of AliYun Datasource.

Conditions:
VE for Alibaba Cloud

Impact:
Provisioning VE through Cloud-Init won't work on Alibaba cloud

Workaround:
N/A

Fix:
Patched Cloud-Init to support AliYun Datasource


746298-1 : Server Technologies logos all appear as default icon

Component: Application Security Manager

Symptoms:
Server Technologies logos all appear as the default icon.

Conditions:
Browsing the list of available Server Technologies in an ASM policy.

Impact:
Server Technologies logos all appear as the default icon.

Workaround:
Install the most recent Server Technologies update file.

Fix:
Server Technology-specific logos appear correctly.


746131-4 : OpenSSL Vulnerability: CVE-2018-0732

Component: Local Traffic Manager

Symptoms:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.

Conditions:
Advanced shell access.

Impact:
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.

Workaround:
None.

Fix:
Updated to OpenSSL 1.0.2p


745851 : Changed Default Cloud-Init log level to INFO from DEBUG

Component: TMOS

Symptoms:
Cloud-Init services generate too many debug log lines that populate their systemd journal.

Conditions:
Any BIG-IP VE release with Cloud-Init enabled and using "systemd".

Impact:
There're too many debug log lines that might make VE admin miss any more important information and severe errors when reading it.

Workaround:
Manually change all Cloud-Init's log levels to INFO from DEBUG.

Fix:
Cloud-Init's log default levels have been changed to INFO from DEBUG.


745825-1 : The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading

Component: TMOS

Symptoms:
This message may be logged while the audit_forwarder is loading the configuration:

audit_forwarder is disabled as the configuration is incomplete. Please define the following db variables: config.auditing.forward.sharedsecret, config.auditing.forward.destination and config.auditing.forward.type. And make sure config.auditing.forward.destination is not set to "::".

These DB variables may all be actually configured correctly, but since the configuration has not loaded yet this message may be logged multiple times.

Conditions:
The audit_forwarder process is starting up and loading the configuration.

Impact:
Confusing error messages in /var/log/ltm. Logging will still work as configured.

Workaround:
There is no workaround.

Fix:
Message has been modified to indicate the possibility of loading the configuration. Message is now logged only once. A new messages is logged indicating when audit_forwarder is enabled.


745813-1 : Requests are reported to local log even if only Bot Defense remote log is configured

Component: Application Security Manager

Symptoms:
Requests are logged locally on the BIG-IP system while they supposed to be sent only to the remote logger.

Conditions:
- Bot Defense profile attached to a virtual server.
- Bot Defense remote logger profile attached to a virtual server.

Impact:
Requests logged locally on the BIG-IP system when they are not supposed to be.

Workaround:
None.

Fix:
Logging profile filter mechanism now honors remote and local logging configurations.


745715-2 : MRF SIP ALG now supports reading SDP from a mime multipart payload

Component: Service Provider

Symptoms:
Previously all non SDP SIP payloads were ignored. This would cause media pinhole flows to not be created.

Conditions:
An INVITE message or its response contained a SDP section in a mime multipart payload.

Impact:
Media pinhole flows were not created

Workaround:
none

Fix:
The SIP ALG code can now extract and process the SDP section of a mime multipart payload.


745713-4 : TMM may crash when processing HTTP/2 traffic

Component: Local Traffic Manager

Symptoms:
Under certain conditions, TMM may crash when processing HTTP/2 traffic

Conditions:
HTTP/2 profile enabled

Impact:
TMM crash, leading to a failover event.

Workaround:
N/A

Fix:
TMM now processes HTTP/2 traffic as expected.


745654-4 : Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server

Component: Access Policy Manager

Symptoms:
When there are a lot of tcp connections that needs new kerberos ticket to be fetched from kdc, then the websso processes requests slower than the incoming requests. This could lead to low throughput and virtual server is very slow to respond to requests.

Conditions:
Large number of APM users using Kerberos SSO to access backend resources and all the tickets expire at the same time.

Impact:
Low throughput and slow responses from Virtual server.

Workaround:
There is no workaround at this time.

Fix:
Increase the size of websso worker queue, so that tmm and websso process can communicate effectively. This eliminates VS slowness and hence increase throughput.


745629 : Ordering Symantec and Comodo certificates from BIG-IP

Component: TMOS

Symptoms:
This new feature enables ordering Symantec and Comodo certificates from the BIG-IP system.

Conditions:
You must have a Symantec or Comodo CA account to make certificate orders from the BIG-IP system.

Impact:
This new feature enables ordering of certificates from CAs Symantec and Comodo. CA-Approved certificates are automatically fetched and installed on the BIG-IP system.

Workaround:
None. This is a new feature.

Fix:
This release adds the capability to order/fetch and install certificates from CAs Symantec and Comodo.

Behavior Change:
You can now order/fetch and install certificates from the Symantec and Comodo Certificate Authorities.


745628-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a NOTIFY message has been processed.

Conditions:
This occurs because the NOTIFY message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing NOTIFY messages


745624-1 : Tooltipls for OWASP Bot Categories and Anomalies were added

Component: Application Security Manager

Symptoms:
Tooltipls for some OWASP Bot Categories and Anomalies were N/A in GUI/REST.

Conditions:
- GUI page: Event Logs -> Bot Defense -> Bot Traffic.
- Bot classification is "OWASP Automated Threat"
- Tooltip shows "N/A" instead of detailed description.

Impact:
You cannot see detailed description of Bot classification of traffic.

Workaround:
N/A

Fix:
Tooltipls for OWASP Bot Categories and Anomalies were added


745607-1 : Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly

Component: Application Security Manager

Symptoms:
3 month/last year filter not displayed correctly in applied filter

Conditions:
3 month/last year filter applied in Bot Defense : Bot Traffic

Impact:
You cannot see which filter is currently applied

Workaround:
N/A

Fix:
3 month/last year filter displayed correctly in applied filter


745531-2 : Puffin Browser gets blocked by Bot Defense

Component: Application Security Manager

Symptoms:
Users using the Puffin Browser are blocked when accessing the Virtual Server when it is protected with either Proactive Bot Defense (within DoSL7 profile) or with the Bot Defense profile.
This applies to all version of the Puffin Browsers: Desktop, Android, iOS.

Conditions:
- Users using the Puffin Browser on Desktop, Android, iOS
- Bot Defense Profile, or: DoSL7 profile with Proactive Bot Defense is used while the "Block Suspicious Browsers" checkbox is enabled

Impact:
Users of the Puffin Browser cannot access the website

Workaround:
None

Fix:
Users of the Puffin Browser can now access the website that is protected by Bot Defense without getting blocked.
For the fix to be applied, both BIG-IP Release and ASU must be installed which contain the fix. Also, it is recommended to enable the following DB variables:
tmsh modify sys db dosl7.proactive_defense_validate_ip value disable
tmsh modify sys db dosl7.cs_validate_ip value disable


745514-1 : MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message

Component: Service Provider

Symptoms:
The media addresses in the SDP payload are not translated by MRF SIP ALD with SNAT after a SUBSCRIBE message has been processed.

Conditions:
This occurs because the SUBSCRIBE message has has the TO and FROM headers with the same value causing the ALG to enter hairpin mode.

Impact:
Media addresses in the SDP payload are not translated.

Workaround:
There is no workaround.

Fix:
Hairpin mode is not entered when processing SUBSCRIBE messages


745404-4 : MRF SIP ALG does not reparse SDP payload if replaced

Component: Service Provider

Symptoms:
When a SIP message is loaded, the SDP is parsed, if modified or replaced, the system does not reparse the modified payload.

Conditions:
This occurs internally while processing SDP in a SIP message.

Impact:
Changes to the SDP are ignored when creating media pinhole flows

Workaround:
NA

Fix:
The SDP payload will be reparsed of modified or replaced


745387-1 : Resource-admin user roles can no longer get bash access

Component: TMOS

Symptoms:
Resource-admin users with bash access may write to system files beyond the scope of their assigned access.

Conditions:
Resource-admin users configured with bash shell access.

Impact:
Resource-admin users with bash access may write to system files causing security risks.

Workaround:
Do not assign bash access for resource-admin users.

Fix:
Resource-admin users restricted to tmsh access now. If a resource-admin user had bash access in a prior version and upgrades to this version, that user will get converted to tmsh access automatically after the upgrade process.

Behavior Change:
Resource-admin roles can no longer have bash shell access. And upon upgrade, resource-admin users with bash access will get converted to tmsh shell access.


745165-1 : Resource-Administrator role not allowed SFTP access

Component: TMOS

Symptoms:
Users with the Resource-Administrator role can access BIG-IP via SFTP.

Conditions:
User with the Resource-Administrator role and Advanced Shell Access

Impact:
Users with the Resource-Administrator role can access BIG-IP via SFTP.

Workaround:
None.

Fix:
Users with the Resource-Administrator role can no longer be granted Advanced Shell Access and cannot sftp into BIG-IP. Such users can still use scp for file transfers.


745027-2 : AVR is doing extra activity of DNS data collection even when it should not

Component: Application Visibility and Reporting

Symptoms:
When collecting DNS data, AVR generates data that is used only for BIG-IQ, even if not connected to BIG-IQ.

Conditions:
DNS Statistics collection or DNS-DoS is configured.

Impact:
avrd process is taking more CPU cycles for activity that is not needed. There is no impact to functionality.

Workaround:
None.

Fix:
The system no longer performs extra computation that is not needed in this case.


744949-1 : MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix

Component: Service Provider

Symptoms:
SIP response messages have the wrong IP address in the FROM header when using NAT64.

Conditions:
If the client's IPv6 address does not match the virtual server's configured IPv6 prefix, the FROM header on a response message will have a different IP address that the request message.

Impact:
The SIP ALG with SNAT system will be unable to establish a call for the client.

Workaround:
There is no workaround at this time.

Fix:
The FROM header will now contain the client's IP address.


744686-2 : Wrong certificate can be chosen during SSL handshake

Component: Local Traffic Manager

Symptoms:
If two certificates of the same type are configured in an SSL profile, one marked `usage CA' and the other not, the wrong one could be chosen during the handshake.

Conditions:
Two certificates of the same type are configured in an SSL profile.

Impact:
The wrong certificate could be chosen during the handshake.

Workaround:
Do not configure two certificates of the same type on an SSL profile.


744685-2 : BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension

Component: Local Traffic Manager

Symptoms:
An intermediate CA certificate should be considered invalid if the certificate does not contain both "Basic Constraints: critical" and "CA:TRUE" in its extension. BIG-IP does not enforce this.

Conditions:
The SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop.

Impact:
The system might unexpectedly accept the SSL connection while the peer is using an inappropriate certificate.

Fix:
With the fix, if the SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, the system drops the SSL handshake if the peer's CA certificate does not contain both "Basic Constraints: critical" and "CA:TRUE" in its extension.

Behavior Change:
When authenticating a peer's SSL certificate, we require a CA certificate to have the "Basic Constraints" and "CA:True" in its extension, like this:

            X509v3 Basic Constraints: critical
                CA:TRUE

If an SSL profile has peer-cert-mode set to require and untrusted-cert-response-control set to drop, we will drop the handshake if the peer's CA certificate does not satisfy the above requirement.


744595-3 : DoS-related reports might not contain some of the activity that took place

Component: Application Visibility and Reporting

Symptoms:
Occasionally, some telemetry data of DoS related activity is lost.

Conditions:
No specific condition other than using the BIG-IP system anti-DDoS feature.

Impact:
DoS related reports might not contain some of the activity that takes place.

Workaround:
None.

Fix:
Issue was fixed, all telemetry data is collected without errors.


744589-3 : Missing data for Firewall Events Statistics

Component: Application Visibility and Reporting

Symptoms:
Statistical information that is collected for Firewall event, has some data that is getting lost and not reported.

When this is taking place, the following message appears at avrd log:
Some rows of load_stat_firewall_events_<some number> not loaded

Conditions:
AFM is used, no particular condition that leads to this situation of losing some of the stats, usually takes place under heavy activity.

Impact:
Statistical reports of Firewall Events are missing some the the activity that actually took place.

Workaround:
There is no workaround at this time.

Fix:
Issue with missing data was fixed.


744347-4 : Protocol Security logging profiles cause slow ASM upgrade and apply policy

Component: Application Security Manager

Symptoms:
ASM upgrade and apply policy are delayed by an additional 3 seconds for each virtual server associated with a Protocol Security logging profile (regardless of whether ASM is active on that virtual server). During upgrade, all active policies are applied, which leads to multiple delays for each policy.

Conditions:
There are multiple virtual servers associated with Protocol Security logging profiles.

Impact:
ASM upgrade and apply policy are delayed.

Workaround:
There is no workaround at this time.


744275-1 : BIG-IP system sends Product-Name AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Product-Name AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 269 0
        }
    }
}

Fix:
This release always clears the Mandatory bit for Product-Name AVPs in DIAMETER Capabilities Exchange Request messages.


744188-1 : First successful auth iControl REST requests will now be logged in audit and secure log files

Component: TMOS

Symptoms:
Previously, when making a REST request from a client for the first time and it is successful, this action was not logged.

Just subsequent REST calls were logged or initial failed REST calls from a client were logged.

Conditions:
Making a successfully auth-ed initial REST request from a new client to BIG-IP.

Impact:
BIG-IP admins would not know when a new client first made a successful REST call to BIG-IP.

Workaround:
None.

Fix:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Here's an example of what shows in audit log:

-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user bart2 - RAW: httpd(pam_audit): user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Here's an example of what shows in secure log:

-- info httpd(pam_audit)[26561]: user=bart2(bart2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".
-- info httpd(pam_audit)[26561]: 01070417:6: AUDIT - user usr2 - RAW: httpd(pam_audit): user=usr2(usr2) partition=[All] level=Guest tty=(unknown) host=10.10.10.10 attempts=1 start="Fri Oct 12 17:07:53 2018" end="Fri Oct 12 17:07:53 2018".

Subsequent REST calls will continue to be logged normally.

Behavior Change:
Now on the first successful REST call, these actions are logged in /var/log/audit and /var/log/secure log files.

Subsequent REST calls will continue to be logged normally.


743900-1 : Custom DIAMETER monitor requests do not have their 'request' flag set

Component: Local Traffic Manager

Symptoms:
Using the technique detailed in the Article: K14536: Customizing the BIG-IP Diameter monitor https://support.f5.com/csp/article/K14536 to create custom DIAMETER monitor requests fails for any request that uses the numeric form of a DIAMETER command code, because the 'request' flag is not set in the DIAMETER packet.

Conditions:
-- Using custom DIAMETER monitor requests.
-- Using numeric DIAMETER command codes.

Impact:
The monitor probes fail because the BIG-IP system does not set the DIAMETER 'request' flag for requests it sends when using a numeric value for the command code, so the DIAMETER server thinks it is a response

Workaround:
None.

Fix:
Ensured that the 'request' flag is set for all DIAMETER monitor requests.


743437-3 : Portal Access: Issue with long 'data:' URL

Component: Access Policy Manager

Symptoms:
HTML page may contain a very long 'data:' URL. Portal Access cannot handle such URLs correctly.

Conditions:
HTML page with very long 'data:' similar to the following example:

    data:image/png;base64,...

Such URLs might be several megabytes long.

Impact:
The rewrite plugin cannot process HTML pages with very long URLs and restarts. The page is not sent to the end user client; web application may not work correctly.

Workaround:
There is no workaround at this time.

Fix:
Now Portal Access handles very long 'data:' URLs correctly.


742852-1 : Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header

Component: Application Security Manager

Symptoms:
Bot defense blocks a request containing a TSPD101 cookie in query string. TSPD101 is sent when using the Safari browser, and cross-site redirect protection is applied on a request.

Conditions:
- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.

Impact:
Cross-site requests are blocked during the grace period configured on the bot defense profile.

Workaround:
Disable browser verification in the bot defense profile.

Fix:
Cross-site redirect protection now works as expected when cookie is sent via query string.


742829-1 : SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0

Component: Service Provider

Symptoms:
The BIG-IP system incorrectly handles SDP media ports. UAC sends SDP message body publishing capable of handling voice, text, and video. UAS responds, publishing voice, text and video not desired by setting video port to '0'. The BIG-IP system does not honor the fact that UAS does not want video, and translates video port '0' to an ephemeral port, causing the UAC to believe it must open a video channel. When the UAC sends a video connection request, the BIG-IP system sends the request to the wrong port, i.e., to the media port for text, which causes the connection to fail.

Conditions:
RTP media port defined in the SIP message is set to 0.

Impact:
Improper media channel creation.

Workaround:
You can use an iRule workaround to remove the media attributes with ports set to 0 at the ingress, and update the message body size accordingly.


742251-1 : Add Alibaba Cloud support to Qkview

Component: TMOS

Symptoms:
Qkview has been updated to support obtaining files relevant to the Alibaba Cloud.

Conditions:
Run Qkview.

Impact:
Files related to the Alibaba Cloud were not collected.

Workaround:
None

Fix:
Files related to Alibaba Cloud are now collected.


742184-3 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- High TMM memory utilization;
-- Aggressive sweeper activated;
-- the 'packet', 'xdata' and 'xhead' caches in the memory_usage_stat tmstat table have high 'allocated' and 'curr_allocs' numbers with a steadily increasing profile.

Conditions:
A fastL4 and a L7 profile (e.g. HTTP) are assigned to a virtual server.

Impact:
Degraded performance, possible TMM crash due to out-of-memory condition.

Workaround:
Do not add a L7 profile to a fastL4 virtual server.

Fix:
No memory leak in the TMM.


741449-3 : alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts

Component: Fraud Protection Services

Symptoms:
JAVASCRIPT_THRESHOLD alert should contain 2 timestamps:
1. component-validation cookie timestamp (set on cookie creation)
2. current BIG-IP timestamp

currently, these timestamps are not available in the alert details

Conditions:
JAVASCRIPT_THRESHOLD alert is triggered

Impact:
it is impossible to analyze the alert

Workaround:
There is no workaround at this time.

Fix:
FPS should always include both timestamps when triggering the JAVASCRIPT_THRESHOLD alert


739963-4 : TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup

Component: Local Traffic Manager

Symptoms:
HTTPS monitors mark a TLS v1.2-configured pool member down and never mark it back up again, even if the pool member is up. The monitor works normally until the SSL handshake fails for any reason. After the handshake fails, the monitor falls back to TLS v1.1, which the pool members reject, and the node remains marked down.

Conditions:
This might occur when the following conditions are met:
-- Using HTTPS monitors.
-- Pool members are configured to use TLS v1.2 only.

Impact:
Once the handshake fails, the monitor remains in fallback mode and sends TLS v1.0 or TLS v1.1 requests to the pool member. The pool member remains marked down.

Workaround:
To restore the state of the member, remove it and add it back to the pool.


739945-4 : JavaScript challenge on POST with 307 breaks application

Component: Application Security Manager

Symptoms:
A JavaScript whitepage challenge does not reconstruct when the challenge is on a POST request and the response from the back-end server is 307 Redirect. This happens only if the challenged URL is on a different path than the redirected URL. This prevents the application flow from completing.

Conditions:
- JavaScript challenge / CAPTCHA is enabled from either Bot Defense, Proactive Bot Defense, Web Scraping, DoSL7 Mitigation or Brute Force Mitigation.
- The challenge is happening on a POST request on which the response from the server is a 307 Redirect to a different path.

Impact:
Server is not able to parse the request payload and application does not work. This issue occurs because the TS*75 cookie is set on the path of the challenged URL, so the redirected URL does not contain the cookie, and the payload is not reconstructed properly to the server.

Workaround:
As a workaround, you can construct an iRule to identify that the response from the server is 307 Redirect, retrieve the TS*75 cookie from the request, and add to the response a Set-Cookie header, setting the TS*75 cookie on the '/' path.

Fix:
Having a JavaScript challenge on a POST request with 307 Response no longer prevents the application from working.


739432 : F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems

Component: Access Policy Manager

Symptoms:
F5 Adaptive Auth Configuration is a configuration required on BIG-IP systems. This allows access to F5 Adaptive Authentication Service hosted on the cloud. As the reporting feature is deprecated, the Reports associated with feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.

Conditions:
Admin attempts to view F5 Adaptive Auth reports on the BIG-IP system.

Impact:
Admin cannot use F5 Adaptive Auth Reports on the BIG-IP system. This is because F5 Adaptive Auth Reports functionality has been removed from BIG-IP systems, and is no longer supported.

Workaround:
View the associated reports in the F5 Adaptive Auth Service instead.

Fix:
F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems.

Behavior Change:
The reporting feature of the F5 Adaptive Auth Configuration, which allows access to F5 Adaptive Authentication Service hosted on the cloud, is deprecated with this release, so the Reports associated with feature are removed from the BIG-IP system. The associated reports are now shown in the F5 Adaptive Auth Service instead.


739349-3 : LRO segments might be erroneously VLAN-tagged.

Component: Local Traffic Manager

Symptoms:
Segments being processed for large receive offload (LRO) (the action the system performs to aggregate multiple incoming packets within a buffer before passing them up)
might be erroneously VLAN-tagged when LRO is enabled.

Conditions:
-- TCP LRO enabled.
-- Egress VLAN untagged.

Impact:
Egress traffic might sometimes be tagged.

Workaround:
Disable TCP LRO. To enable or disable LRO functionality, you can use the following command syntax:

tmsh modify sys db tm.tcplargereceiveoffload value <enable | disable>

Fix:
The system now ensures that fragment packet flags are correctly set.


738945-4 : SSL persistence does not work when there are multiple handshakes present in a single record

Component: Local Traffic Manager

Symptoms:
SSL persistence hangs while parsing SSL records comprising multiple handshake messages.

Conditions:
This issue intermittently happens when an incoming SSL record contains multiple handshake messages.

Impact:
SSL persistence parser fails to parse such messages correctly. The start of the record may be forwarded on to server but then connection will stall and eventually idle timeout.

Workaround:
There is no workaround other than using a different persistence, or disabling SSL persistence altogether.

After changing or disabling persistence, the transaction succeeds and no longer hangs.


738891-1 : TLS 1.3: Server SSL fails to increment key exchange method statistics

Component: Local Traffic Manager

Symptoms:
When TLS 1.3 is negotiated with a server SSL profile, the key exchange method statistics do not increment.

Conditions:
-- TLS 1.3 is configured on a server SSL profile.
-- TLS 1.3 is the protocol version negotiated.

Impact:
Missing statistics.

Workaround:
None.

Fix:
The key exchange method statistics are now correctly incremented.

Behavior Change:
When TLS 1.3 is now supported for configuration on server SSL profiles, so these statistics are now present.


738677-1 : Configured name of wildcard parameter is not sent in data integrity alerts

Component: Fraud Protection Services

Symptoms:
FPS sends a data integrity alert when a parameter is configured with 'Check Data Manipulation' enabled.
the alert includes parameter's actual-name, actual-val-crc, and expected-val-crc.

For wildcard parameters, it is difficult to tell which parameter was found and triggered the data integrity alert, since FPS sends only the actual name that was found in the request.

Conditions:
Wildcard parameter defined for integrity check.

Impact:
Alert analysis is more difficult, as the actual matched parameter is not obvious.

Workaround:
None.

Fix:
FPS now includes wildcard parameter's configured-name in the data integrity alert.


738676-1 : Errors when trying to delete all bot requests from "Security :: Event Logs : Bot Defense : Bot Requests"

Component: Application Security Manager

Symptoms:
When trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests

Delete will fail with error and exceptions in restjavad.log

[WARNING][593][30 Jul 2018 14:42:26 UTC][8100/mgmt ForwarderPassThroughWorker] URI:http://localhost:8100/mgmt/tm/asm/events/bot-defense-events?$top=200000, Referrer:https://172.29.40.71/dms/bot_defense/bot_requests.php, Method:DELETE, Exception:java.util.concurrent.TimeoutException: remoteSender:192.168.188.171, method:DELETE

Conditions:
This can be encountered when deleting all bot requests while traffic is passing.

Impact:
delete fails, and there is significant memory consumption in asm_confog_server

Workaround:
n/a

Fix:
we have fixed the bot requests deletion process to not fail with errors and not cause huge memory consumption in asm_confog_server


738108-1 : SCTP multi-homing INIT address parameter doesn't include association's primary address

Component: TMOS

Symptoms:
When multihoming is enabled in an SCTP profile, the source-address of the INIT chunk was not added as an Address parameter in that INIT chunk.

Conditions:
Any SCTP profile where multi-homing is enabled.

Impact:
No impact for peers that implement SCTP in accordance with RFC 4960.

RFC does not require that the address either should or should not be included in the INIT chunk, but does require that an entity receiving an INIT chunk include the source-address in its list regardless of whether that is included in the INIT chunk.

Workaround:
No known workaround.

Fix:
BIG-IP now includes all relevant addresses in the INIT chunk.

Behavior Change:
When multihoming is enabled, the local address will now be added to the INIT chunk. Previously the local address (that is, the address that the datagram is sent from) was not listed as an Address parameter. This is permitted, but not required, by RFC 4960 section 3.3.2.1.


737910-4 : Security hardening on the following platforms

Component: TMOS

Symptoms:
Improve hardware security on the following platforms (i850, i2000, i4000, i5000, i7000, i10000, i15000, HRC-xxx)

Conditions:
Using the following platforms: i850, i2000, i4000, i5000, i7000, i10000, i15000, HRC-xxx.

Impact:
These platforms do not use all available hardware security enhancements.

Fix:
Specified platforms now use hardware security enhancements.


737866-2 : Rare condition memory corruption

Component: Application Security Manager

Symptoms:
BD dameon core

Conditions:
Slow server and slow offload services.

Impact:
A bd crash, traffic distrubance

Workaround:
None.

Fix:
A memory corruption condition was solved.


737536-2 : Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others.

Component: TMOS

Symptoms:
The use case is the following:
|OSPF 1|---|Network1|------[|OSPF process 1|---BIG-IP system---|OSPF process 2|]-----|Network2|---|OSPF 2|

Attempting to redistribute default route received from OSPF process that is peering with the Internet to OSPF process 2. However, if that route is removed (e.g., an Internet link goes down), OSPF process 2 removes the associated route and the 'default-information originate' command is the ideal choice, because as long as the OSPF process 1 default route is in the routing table, the default route is redistributed into OSPF process 2. If that route is gone, OSPF process 2 immediately removes it from routing table. Enabling 'default-information originate' on OSPF process 2 does not affect the outcome, and a default route is not injected like it should be.

Conditions:
-- On the BIG-IP system, OSPF routing protocol is enabled on a route-domain.
-- Routing configuration example:

OSPF router config examples:
***
OSPF 1:
!router ospf 1
 ospf router-id 10.13.0.7
 redistribute ospf
 network 10.13.0.0/16 area 0.0.0.1
 default-information originate

OSPF 2:
router ospf 1
 ospf router-id 10.14.0.5
 redistribute ospf
 network 10.14.0.0/16 area 0.0.0.1

BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
***

-- Enable 'default-information originate' on BIG-IP OSPF process 2 should allow OSPF process 2 to receive advertised default route from BIG-IP OSPF process 1 if such exists.

# expected OSPF routers configuration on the BIG-IP system:
router ospf 1
 ospf router-id 10.13.0.2
 network 10.13.0.0/16 area 0.0.0.1
router ospf 2
 ospf router-id 10.14.0.9
 network 10.14.0.0/16 area 0.0.0.1
 default-information originate

Impact:
A default route from OSPF process 1 is not advertised into OSPF process 2 routing table.

Workaround:
None.

Fix:
Enabling 'default-information originate' on OSPF process 2 forces OSPF process 2 to receive a default route from OSPF process 1 if such exists.


737423-2 : Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033

Component: TMOS

Symptoms:
An integer wraparound has been discovered in the Binary File Descriptor (BFD) library distributed in GNU Binutils up to version 2.30. An attacker could cause a crash by providing an ELF file with corrupted DWARF debug information.

concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.

The Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (excessive memory allocation and application crash) via a crafted ELF file, as demonstrated by _bfd_elf_parse_attributes in elf-attrs.c and bfd_malloc in libbfd.c. This can occur during execution of nm.

Conditions:
Command-line usage of binutils tools by users with Advanced Shell Access

Impact:
None in default, standard and recommended configurations.

Workaround:
None.

Fix:
Upgraded binutils to an unaffected version.


727136-1 : One dataset contains large number of variations of TLS hello messages on Chrome

Component: Anomaly Detection Services

Symptoms:
Dataset of TLS fingerprints of clients of a site can consume significantly more space than needed.

Conditions:
-- BADOS with TLS signatures.
-- AFM end user clients using the Mozilla Chrome browser.

Impact:
Dataset is full, so it does not contain a full TLS fingerprints set. As result there is a risk of creating false-positive TLS signatures.

Workaround:
Turn off TLS signatures.

Fix:
Dataset of TLS fingerprints contains unique TLC fingerprints regardless GREASE ciphers.


726647-5 : PEM content insertion in a compressed response may truncate some data

Component: Policy Enforcement Manager

Symptoms:
HTTP compressed response with content insert action can truncate data.

Conditions:
PEM content insertion action with compressed HTTP response.

Impact:
Data might be truncated.

Workaround:
There is no workaround other than disabling compression accept-encoding attribute in the HTTP request.

Fix:
HTTP compressed response with content insert action no longer truncates data.


724680-6 : OpenSSL Vulnerability: CVE-2018-0732

Solution Article: K21665601


724327-2 : Changes to a cipher rule do not immediately have an effect

Component: Local Traffic Manager

Symptoms:
If a cipher rule is changed, and a cipher group that uses the rule is attached to an SSL profile, the change will not take effect until something else on the SSL profile changes.

Conditions:
A cipher group is used by an SSL profile, and one of its cipher rules changes.

Impact:
Unexpected behavior occurs as the user expects the cipher rule change to take effect immediately.

Workaround:
After changing the cipher rule that's used by a cipher group, make a change to any SSL profile that uses the associated cipher group.

Fix:
Any changes to a cipher rule or cipher group will take immediate effect.


721741-4 : BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative

Component: Application Security Manager

Symptoms:
bd log spits this error.
-------
ECARD_POLICY|NOTICE|May 24 04:49:42.035|4143|table.h:2408|IPTableList::del_object key not found in table
ECARD|ERR |May 24 04:49:42.035|4143|table.h:0398|KEY_UPDATE: Failed to REMOVE data will continue to add
-------

Conditions:
Configuring IP Address Exceptions in certain order - w/ and w/o route domain.

Impact:
BD and BD_Agent out-of-sync for IP Address Exception, causes false positives / false negatives

Workaround:
There is no workaround at this time.

Fix:
System no longer generates these false positive/negative log entries.


721724-1 : LONG_REQUEST notice print was fixed in BD log

Component: Application Security Manager

Symptoms:
LONG_REQUEST notice print showed incorrect memory usage.

Conditions:
- A long request is received.
- LONG_REQUEST notice is seen in BD log containing an incorrect value for total memory used by long request buffers.

Impact:
- Incorrect logging of total memory used by long request buffers.

Workaround:
N/A

Fix:
LONG_REQUEST notice print in BD log shows correct amount of memory used by long request buffers.


721585-1 : mcpd core processing ltm monitors with deep level of inheritance

Component: TMOS

Symptoms:
If the level of ltm monitor inheritance (defaults-from) is too large, i.e 9. then mcpd will fail to send sod a heartbeat within the heartbeat timeout; therefore sod will restart mcpd.

Conditions:
LTM monitors that have 9 levels of inheritance

i.e.

mon1 defaults from mon2, which defaults from mon3, which defaults from mon4 ... to mon10

Impact:
mcpd is restarted which will cause services to failover.

Workaround:
Rework the ltm monitors so that the level of inheritance is less than 9.


720219-3 : HSL::log command can fail to pick new pool member if last picked member is 'checking'

Solution Article: K13109068

Component: Local Traffic Manager

Symptoms:
This occurs in certain configurations where the HSL::log command is using a remote high speed log (HSL) pool with failing pool members. If a pool member goes into a 'checking' state and the command attempts to send the log via that pool member, it can fail to send and all future log commands from that iRule will also fail, if that pool member is actually unavailable.

Conditions:
-- Using HSL::log command.
-- iRule with a remote high speed logging configured.

Impact:
Failure to send log messages via HSL.

Workaround:
Follow this procedure:
1. Change the 'distribution' method of the remote high speed config to something else.
2. Save the configuration.
3. Change the method back.

Fix:
This issue no longer occurs. If a 'down' pool member is picked, it will eventually be bypassed to find an 'up' pool member, if possible.


717896-4 : Monitor instances deleted in peer unit after sync

Component: Local Traffic Manager

Symptoms:
An incremental-sync from a modified-node that was set to 'user-down' causes the target-node on the target-device to have only a single monitor instance, rather than the several monitor instances that were present on the from-node.

During the incremental sync, the system issues several messages similar to the following: err mcpd[6900]: 01070712:3: Caught configuration exception (0), Invalid monitor rule instance identifier: 24913.

Conditions:
-- In high availability (HA) configurations.
-- A node is modified, and then manually set to 'user-down'.
-- That node has more than one associated monitor.
-- An incremental-sync occurs to the paired device.

Impact:
After incremental-sync, a single monitor instance exists for the node on a 'backup' unit in an HA configuration, rather than the several monitor instances that exist for that node on the 'active' unit; and that node session is 'enabled' (where the 'from-node' was 'disabled); and that node status may be 'up' (where the 'from-node' was 'user-down'), and later transition to 'down' from a monitor-fail.

Thus, after incremental-sync, the target-node may then be 'down', while the active unit in the HA configuration continues to function as expected.

Workaround:
There are several workarounds:
-- Perform a 'full-sync' (rather than an 'incremental-sync').
-- Ensure the node is 'user-up' (not 'user-down') before the incremental-sync.
-- Perform 'tmsh load sys config' on the target unit. In this case, the 'Invalid monitor rule instance identifier' messages will be seen, but the configuration will successfully load, and the target-unit will run correctly with the expected configuration.

Fix:
An incremental-sync from a modified-node that was set to 'user-down' successfully replicates the several monitor instances on that node to the target-node on the backup device in an HA configuration.


717100-1 : FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member

Component: Local Traffic Manager

Symptoms:
FQDN ephemeral pool members and corresponding FQDN ephemeral nodes may not be created if multiple FQDN template pool members are created rapidly, without the corresponding FQDN template nodes being created first.

The missing FQDN ephemeral pool members may be created an hour after initial operations.

Conditions:
This may occur when all of the following conditions are true:
-- Multiple FQDN template pool members are created rapidly, such as during config load or multiple FQDN template pool members created in a single tmsh cli transaction, without the corresponding FQDN template nodes being created first.
-- The FQDN names in the newly-created FQDN template nodes all resolve to the same IP address.

Impact:
One or more FQDN ephemeral pool members may not be created, which could result in a pool with no members, and any virtual servers using that pool to fail to pass traffic.

Workaround:
The following steps, alone or in combination, may help avoid this issue:

1. Avoid rapid creation of multiple FQDN template pool members (such as by creating multiple in a single tmsh CLI transaction).
2. Create the corresponding FQDN template nodes first, before creating the FQDN template pool members.

Once this issue occurs (such as, after a config load), you can recover from this condition by deleting and recreating the FQDN template pool members that have no corresponding FQDN ephemeral pool members.

In addition, creating the corresponding FQDN template nodes first, with an FQDN 'interval' value set to a shorter timeout than the default (3600 seconds) allows automatic recovery from this condition after the configured FQDN 'interval' period (instead of after the default period of one hour).

Fix:
Ephemeral pool members are now created for each pool under these conditions.


716714-4 : OCSP should be configured to avoid TMM crash.

Component: Local Traffic Manager

Symptoms:
TMM generates a core if OCSP is not configured in the SSL profile.

Conditions:
OCSP not configured in the SSL profile.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than configuring OCSP in SSL profiles.

Fix:
In this release, TMM skips processing OCSP if it is not enabled.


716167-2 : the value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bpq

Component: Local Traffic Manager

Symptoms:
The MTU of the tmm_bp kernel interface may be out-of-sync with the value of sys db vlan.backplane.mtu as well as out-of-sync with the MTU displayed by $ tmsh show /net vlan all-properties -hidden.

Conditions:
This issue occurs on first-boot after upgrading to versions after
12.1.1 HF1.

Impact:
From the data plane perspective, this issue can cause excessive IP fragmentation on tmm_bp vlan and high cpu usage.
In some cases it would also cause packet loss.
From the config perspective, this issue has a few smaller impacts:
(a) fragmented packets on the tmm_bp interface if those packets have length greater than the actual MTU of this interface as given by the kernel with $ ip a list dev tmm_bp | egrep -i mtu or $ifconfig tmm_bp.
   (i) Note: This isn’t impactful to the running system. Fragmented packets are reassembled in order for TCP clients of the tmm_bp interface.
(b) the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the kernel interface tmm_bp as given by $ ip a list dev tmm_bp or $ ifconfig tmm_bp .

(c) similarly, the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the mtu of the Net::Vlan tmm_bp as given by $ tmsh show net vlan -hidden tmm_bp.


Paraphrasing: vlan tmm_bp MTU (as found in vlan.backplane.MTU) is not applied to the corresponding kernel interface.

Workaround:
A series of subsequent restarts rolls the correct setting through:
  # tmsh stop sys service all
  # tmsh start sys service all

To verify:
  # ip addr show dev tmm_bp ; tmsh show net vlan -hidden tmm_bp \; list sys db vlan.backplane.mtu


715110-1 : AVR should report 'resolutions' in module GtmWideip

Component: Application Visibility and Reporting

Symptoms:
AVR does not report 'resolutions' in GtmWideip module.

Conditions:
One of the following modules is provisioned: AVR, AFM, or DNS/GTM.

Impact:
There are no statistics reported on 'resolutions' in GtmWideip module.

Workaround:
There is no workaround.

Fix:
AVR now reports 'resolutions' in GtmWideip module.


713817-1 : BIG-IP images are available in Alibaba Cloud

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) images are now available in the Alibaba International Cloud Marketplace.

Conditions:
Create virtual server instance within Alibaba International Cloud environment and select BIG-IP from the list of available images.

Impact:
New offerings for BYOL and PAYG for BIG-IP VE are now available in the Alibaba International Cloud Marketplace.

Workaround:
BIG-IP VE images are now available in Alibaba Cloud.

Fix:
BIG-IP VE images are now available in Alibaba Cloud.

Behavior Change:
BIG-IP VE now supports the Alibaba International Cloud Marketplace.


713806-8 : CVE-2018-0739: OpenSSL Vulnerability

Solution Article: K08044291


707013-3 : vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest

Component: TMOS

Symptoms:
- clusterd restarts on secondary blade
- /var/log/ltm: "Management IP (<guest_management-ip>) already in use by (vcmp guest <guest_name>)"

Conditions:
1. blade power off/on using bladectl command allows to reproduce ~80% of the time
2. not sure if this is specific to platform:
 - was able to reproduce easily on (B2100 - A109),
 - issue reproduced multiple times in cusomter environment on (B2150 - A113)
 - not able to reproduce with the same steps and version on 4800 (PB300) viprion

Impact:
- Secondary slot on viprion hypervisor is in "INOPERATIVE" state

Workaround:
On the VMCP Host, copy the file /shared/db/cluster.conf from the primary to all secondary cluster members.

For a four slot chassis, issue this command from the primary:
$ for i in 1 2 3 4; scp /shared/db/cluster.conf slot$i:shared/db/cluster.conf ; done

Clusterd should then recover from the restart loop on secondary blades.


704450-5 : bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration

Component: Local Traffic Manager

Symptoms:
A rarely seen scenario exists where 'bigd' crashes when the BIG-IP system is under extremely heavy load, due to 'bigd' running with an incomplete configuration and attempting to interact with 'mcpd' prior to being fully configured by 'mcpd'. This may occur when 'mcpd' is sufficiently delayed in configuring 'bigd' upon 'bigd' process start (at system-start, or upon 'bigd' process re-start), such that 'bigd' attempts to report monitoring results to 'mcpd' prior to fully receiving its configuration (from 'mcpd').

Conditions:
BIG-IP is under heavy load; and 'bigd' process is (re-)started; and 'mcpd' is delayed in relaying the full configuration to 'bigd'; and 'bigd' attempts to report monitoring results to 'mcpd'.

Impact:
Monitoring is delayed while bigd is restarting. If the load lasts for a long enough period of time, bigd might repeatedly fail to start and monitoring will not resume. In some cases 'bigd' may run with an incomplete configuration.

Workaround:
Reduce the load on the system.

Fix:
'bigd' does not crash and runs with complete configuration when (re-)starting when BIG-IP runs under heavy configuration resulting in 'mcpd' delaying its configuration of 'bigd'.


703835-5 : When using scp into BIG-IP, use must specify the target filename

Component: TMOS

Symptoms:
File transfers via scp allow indistinct target filenames.

Conditions:
File transfers using scp into BIG-IP.

Impact:
Transfers allowed without explicit specification of target filename.

Workaround:
None.

Fix:
Users without Advanced Shell Access must specify a target file name when using scp command, such as:

$ scp source_filename1 user1@BIG-IP-ADDR:/tmp/target_filename1

Behavior Change:
When using scp to copy files to BIG-IP, you must specify the target filename in the URL path, like so:

$ scp filename1 root@100.100.28.39:/tmp/target_filename1


703593-1 : TMSH tab completion for adding profiles to virtual servers is broken

Component: Local Traffic Manager

Symptoms:
TMSH tab completion for adding profiles to virtual servers is broken. List of profiles is not displayed when tab is pressed.

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create ltm virtual asdf profiles add {
Configuration Items:
  [enter profile name]

Conditions:
List of profiles is not displayed when trying to add profiles during creation of a virtual server.

Impact:
List of available profiles is not displayed.


702472-7 : Appliance Mode Security Hardening

Component: TMOS

Symptoms:
Appliance Mode does not follow best security practices for administrative users.

Conditions:
Appliance Mode licensed
Administrative user access

Impact:
Appliance Mode does not follow best security practices.

Workaround:
None.

Fix:
Appliance Mode now follows best security practices.


699977-3 : CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX

Solution Article: K43570545


698376-5 : Non-admin users have limited bash commands and can only write to certain directories

Component: TMOS

Symptoms:
TMSH access to Linux utilities does not follow best security practices.

Conditions:
Users without Advanced Shell Access running Linux utilities from inside TMSH.

Impact:
TMSH does not follow best security practices

Workaround:
None.

Fix:
TMSH access to Linux utilities now follows best security practices.

Behavior Change:
Some tmsh util commands will be restricted to writing files to certain directories.


668041-4 : Config load fails when an iRule comment ends with backslash in a config where there is also a policy.

Solution Article: K27535157

Component: TMOS

Symptoms:
Config load fails when an iRule contains a commented line that ends with an escape character (backslash), and the config also contains an LTM policy. Depending on the iRule, you might also see the following error: Syntax Error:(/config/bigip.conf at line: 42078) double quotes are not balanced.

Conditions:
-- iRule contains commented line that ends with a backslash.
-- The config also contains a policy.

For example, an iRule similar to the first example, and a policy similar to the second:

ltm rule /Common/log_info {
  when HTTP_RESPONSE {
    #log local0. "Original Location header value: [HTTP::header value Location],\
     updated: [string map ":[TCP::remote_port]/ /" [HTTP::header value Location]]"
}
}

...

ltm policy /Common/Test_Policy {
    controls { forwarding }
    requires { http tcp }
    rules {
        TestPol_Rule1 {
            actions {
                0 {
                    forward
                    select
                    node 10.2.10.20
                }
            }
            conditions {
                0 {
                    tcp
                    address
                    matches
                    values { 10.1.10.20 }
                }
            }
        }
    }
    strategy /Common/first-match
}

Impact:
Config load fails.

Workaround:
You can use any of the following workarounds:
-- Delete the line of code with the comment.
-- Put the entire comment on one line of code.
-- Divide lengthy comments into a series of smaller ones, so that each comment fits within one line of code.
-- Move the iRule so that it is sequentially before the LTM policy in the config file.

Fix:
Config load no longer fails when an iRule comment ends with backslash in a config where there is also a policy.


639619-7 : UCS may fail to load due to Master key decryption failure on EEPROM-less systems

Component: TMOS

Symptoms:
The following error:
'Symmetric Unit Key decrypt failure - decrypt failure'
is logged to /var/log/ltm when attempting to load a UCS.
Configuration fails then to load due to a secure attribute decryption failure.

Conditions:
1. UCS contains secure attributes.
2. UCS contains a '/config/bigip/kstore/.unitkey' file.
3. The current '/config/bigip/kstore/.unitkey' file does not match the '.unitkey' file within UCS.
4. System does not utilize an EEPROM for storing its unitkey. (For more information, see K73034260: Overview of the BIG-IP system Secure Vault feature :: https://support.f5.com/csp/article/K73034260.)

Impact:
The configuration fails to load.

Workaround:
Perform the following procedure:

1. Stop the system:
# bigstart stop
2. Replace the '/config/bigip/kstore/.unitkey' file with the '.unitkey' file from the UCS
3. Replace the '/config/bigip/kstore/master' file with the 'master' file from the UCS
4. Remove the mcp db to forcibly reload the keys:
# rm -f /var/db/mcpd.bin
# rm -f /var/db/mcpd.info

5. Restart the system and reload the configuration:
# bigstart start
# tmsh load sys config
or
# reboot


621260-2 : mcpd core on iControl REST reference to non-existing pool

Component: TMOS

Symptoms:
MCPd cores when attempting to create a pool and a monitor reference by using a REST call such as:

curl -u admin:admin -H "Content-Type: application/json" -X POST http://localhost:8100/tm/ltm/pool -d'{"name":"test_pool","monitor":" "}'

Conditions:
The monitor reference in the REST call must be comprised of a single space character.

Impact:
MCPd restarts, causing many of the system daemons to restart as well.

Workaround:
Don't use spaces in the monitor reference name.



Known Issues in BIG-IP v14.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
758604-2 2-Critical   Deleting a port from a single-port trunk does not work.
757357-3 2-Critical   Tmm crashes when using virtio direct descriptors and packets 2 KB or larger
756830-1 2-Critical   BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
755716-1 2-Critical   IPsec connection can fail if connflow expiration happens before IKE encryption
755254-1 2-Critical   Remote auth: PAM_LDAP buffer too small errors on v14.1
754541-2 2-Critical   Reconfiguring an iApp that uses a client SSL profile fails
753650-2 2-Critical   The BIG-IP system reports frequent kernel page allocation failures.
750586-2 2-Critical   HSL may incorrectly handle pending TCP connections with elongated handshake time.
748205-3 2-Critical   SSD bay identification incorrect for RAID drive replacement
746464-1 2-Critical   MCPD sync errors and restart after multiple modifications to file object in chassis
743803-1 2-Critical   IKEv2 potential double free of object when async request queueing fails
737692 2-Critical   Handle x520 PF DOWN/UP sequence automatically by VE
726487-4 2-Critical   MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.
726240-1 2-Critical   Cannot find disk information.
721350-1 2-Critical   The size of the icrd_child process is steadily growing
719597-3 2-Critical   HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0
717785-2 2-Critical   Interface-cos shows no egress stats for CoS configurations
758387-2 3-Major   BIG-IP floods LLDP packet with MAC "01-80-c2-00-00-00" to vlan instead of dropping it
757572 3-Major   Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions
757519-1 3-Major   Unable to login using LDAP authentication
757431 3-Major   mcpd process killed after upgrade from 12.1.3
756820-2 3-Major   Non-UTF8 characters returned from /bin/createmanifest
756450-1 3-Major   Traffic using route entry that's more specific than existing blackhole route can cause core
756088-2 3-Major   The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address
754691-1 3-Major   During failover, an OSPF routing daemon may crash.
754336 3-Major   BIG-IP VE cannot use MOS for reimaging with 4 GB of memory or less
754335 3-Major   Install ISO does not boot on BIG-IP VE
753860-3 3-Major   Virtual server config changes causing incorrect route injection.
753423-6 3-Major   Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation
753001-1 3-Major   mcpd can be killed if the configuration contains a very high number of nested references
752994-1 3-Major   Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod
751581-3 3-Major   REST API Timeout while queriying large number of persistence profiles
751448-1 3-Major   TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart
751409-1 3-Major   MCP Validation does not detect when virtual servers differ only by overlapping VLANs
751024-4 3-Major   i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd
751021-1 3-Major   One or more TMM instances may be left without dynamic routes.
750318-3 3-Major   HTTPS monitor does not appear to be using cert from server SSL profile
749785-2 3-Major   nsm can become unresponsive when processing recursive routes
748545-1 3-Major   Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service
748295-1 3-Major   TMM crashes on shutdown when using virtio NICs for dataplane
748206-1 3-Major   Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position
748187-4 3-Major   'Transaction Not Found' Error on PATCH after Transaction has been Created
747676-3 3-Major   Remote logging needs 'localip' to set source IP properly
746657-1 3-Major   tmsh help for FQDN node or pool member shows incorrect default for fqdn interval
746266-3 3-Major   Vcmp guest vlan mac mismatch across blades.
744730-1 3-Major   Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect
744520-1 3-Major   virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface
744252-2 3-Major   BGP route map community value: either component cannot be set to 65535
743132-6 3-Major   mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile
742753-4 3-Major   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742170-2 3-Major   REST PUT command fails for data-group internal
740589-1 3-Major   mcpd crash with core after 'tmsh edit /sys syslog-all-properties'
740543-1 3-Major   System hostname not display in console
740517-1 3-Major   Application Editor users are unable to edit HTTPS Monitors via the Web UI
739820-1 3-Major   Validation does not reject IPv6 address for TACACS auth configuration
739118-1 3-Major   Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration
738330-3 3-Major   /mgmt/toc endpoint broken after configuring remote authentication
737739-1 3-Major   bash shell still accessible for admin even if disabled
737397-1 3-Major   User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP
737346-1 3-Major   After entering username and before password, the logging on user's failure count is incremented.
734846-1 3-Major   Redirection to logon summary page does not occur after session timeout
727297-1 3-Major   GUI TACACS+ remote server list should accept hostname
727191-1 3-Major   Invalid arguments to run sys failover do not return an error
725791-6 3-Major   Potential HW/HSB issue detected
721020-1 3-Major   Changes to the master key are reverted after full sync
718405-2 3-Major   RSA signature PAYLOAD_AUTH mismatch with certificates
715379-3 3-Major   IKEv2 accepts asn1dn for peers-id only as file path of certificate file
701341-4 3-Major K52941103 If /config/BigDB.dat is empty, mcpd continuously restarts
698933-6 3-Major   Setting metric-type via ospf redistribute command may not work correctly
684096-4 3-Major   stats self-link might include the oid twice
683135-1 3-Major   Hardware syncookies number for virtual server stats is unrealistically high
657834-5 3-Major K45005512 Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent
648621-6 3-Major   SCTP: Multihome connections may not expire
641450-7 3-Major K30053855 A transaction that deletes and recreates a virtual may result in an invalid configuration
606032-5 3-Major   Network Failover-based HA in AWS may fail
591305-3 3-Major   Audit log messages with "user unknown" appear on install
581921-5 3-Major K22327083 Required files under /etc/ssh are not moved during a UCS restore
569859-5 3-Major   Password policy enforcement for root user when mcpd is not available
486712-5 3-Major   GUI PVA connection maximum statistic is always zero
758348-1 4-Minor   Cannot access GUI via hostname when it contains _
755197-3 4-Minor   UCS creation might fail during frequent config save transactions
754500-2 4-Minor   GUI LTM Policy options disappearing
726317-6 4-Minor   Improved debugging output for mcpd
484683-2 4-Minor   Certificate_summary is not created at peer when the chain certificate is synced to HA peer.
679431-4 5-Cosmetic   In routing module the 'sh ipv6 interface <interface> brief' command may not show header


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
758465-1 2-Critical   TMM may crash or iRule processing might be incorrect
757441-4 2-Critical   Specific sequence of packets cause Fast Open being effectively disabled
757391-2 2-Critical   datagroup iRule command class can lead to memory corruption
756356-2 2-Critical   External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long
755585-1 2-Critical   mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction
753912-4 2-Critical   UDP flows may not be swept
752930-3 2-Critical   Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state
751589-1 2-Critical   In BIG-IP VE, some IP rules may not be created during the first boot up.
747727-1 2-Critical   HTTP Profile Request Header Insert Tcl error
747239-1 2-Critical   TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection
746710-1 2-Critical   Use of HTTP::cookie after HTTP:disable causes TMM core
745589-6 2-Critical   In very rare situations, some filters may cause data-corruption.
739003-2 2-Critical   TMM may crash when fastl4 is used on epva-capable BIG-IP
738046-1 2-Critical   SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby
734276-1 2-Critical   TMM may leak memory when SSL certificates with VDI or EAM in use
726900-1 2-Critical   Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters
712534 2-Critical   DNSSEC keys are not generated when configured to use an external FIPS device
625807-1 2-Critical   tmm cored in bigproto_cookie_buffer_to_server
758437-6 3-Major   SYN w/ data disrupts stat collection in Fast L4
758436-4 3-Major   Optimistic ACKs degrade Fast L4 statistics
758311-1 3-Major   Policy Compilation may cause MCPD to crash
757985-1 3-Major   TMM memory leak
757505-3 3-Major   peer-cert-mode set to always does not work when client-ssl is enabled with session-ticket
757029-2 3-Major   Ephemeral pool members may not be created after config load or reboot
756538-4 3-Major   Failure to open data channel for active FTP connections mirrored across an HA pair.
756270-4 3-Major   SSL profile: CRL signature verification doesn't check for multiple certificates with the same name as the issuer in the trusted CA bundle
755997-2 3-Major   non ipsec listener traffic, i.e. monitoring traffic, can be translated to wrong source address
755727-2 3-Major   Ephemeral pool members not created after DNS flap and address record changes
755631-1 3-Major   UDP / DNS monitor marking node down
754617-2 3-Major   iRule 'DIAMETER::avp read' command does not work with 'source' option
754604-2 3-Major   iRule : [string first] returns incorrect results when string2 contains null
754525-1 3-Major   Disabled virtual server accepts and serves traffic
753526-1 3-Major   IP::addr iRule command does not allow single digit mask
753159-1 3-Major   Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections
752530-1 3-Major   TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.
752334-1 3-Major   Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation
752078-2 3-Major   Header Field Value String Corruption
751036-1 3-Major   Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone
750473-4 3-Major   VA status change while 'disabled' are not taken into account after being 'enabled' again
749689-2 3-Major   HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart
749414-4 3-Major   Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects
748891-2 3-Major   Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP.
748529-1 3-Major   BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install
747907-2 3-Major   Persistence records leak while the HA mirror connection is down
746922-6 3-Major   When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.
746078-1 3-Major   Upgrades break existing iRulesLX workspaces that use node version 6
745545-1 3-Major   CMP forwarded LRO host packets do not restore LRO flag
745285 3-Major   Virtual server configured with destination address list may not respond to ARP and ICMP echo
742838-1 3-Major   A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition
742237-4 3-Major   CPU spikes appear wider than actual in graphs
740959-4 3-Major   User with manager rights cannot delete FQDN node on non-Common partition
738450-1 3-Major   Parsing pool members as variables with IP tuple syntax
723306-1 3-Major   Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition
722707-2 3-Major   mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall
718790-1 3-Major   Traffic does not forward to fallback host when all pool members are marked down
714372 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
710930-3 3-Major   Enabling BigDB key bigd.tmm may cause SSL monitors to fail
696755-3 3-Major   HTTP/2 may truncate a response body when served from cache
689361-4 3-Major   Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)
686059-4 3-Major   FDB entries for existing VLANs may be flushed when creating a new VLAN.
544958-1 3-Major   Monitors packets are sent even when pool member is 'Forced Offline'.
504522-4 3-Major   Trailing space present after 'tmsh ltm pool members monitor' attribute value
747968-3 4-Minor   DNS64 stats not increasing when requests go through dns cache resolver
747628-1 4-Minor   BIG-IP sends spurious ICMP PMTU message to server
744210-2 4-Minor   DHCPv6 does not have the ability to override the hop limit from the client.
738045-5 4-Minor   HTTP filter complains about invalid action in the LTM log file.
722534-1 4-Minor   load sys config merge not supported for iRulesLX
666378-1 5-Cosmetic   A virtual server's connections per second (precision.last_value) is confusingly named.


Performance Issues

ID Number Severity Solution Article(s) Description
746620-3 3-Major   "source-port preserve" does not work on BIG-IP Virtual Edition
747960-2 4-Minor   BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
722741-1 2-Critical   Damaged tmm dns db file causes zxfrd/tmm core
756177-2 3-Major   Sometimes no GTM of a GTM Sync Group Sends Probe to a Monitor with alias address
751540-3 3-Major   GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server
750213-4 3-Major K25351434 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.
749508-1 3-Major   LDNS and DNSSEC: Various OOM conditions need to be handled properly
749222-1 3-Major   dname compression offset overflow causes bad compression pointer
748902-1 3-Major   incorrect handling of memory allocations while processing DNSsec queries
746877-1 3-Major   Omitted check for success of memory allocation for DNSsec resource record
746719-1 3-Major   SERVFAIL when attempting to view or edit NS resource records in zonerunner
746137-1 3-Major   DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds
745035-2 3-Major   gtmd crash
744937-1 3-Major   Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records
744787-4 3-Major   Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias
744707-2 3-Major   Fixed crash related to DNSSEC key rollover
739553-1 3-Major   Setting large number for Wide IP Persistence TTL breaks Wide IP persistence
723288-4 3-Major   DNS cache replication between TMMs does not always work for net dns-resolver
679316-7 3-Major   iQuery connections reset during SSL renegotiation
222220-4 3-Major   Distributed application statistics
755282-1 4-Minor   [GTM] bigip_add password prompt for IPv4-mapped IPv6 address
752216-6 4-Minor K33587043 DNS queries without the RD bit set may generate responses with the RD bit set
748177-1 4-Minor   Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character
744280-2 4-Minor   Enabling or disabling a Distributed Application results in a small memory leak
712335-3 4-Minor   GTMD may intermittently crash under unusual conditions.


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
756108-1 2-Critical   BD crash on specific cases
756418-1 3-Major   Live Update does not authenticate remote users
751710-4 3-Major   False positive cookie hijacking violation
748851-3 3-Major   Bot Detection injection include tags which may cause faulty display of application
746394-1 3-Major   With ASM CORS set to "Disabled" it strips all CORS headers in response.
745802-1 3-Major   Brute Force CAPTCHA response page truncates last digit in the support id
723790-3 3-Major   Idle asm_config_server handlers consumes a lot of memory
758615-1 4-Minor   Reconstructed POST request is dropped after DID cookies are deleted
756998-1 4-Minor   DoSL7 Record Traffic feature is not recording traffic
755005-1 4-Minor   Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations
754109-1 4-Minor   ASM content-security-policy header modification violates Content Security Policy directive
752797-1 4-Minor   BD is not correctly closing a shared memory segment
747560-5 4-Minor   ASM REST: Unable to download Whitehat vulnerabilities


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
756205-1 2-Critical   TMSTAT offbox statistics are not continuous
753485-1 2-Critical   AVR global settings are being overridden by HA peers
746837-2 3-Major   AVR JS injection can cause error on page if the JS was not injected


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
725505-1 2-Critical   SNAT settings in network resource are not applied after FastL4 profile is updated
758764-2 3-Major   APMD Core when CRLDP Auth fails to download revoked certificate
757782-1 3-Major   OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default
755475-1 3-Major   Corrupted customization group on target after updating logon page agent field on source device and config sync
754542-2 3-Major   TMM may crash when using RADIUS Accounting agent
752875-2 3-Major   tmm core while using service chaining for SSLO
751424-1 3-Major   HTTP Connect Category Lookup not working properly
750823-1 3-Major   Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD
750631-2 3-Major   There may be a latency between session termination and deletion of its associated IP address mapping
749057-1 3-Major   VMware Horizon idle timeout is ignored when connecting via APM
749036-2 3-Major   Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM
748451-3 3-Major   Manager users cannot perform changes in per-request policy properties
748070 3-Major   API Protection feature inadvertently allows editing of associated access policy
746768-4 3-Major   APMD leaks memory if access policy policy contains variable/resource assign policy items
745574-1 3-Major   URL is not removed from custom category when deleted
744532 3-Major   Websso fails to decrypt secured session variables
744316-4 3-Major   Config sync of APM policy fails with Cannot update_indexes validation error.
738547-3 3-Major   SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII
711056-1 3-Major   License check VPE expression fails when access profile name contains dots
695985-4 3-Major   Access HUD filter has URL length limit (4096 bytes)
673357-1 3-Major   SWG puts flow in intercept mode when session is not found
600985-1 3-Major   Network access tunnel data stalls
534187-5 3-Major   Passphrase protected signing keys are not supported by SAML IDP/SP
498926 5-Cosmetic   Client can fail to start a new session in multi-domain SSO.


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
751383-1 4-Minor   Invalidation trigger parameter values are limited to 256 bytes
748031-1 4-Minor   Invalidation trigger parameter containing reserved XML characters does not create invalidation rule


Service Provider Issues

ID Number Severity Solution Article(s) Description
754615-2 2-Critical   Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.
755630-1 3-Major   MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes
755311-1 3-Major   No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down
753501-1 3-Major   iRule commands (such as relate_server) do not work with MRP SIP
752822-1 3-Major   SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type
751179-1 3-Major   MRF: Race condition may create to many outgoing connections to a peer
749528-1 3-Major   IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap
749041-2 3-Major   MRSIP log of subscriber deletion outputs '(null)" for subscriber URI
748253-1 3-Major   Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection
746731-1 3-Major   BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set
749704-2 4-Minor   GTPv2 Serving-Network field with mixed MNC digits
747909-5 4-Minor   GTPv2 MEI and Serving-Network fields decoded incorrectly


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
757359-1 2-Critical   pccd crashes when deleting a nested Address List
754805 2-Critical   Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured
751869-2 2-Critical   Possible tmm crash when using manual mode mitigation in DoS Profile
753028-2 3-Major   AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule
751116-1 3-Major   DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring
749761-3 3-Major   AFM Policy with Send to Virtual and TMM crash in a specific scenario
745809-2 3-Major   The /var partition may become 100% full requiring manual intervention to clear space
663946-6 3-Major   VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments
756477-2 5-Cosmetic   Drop Redirect tab incorrectly named as 'Redirect Drop'


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
753163-4 3-Major   PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days
753014-4 3-Major   PEM iRule action with RULE_INIT event fails to attach to PEM policy
747065-2 3-Major   PEM iRule burst of session ADDs leads to missing sessions
746344-3 3-Major   PEM may not re-establish diameter connection after HA switchover
726011-4 3-Major   PEM transaction-enabled policy action lookup optimization to be controlled by a sys db


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
744516-4 2-Critical   TMM panics after a large number of LSN remote picks


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
745783-1 3-Major   Anti-fraud: remote logging of login attempts
660759-1 3-Major   Cookie hash persistence sends alerts to application server.


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
748813-3 2-Critical   tmm cores under stress test on VS with Dos profile with admd enabled
748121-3 2-Critical   admd livelock under CPU starvation
653573-6 2-Critical   ADMd not cleaning up child rsync processes
756877-1 3-Major   Virtual Server created with Guided Configuration is not visible in Grafana


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
757088-1 2-Critical   TMM clock advances and cluster failover happens during webroot db nightly updates
752803-1 2-Critical   CLASSIFICATION_DETECTED running reject can lead to a tmm core
752047-1 2-Critical   iRule running reject in CLASSIFICATION_DETECTED event can cause core
754257-2 3-Major   URL lookup queries not working


Device Management Issues

ID Number Severity Solution Article(s) Description
720434-3 2-Critical   Multiblade Chassis iAppLX Package upgrade sync is incomplete across blades
718033-4 3-Major   REST calls fail after installing BIG-IP software or changing admin passwords

 

Known Issue details for BIG-IP v14.1.x

758764-2 : APMD Core when CRLDP Auth fails to download revoked certificate

Component: Access Policy Manager

Symptoms:
Download CRLDP Auth fails to download revoked certificates, so the list of revoked certificate remains empty (NULL). APMD cores while accessing this empty (NULL) list.

Conditions:
Empty revoked-certificate list handling.

Impact:
APMD core. No access policy enforcement for user session or any MPI-reliant processes, such as rewrite and websso while apmd restarts.

Workaround:
None.


758615-1 : Reconstructed POST request is dropped after DID cookies are deleted

Component: Application Security Manager

Symptoms:
POST Request is dropped during DID challenge.

Conditions:
POST request is issued a DID challenge.

Impact:
Request is dropped.

Workaround:
None.


758604-2 : Deleting a port from a single-port trunk does not work.

Component: TMOS

Symptoms:
Deleting a port from a single-port trunk does notwork.

Conditions:
1. Disable all ports for a trunk, for example by disabling them on a directly connected switch. The last port is not deleted correctly.
2. Re enable some other ports, the trunk now also uses the disabled port.

Impact:
No user connectivity depending on which port is used.

Workaround:
None.


758465-1 : TMM may crash or iRule processing might be incorrect

Component: Local Traffic Manager

Symptoms:
After modifying an iRule:
- The iRules on one or more virtual servers might fire in the wrong order.
- The iRules on one or more virtual servers might not fire at all.
- TMM might crash if the iRule event is modified again.
- TMM might crash if a virtual server is modified.

Conditions:
This occurs when all of the following conditions are met:

- An iRule is in use on more than one virtual server.
- The iRule occupies a different position in the iRule list on various virtual servers, and one or more of the other iRules define the same event.
- The iRule event is modified.

Impact:
Traffic interruption while TMM restarts.
Incorrect iRule processing.

Workaround:
None.


758437-6 : SYN w/ data disrupts stat collection in Fast L4

Component: Local Traffic Manager

Symptoms:
Fast L4 analytics reports very large integers for goodput.

Conditions:
BIG-IP receives SYNs with attached data.

Impact:
Goodput data is unreliable.

Workaround:
None.


758436-4 : Optimistic ACKs degrade Fast L4 statistics

Component: Local Traffic Manager

Symptoms:
Fast L4 Analytics reports very large integers for goodput.

Conditions:
Endpoints send ACKs for data that has not been sent.

Impact:
Goodput statistics are not usable in certain data sets.

Workaround:
None.


758387-2 : BIG-IP floods LLDP packet with MAC "01-80-c2-00-00-00" to vlan instead of dropping it

Component: TMOS

Symptoms:
A LLDP packet sent to the BIG-IP system with a destination MAC of 01-80-c2-00-00-00 is treated as a broadcast packet and flooded to the VLAN.

Conditions:
-- The BIG-IP system is configured for STP passthrough.
-- The BIG-IP system receives a LLDP packet with MAC 01-80-c2-00-00-00.

Impact:
Due to a Cisco ACI bug, a packet loop is created when the packet is incorrectly flooded and the same frame is sent back to the BIG-IP system.

Workaround:
None.


758348-1 : Cannot access GUI via hostname when it contains _

Component: TMOS

Symptoms:
BIG-IP allows configuring hostname with embedded '_' (underscore). However BIG-IP GUI is not accessible when hostname includes '_', results in a 400 Bad Request.

Conditions:
BIG-IP hostname shall include '_'

Impact:
BIG-IP GUI cannot be accessed

Workaround:
No known work around if having '_' in hostname is a requirement.


758311-1 : Policy Compilation may cause MCPD to crash

Component: Local Traffic Manager

Symptoms:
If a policy has rules involving IPv6 addresses, and the addresses differ only on 32-bit boundaries, then the compilation of that policy may cause MPCD to crash.

Conditions:
A Policy is attached to a virtual.

That policy contains conditions that involve IPv6 addresses.
The addresses in different rules differ on on 32-bit boundaries.

Impact:
MCPD will core, and then restart. The policy will not be usable.

Workaround:
It may be possible to create multiple rules from a given rule by altering the netmask.

Another possibility is to add a dummy rule with no action that will match IP addresses differently.


757985-1 : TMM memory leak

Component: Local Traffic Manager

Symptoms:
-- TMM memory utilization baseline is slowly increasing.
-- The 'allocated' column of the 'tcl' row in the memory_usage_stat tmctl table is high and is close to the 'max_allocated' value.

Conditions:
The header-insert option in a custom HTTP profile is configured and the profile is attached to a virtual server.

Impact:
Degraded performance, eventual out-of-memory condition that may trigger TMM crash. Traffic disrupted while tmm restarts.

Workaround:
Instead of the profile header-insert use HTTP::header iRule commands.


757782-1 : OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default

Component: Access Policy Manager

Symptoms:
Invalid 'sub' claim in JWT access token that is generated by OAuth Authorization Server

Conditions:
OAuth Authorization Server is configured to return JWT access token, and when subject field is configured to be a session variable other than the default '%{session.assigned.uuid}'

Impact:
Invalid value in 'sub' claim in JWT access token. If OAuth resource server depend on the value of 'sub' claim, then that functionality will not work.

Workaround:
Add Variable assign agent after OAuth Authorization agent, and assign session.assigned.oauth.authz.token.subject with the session variable name such as session.logon.last.logonname.


757572 : Virtual Edition doesn't support forging MAC addresses with Mellanox ConnectX-3 virtual functions

Component: TMOS

Symptoms:
BIG-IP Virtual Edition doesn't support forging MAC addresses when using virtual functions from Mellanox ConnectX-3 adapters. Without this, features like MAC Masquerading and vlangroups do not function.

Conditions:
BIG-IP Virtual Edition with a Mellanox ConnectX-3 virtual function and a configuration requiring the use of non-default MAC addresses.

Impact:
Attempts to use these features with these NICs will not succeed and traffic that relies on this configuration will not function.


757519-1 : Unable to login using LDAP authentication

Component: TMOS

Symptoms:
User is unable to login using remote LDAP authentication.

capturing the LDAP traffic in version 14.1:

LDAPMessage searchRequest(2) "user@example.com" baseObject
        messageID: 2
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: user@example.com
                scope: baseObject (0)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 0
                timeLimit: 30
                typesOnly: False
                Filter: (objectClass=*)
                attributes: 0 items

vs v13.x which is working:

    LDAPMessage searchRequest(3) "dc=ad,dc=pvt" wholeSubtree
        messageID: 3
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: dc=ad,dc=pvt
                scope: wholeSubtree (2)
                derefAliases: neverDerefAliases (0)
                sizeLimit: 2
                timeLimit: 30
                typesOnly: False
                Filter: (sAMAccountName=username)
                attributes: 0 items

Conditions:
LDAP authentication configuration includes user-template which is not a valid DN.

Impact:
Remote LDAP authentication users are unable to login.

Workaround:
You can use either of the following workarounds:
-- Create a specific user for bind by configuring bind-dn and bind-pw and remove user-template.
-- Switch to local authentication.


757505-3 : peer-cert-mode set to always does not work when client-ssl is enabled with session-ticket

Component: Local Traffic Manager

Symptoms:
When a session is restored using a session-ticket, the peer-cert-mode setting is not acknowledged.

Conditions:
Session tickets are enabled, the peer-cert-mode in the client-ssl profile is set to `always', and a session is restored using a ticket.

Impact:
The ssl client is only validated once, instead of each time.

Workaround:
Disable session ticket.


757441-4 : Specific sequence of packets cause Fast Open being effectively disabled

Component: Local Traffic Manager

Symptoms:
You see this warning in the logs:

warning tmm[21063]: 01010055:4: Syncookie embryonic connection counter -1 exceeded sys threshold 64000

Conditions:
TCP Fast Open and ECN are both enabled and multiple RST segments from the receive window are received in SYN_RECEIVED state.

Impact:
TCP Fast open is disabled as the pre_established_connections becomes very large (greater than a threshold).

Workaround:
TCP ECN option can be disabled.


757431 : mcpd process killed after upgrade from 12.1.3

Component: TMOS

Symptoms:
The BIG-IP appliance fails to become available after upgrade and the mcpd process keeps restarting.

Conditions:
BIG-IP system is upgraded from 12.1.3 to 14.1.0, with a very large configuration; this was encountered with more than 8,000 virtual servers and more than 600 monitor instances.

Impact:
The BIG-IP system fails to become operational.

Workaround:
If you are encountering this, you can disable mcpd heartbeat with the following command to complete the upgrade:

tmsh modify sys daemon-ha mcpd heartbeat disable

Once the upgrade is complete, enable the heartbeat:

tmsh modify sys daemon-ha mcpd heartbeat enable


757391-2 : datagroup iRule command class can lead to memory corruption

Component: Local Traffic Manager

Symptoms:
When using the iRule command to access datagroups within a foreach loop memory can be corrupted and tmm can crash.

Conditions:
A [class] command used within a foreach loop

Impact:
Traffic disrupted while tmm restarts.

Workaround:
no workarround aside from removing that iRule.


757359-1 : pccd crashes when deleting a nested Address List

Component: Advanced Firewall Manager

Symptoms:
When removing a nested Address List or Port List, the pccd process might crash.

Conditions:
This might occur under the following conditions:
-- Removing a nested Address List or Port List using a tmsh transaction with an incorrect tmsh command order consistently results in this crash.

-- A high availability (HA) setup with config-sync enabled and there are intermittent problems with HA-connections, or out-of-memory system state, might intermittently result in this crash.

Impact:
pccd crashes with core, restarts, and correctly compiles the new configuration. There is a resulting, small delay in applying the new configuration due to the pccd restart.

Workaround:
-- If the crash occurs as a result of incorrect tmsh commands in a transaction, reorder commands to the parent list is modified or deleted before deleting the nested list.

-- If the crash is an intermittent issue due to problems with HA-connections, or an out-of-memory system state, no action is necessary; pccd correctly compiles new configuration after it restarts.


757357-3 : Tmm crashes when using virtio direct descriptors and packets 2 KB or larger

Component: TMOS

Symptoms:
Some virtio backend implementations send large packets (2 KB or larger) even when LRO is disabled. If the backend uses direct descriptors, this combination might lead to a tmm core. The standard KVM implementation of virtio does not have this behavior.

Conditions:
-- BIG-IP Virtual Edition (VE) using virtio interfaces with direct descriptors.
-- A 2 KB or larger packet is delivered to the virtio interface.

Impact:
Tmm may restart. Traffic disrupted while tmm restarts.

Workaround:
Disable direct descriptors in the virtio backend.


757088-1 : TMM clock advances and cluster failover happens during webroot db nightly updates

Component: Traffic Classification Engine

Symptoms:
Webroot database mapping and unmapping takes a very long amount of time on TMM, so you might see clock advances occur. The long interval might result in a failover/state-transition in clustered environment.

Conditions:
-- Webroot database is downloaded.
-- TMM needs to swap to the new instance.

Impact:
TMM does not process traffic because of the long delay in mapping and unmapping, and failover might happen in a clustered environment.

Workaround:
You can avoid this issue by disabling BrightCloud updates, however, your environments will miss the latest updates as a result.

#vi /etc/wr_urldbd/bcsdk.cfg
  DoBcap=true
  DoRtu=false
  DownloadDatabase=false


757029-2 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:
1. Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
2. DNS queries to resolve these FQDN names occur almost simultaneously.
The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.
As a result, some pools may not have any active pool members, and will not pass traffic.
This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default fqdn interval value of 3600 seconds, such downtime would last approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter fqdn interval value for the FQDN nodes:
tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.


756998-1 : DoSL7 Record Traffic feature is not recording traffic

Component: Application Security Manager

Symptoms:
Enabling 'Record Traffic During Attacks' in the DoS Application Profile does not record traffic during attacks: TCP Dump files are not being created in the /shared/dosl7/tcpdumps/ directory as expected.

Conditions:
-- Enabling 'Record Traffic During Attacks' in the DoS Application Profile
-- DoSL7 Attacks are detected

Impact:
Attack traffic is not being recorded as expected.

Workaround:
None


756877-1 : Virtual Server created with Guided Configuration is not visible in Grafana

Component: Anomaly Detection Services

Symptoms:
The traffic of Virtual Server created with the Guided Configuration is not visible with Grafana monitoring tool.
Statistics of this Virtual Server are not included to admdb part of qkview.

Conditions:
Create Virtual Server using Guided Configuration

Impact:
Lack of information for debugging and troubleshooting

Workaround:
Configure Virtual Server manually, without the Guided Configuration


756830-1 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'

Component: TMOS

Symptoms:
BIG-IP may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.

Conditions:
Connections match a virtual server that has following settings:

- Connection mirroring is enabled
- Source Port set to 'Preserve Strict'

In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'

Impact:
Source translation may fail on BIG-IP leading to client connection failures.

Workaround:
Couple of workarounds could be recommended:

- Do not use Source Port setting of 'Preserve Strict'

OR

- Disable connection mirroring on the virtual server


756820-2 : Non-UTF8 characters returned from /bin/createmanifest

Component: TMOS

Symptoms:
createmanifest reads from mcpd values stored for items that are obtained from firmware which can contain non-utf8 characters. This program is called in qkview which then gets updated to ihealth, but if any non-utf8 character is present, the output is omitted (because xml cannot handle non-utf8 characters).

Conditions:
Data stored in mcpd obtained from firmware contain non-utf8 characters.

Impact:
The upload to ihealth will not contain any of the manifest data set obtained via createmanifest.

Workaround:
The values could be obtained from the qkview by reading the qkview_run.data, but the conveniece of reading these in ihealth is not possible.


756538-4 : Failure to open data channel for active FTP connections mirrored across an HA pair.

Component: Local Traffic Manager

Symptoms:
Occasionally, attempting to actively open a data channel from an FTP session that is mirrored across a BIG-IP HA pair will fail. This is due to aggressive port reuse on the active BIG-IP causing ports that are still in a TIME_WAIT state to be used for the data connection.

Conditions:
- Have a BIG-IP HA pair configured
- Create an FTP virtual server with mirroring enabled
- Have the pool member(s) of the virtual server be either 3CDaemon or IIS servers (this issue has only been found for 3CDaemon and IIS, but it could affect other servers as well).
- Client attempts to download data through the virtual server via active FTP.

Impact:
Data connections fail to open, data transfer is unsuccessful.

Workaround:
Use passive FTP, or do not use mirroring for FTP virtual servers.


756477-2 : Drop Redirect tab incorrectly named as 'Redirect Drop'

Component: Advanced Firewall Manager

Symptoms:
Incorrect naming on navigation tabs Security :: Debug :: Drop Redirect.

Conditions:
Navigating to Security :: Debug :: Drop Redirect.

Impact:
The page name is Drop Redirect instead of Redirect Drop.

Workaround:
None.


756450-1 : Traffic using route entry that's more specific than existing blackhole route can cause core

Component: TMOS

Symptoms:
- TMM asserts with "Attempting to free loopback interface"

Conditions:
- using blackhole routes
- have a more specific route entry for network that falls in a less specific blackhole route

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use /32 blackhole routes


756418-1 : Live Update does not authenticate remote users

Component: Application Security Manager

Symptoms:
Remote users with Administrator or App Sec Admin cannot run live update

Conditions:
-- Remote user was created (ldap/radius)
-- Remote user logged in
-- New installation is available

Impact:
- Remote users will not be able to in install new update files
- Remote users will not be able to manually upload new files
- Remote users will not be able to manually check for updates

Workaround:
Log in with a local user like admin or application security editor or application security administrator


756356-2 : External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long

Component: Local Traffic Manager

Symptoms:
iRules using the command 'class match' with the 'equals' operator on long entries, as in:

my_datagroup:
"abcdefghijklmnopqrstuvwxyz0123456" := "value1"

class match "abcdefghijklmnopqrstuvwxyz0123456" equals my_datagroup

Will fail to return a positive match even if they are in the datagroup.

Conditions:
This is encountered when all of the following conditions are met:
- Using an external datagroup of type string with keys longer than 32 characters.
- Using an iRule with the 'class match' command and the 'equals' operator on the external datagroup.
- Trying to match keys > 32 characters.

Impact:
iRules will act incorrectly

Workaround:
If none of the keys in the datagroup are prefixes of each other, the 'equals' operator can be changed to 'starts_with' or 'ends_with' (if none are suffixes of each other).


756270-4 : SSL profile: CRL signature verification doesn't check for multiple certificates with the same name as the issuer in the trusted CA bundle

Component: Local Traffic Manager

Symptoms:
If there are multiple certificates in the trusted CA bundle with the same common name, CRL signature verification checks only one of them while looking for CRL issuer.

Conditions:
Multiple certificates with the same subject name as the CRL issuer in the trusted CA bundle used for authentication in SSL profiles.

Impact:
Handshake failure.


756205-1 : TMSTAT offbox statistics are not continuous

Component: Application Visibility and Reporting

Symptoms:
When BIG-IP(s) are manged by BIG-IQ the device health statistics have gaps (missing samples).

Conditions:
BIG-IP managed by BIG-IQ

Impact:
Missing data on device health such as CPU load and memory occupancy.

Workaround:
None.


756177-2 : Sometimes no GTM of a GTM Sync Group Sends Probe to a Monitor with alias address

Component: Global Traffic Manager (DNS)

Symptoms:
GTM pool members are marked down even though the monitored resource is available.

Conditions:
-- GTM configured in different data centers.
-- GTM pool configured with a monitor with alias address.
-- GTM pool members configured from different data centers.

Impact:
GTM pool members are marked down.

Workaround:
None.


756108-1 : BD crash on specific cases

Component: Application Security Manager

Symptoms:
BD crash on specific cases

Conditions:
1. Have a feature that requires Captcha/ Client side Integrity in ASM

Impact:
No traffic to app

Workaround:
None.


756088-2 : The BIG-IP might respond incorrectly to ICMP echo requests or incorrectly add/remove dynamic routes to a virtual-address

Component: TMOS

Symptoms:
The BIG-IP system unexpectedly responds to ICMP echo requests to a virtual-address that is unavailable, or unexpectedly does not respond to ICMP echo requests to a virtual-address that is available.

The BIG-IP system fails to remove a dynamic route for a virtual-address that is unavailable or fails to add a dynamic route for a virtual-address that is available.

Conditions:
-- There are multiple virtual servers associated with a virtual address.

-- The virtual-address icmp-echo is set to 'all' or 'any'.

-- The virtual-address route-advertisement is set to 'all' or 'any'.

Impact:
The BIG-IP might respond incorrectly to ICMP echo requests sent to a virtual-address.

-- If the virtual-address icmp-echo is set to 'all' or 'any', the BIG-IP may not respond correctly after a virtual-address availability change.

-- If the virtual-address route-advertisement is set to 'all' or 'any', the route for the virtual-address may not advertise properly after a virtual-address availability change.

The BIG-IP might fail to insert or remove a dynamic route for a virtual-address. This might cause the network to direct traffic to a down virtual-address or alternatively, not direct traffic to an up virtual-address.

Workaround:
None.


755997-2 : non ipsec listener traffic, i.e. monitoring traffic, can be translated to wrong source address

Component: Local Traffic Manager

Symptoms:
When IPSEC traffic is processed by a fastl4 profile, which is not related to an IPSEC listener, and is send out via a gateway pool or a dynamic route, the source address of this traffic can be erroneously changed to 127.0.0.x

Conditions:
IPSEC traffic is processed by a fastl4 profile, which is not related to an IPSEC listener, and is send out via a gateway pool or a dynamic route,

Impact:
wrong source address used.


755727-2 : Ephemeral pool members not created after DNS flap and address record changes

Component: Local Traffic Manager

Symptoms:
When using FQDN node/pool members, ephemeral pool members may not be created for one or more pools after address records change on the DNS server.
Once this condition occurs, ephemeral pool members will no longer be created for a given FQDN name in the affected pool.

Conditions:
This issue may occur under rare timing conditions when the following factors are present:
- Using FQDN nodes/pool members
- Changes occur in the address records on the DNS server, causing new ephemeral nodes/pool members to be created and old ephemeral nodes/pool members to be deleted
- There is a temporary loss of connectivity to/responsiveness from the DNS server

Impact:
When this issue occurs, the affected pool may be left with no active pool members. In that case, virtual servers targeting the affected pool will become unavailable and stop passing traffic.

Workaround:
When this issue occurs, the ability to create ephemeral pool members can be restored by one of the following actions:
1. Restart the dynconfd daemon:
bigstart restart dynconfd
2. Delete and re-create the FQDN template pool member:
tmsh mod ltm pool affected_pool members del { fqdn_pool_member:port }
tmsh mod ltm pool affected_pool members add { fqdn_pool_member:port { additional field values } }


To ensure that a pool contains active members even if this issue occurs, populate each pool with more than one FQDN pool member, or with an additional non-FQDN pool member.


755716-1 : IPsec connection can fail if connflow expiration happens before IKE encryption

Component: TMOS

Symptoms:
IKEv2 negotiation fails and tmm log shows "invalid bigip flow context" error.

Conditions:
Unusual timing that results in connflow expiration immediately preceding Diffie Hellman generation.

Impact:
IKE Negotiation fails, so an SA cannot be established.


755631-1 : UDP / DNS monitor marking node down

Component: Local Traffic Manager

Symptoms:
The UDP / DNS monitor marks nodes down.

Conditions:
UDP or DNS monitor configured where interval is multiple of timeout and the response is delayed by over one interval.

Impact:
Pool member is marked down.

Workaround:
Increase the interval to be greater than the response time of the server.


755630-1 : MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes

Component: Service Provider

Symptoms:
The media flows get terminated after the UDP idle timeout expires on a Standby device.

Conditions:
-- High availability (HA) configuration.
-- SIP media calls on a SIP-ALG with SNAT feature enabled.

Impact:
SIP calls fail to deliver media when HA failover occurs.

Workaround:
Partial mitigation is to set the UDP idle timeout to a higher value.


755585-1 : mcpd can restart on secondary blades if a policy is created, published, and attached to a vs in a single transaction

Component: Local Traffic Manager

Symptoms:
On a VIPRION cluster, if a single transaction creates a policy with the name Drafts/NAME, publishes the policy, and attaches the policy to a virtual server, mcpd restarts on the secondary blades.

Conditions:
-- VIPRION chassis with more than one blade.
-- Single mcp transaction that:
  * Creates a policy with 'Drafts/' as part of the policy name.
  * Publishes that policy.
  * Attaches that policy to a virtual server, either in the same transaction or a later transaction.

Impact:
mcpd restarts on all secondary blades of a cluster.

Workaround:
You can use either of the following workarounds:
-- Do not create policies with 'Drafts/' in the name.
-- Do not create and publish a policy in the same transaction.


755475-1 : Corrupted customization group on target after updating logon page agent field on source device and config sync

Component: Access Policy Manager

Symptoms:
After making change to logon page agent field then config sync to another device, open logon agent in VPE on target device encounters error.

Conditions:
1. Form a failover device group with two devices.
2. On one device, create an access policy with logon page agent. Make a config sync to sync the policy to the to other device. Verify everything ok on target device - open VPE for the policy, Logon Page is in the policy, click on the agent and edit box appear without problem.
3. On source device, launch VPE for the policy, click on Logon Page agent, make changes to Agent - e.g. choose "password" type for field3. Save the change and make a config sync again.
4. Go to target device, open VPE for the policy, and click on Logon Page is in the policy

Impact:
Config is not sync'ed properly to another device in device group.

Workaround:
In addition to make change to logon page field, also make change in "customization" section, e.g. update the text for "Logon Page Input Field".


755311-1 : No DIAMETER Disconnect-Peer-Request message sent when TMM is shutting down

Component: Service Provider

Symptoms:
When TMM is shutting down with active DIAMETER connections, it does not send out any Disconnect-Peer-Request messages to its DIAMETER pool members.

Conditions:
- DIAMETER in use.
- Active connections from the BIG-IP system to its DIAMETER pool members.
- TMM is shutting down.

Impact:
The remote server is not notified of the change in DIAMETER peer status.

Workaround:
None.


755282-1 : [GTM] bigip_add password prompt for IPv4-mapped IPv6 address

Component: Global Traffic Manager (DNS)

Symptoms:
After running the big_ip add script without a specifying a server address, the host address posted in the ssh password prompt is an IPv4-mapped IPv6 address for IPv4 servers.

For example:
Enter root password for 0000:0000:0000:0000:0000:FFFF:0A3C:010A

Conditions:
Run bigip_add without a server address, when the host address is an IPv4-mapped IPv6 address.

Impact:
There is no way to tell what the actual server name is without converting the IPv4-mapped IPv6 addresses back to an IPv4 to find which password to enter, for example: 0A3C:010A to 10.60.1.10

Workaround:
To workaround this, edit the bigip_add script.

IMPORTANT: Make sure to back up the bigip_add script before making modifications.

1. Make /usr folder writable
# mount -o rw,remount /usr
2. Backup bigip_add:
# cp /usr/local/bin/bigip_add /shared/tmp/bigip_add.backup
3. Edit bigip_add by adding different 'print' output for IPv4 servers.

Replace this:
< print "Enter $ruser password for $ip if prompted\n";

With something similar to this:
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }

NOTE: Do not modify the actual value for $ip.

Below is an example diff:
# diff /shared/tmp/bigip_add.backup /usr/local/bin/bigip_add
18a19
>
43a45,51
> sub ipv6_to_ipv4
> {
> my $in_addr = $_[0];
> my @ipv6 = split /:/, $in_addr;
>
> my $ipv6_part1 = hex ($ipv6[6]);
> my $ipv6_part2 = hex($ipv6[7]);
44a53,60
> my $ipv4_1=scalar($ipv6_part1>>8);
> my $ipv4_2=scalar($ipv6_part1&0xff);
> my $ipv4_3=scalar($ipv6_part2>>8);
> my $ipv4_4=scalar($ipv6_part2&0xff);
>
> my $ipv4 = "${ipv4_1}.${ipv4_2}.${ipv4_3}.${ipv4_4}";
> return $ipv4;
> }
75d90
<
152c167,173
< print "Enter $ruser password for $ip if prompted\n";
---
>
> if ($ip =~ /0000:0000:0000:0000:0000:FFFF:/) {
> my $display_ipv4 = ipv6_to_ipv4($ip);
> print "Enter $ruser password for $display_ipv4 if prompted\n";
> } else {
> print "Enter $ruser password for $ip if prompted\n";
> }
179d199
<


755254-1 : Remote auth: PAM_LDAP buffer too small errors on v14.1

Component: TMOS

Symptoms:
You are unable to log into the BIG-IP using a ldap account.

In /var/log/secure you see
"pam_ldap(httpd:account): buffer X bytes too small" log error

Conditions:
Unknown

Impact:
LDAP authentication not working properly


755197-3 : UCS creation might fail during frequent config save transactions

Component: TMOS

Symptoms:
If 'tmsh save sys config' is run simultaneously with 'tmsh save sys ucs <file>', there is the possibility of a race condition where a file gets scheduled to be added to the UCS file, but gets deleted by the save-config before it actually gets saved.

Conditions:
-- Run 'save sys config' at the same time as 'save sys ucs <file>' in tmsh.
-- Files are getting added by one tmsh command, yet deleted by the other. For example, when deleting a file that has not been saved to the configuration, while the system tried to create a UCS that contains that to-be-deleted file.

Note: There are many operations in which 'save sys config' is performed internally, so running the 'save sys ucs <file>' operation might encounter the timing error any time, even when you are not manually running 'save sys config'.

Impact:
The UCS is not created, and system posts messages similar to the following:
-- config/bigip_base.conf/: Cannot stat: No such file or directory.
-- Exiting with failure status due to previous errors.
-- Operation aborted.

This is a rare, timing-related occurrence. Even though the 'save sys ucs <file>' aborts and logs errors, simply re-running the command is likely to succeed.

Workaround:
Re-run the 'save sys ucs <file>' after it aborts. Nothing else needs to be changed or restored.


755005-1 : Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations

Component: Application Security Manager

Symptoms:
Illegal Request Length uses Illegal Query String Length template and vice versa, so the incorrect titles are shown in violation details.

Conditions:
Open details of Illegal Request Length or Illegal Query String Length violation in request log.

Impact:
Illegal Request Length uses Illegal Query String Length template and vice versa. Only the titles are wrong. The actual requests are recorded correctly.

Workaround:
None.


754805 : Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured

Component: Advanced Firewall Manager

Symptoms:
tmm might crash and restart.

Conditions:
When AFM DoS badactor or attacked dst is configured on a vector, there is a race condition which can cause tmm to crash. The same race condition is present when single endpoint vectors are configured.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


754691-1 : During failover, an OSPF routing daemon may crash.

Component: TMOS

Symptoms:
With a specific OSPF configuration, during a failover, a peer which is changed from standby to active may experience an ospfd daemon crash.

Conditions:
High availability configuration with a routing configuration:
1) access-list with 0.0.0.0/0 filtering:
access-list 199 remark test
access-list 199 deny ip host 0.0.0.0 host 0.0.0.0
access-list 199 permit ip any any

2) OSPF router with this access-list:
router ospf 1
 ospf router-id 10.14.0.11
 bfd all-interfaces
 network 10.14.0.0/16 area 0.0.0.1
 distribute-list 199 in
!

-- The device with this configuration is in the standby state.
-- A failover occurs.

Impact:
An OSPF daemon crashes, losing routing information and OSPF dynamic routes for a moment while ospfd daemon restarts.

Workaround:
None.


754617-2 : iRule 'DIAMETER::avp read' command does not work with 'source' option

Component: Local Traffic Manager

Symptoms:
Configuring a 'source' option with the iRule 'DIAMETER::avp read' command does not work.

The operation posts a TCL error in /var/log/ltm logs:
err tmm3[11998]: 01220001:3: TCL error: /Common/part1 <MR_INGRESS> - Illegal value (line 1) error Illegal value invoked from within "DIAMETER::avp read 444 source [DIAMETER::avp data get 443 grouped]".

Conditions:
Using the 'DIAMETER::avp read' iRule command with a 'source' option.

Impact:
'DIAMETER::avp read' does not work with the 'source' option.

Workaround:
Use 'DIAMETER::avp get data' with the 'source' option, and re-create the header part when needed.


754615-2 : Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup.

Component: Service Provider

Symptoms:
tmm crashes.

Conditions:
SIP calls under load on a MRF-SIP-ALG setup and when most of the calls re-use the conn flow.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.


754604-2 : iRule : [string first] returns incorrect results when string2 contains null

Component: Local Traffic Manager

Symptoms:
In an iRule such as 'string first $string1 $string2' returns incorrect results when $string2 contains a null byte and $string1 is not found within $string2. Performing the same search in tclsh, the expected -1 (not found) result is returned.

Conditions:
-- 'string first $string1 $string2' iRule.
-- string2 in an iRule contains a null byte.

Impact:
Operation does not return the expected -1 (not found) result, but instead returns an unexpected, random result.

Workaround:
None.


754542-2 : TMM may crash when using RADIUS Accounting agent

Component: Access Policy Manager

Symptoms:
TMM may crash when using RADIUS Accounting agent in either per-session or per-request policy.

Conditions:
- APM is provisioned and licensed.
- RADIUS Accounting agent is used in either per-session or per-request policy.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


754541-2 : Reconfiguring an iApp that uses a client SSL profile fails

Component: TMOS

Symptoms:
As a result of this issue, you may encounter one or more of the following symptoms:

-- A virtual server is created but no client SSL profile is applied.
-- In the /var/log/ltm file, the system logs messages similar to the following example:

err mcpd[6434]: 01b4002b:3: Client SSL profile (/Common/Example.app/Example_client-ssl): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]

Conditions:
This issue occurs when the following conditions are met:

-- Attempting to reconfigure an iApp.
-- The iApp contains a client SSL profile.

Impact:
The system fails to create and apply the client SSL profile to the virtual server.

Workaround:
To work around this issue, you can temporarily disable SSL in the iApp, and then enable it again.

Impact of workaround:
Reconfiguring your iApp reconfigures all BIG-IP objects associated with the iApp. This might cause service disruptions to the application the iApp has been deployed for.

1. Navigate to the impacted iApp in GUI:
iApps :: Application Services : Applications :: Example.
 
2. Find the setting associated with the client SSL profile, often titled "How should the BIG-IP system handle SSL traffic?"

3. Change the associated setting to one that does not imply the use of SSL, for example: "Plain text to and from both clients and servers."

4. Press the Reconfigure button.

5. Return to the same question and change the field back to its original setting.

6. Press the Reconfigure button once more.


754525-1 : Disabled virtual server accepts and serves traffic

Component: Local Traffic Manager

Symptoms:
Disabled virtual servers accept traffic after being upgraded to version 14.1.0.

Conditions:
1. Configure a virtual server on pre-v14.1.0 software.
2. Make sure the virtual server can process traffic.
2. Disable the virtual server.
4. Make sure the BIG-IP system stops processing traffic.
5. Upgrade to version 14.1.0,

Impact:
The virtual server remains .Disabled', but it accepts and processes traffic.

Workaround:
To correct the behavior, manually enable/disable the virtual server.


754500-2 : GUI LTM Policy options disappearing

Component: TMOS

Symptoms:
Listed policies disappear under 'Do the following when traffic is matched' in Local Traffic :: Policies : Policy List :: {Rule Name} when pressing Cancel or Save and opening the list again.

Conditions:
Click the Cancel or Save button on the Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 properties page.

Here are some specific steps to reproduce this issue (this procedure assumes you have at least one policy with at least one rule defined):
1. Navigate to Local Traffic :: Policies : Policy List :: /Common/policy1:rule1 to open the rule1 properties page.
2. In the section 'Do the following when the traffic is matched', click to open the first dropdown menu.
  - The system lists all of the items.
3. Click Cancel.
4. Click to reopen the properties page, and click the first dropdown menu.
  - The system lists fewer of the options.
5. Repeat steps 3 and 4.

Impact:
Options disappear from the list each time you click Cancel or Save. Cannot select options because they are no longer visible in the list.

Workaround:
To return all options to the list, use the refresh button in the browser.

You can also use the following the tmsh command:
modify ltm policy Drafts/<policy name> modify { <rule name> { actions add { ...


754336 : BIG-IP VE cannot use MOS for reimaging with 4 GB of memory or less

Component: TMOS

Symptoms:
Attempting to perform a clean installation on a BIG-IP Virtual Edition (VE) using the Maintenance Operating system (MOS) may fail with 'no space left on device'.

Conditions:
This issue occurs when all of the following conditions are met:

-- The device is a BIG-IP VE with 4 GB of RAM or less.

-- You perform a clean installation of BIG-IP 14.1.0, or a clean installation of any earlier version after the system was previously upgraded to BIG-IP 14.1.0.

Note: An example of a clean installation is one initiated by the "image2disk --format=volumes" command.

Impact:
The installation fails. Once that has occurred, the system automatically reboots into the previously active boot location.

Workaround:
You can use either of the following workarounds:

-- Temporarily assign at least 5 GB of memory to the VE instance for the duration of the installation. You can then lower it after installation is complete.

-- Create a fresh image from one of the pre-populated images such as OVA or QCOW2 and migrate a previous configuration to it.


754335 : Install ISO does not boot on BIG-IP VE

Component: TMOS

Symptoms:
The install ISO does not boot on BIG-IP Virtual Edition (VE).

Conditions:
Attempting to boot a BIG-IP VE from a virtual DVD-ROM drive loaded with an affected ISO file.

Impact:
The system does not fully boot and hangs, preventing you from performing an installation or using the live environment for other recovery purposes.

Workaround:
To work around this issue, boot the BIG-IP VE from an ISO file earlier than 14.1.0. If necessary, install that version, and then upgrade to 14.1.0 using the live installer.


754257-2 : URL lookup queries not working

Component: Traffic Classification Engine

Symptoms:
Occasionally, there is no response to a url-categorization query.

Conditions:
This might occur under the following conditions:
-- When there are duplicate requests using tmsh.
-- When the connection is partially closed by the server.

Impact:
URL does not get classified. Cannot take any actions against those URLs.

Workaround:
None.


754109-1 : ASM content-security-policy header modification violates Content Security Policy directive

Component: Application Security Manager

Symptoms:
When the backend server sends a content-security-policy header where source-src and default-src directives are missing, ASM will modify the header when it does its own JavaScript injection, which might cause a csp policy violation for inline JavaScript code.

Conditions:
-- ASM provisioned.
-- ASM policy attached on a virtual server.
-- ASM policy has CSRF or AJAX Blocking page enabled.

Impact:
Inline JavaScript does not run. The Browser reports a content-security-policy violation.

Workaround:
Disable csp in ASM by running the following commands:
-- /usr/share/ts/bin/add_del_internal add csp_enabled 0
-- bigstart restart asm


753912-4 : UDP flows may not be swept

Component: Local Traffic Manager

Symptoms:
Some UDP connection flows do not show in connection table but do show up in stats. This might occur with datagram_lb mode is enabled on the UDP profile under heavy load.

Conditions:
-- UDP profile with datagram_lb mode enabled.
-- System under heavy load.

Impact:
Increased memory utilization of TMM.

Workaround:
None.


753860-3 : Virtual server config changes causing incorrect route injection.

Component: TMOS

Symptoms:
Updating the virtual server to use a different virtual address (VADDR) does not work as expected. The old VADDR route should remove and inject the new route for the new virtual address. Instead, it injects incorrect routes into the routing protocols.

Conditions:
-- Change the VADDR on a virtual server.
-- Set route-advertisement on both VADDRs.

Impact:
Incorrect routes are injected into routing protocols.

Workaround:
None.


753650-2 : The BIG-IP system reports frequent kernel page allocation failures.

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4450 (A114)

Please note the issue is known to occur regardless of whether the system is running in vCMP mode or not, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to either 64 MB (65536 KB) or 128 MB (131072 KB). You must do this on all blades installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to only survive reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


753526-1 : IP::addr iRule command does not allow single digit mask

Component: Local Traffic Manager

Symptoms:
When plain literal IP address and mask are used in IP::addr command, the validation fails if the mask is single digit.

Conditions:
The address mask is single digit.

Impact:
Validation fails.

Workaround:
Assign address/mask to a variable and use the variable in the command.


753501-1 : iRule commands (such as relate_server) do not work with MRP SIP

Component: Service Provider

Symptoms:
Some iRule commands (such as relate_server) fail when used in conjunction with Message Routing Protocol (MRP) SIP configurations using message routing transport.

Conditions:
-- MRP SIP configuration uses transport-config.
-- iRule command 'relate_server' is configured on the corresponding virtual server.

Impact:
iRule commands such as relate_server cannot be used with MRF SIP.

Workaround:
None.


753485-1 : AVR global settings are being overridden by HA peers

Component: Application Visibility and Reporting

Symptoms:
Configuration of AVR global settings is being overridden by HA peers and thus report wrongly to BIG-IQ DCD.

Conditions:
Having HA pair connected to BIG-IQ

Impact:
Configuration of BIG-IPs on HA pair can override each other and thus the following can happen:
1. They will identify wrongly to BIG-IQ
2. Will report to the wrong DCD
3. Will report to DCD even if they are not configured to report at-all
4. Won't report at all even if they are configured to report.

Workaround:
N/A


753423-6 : Disabling and immediately re-enabling the slot resulting interfaces from the slot permanently removed from aggregation

Component: TMOS

Symptoms:
working-mbr-count not showing correct number of interfaces.

Conditions:
Slot got disabled and re-enabled immediately.

Impact:
Interfaces may be removed from an aggregation permanently.

Workaround:
Disable and re-enable the slot with time gap of one second.


753163-4 : PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days

Component: Policy Enforcement Manager

Symptoms:
No connection request with PCRF/OCS if high availability (HA) failover occurs after 26 days. tmm crash

Conditions:
-- Using PEM.
-- HA failover occurs after 26 days.

Impact:
PEM does send the reconnect request within the configured reconnect, so there is no connection initiated with PCRF/OCS.

Workaround:
To restart the connection, restart tmm restart using the following command:
tmm restart

Note: Traffic disrupted while tmm restarts.


753159-1 : Pool IP ToS/QoS settings are not preserved on mirrored FastL4 connections

Component: Local Traffic Manager

Symptoms:
Mirrored serverside FastL4 connections do not inherit the IP ToS/QoS values from the selected pool or values set via iRule IP::tos/LINK::qos commands.

Conditions:
-- FastL4 virtual server with mirroring.
-- Pool with non-zero IP ToS/QoS values.
or
-- iRule with IP::tos/LINK::qos serverside commands

Impact:
IP ToS/QoS values are not set on mirrored connection after failover.

Workaround:
Configure desired IP ToS/QoS values in FastL4 profile


753028-2 : AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule

Component: Advanced Firewall Manager

Symptoms:
When Proxy ARP is enabled for destination addresses in an FW NAT rule performing destination NAT (static-nat/static-pat), forwarding ICMP traffic matching that rule is incorrectly dropped by AFM instead of being forwarded through the BIG-IP system.

Conditions:
-- Proxy ARP is enabled for destination addresses in an FW NAT rule.
-- The BIG-IP system (AFM) receives forwarding ICMP traffic for these (untranslated) destination addresses.

Impact:
Forwarding ICMP traffic is dropped by the BIG-IP system.

Workaround:
You can disable Proxy ARP functionality for FW NAT rules to cause the BIG-IP system (AFM) to handle forwarding ICMP traffic correctly and pass it through the system to the backend.

However, this causes the BIG-IP system to not respond to ARP requests anymore for destination addresses in such rules. As a further mitigation action, you can configure static ARP entries to handle this.


753014-4 : PEM iRule action with RULE_INIT event fails to attach to PEM policy

Component: Policy Enforcement Manager

Symptoms:
PEM iRule action with RULE_INIT event fails to attach to PEM policy.

Conditions:
Attaching PEM policy with PEM iRule action that contains a RULE_INIT event.

Impact:
PEM fails to update the new iRule action.

Workaround:
Force mcpd to reload the BIG-IP configuration.

To do so, follow the steps in K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.


753001-1 : mcpd can be killed if the configuration contains a very high number of nested references

Component: TMOS

Symptoms:
mcpd can be killed by sod if the configuration contains a very high number of nested references. This results in a core file due to a SIGABRT signal.

Conditions:
A very high number of nested configuration references (such as SSL certificate file objects).

Impact:
Failover or outage (if not HA). The system sends no traffic or status while mcpd restarts.

Workaround:
None.


752994-1 : Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod

Component: TMOS

Symptoms:
With a large number of client SSL profiles, combined with shallow nesting of these profiles, all referring to a single SSL certificate file object, mcpd can take a lot of time to process an update to that certificate. It is possible this amount of time will be longer than sod's threshold, and cause it to kill mcpd.

Conditions:
- A large number (hundreds or thousands) of client SSL profiles that have a shallow nesting structure and all point back to a single SSL certificate file object.
- Happens when the SSL certificate is updated.

Impact:
sod kills mcpd, which causes a failover (when high availability (HA) is configured) or an outage (when there is no HA configured).

Workaround:
None.


752930-3 : Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state

Component: Local Traffic Manager

Symptoms:
Virtual Servers left in unknown state. Blade keeps restarting.

Conditions:
Change default route domain (RD) of partition with wildcard Virtual Servers.

Impact:
-- Cannot persist the wildcard virtual server RD configuration.
-- Changing virtual server description after moving route-domain fails.
-- Secondary blade in constant reboot loop.

Workaround:
1. Delete wildcard virtual servers before changing default route-domain on partition.

2. Execute the following commands, in sequence, substituting your values for the configuration-specific ones in this example:

# ssh slot2 bigstart stop

# modify auth partition pa-1098-blkbbsi0000csa21ad1142 default-route-domain 109

# save sys config

# clsh rm -f /var/db/mcpdb.bin

# ssh slot2 bigstart start

Note: This recovery method might have to be executed multiple times to restore a working setup.


752875-2 : tmm core while using service chaining for SSLO

Component: Access Policy Manager

Symptoms:
tmm cores when using security services (service connect agent in per-request policies) for SSLO deployment.

Conditions:
-- Service connect agent in per-request policy.
-- SSLO deployment.

Impact:
tmm cores. Traffic disrupted while tmm restarts.

Workaround:
None.


752822-1 : SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type

Component: Service Provider

Symptoms:
SIP ALG calls that fail translation during ingress are not cleaned up by the system, which might result in memory being leaked inside the TMM processes.

Conditions:
SIP ALG calls that fail translation during ingress.

Impact:
TMM leaks memory, which can slow down performance and eventually cause TMM to run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None.


752803-1 : CLASSIFICATION_DETECTED running reject can lead to a tmm core

Component: Traffic Classification Engine

Symptoms:
When the CLASSIFICATION_DETECTED event is run on a serverside flow, and then an iRule command (e.g., to reject a flow) is run, tmm crashes.

Conditions:
-- CLASSIFICATION_DETECTED event runs on a serverside flow.
-- An iRule command runs (e.g., reject a flow).

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


752797-1 : BD is not correctly closing a shared memory segment

Component: Application Security Manager

Symptoms:
Number shared memory segments is increasing.

Conditions:
There are many ASM restarts.

Impact:
Memory increases on the system.

Workaround:
None.


752530-1 : TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput.

Component: Local Traffic Manager

Symptoms:
Fast L4 TCP Analytics reports incorrect goodput when server sequence number and the TMM generated sequence number are different.

Conditions:
This occurs when either of the following conditions are met:

-- tcp-generate-isn is set in the Fast L4 profile.
-- SYN cookie is active.

Impact:
The GUI page Statistics :: Analytics :: TCP :: Goodput page displays incorrect goodput values.

Workaround:
None.


752334-1 : Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation

Component: Local Traffic Manager

Symptoms:
When Fast L4 receives out of order TCP packets, TCP analytics may compute wrong goodput value.

Conditions:
When FAST L4 receives out-of-order packets.

Impact:
Fast L4 reports an incorrect goodput value for the connection.

Workaround:
None.


752216-6 : DNS queries without the RD bit set may generate responses with the RD bit set

Solution Article: K33587043

Component: Global Traffic Manager (DNS)

Symptoms:
If the BIG-IP system is configured to use forward zones, responses to DNS queries may include the RD bit, even if RD bit is not set on the query.

Conditions:
-- Forward zone is configured.
-- Processing a query without the RD bit.

Impact:
Some responses to DNS queries may include the RD bit, even thought the RD bit is not set on the query. This is cosmetic, but some DNS tools may report this as an RFC violation.

Workaround:
None.


752078-2 : Header Field Value String Corruption

Component: Local Traffic Manager

Symptoms:
This is specific to HTTP/2.

In some rare cases, the header field value string can have one or more of its prefix characters removed by the BIG-IP.

Conditions:
If the header field value string is exceptionally long, and has embedded white space characters, this bug may occur.

Impact:
A header such as:

x-info: very_long_string that has white space characters

may be sent to the client thus:

x-info: ery_long_string that has white space characters


752047-1 : iRule running reject in CLASSIFICATION_DETECTED event can cause core

Component: Traffic Classification Engine

Symptoms:
The CLASSIFICATION_DETECTED iRule event can run very early when classification happens in the classification database (srdb). If the iRule then issues a reject command, tmm cores.

Conditions:
CLASSIFICATION_DETECTED on L4 executing reject command.

Impact:
tmm restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


751869-2 : Possible tmm crash when using manual mode mitigation in DoS Profile

Component: Advanced Firewall Manager

Symptoms:
tmm crash and restart is possible when using manual mode mitigation in DoS Profile.

Conditions:
When manual mode mitigation is used for any vector that is enabled in the DoS Profile that is attached to a Protected Object.

Impact:
tmm crash and restart is possible. Traffic disrupted while tmm restarts.

Workaround:
None.


751710-4 : False positive cookie hijacking violation

Component: Application Security Manager

Symptoms:
A false positive cookie hijacking violation.

Conditions:
-- Several sites are configured on the policy, without subdomain.
-- TS cookies are sent with the higher domain level then the configured.
-- A single cookie from another host (that belongs to the same policy) arrives and is mistaken as the other site cookie.

Impact:
False positive violation / blocking.

Workaround:
N/A


751589-1 : In BIG-IP VE, some IP rules may not be created during the first boot up.

Component: Local Traffic Manager

Symptoms:
The BIG-IP Virtual Edition (VE) system might not be able to install some IP rules in the host during the first boot up. As a result, some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender. This issue exists only during the first boot into a new BIG-IP partition after installation.

Conditions:
This issue exists if the following conditions are met:
-- The BIG-IP system is VE.
-- Before installing a new BIG-IP image, the sys db variables 'liveinstall.saveconfig' and 'liveinstall.moveconfig' are both set to 'disable'. By default, both variables are set to 'enable'.
-- First boot into a new BIG-IP partition after installation.

Impact:
Some types of traffic (e.g., ssh) destined for the BIG-IP system via the data path (not via the management interface) might not be able to respond back to a sender.

Workaround:
You can use either of the following workarounds:

-- Restart mcpd using the following command:
bigstart restart mcpd

-- After the first boot into a new BIG-IP partition, you can simply reboot the BIG-IP system again, and then the necessary IP rules are created correctly.


751581-3 : REST API Timeout while queriying large number of persistence profiles

Component: TMOS

Symptoms:
When you have a large number of collections in BIG-IP, REST API seems to be timed out without any response from BIG-IP

Conditions:
When BIG-IP has large number of persistence profiles.

Impact:
REST API gets timed out when REST API queries the BIG-IP for persistence profiles. There is no response sent for given REST API.

Workaround:
When you have a large number of collections, you are recommended to use paging mechanism.

Please refer https://devcentral.f5.com/d/icontrol-rest-user-guide-version-131-246.

"iControl ® REST supports pagination options for large collections.


751540-3 : GTM Sync group not syncing properly with multiple self IP addresses configured on one VLAN but not all configured for GTM server

Component: Global Traffic Manager (DNS)

Symptoms:
GTM changes in some devices are not synced to other GTM-configured devices in the same syncgroup.

Conditions:
-- There are multiple self IP addresses configured on one VLAN.
-- Some, but not all, self IP addresses are configured for GTM server.

Impact:
GTM Sync group not syncing properly.

Workaround:
Configure all self IP addresses in the syncgroup for GTM server.


751448-1 : TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart

Component: TMOS

Symptoms:
There are three major routing participants on a BIG-IP system: TMM, ZebOS, and Linux routing tables. Each of them replicates routes between the other. The 'bigstart restart tmm' command restarts tmm, and a part of the restart process is to mark VLAN interfaces DOWN and later UP. Another part the same process is to restart the ZebOS daemons.

There is a race condition between these two events, so the following might happen:
1) tmm marks interface named vlan1 as DOWN, and a bit later marks as UP, but not UP and RUNNING.
2) The ZebOS daemons are restarted and ready to update interface status. They request a current status and mark interface UP, not UP and RUNNING.
3) tmm is fully restarted and marks vlan1 UP and RUNNING.
4) The ZebOS daemons reject dynamic routes because interface vlan1 is UP, but not RUNNING.

Conditions:
- BIG-IP Virtual Edition (VE).
- Dynamic routing is configured and there is a decide with some dynamic routes.
- You run the 'bigstart restart tmm' command.

Impact:
Traffic which relays on dynamic routes is interrupted. Because this is a race condition, it depends on configuration and timing.

Workaround:
Restart tmrouted daemon using the following command:
bigstart restart tmrouted


751424-1 : HTTP Connect Category Lookup not working properly

Component: Access Policy Manager

Symptoms:
1. HTTP Connect Category Lookup does not return the correct category.
2. HTTP Connect Category Lookup cannot attach the service chain correctly.

Conditions:
-- Using SSLO iApp to configure a security policy.
-- Choose conditions 'Category Lookup (All)' and '"Category Lookup (HTTP Connect)'.

Impact:
Service chain is not correctly triggered based on the SSLO iApp policy selection when HTTP Connect traffic is passed.

Workaround:
There is no workaround at this time.


751409-1 : MCP Validation does not detect when virtual servers differ only by overlapping VLANs

Component: TMOS

Symptoms:
It is possible to configure two virtual servers with the same address, port, and route domain, and have them overlap only in VLANs. MCP does not detect the overlap.

Errors like this may be seen in the ltm log:

err tmm1[29243]: 01010009:3: Failed to bind to address

Conditions:
Two (or more) virtual servers with the same address, port, and route domain, and have them overlap only in VLANs

Impact:
Traffic does not get routed properly.

Workaround:
There is no workaround other than ensuring that virtual servers that have the same address, port, and route domain have no overlap of VLANs.


751383-1 : Invalidation trigger parameter values are limited to 256 bytes

Component: WebAccelerator

Symptoms:
Invalidation trigger parameter values are limited to a internal representation of 256 bytes. The values are escaped for regex matching, so the effective value size from the user perspective can be somewhat smaller than 256 bytes. Oversize values result in invalidation of all content on the target policy node.

Conditions:
- AAM policy with invalidation trigger.
- invalidation trigger request with parameter value larger than 256 bytes.

Impact:
All content on target policy node is invalidated rather than the specific content targeted.

Workaround:
None.


751179-1 : MRF: Race condition may create to many outgoing connections to a peer

Component: Service Provider

Symptoms:
If two different connections attempt to create an outgoing connection to a peer at the same time, multiple connections may be created, even if the peer object is configured for one connection per peer. This is due to a race condition in message routing framework during connection creation.

Conditions:
-- Two different connections attempt to create an outgoing connection to a peer at the same time.
-- The peer is configured for one connection per peer.

Impact:
More than one connection to a peer is created.

Workaround:
None.


751116-1 : DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring

Component: Advanced Firewall Manager

Symptoms:
The DoS visibility screens (Monitoring :: Security :: Reporting : DoS) may display DNS and Network protocol DoS attacks with the incorrect mitigation details.

Conditions:
An attacked object assigned to a DoS profile with either DNS or Network security protocols that are configured to have detect-only or learn-only states for DoS attacks.

Impact:
Network or DNS DoS attacks, detected by a DoS profile with detect-only or learn-only protection, display mitigation as Blocking instead of the configured Transparent protection. This does not affect the reported traffic data found in the DoS visibility dimensions and charts.

Workaround:
None.


751036-1 : Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone

Component: Local Traffic Manager

Symptoms:
Virtual server status becomes unavailable when the connections are over the rate limit, and stays unavailable when the number of connections fall below the limit.

Conditions:
-- The connections are over the rate limit, making the virtual server status unavailable.
-- The number of connections fall below the limit.

Impact:
Virtual server status reports unavailable, even though it should be available.

Workaround:
This problem does not impact virtual server processing traffic. It simply reports the wrong status.


751024-4 : i5000/i7000/i10000 platforms: SFP/QSFP I2C problems may not be cleared by bcm56xxd

Component: TMOS

Symptoms:
Messages similar to the following appear in /var/log/ltm:

info bcm56xxd: 012c0012:6: I2C muxes are not cleared. Problem with mux 224:

Conditions:
-- i5000/i7000/i10000 platforms.
-- May be caused by a defective optic, rebooting/upgrading BIG-IP, removing and reinserting optics.

Impact:
Changes in optic state may be ignored while I2C bus is unavailable.

Workaround:
For each SFP, perform the following procedure:

1. Unplug the optic.
2. Wait 10 seconds.
3. Plug optic back in.

Note: This message might be caused by a defective optic. If error messages stop when one optic is removed, and error messages resume when the optic is inserted, replace that optic.


751021-1 : One or more TMM instances may be left without dynamic routes.

Component: TMOS

Symptoms:
Inspecting the BIG-IP's routing table (for instance, using tmsh or ZebOS commands) shows that dynamic routes have been learnt correctly and should be in effect.

However, while passing traffic through the system, you experience intermittent failures. Further investigation reveals that the failures are limited to one or more TMM instances (all other TMM instances are processing traffic correctly). The situation does not self-recover and the system remains in this state indefinitely.

An example of a traffic failure can be a client connection reset with cause 'No route to host'. If the client retries the same request, and this hits a different TMM instance, the request might succeed.

Conditions:
This issue is known to occur when all of the following conditions are met:

- The system is a multi-blade VIPRION or vCMP cluster.

- The system just underwent an event such as a software upgrade, a reboot of one or more blades, a restart of the services on one or more blades, etc.

Impact:
Traffic fails intermittently, with errors that point to lack of routes to certain destinations.

Workaround:
You can try to temporarily resolve the issue by restarting the tmrouted daemon on all blades. To do so, run the following command:

# clsh "bigstart restart tmrouted"

However, there is no strict guarantee this will resolve the issue, given the nature of the issue.

Alternatively, you could temporarily replace the dynamic routes with static routes.


750823-1 : Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD

Component: Access Policy Manager

Symptoms:
Memory usage in TMM keeps going up.

Conditions:
Access::policy evaluate command fails with error message in /var/log/ltm:

TCL error: ... - Failed to forward request to apmd.

Impact:
Memory leaks in TMM, which cause a TMM crash eventually.

Workaround:
Limit the amount of data that will be forwarded to APMD.


750631-2 : There may be a latency between session termination and deletion of its associated IP address mapping

Component: Access Policy Manager

Symptoms:
In SWG, if a new request from a client executes iRule command "ACCESS::session exists" when the session has expired previously, the command will return false. However, if command "ACCESS::session create" is executed following the exist command, the session ID of the previous session may be returned.

Conditions:
In SWG, if a new request from a client IP comes into the system right after its previous session has expired.

Impact:
The Access filter will determine that the session ID is stale and, therefore, will redirect the client to /my.policy


750586-2 : HSL may incorrectly handle pending TCP connections with elongated handshake time.

Component: TMOS

Symptoms:
HSL may incorrectly handle TCP connections that are pending 3-way handshake completion that exceed default handshake timeout.

Conditions:
-- HSL or ReqLog configured to send logging data to pool via TCP protocol.
-- TCP 3-way handshake takes longer than 20 seconds (the default handshake timeout) to complete.

Impact:
-- Service interruption while TMM restarts.
-- Failover event.

Workaround:
None.


750473-4 : VA status change while 'disabled' are not taken into account after being 'enabled' again

Component: Local Traffic Manager

Symptoms:
The virtual-address network is not advertised with route-advertisement enabled.

Conditions:
1. Using a virtual-address with route advertisement enabled.
2. Disable virtual-address while state is down.
3. Enable virtual-address after state comes up.

Impact:
No route-advertisement of the virtual-address.

Workaround:
Toggle the route-advertisement for virtual-address.


750318-3 : HTTPS monitor does not appear to be using cert from server SSL profile

Component: TMOS

Symptoms:
An HTTPS monitor using a client certificate configured in the server SSL profile fails to send the certificate during the SSL handshake.

A tcpdump shows a 0-byte certificate being sent.

Conditions:
-- In-tmm monitoring is disabled (default).
-- The server SSL profile has been modified but without changing the configured certificate or key.

The resulting message passed from mcpd to bigd will contain only the incremental modification to the profile, which bigd treats as a complete profile, meaning that it is possible for the certificate and key parameters to be lost.

Impact:
SSL handshake might fail to complete and the HTTPS monitor fails.

Workaround:
Restart bigd process by running the following command:
bigstart restart bigd


750213-4 : DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records.

Solution Article: K25351434

Component: Global Traffic Manager (DNS)

Symptoms:
FPGA hardware-accelerated DNS Cache can respond improperly to DNS queries that contain EDNS OPT Records. This improper response can take several forms, ranging from not responding with an OPT record, to a query timeout, to a badvers response.

Conditions:
-- Using VIPRION B2250 blades.
-- This may occur if a client sends a query with an EDNS OPT record that has an unknown version or other values that the Hardware-accelerated Cache does not understand. These errors only occur when matching the query to a hardware cached response.

Note: If the response is not in the hardware cache, then the query should be properly handled.

Impact:
Hardware-accelerated DNS Cache drops the request. Clients will experience a timeout for that query.

This is occurring now because of the changes coming to software from certain DNS software vendors that remove specific workarounds on February 1st, 2019. This is known as DNS Flag Day.

Workaround:
None.


749785-2 : nsm can become unresponsive when processing recursive routes

Component: TMOS

Symptoms:
imish hangs, and the BIG-IP Network Services Module (nsm) daemon consuming 100% CPU.

Conditions:
-- Dynamic routing enabled
-- Processing recursive routes from a BGP peer with different prefixlen values.

Impact:
Dynamic routing, and services using dynamic routes do not operate. nsm does not recover and must be restarted.

Workaround:
None.


749761-3 : AFM Policy with Send to Virtual and TMM crash in a specific scenario

Component: Advanced Firewall Manager

Symptoms:
TMM restart in a specific scenario when AFM Policy is configured in multiple contexts (Global, Route Domain, Virtual Server), with Log Translations enabled, and Send-To-VS feature configured in at least one of the rules in the Security Policy.

Conditions:
-- When using Firewall ACL Policy in more than one context, i.e., more than one of the following context has ACL Security Policy applied:
  + Global Context
  + Route Domain
  + Virtual Server Context

-- Send To Virtual Server is configured on any Rule on the Security policy.

-- Traffic matching a Rule (with logging enabled) in more than one context.

-- AFM Security Logging Profile has log Translation Field Enabled.

Impact:
TMM restart causes service disruption. Traffic disrupted while tmm restarts.

Workaround:
Disable Logging of Translation Fields in Security Logging Profile.


749704-2 : GTPv2 Serving-Network field with mixed MNC digits

Component: Service Provider

Symptoms:
iRules command 'GTP::ie get value' incorrectly decodes Serving-Network field, putting the least significant digit of mobile network codes (MNC) value before the other two.

Conditions:
Using the iRule command 'GTP::ie get value' to retrieve the Serving-Network field from a GTP message (the iRule construction: GTP::ie get value -message $gtp_message 83).

Impact:
The operation returns results in which the least significant digit is inserted before the other two, resulting in incorrect data being returned.

Workaround:
None.


749689-2 : HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart

Component: Local Traffic Manager

Symptoms:
HTTPS monitor sends different amount of cipher suites in client hello during SSL handshake and sometimes back end server fails to find a desired cipher suite from client hello. As a result, sometimes SSL handshake fails and monitor wrongly marks pool member down.

Conditions:
-- Have an SSL profile to be used by an HTTPS monitor.
-- Load the same config more than once.

Impact:
HTTPS monitor might incorrectly mark pool member down because of a failed SSL handshake.

Workaround:
Restart bigd using the following command:
bigstart restart bigd


749528-1 : IVS connection on VLAN with no floating self-IP can select wrong self-IP for the source-address using SNAT automap

Component: Service Provider

Symptoms:
Under certain conditions the wrong self-IP can be selected as a source address for connections from an Internal Virtual Server to remote servers.

Conditions:
- Using an Internal Virtual Server (IVS).
- The VLAN being used to connect from the IVS to the server does not have a floating self-IP configured.
- At least one other VLAN has a floating self-IP configured.
- The primary virtual server that connects to the IVS is using SNAT automap.

Impact:
IVS traffic might not be routed properly.

Workaround:
- Configure a floating self-IP on the IVS server side VLAN.
or
- Use a SNAT pool instead of automap.


749508-1 : LDNS and DNSSEC: Various OOM conditions need to be handled properly

Component: Global Traffic Manager (DNS)

Symptoms:
Some LDNS and DNSSEC out-of-memory (OOM) conditions are not handled properly.

Conditions:
LDNS and DNSSEC OOM conditions.

Impact:
Various traffic-processing issue, for example, TMM panic during processing of DNSSEC activity.

Workaround:
None.


749414-4 : Modifying nodes/pool-member can lose monitor_instance and monitor_rule_instances for unrelated objects

Component: Local Traffic Manager

Symptoms:
There are two symptoms:

-- Modifying the monitor for a node or pool-member might remove monitor rule instances and monitor instances for other nodes/pool-members.
-- After those unrelated monitor rule instances and monitor instances are removed, if you try to alter the state of the pool-member/node, the system posts the following message: Invalid monitor rule instance identifier.

Conditions:
-- BIG-IP system is configured with nodes, pool-members, and pools with monitors.
-- Modify one of the nodes that is not in a pool.
-- Run the following command: tmsh load /sys config
-- Loading ucs/scf file can trigger the issue also.

Impact:
The system might delete monitor rule instances for unrelated nodes/pool-members. Pool members are incorrectly marked down.

Workaround:
Failover or failback traffic to the affected device.


749222-1 : dname compression offset overflow causes bad compression pointer

Component: Global Traffic Manager (DNS)

Symptoms:
DNS requests receive error response:
- Got bad packet: bad compression pointer
- Got bad packet: bad label type

Conditions:
When dns response is large enough so that dname redirect to an offset larger than 0x3f ff.

Impact:
DNS response is malformed.


749057-1 : VMware Horizon idle timeout is ignored when connecting via APM

Component: Access Policy Manager

Symptoms:
VMware Horizon has an option to set idle timeout under "View Configuration\Global Settings\General\Client-dependent settings\For clients that support applications". When there is no keyboard or mouse activity for the given time, application sessions should be disconnected (desktop sessions are staying, though).
This settings has no effect when connecting via APM.

Conditions:
VMware Horizon idle timeout setting for applications is configured and remote application is launched via APM.

Impact:
VMware Horizon idle timeout setting for applications has no effect.

Workaround:
None.


749041-2 : MRSIP log of subscriber deletion outputs '(null)" for subscriber URI

Component: Service Provider

Symptoms:
New logging was added for SIP subscriber registration and deletion. The deletion log MRSIPERR_SUBSCRIBER_DELETION_LOG() fails to show the subscriber URI, and instead, /var/log/ltm shows messages similar to the following:
MR_SIP: Subscriber registration deleted (xxx.xxx.xxx.xxx:5060 -> yyy.yyy.yyy.yyy:5060) subscriber URI: (null)

Conditions:
-- A SIP subscriber registration is deleted.
-- The log level DB variable log.mrsip.level is 'notice' or above.

Impact:
Prevents correlation of the deletion with the corresponding registration of the subscriber URI.

Workaround:
None.


749036-2 : Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM

Component: Access Policy Manager

Symptoms:
Some tmsh list commands may fail while SSLO is provisioned but no urldb or APM modules are provisioned with the following message: 'Password could not be retrieved'.

Conditions:
-- SSLO is provisioned.
-- Neither APM or URLDB are provisioned.
-- Run the generic tmsh list command.

Impact:
tmsh command fails and posts the error: Unexpected Error: Password could not be retrieved.

Note: Some 'tmsh list' commands with arguments do run. For example, 'tmsh list net vlan' provides correct output, but 'tmsh list' does not.

Workaround:
There is no workaround other than provisioning APM or URLDB.

Note: You can provision APM or URLDB even if they are not licensed. Although the full feature set is not available without a license, provisioning loads the daemons needed to support the generic 'tmsh list' command.


748902-1 : incorrect handling of memory allocations while processing DNSsec queries

Component: Global Traffic Manager (DNS)

Symptoms:
tmm crashes.

Conditions:
Heavy DNS traffic, using DNS security signatures. Use of external HSM may aggravate the problem.

Impact:
Traffic disrupted while tmm restarts.


748891-2 : Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP.

Component: Local Traffic Manager

Symptoms:
Potential MAC relearning at the switches the BIG-IP is connected to.

Conditions:
- DB variable connection.vlankeyed set to disabled.
- Multiple virtual-wires configured
- Client to server and server to client traffic using different virtual wires on the BIG-IP

Impact:
Packets will reach their L3 destination using an unexpected L2 path.


748851-3 : Bot Detection injection include tags which may cause faulty display of application

Component: Application Security Manager

Symptoms:
The Bot Detection feature / Bot Defense profile includes JavaScript which is injected within <APM_DO_NOT_TOUCH> tags. Some web applications may be displayed incorrectly due to these tags.

Conditions:
- Your application includes JavaScript which dynamically adds HTML elements and expects a certain set of tags in the <head> section of the HTML.
- Bot Detection / Bot Defense are enabled.

Impact:
Some web applications may be displayed incorrectly.

Workaround:
None


748813-3 : tmm cores under stress test on VS with Dos profile with admd enabled

Component: Anomaly Detection Services

Symptoms:
tmm cores

Conditions:
Stress test, VS with Dos profile with admd enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
turn off Behavioral DOS


748545-1 : Remove 'sys-unconfig' and 'rhel-configure' binaries and related systemd service

Component: TMOS

Symptoms:
The RHEL-related binaries 'sys-unconfig' and 'rhel-configure' are shipped with BIG-IP when they are not relevant.

Conditions:
Running a BIG-IP v14.1.x release

Impact:
Binaries with RHEL branding are installed on system which are not used in BIG-IP and generate superfluous files.

Workaround:
N/A


748529-1 : BIG-IP Virtual Edition with cloudhsm integration needs to restart tmm after a fresh install

Component: Local Traffic Manager

Symptoms:
Right after a fresh BIG-IP install to a BIG-IP VE with cloudhsm integration, a nethsm key/cert enabled SSL client profile cannot be applied to a virtual server. A warning will be generated:

warning tmm1[19027]: 01260009:4: Connection error: hud_ssl_handler:1149: invalid profile (40)

Conditions:
Apply an SSL client profile with cloudHSM key/cert at AWS cloud.

Impact:
Virtual server enabled with cloudHSM key/cert can't be configured.

Workaround:
"bigstart restart tmm" after the fresh install.


748451-3 : Manager users cannot perform changes in per-request policy properties

Component: Access Policy Manager

Symptoms:
Users with Admin role can edit and administer per-request policy properties. Users with Manager role, which can manage most APM objects, cannot manage this specific one.

Conditions:
User with Manager role tries to modify or change per-request policies properties.

Impact:
Cannot manage per-request policy properties if user role is Manager.

Workaround:
There is no workaround other than having an Admin user manage these objects.


748295-1 : TMM crashes on shutdown when using virtio NICs for dataplane

Component: TMOS

Symptoms:
TMM crash on stop or restart.

Conditions:
1. Put the virtio NIC in a bad state while TMM is running (for example, detach the NIC from the host).
2. Run the following command: bigstart stop tmm

Impact:
TMM crash generates a core file. However, there is no impact on traffic as the device is already in a bad state before the crash.

Workaround:
None.


748253-1 : Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection

Component: Service Provider

Symptoms:
Depending on the DIAMETER settings of the BIG-IP, there can be a race condition in a mirrored device cluster where where the standby BIG-IP resets its mirror connection to the active.

Conditions:
- MRF DIAMETER in use.
- The DIAMETER session profile on the BIG-IP is configured to use Reset on Timeout.
- This is more likely to happen if (in the DIAMETER session profile) the Maximum Watchdog Failures is set to 1, and the Watchdog Timeout is configured to be the same value as the remote DIAMETER system.

Impact:
The standby is no longer mirroring the active system, and will get out of sync with it. There may be connections lost if a failover occurs.

Workaround:
More of a mitigation than a workaround:

- Configure the Maximum Watchdog Failures to a value greater than 1.
- Configure the Watchdog Timeout as something different than the same timeout on the remote peer, preferably to something that will have little overlap (i.e. the two timers should fire at the exact same time very infrequently).


748206-1 : Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position

Component: TMOS

Symptoms:
Browser becomes unresponsive.

Conditions:
Loading the network map with a virtual server that contains a forwarding rule policy in the second position.

Impact:
Browser becomes unresponsive and must be restarted.

Workaround:
Change the position of the forwarding rule policy.


748205-3 : SSD bay identification incorrect for RAID drive replacement

Component: TMOS

Symptoms:
On iSeries platforms with dual SSDs, the 'bay' of a given SSD indicated in the 'tmsh show sys raid' command may be incorrect. If a drive fails, or for some other reason it is intended to be replaced, and you are using the bay number listed from the tmsh command, the wrong drive could be removed from the system resulting in system failure to operate or boot.

Conditions:
iSeries platform with dual SSDs.

Impact:
Removal of the one working drive could result in system failure and subsequent failure to boot

Workaround:
If you discover that you removed the incorrect drive, you can attempt to recover by re-inserting the drive into the bay that it was in, and powering on the device.

The following steps will help to avoid inadvertently removing the wrong drive:

As a rule for systems with this issue:
-- Power should be off when you remove a drive. This makes it possible to safely check the serial number of the removed drive.
-- Power should be on, and the system should be completely 'up' before you add a new drive.

Here are some steps to follow to prevent this issue from occurring.


1. Identify the failed drive, taking careful note of its serial number (SN). You can use any of the following commands to get the serial number:
     • tmsh show sys raid
     • tmsh show sys raid array
     • array
2. Logically remove the failed drive using the following command: tmsh modify sys raid array MD1 remove HD<>
3. Power down the unit.
4. Remove the fan tray and physically remove the failed drive.
5. Manually inspect the SN on the failed drive to ensure that the correct drive was removed.
6. Replace the fan tray.
7. Power on the unit with the remaining, single drive.
8. Once booted, wait for the system to identify the remaining (good) drive. You can confirm that this has happened when it appears in the 'array' command output.
9. Remove fan tray again (with the system running).
10. Install the new drive.
11. Use the 'array' command to determine that the new drive is recognized (Note: the tmsh commands do not show new drive at this stage.)
12. Logically add the new drive using the command command: tmsh modify sys raid array MD1 add HD<>
13. Monitor the rebuild using any of the commands shown in step 1.

Note: You must follow these steps exactly. If you insert the new drive while the system is off, and you then boot the system with the previously existing working drive and the new blank drive present, the system recognizes the blank drive as the working Array member, and you cannot add it to the array. That means system responds and replicates as if 'HD already exists'.


748187-4 : 'Transaction Not Found' Error on PATCH after Transaction has been Created

Component: TMOS

Symptoms:
In systems under heavy load of transactions with multiple icrd_child processes, the system might post an erroneous 'Transaction Not Found' response after the transaction has definitely been created.

Conditions:
Systems under heavy load of transactions with multiple icrd_child processes.

Impact:
Failure to provide PATCH to a transaction whose ID has been created and logged as created.

Workaround:
If transaction is not very large, configure icrd_child to only run single-threaded.


748177-1 : Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character

Component: Global Traffic Manager (DNS)

Symptoms:
Multiple wildcards not matched to the most specific WideIP.

Conditions:
Two wildcard WideIPs differ on a '?' and a non-wildcard character.

Impact:
DNS request will get wrong answer.

Workaround:
There is no workaround at this time.


748121-3 : admd livelock under CPU starvation

Component: Anomaly Detection Services

Symptoms:
Due to the resources starvation the worker thread of admd does not get CPU for more than two minutes. At the same time, the configuration thread does get CPU.

The admd heartbeat failure occurs at 120 seconds. The SOD daemon kills admd.

The system posts messages similar to the following:

-- notice sod[6783]: 01140041:5: Killing /usr/bin/admd pid 6732
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Anomaly0 fails action is restart.
-- warning sod[6783]: 01140029:4: HA daemon_heartbeat ADMD.Publisher0 fails action is restart.

Conditions:
-- High CPU / memory utilization,
-- Very large configuration.

Note: There are no known special configuration requirements to have this occur.

Impact:
admd restarts.
Behavioral DoS does not work.

Workaround:
Reboot the BIG-IP system.


748070 : API Protection feature inadvertently allows editing of associated access policy

Component: Access Policy Manager

Symptoms:
This release contains a feature called API Protection. API Protection access policies are hidden from the user interface in most areas except the log settings area.

Conditions:
Modifying API Protection access policy from Access :: Overview :: Event Logs :: Settings.

Impact:
If the API protection policy / profile is modified outside of API Protection GUI, the 'Apply Access Policy' may become activated with no way to deactivate it.

Workaround:
Navigate to the API Protection area and modify any part of the API Protection profile. This causes it to re-deploy, at which time the system clears the 'Apply Access Policy' prompt.


748031-1 : Invalidation trigger parameter containing reserved XML characters does not create invalidation rule

Component: WebAccelerator

Symptoms:
If a parameter value for an invalidation trigger contains reserved XML characters, compilation of the resulting invalidation rule fails due to the reserved characters not being escaped.

Conditions:
- AAM policy with invalidation trigger defined
- trigger request with parameter value(s) containing reserved XML characters

Impact:
The invalidation rule requested by the trigger request is not created. Content is not invalidated as expected.

Workaround:
No workaround exists.


747968-3 : DNS64 stats not increasing when requests go through dns cache resolver

Component: Local Traffic Manager

Symptoms:
DNS64 stats are not incrementing when running the tmsh show ltm profile dns or in tmctl profile_dns_stat commands if responses are coming from dns cache resolver.

Conditions:
DNS responses are coming from dns cache resolver.

Impact:
DNS64 stats not correct.

Workaround:
There is no workaround at this time.


747960-2 : BIG-IP VE with 1nic does not handle fragmented traffic to webui or ssh properly

Component: Performance

Symptoms:
Attempts to send fragmented packets destined for SSH or the webui of BIG-IP VE running with 1 NIC will fail. This is a rare situation generally, but one noted area where we have seen it is when BIG-IQ attempts to discover the BIG-IP.

Conditions:
BIG-IP VE configured with 1 network interface. Send IP fragmented traffic to either SSH or the web interface (TCP/8443 for 1nic).

Impact:
The IP fragments will not be properly reassembled and the connection will ultimately fail. This is only an issue for IP fragmented traffic sent with 1nic destined for SSH or the webui.

Workaround:
Prevent IP fragmentation, or configure multiple network interfaces.


747909-5 : GTPv2 MEI and Serving-Network fields decoded incorrectly

Component: Service Provider

Symptoms:
MEI and Serving-Network vales obtained with GTP::ie get iRule command contains digits swapped in pairs, first digit missing and a random digit added at the back.

Conditions:
Processing GTP traffic with iRules.

Impact:
It is impossible to obtain correct value of MEI and Serving-Network fields of the GTPv2 packets when processing with iRules.

Workaround:
No workaround.


747907-2 : Persistence records leak while the HA mirror connection is down

Component: Local Traffic Manager

Symptoms:
Memory may leak on the active unit while the HA mirror connection is down.

Conditions:
Persistence configured which requires state stored on BIG-IP.
Mirroring configured on the persistence profile or the virtual server.
Mirror connection is down. For example, next active is down/offline/unavailable.

Impact:
Memory leak until the HA mirror connection is up. Once mirror connection is up, memory will be released.

Workaround:
- Disable persistence while HA mirror connection is down (e.g., performing maintenance).
- Disable session mirroring for iRules.
- Use persistence which does not requires state stored on BIG-IP.
- Restore HA connection.


747727-1 : HTTP Profile Request Header Insert Tcl error

Component: Local Traffic Manager

Symptoms:
A TMM crash.

Conditions:
When the HTTP profile Request Header Insert field contains a Tcl interpreted string, Tcl is executed to expand the string before the header is inserted into the request header block.

If a Tcl error occurs

Impact:
In some cases this can cause TMM to crash. Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following to mitigate this:

-- Verify that your Tcl executes correctly in all cases.
-- Use a static string.


747676-3 : Remote logging needs 'localip' to set source IP properly

Component: TMOS

Symptoms:
Source ip of log entries sometimes use self-ip.

Conditions:
It happens when configuring mgmt IP and route is slower than syslog-ng start.

This issue happens in case of the HA scenario also.

Impact:
Remote log entry has wrong source IP address.

Workaround:
Use localip keyword to force specific IP address.

udp("1.1.1.9" port (514) localip("100.100.100.101"));

In case of the HA configuration, use persist-name key word or syslog-ng may fail to start.

# setting for device A
udp("1.1.1.9" port (514) localip("100.100.100.101") persist-name(devA) );
# setting for device B
udp("1.1.1.9" port (514) localip("100.100.100.102") persist-name(devB));


747628-1 : BIG-IP sends spurious ICMP PMTU message to server

Component: Local Traffic Manager

Symptoms:
After negotiating an MSS in the TCP handshake, BIG-IP then sends an ICMP PMTU message because the packet is too large.

Conditions:
The serverside allows timestamps and the clientside doesn't negotiate them.

The clientside MTU is lower than the serverside's.

There is no ICMP message on the clientside connection.

Impact:
Unnecessary retransmission by server, suboptimal xfrag sizes (and possibly packet sizes)

Workaround:
Disable timestamps on the serverside TCP profile, or proxy-mss on the clientside profile.


747560-5 : ASM REST: Unable to download Whitehat vulnerabilities

Component: Application Security Manager

Symptoms:
When using the Whitehat Sentinel scanner, the REST endpoint for importing vulnerabilities (/mgmt/tm/asm/tasks/import-vulnerabilities) does not download the vulnerabilities from the server automatically when no file is provided.

Conditions:
The ASM REST API (/mgmt/tm/asm/tasks/import-vulnerabilities) is used to download vulnerabilities from the server when a Whitehat Sentinel Scanner is configured.

Impact:
Vulnerabilities from the Whitehat server are not automatically downloaded when no file is provided, and it must be downloaded manually, or the GUI must be used.

Workaround:
The ASM GUI can be used to download the vulnerabilities from the Whitehat Server, or the file can be downloaded separately, and provided to the REST endpoint directly.


747239-1 : TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection

Component: Local Traffic Manager

Symptoms:
TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection.

Conditions:
This might occur rarely when the HTTP/2 gateway is configured on a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.


747065-2 : PEM iRule burst of session ADDs leads to missing sessions

Component: Policy Enforcement Manager

Symptoms:
Some PEM sessions that were originally added, later disappear and cannot be added back.

Conditions:
-- Subscriber addition is done by iRule on UDP virtual servers.
-- The sessions are added in a burst.
-- A small fraction of such sessions cannot be added back after delete.

Impact:
Policies available in the missing session cannot be accessed.

Workaround:
Add a delay of at least a few milliseconds between adding multiple session with same subscriber-id and IP address.


746922-6 : When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain.

Component: Local Traffic Manager

Symptoms:
In a situation when a routing entity belonging to the child route domain is searching for an egress point for a traffic flow, it's searching for a routing entry in the child domain first, then if nothing is found, it searches for it in the parent route domain and returns the best found routing entry.

If the best routing entry from the parent route domain is selected, then it is held by a routing entity and is used to forward a traffic flow. Later, a new route entry is added to the child route domain's routing table and this route entry could be better than the current previously selected routing entry. But previously selected entry doesn’t get invalidated, thus the routing entity which is holding this entry is forwarding traffic to a less preferable egress point.

#Example:
RD0(parent) -> RD1(child)
routing table: default gw for RD0 is 0.0.0.0/0%0
pool member is 1.1.1.1/32%1
-
Pool member searched for the best egress point and found nothing in the routing table for the route domain 1 and later found a routing entry, but from the parent route domain - 0.0.0.0/0%0.
Later new gw for RD1 was added - 0.0.0.0/0%1, it's more preferable for 1.1.1.1/32%1 pool member. 0.0.0.0/0%0 should be (but is not) invalidated to force the pool member to search for a new routing entry and find a better one if it exists, as in our case - 0.0.0.0/0%1.

Conditions:
1) There are more than one route domains in the parent-child relationship.
2) There are routing entries for the parent route-domain good enough to be selected as an egress point for the routing object(for instance, pool member) which is from child route domain.
3) The routing entry from a parent route domain was selected as an egress point for the object from the child route domain.
4) New routing entry for child route domain is added.

Impact:
If a new added route is more preferable than existing in a different route domain, then the new route is not going to be used by a routing object, which has selected an "old" route previously. Thus traffic flows through these routing objects to the unexpected/incorrect egress point. This could present undesirable behavior: the route could be unreachable and all traffic for a specific pool member is dropped or virtual server couldn't find an available SNAT address or just that the wrong egress interface is being used.

Workaround:
There are several ways:
Either of this workaround should be done after a new route in child domain was added.
- Recreate a route.
Recreate a parent route domain's routes. Restart tmrouted deamon if routes were gathered via routing protocols.
-----
- Recreate a routing object.
If a pool member is affected, recreate the pool member.
If a SNAT pool list is affected, recreate it.
And so on.


746877-1 : Omitted check for success of memory allocation for DNSsec resource record

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may panic from SIGABRT while logging this message:
./rdata.c:25: ldns_rdf_size: Assertion `rd != ((void *)0)' failed.

Conditions:
During memory stress while handling DNSsec traffic.

Impact:
TMM panic and subsequent interruption of network traffic.

Workaround:
Keeping the workload within normal ranges reduces the probability of encounter.


746837-2 : AVR JS injection can cause error on page if the JS was not injected

Component: Application Visibility and Reporting

Symptoms:
If page-load-time is enabled in the AVR profile, and the response is small enough to not be chunked, AVR 'promises' to the client a JS injection in the response by adding the expected length of the JS to the Content-length header.

If later, it is identified that the response contains no HTML tag, AVR does not inject the JS; instead it wraps the response with spaces.

This can lead to errors in cases where the change in response size is not supported.

Conditions:
AVR is configured to collect 'Page Load Time' and the response from the web server has these conditions:
-- The response is uncompressed.
-- The context-type header is text/html.
-- The response is not chunked (Context-length header exists).
-- The payload does not include the HTML head tag.

Impact:
White Spaces at the end of the page can cause it to be invalid for some applications.

Workaround:
To avoid trying to inject to pages where the JS does not fit, use iRules to control which pages should get the JS injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.


746768-4 : APMD leaks memory if access policy policy contains variable/resource assign policy items

Component: Access Policy Manager

Symptoms:
If an access policy contains variable/resource assign policy items, APMD will leak memory every time the policy is modified and applied.

Conditions:
1. Access policy has variable/resource assign policy items.
2. The access policy is modified and applied.

Impact:
APMD's memory footprint will increase whenever the access policy is applied.

Workaround:
There is no workaround.


746731-1 : BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set

Component: Service Provider

Symptoms:
The BIG-IP system always sets the Mandatory bit flag for Firmware-Revision AVPs in DIAMETER Capabilities Exchange Request messages.

Conditions:
Using DIAMETER to send a Capabilities Exchange Request message with the Firmware-Revision AVP.

Impact:
If the DIAMETER peer is intolerant of this Mandatory bit being set, it will reset the DIAMETER connection.

Workaround:
Configure an iRule in the MRF transport-config, for example:

ltm rule workaround {
    when DIAMETER_EGRESS {
        if {[serverside] && [DIAMETER::command] == "257" } {
            DIAMETER::avp flags set 267 0
        }
    }
}


746719-1 : SERVFAIL when attempting to view or edit NS resource records in zonerunner

Component: Global Traffic Manager (DNS)

Symptoms:
While attempting to use ZoneRunner to edit NS resource records, getting error:
01150b21:3: RCODE returned from query: 'SERVFAIL'.

Conditions:
- An NS resource record is selected using the zonerunner GUI
- The NS record points to a zone that bind is not authoritative for.
- Recursion is enabled on the zone in question
- The bind process is not able to reach the nameserver referenced in the NS record.

Impact:
Administrator is unable to use ZoneRunner to edit NS records.

Workaround:
Set recursion to no for the appropriate zone, perform the change, set recursion back to yes.

Note: This will be impacting to any clients expecting recursion for the duration of the change.


746710-1 : Use of HTTP::cookie after HTTP:disable causes TMM core

Component: Local Traffic Manager

Symptoms:
When an iRule disables HTTP with HTTP:disable, subsequent use of HTTP::cookie for that request will cause a TMM core dump.

Conditions:
1) HTTP profile is configured on the virtual.
2) HTTP:disable is called on request.
3) HTTP:cookie is then called on that request.

Impact:
Use of iRules in the above mentioned order will result in a TMM core. Traffic disrupted while tmm restarts.

Workaround:
Do not call HTTP:cookie on requests that have had HTTP disabled by HTTP:disable


746657-1 : tmsh help for FQDN node or pool member shows incorrect default for fqdn interval

Component: TMOS

Symptoms:
The tmsh help text for LTM nodes and pools shows the incorrect default for the fqdn 'interval' value.
The default is indicated as the TTL, whereas the actual default value is 3600 seconds (1 hour).
The configured value is displayed correctly if the node or pool is displayed using the 'all-properties' keyword.

Conditions:
Always.

Impact:
FQDN nodes and pool members may be created with a different fqdn refresh interval than intended.

Workaround:
When creating an FQDN node or pool member, specify the desired fqdn 'interval' value (either TTL, or the desired number of seconds).


746620-3 : "source-port preserve" does not work on BIG-IP Virtual Edition

Component: Performance

Symptoms:
BIG-IP Virtual Edition uses RSS hashing for selecting TMMs which has the side effect of causing "source-port preserve" to reuse ports aggressively. This can ultimately lead to connection failures.

Conditions:
BIG-IP virtual edition with "source-port preserve" configured on a fastl4 virtual server and VE configures RSS hash. VE will configure RSS hash if both the below conditions are met

1. VE supports RSS hash on the NIC. Currently, RSS is supported on ixlv and vmxnet3 NICs
2. The number of TMMs <= maximum number of queues supported by the NIC. For ixlv this is 4 and for vmxnet3 this is 8

Impact:
Connections may fail due to reusing ports too quickly.

Workaround:
On the Virtual Server, set source-port to "change".


746464-1 : MCPD sync errors and restart after multiple modifications to file object in chassis

Component: TMOS

Symptoms:
Upon modifying file objects on a VIPRION chassis and synchronizing those changes to another VIPRION chassis in a device sync group, the following symptoms may occur:

1. Errors are logged to /var/log/ltm similar to the following:

-- err mcpd[<#>]: 0107134b:3: (rsync: link_stat "/config/filestore/.snapshots_d/<_additional_path_to/_affected_file_object_>" (in csync) failed: No such file or directory (2) ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync error: some files could not be transferred (code 23) at main.c(1298) [receiver=2.6.8] syncer /usr/bin/rsync failed! (5888) () Couldn't rsync files for mcpd. ) errno(0) errstr().
-- err mcpd[<#>]: 0107134b:3: (rsync process failed.) errno(255) errstr().
-- err mcpd[<#>]: 01070712:3: Caught configuration exception (0), Failed to sync files..

2. MCPD may restart on a secondary blade in a VIPRION chassis that is receiving the configuration sync from the chassis where the file object changes were made.

Conditions:
This can be encountered when rapidly making changes to files such as creating and then deleting them while the config sync of the file creation is still in progress.

Impact:
Temporary loss of functionality, including interruption in traffic, on one or more secondary blades in one or more VIPRION chassis that are receiving the configuration sync.

Workaround:
After performing one set of file-object modifications and synchronizing those changes to the high availability (HA) group members, wait for one or more minutes to allow all changes to be synchronized to all blades in all member chassis before making and synchronizing changes to the same file-objects.


746394-1 : With ASM CORS set to "Disabled" it strips all CORS headers in response.

Component: Application Security Manager

Symptoms:
All access-control-* headers are removed by asm, including Cross-Origin Resource Sharing (CORS) headers. This causes CORS related javascript errors on browser console and blocks cross-domain requests that should be allowed.

Conditions:
-- ASM Provision
-- ASM policy attached to a virtual
-- Backed server sends CORS headers access-control-*

Impact:
Webapp which sends cross origin ajax requests could be broken.

Workaround:
Setup an irule on a virtual server.
when HTTP_RESPONSE {
    array set header_list { }
    foreach header_name [HTTP::header names] {
        if { [string tolower $header_name] starts_with "access-control-" } {
            set header_list($header_name) [HTTP::header $header_name]
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    foreach header_name [array names header_list] {
        if {!([HTTP::header exists $header_name])} {
            HTTP::header insert $header_name $header_list($header_name)
        }
    }
}


746344-3 : PEM may not re-establish diameter connection after HA switchover

Component: Policy Enforcement Manager

Symptoms:
PEM diameter may not establish diameter connection after a failover, if more than 25 days have elapsed between failovers

Conditions:
If 25 days have elapsed between failovers

Impact:
Diameter connection may not happen

Workaround:
tmm restart


746266-3 : Vcmp guest vlan mac mismatch across blades.

Component: TMOS

Symptoms:
Guests running on blades in a single chassis report different MAC addresses on a single vlan upon host reboot for vcmp guest.

Conditions:
This issue may be seen when all of the following conditions are met:

- One (or more) blade(s) are turned off completely via AOM.
- Create two vlans.
- Deploy a multi-slot guest with the higher lexicographic vlan.
- Now, assign the smaller vlan to the guest.
- Reboot the host

Impact:
Incorrect MAC addresses are reported by some blades.

Workaround:
There is no workaround at this time.


746137-1 : DNSSEC: Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds

Component: Global Traffic Manager (DNS)

Symptoms:
Creating a new DNSSEC Zone can result in gtmd attempting to sync every 10 seconds even though the configuration appears to be the same on each GTM in the sync group. This will last until another change is committed to the database (for example: create a new un-related object like a gtm wideip)

Conditions:
The user creates a new DNSSEC Zone.

Impact:
gtmd may attempt to sync every 10 seconds until another configuration change is made.

Workaround:
If the user makes another un-realted configuration change, like creating a gtm datacenter or wideip, the attempt to sync every 10 seconds will stop.


746078-1 : Upgrades break existing iRulesLX workspaces that use node version 6

Component: Local Traffic Manager

Symptoms:
When upgrading a BIG-IP with iRulesLX plugins, if those plugins are based on workspaces that use node version 6 (instead of version 0.12) they will fail to work properly after the upgrade once the plugin is reloaded from the workspace.

Errors like this will be seen in /var/log/ltm:

Oct 5 06:37:12 B7200-R14-S36 info sdmd[17582]: 018e0017:6: pid[26853] plugin[/Common/test-jt-plugin.test-jt-extension] Starting the server.....jt...after upgrade...
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: Resuming log processing at this invocation; held 233 messages.
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] /var/sdm/plugin_store/plugins/:Common:test-jt-plugin_62858_3/extensions/test-jt-extension/node_modules/f5-nodejs/lib/ilx_server.js:30
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ILXServerWrap = process.binding('ILXServerWrap').ILXServerWrap;
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] ^
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] Error: No such module: ILXServerWrap
Oct 5 06:37:12 B7200-R14-S36 err sdmd[17582]: 018e0018:3: pid[26850] plugin[/Common/test-jt-plugin.test-jt-extension] at Error (native)

Conditions:
Upgrading a version of BIG-IP that is using iRulesLX that has a workspace based on node version 6. Later reloading the iRulesLX plugin from the workspace.

Impact:
The iRulesLX plugin no longer works.

Workaround:
- Navigate to the workspace folder on the BIG-IP (/var/ilx/workspaces/<partition>/<workspace name>.
- Make the file "node_version" writable (chmod +w node_version).
- Edit the node_version file: change "0.12" to "6"
- Save the node_version file.
- Make the file "node_version" read-only (chmod -w node_version).
- Reload the iRulesLX plugin from the workspace.


745809-2 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition

Workaround:
This workaround is temporary in nature, should the conditions of this bug still be met, and may need to be periodically performed either manually or from a script. While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:
 bigstart stop restjavad
 rm -rf /var/config/rest/storage*.zip
 rm -rf /var/config/rest/*.tmp
 bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


745802-1 : Brute Force CAPTCHA response page truncates last digit in the support id

Component: Application Security Manager

Symptoms:
Brute Force CAPTCHA response page shown to an end-user has a support id and the last digit is truncated.

Conditions:
- ASM Provisioned
- ASM policy attached to a virtual server
- ASM Brute Force Protection enabled in the asm policy
- ASM Brute Force sends captcha mitigation page when a website is under brute force attack.

Impact:
The support id presented to an end-user won't be matched to the one shown in the asm logs

Workaround:
There is no workaround at this time.


745783-1 : Anti-fraud: remote logging of login attempts

Component: Fraud Protection Services

Symptoms:
There is no support for logging of login attempts to a remote service.

Conditions:
Using high speed logging (HSL) to log login attempts.

Impact:
There is no support for logging of login attempts.

Workaround:
None.


745589-6 : In very rare situations, some filters may cause data-corruption.

Component: Local Traffic Manager

Symptoms:
In very rare situations, an internal data-moving function may cause corruption.

Filters that use the affected functionality are:
HTTP2, Sip, Sipmsg, MQTTsession, serdes_diameter, FTP.

Conditions:
The affected filters are used, and some very rare situation occurs.

Impact:
This may cause silent data corruption, or a TMM crash.

Workaround:
There is no workaround at this time.


745574-1 : URL is not removed from custom category when deleted

Component: Access Policy Manager

Symptoms:
When the admin goes to delete a certain URL from a custom category, it should be removed from the category and not be matched anymore with that category. In certain cases, the URL is not removed effectively.

Conditions:
This only occurs when the syntax "http*://" is used at the beginning of the URL when inserted into custom categories.

Impact:
When the URL with syntax "http*://" is deleted from the custom category, it will not take effect for SSL matches. For example, if "http*://www.f5.com/" was inserted and then deleted, and the user passed traffic for http://www.f5.com/ and https://www.f5.com/, the SSL traffic would still be categorized with the custom category even though it was deleted. The HTTP traffic would be categorized correctly.

Workaround:
"bigstart restart tmm" will resolve the issue.


745545-1 : CMP forwarded LRO host packets do not restore LRO flag

Component: Local Traffic Manager

Symptoms:
When packets are being CMP forwarded for the host (e.g., related connection), the LRO flag is not being restored. As a result, these packets do not go through TSO which results in PMTU response and the connection hangs.

Conditions:
This issue is particular to CMP forwarded host connections which are going over the TMM interface due to explicit LRO and large MTU.

Impact:
The connection hangs.

Workaround:
There is no workaround.


745285 : Virtual server configured with destination address list may not respond to ARP and ICMP echo

Component: Local Traffic Manager

Symptoms:
When a virtual server configured with destination address list, some of the address ranges within the list may be configured as a subnet virtual address. Subnet virtual addresses do not respond to ARP and ICMP echo. This is in line with the traditional subnet listeners.

Conditions:
A virtual server is configured with destination address list, that contains address ranges.

Impact:
Addresses may behave differently in a destination address list depending on whether the address is configured as a host or as part of a range.

Workaround:
If the addresses of a destination address list are desired to behave as hosts, then do not add address ranges to the list, but add them as a list of individual addresses.


745035-2 : gtmd crash

Component: Global Traffic Manager (DNS)

Symptoms:
gtmd crashes

Conditions:
This rarely occurs when an iQuery connection is abnormally terminated.

Impact:
Under rare circumstances, gtmd may crash and restart.

Workaround:
None


744937-1 : Make authenticated-denial-of-existence NSEC3 RR Types Bitmap reflect available Resource Records

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP does not know what resource records some external zone holds at the time the BIG-IP is responding to some dnssec query that asked for some record type at some owner name.
If the resource record type does not exist, then as part of the response, the BIG-IP generates an NSEC3 record (to authenticate denial of existence along with RRSIG) containing a types bitmap that is supposed to have the available RRs at the owner name.
With some new feature supported in BIND 9.12 (RFC 8198) called Aggressive use of Negative Cache, that negative response with the inaccurate types bitmap is cached which can then be re-used to show that some resource records do not exist but are in fact available at the owner name.

Conditions:
A query comes in for a zone that is not hosted on the BIG-IP where the BIG-IP is only responsible for DNSSEC signing.

Impact:
Validating resolvers implementing Aggressive Use of DNSSEC-Validated Cache may respond with NODATA for an existing resource record.

Workaround:
N/A


744787-4 : Adding alias for a WideIP with the same name as an alias from another WideIP will replace the previous alias

Component: Global Traffic Manager (DNS)

Symptoms:
WideIP alias will be replaced.

Conditions:
There is an existing alias for a WideIP and adding the same alias for another WideIP.

Impact:
The previous WideIP will be replaced.

Workaround:
Avoid adding existing WideIP for other WideIP.


744730-1 : Specifying a larger system disk during VE launch requires manual reboot for the increase to go into effect

Component: TMOS

Symptoms:
It is allowed to specify larger system disk size during VE launch. The larger disk will be allocated, but VE will not be able to use the extra space initially. Manual reboot will allow VE to use the extra space. Desired behavior for VE is to reboot by itself.

Conditions:
This occurs when you launch VE with a larger system disk in the initial version of 14.1

Impact:
BIG-IP cannot use the extra space

Workaround:
Reboot VE


744707-2 : Fixed crash related to DNSSEC key rollover

Component: Global Traffic Manager (DNS)

Symptoms:
When running out of memory, a DNSSKEY rollover event can cause a tmm core dump.

Conditions:
System low/out of memory.
DNSSKEY rollover event.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround.


744532 : Websso fails to decrypt secured session variables

Component: Access Policy Manager

Symptoms:
Whenever websso tries to decrypt secure session variables, the following error is seen /var/log/apm:

Aug 15 21:36:25 abcd err websso.0[20421]: 014d0028:3: /Common/Test_PRP:Common:2b8e7abc: Master Decrypt failed for user test with error 'ckDecrypt: invalid ciphertext'
Aug 15 21:36:25 abcd info websso.0[20421]: 014d0009:6: /Common/Test_PRP:Common:2b8e7abc: Websso basic authentication for user 'test' using config '/Common/sso_test_obj'

Conditions:
- Per-req policy is attached to virtual server.
- Secure subsession variables are assigned to session variables using Variable Assign Agent in per-req policy.
- SSO Configuration Select agent is used in per-req policy.

Impact:
Single Sign-On (SSO) won't work correctly.

Workaround:
There is no workaround at this time.


744520-1 : virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface

Component: TMOS

Symptoms:
virtual server with perm profile drops traffic received from Vxlan-GRE tunnel interface.

Conditions:
Virtual server with pem profile and Vxlan-GRE tunnel interface.

Impact:
Traffic drop.

Workaround:
There is no workaround.


744516-4 : TMM panics after a large number of LSN remote picks

Component: Carrier-Grade NAT

Symptoms:
TMM panics with the assertion "nexthop ref valid" failed. This occurs after a large number of remote picks cause the nexthop reference count to overflow.

Conditions:
A LSN Pool and remote picks. Remote picks occur when the local TMM does not have any addresses or port blocks available. Remote picks are more likely when inbound and hairpin connections are enabled.

Impact:
TMM restarts. Traffic is interrupted.

Workaround:
There is no workaround.


744316-4 : Config sync of APM policy fails with Cannot update_indexes validation error.

Component: Access Policy Manager

Symptoms:
Config sync operation fails for APM policy when policy item of same name points to different agent on source and target

The system posts errors similar to the following:

Sync error on rfang-vemgmt.lab.labnet.com: Load failed from /Common/rfang-ve-3mgmt.lab.labnet.com 01070734:3: Configuration error: DB validation exception, unique constraint violation on table (access_policy_item_agent) object ID (/Common/resm_act_message_box_1 /Common/resm_act_message_box_ag_1). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:access_policy_item_agent status:13)"

Conditions:
This occurs in the following scenario:

1. Configure a failover device group containing two BIG-IP systems.
2. Create an APM access profile on one unit.
  + Launch VPE for the policy.
  + Add a macro.
  + In macro add an agent, e.g., Message box.
  + Add macro to the main policy.
3. Initiate config sync to another device.
4. On one BIG-IP system, add another Message box agent using the same macro. On the other BIG-IP system, make a copy of the access profile.
5. On either BIG-IP system, initiate another config sync operation.

Impact:
Unable to sync configuration in a failover device group.

Workaround:
You can work around this using the following procedure:

1. On the device receiving the config sync, delete the APM policies that contain the referenced APM policy items.
2. Perform an overwrite-config-sync operation from the sending device to this device.


744280-2 : Enabling or disabling a Distributed Application results in a small memory leak

Component: Global Traffic Manager (DNS)

Symptoms:
Enabling or disabling a Distributed Application results in an 8 byte memory leak.

Conditions:
Enabling or disabling a Distributed Application.

Impact:
8 bytes of memory are leaked every time a Distributed Application is enabled or disabled. If Distributed Applications are repeatedly programmatically enabled and disabled, over time, the system might eventually exhaust all available memory.

Workaround:
None.


744252-2 : BGP route map community value: either component cannot be set to 65535

Component: TMOS

Symptoms:
The community value for BGP route map entries should allow values of 1-65535 for both components, but it is not allowing 65535 for either component.

Conditions:
-- Using BGP route map community values.
-- Attempting to set one or both components to 65535.

Impact:
Unable to use the full range of BGP route map community values

Workaround:
There is no workaround at this time.


744210-2 : DHCPv6 does not have the ability to override the hop limit from the client.

Component: Local Traffic Manager

Symptoms:
DHCPv6 packet may be dropped by a device after the DHCP relay if the client provided hop limit is 1.

Conditions:
DHCPv6 Relay configured on the BIG-IP.

Impact:
Loss of DHCPv6 service.

Workaround:
There is no workaround at this time.


743803-1 : IKEv2 potential double free of object when async request queueing fails

Component: TMOS

Symptoms:
TMM may core during an IPsec cleanup of a failed async operation.

Conditions:
When an async IPsec crypto operation fails to queue.

Impact:
Restart of tmm. All tunnels lost must be re-established.

Workaround:
No workaround known at this time.


743132-6 : mcpd might restart on secondary blades after modify sys httpd ssl-certchainfile

Component: TMOS

Symptoms:
On a chassis platform, if 'tmsh modify sys httpd ssl-certificate' is run immediately after creating a new certificate file, it's possible for mcpd to restart on the secondary blades. This happens when it takes longer for csyncd to copy the new certificate file to the other blades than it takes mcpd to send the modify message to the other blades.

Conditions:
Chassis platform with multiple blades.
Setting the httpd ssl-certificate to a new file.

Impact:
mcpd stops on secondary blades, causing those blades to go offline for a short time while mcpd and other daemons restart.

Workaround:
When setting the httpd ssl-certificate to a new file, wait a few seconds after creating the file before issuing the tmsh modify command.


742838-1 : A draft policy of an existing published policy cannot be modified if it is in /Common and an used by a virtual server in a different partition

Component: Local Traffic Manager

Symptoms:
If you have a published policy in /Common that is in use by a virtual server in a different partition, if you try to create and modify a draft of the existing policy, you will get an error like this:

"01070726:3: Policy /Common/Drafts/test-policy in partition Common cannot reference policy reference /Common/Drafts/test-policy /test/test-vs in partition test"

This happens in both the GUI and TMSH.

Conditions:
-- A published policy exists in /Common.
-- The published policy is attached to a virtual server in a different partition.
-- Attempt to create and modify a draft of the policy.

Impact:
Inability to edit the published policy.

Workaround:
None.


742753-4 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.


742237-4 : CPU spikes appear wider than actual in graphs

Component: Local Traffic Manager

Symptoms:
Graphs of CPU usage show spikes that are wider than actual CPU usage.

Conditions:
CPU usage has spikes.

Impact:
Graphs of CPU spikes appear to last longer than they actually last.

Workaround:
Restart statsd to change the start of the RRD sampling interval.


742170-2 : REST PUT command fails for data-group internal

Component: TMOS

Symptoms:
Cannot change content of existing data-group internal using REST PUT command.

Conditions:
Using REST API.

Impact:
Cannot modify data-group internal via the REST API.

Workaround:
Add 'type' in the content


740959-4 : User with manager rights cannot delete FQDN node on non-Common partition

Component: Local Traffic Manager

Symptoms:
A user that has manager rights for a non-Common partition, but not for the /Common partition, may be denied delete privileges for an FQDN template node that is created on the non-Common partition for which the user does have manager rights.

This occurs because ephemeral nodes created from the FQDN template node are 'shared' in the /Common partition, so the delete transaction fails because the user has insufficient permissions to delete the dependent ephemeral nodes on the /Common partition.

Conditions:
-- A user is created with manager rights for a non-Common partition.

-- That user does not have manager rights for the /Common partition;

-- At least one ephemeral node is created from that FQDN template node (due to DNS lookup), which is not also shared by other FQDN template nodes.

-- That user attempts to delete an FQDN template node on the non-Common partition for which the user has manager rights.

Impact:
The transaction to delete the FQDN template node fails due to insufficient permissions. No configuration changes occur as a result of the FQDN template node-delete attempt.

Workaround:
You can use either of the following workarounds:

-- Perform the FQDN template node-delete operation with a user that has manager rights to the /Common partition.

-- Create the FQDN template node on the /Common partition.


740589-1 : mcpd crash with core after 'tmsh edit /sys syslog-all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(190.45.32.51 port(514) localip(190.46.2.221) persist-name(r1));
udp(190.45.32.51 port(514) localip(190.46.2.222) persist-name(r2));
udp(190.200.60.1 port(514) localip(190.46.2.221) persist-name(r3));
udp(190.200.60.1 port(514) localip(190.46.2.222) persist-name(r4));


740543-1 : System hostname not display in console

Component: TMOS

Symptoms:
Hostname is not displayed in the shell prompt in bash and tmsh.

Conditions:
After reboot or upgrade, login to the host console, shell, or tmsh.

Impact:
Hostname is not displayed in the shell prompt.

Workaround:
Update hostname from GUI/TMSH.


740517-1 : Application Editor users are unable to edit HTTPS Monitors via the Web UI

Component: TMOS

Symptoms:
A user with Application Editor role cannot modify an HTTPS Monitor via the GUI. The user is sent the the following, misleading and incorrect error message: Access Denied: user does not have delete access to object (ssl_cert_monitor_param)

Conditions:
The logged in GUI user must be an Application Editor role for the partition containing the HTTPS Monitor

Impact:
The user must use TMSH to modify an HTTPS Monitor.

Workaround:
Run the following tmsh command: modify ltm monitor https"\


739820-1 : Validation does not reject IPv6 address for TACACS auth configuration

Component: TMOS

Symptoms:
TACACS authentication does not support IPv6 address for the authentication server, but both GUI and TMSH allow IPv6 addresses to be configured for TACACS. Such configurations may result in failed logins with messages in /var/log/secure like

Aug 8 10:47:39 gtm-13108-174 err httpd[5948]: pam_tacplus: skip invalid server: 2001::1001:1001 (invalid port: no digits)

Conditions:
Use the GUI or TMSH to create or modify a TACACS server

Impact:
Remote authentication will fail unless a second server is configured with IPv4 address.

Workaround:
Do not configure IPv6 address for TACACS server


739553-1 : Setting large number for Wide IP Persistence TTL breaks Wide IP persistence

Component: Global Traffic Manager (DNS)

Symptoms:
Wide IP persistence is not working. Previous Wide IP persistence records are cleared.

Conditions:
This occurs when the Wide IP Persistence TTL plus the persist-record creation time is greater than 4294967295.

Impact:
Wide IP persistence does not work.

Workaround:
There is no workaround other than not setting Wide IP Persistence TTL to a number greater than 4294967295.


739118-1 : Manually modifying a self IP address in bigip_base.conf file and reloading the configuration results in routing misconfiguration

Component: TMOS

Symptoms:
Changing existing self IP addresses in bigip_base.conf file directly. After uploading the changed configuration file, BIG-IP routing service provides out of date Self IP route information to dependent services.

Conditions:
- Self IP address is configured on the BIG-IP system.
- Manually change the IP address of a self IP in bigip_base.conf file.
- Load changed configuration via tmsh.

Impact:
Different services have different route information:
-- tmsh table - has the old route.
-- Dynamic routing - hHas the old and new routes.
-- Kernel table - has the new route.

Workaround:
There are two workarounds, preventive and corrective.
Preventive:
Do not manually change self IP addresses in bigip_base.conf file. It is not recommended way to add/change BIG-IP configuration. Use GUI or tmsh instead.

Corrective:
If changed configuration is uploaded. In GUI or tmsh, delete changed self IP address, and then create a self IP address with old IP address and delete it as well. Now, all affected routes are removed.


739003-2 : TMM may crash when fastl4 is used on epva-capable BIG-IP

Component: Local Traffic Manager

Symptoms:
TMM may crash when fastl4 is used on epva-capable BIG-IP.

Conditions:
The virtual server has fastl4 profile installed, has iRule installed and the iRule uses SERVER_CONNECTED event. The pool member is route-able but does not exist.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


738547-3 : SAML Sax Parser returns error when importing metadata file that contains certain UTF-8 encoded characters other than ASCII

Component: Access Policy Manager

Symptoms:
When SAML metadata file that contains certain UTF-8 characters other than ASCII is imported, SAML SAX Parser returns error

Conditions:
When SAML metadata file contains certain UTF-8 characters other than the ASCII set,

Impact:
SAML metadata file is not imported, and the system reports an error. SAML configuration on BIG-IP systems is impacted.

Workaround:
Remove the non-ASCII UTF-8 characters, and try the import operation again.


738450-1 : Parsing pool members as variables with IP tuple syntax

Component: Local Traffic Manager

Symptoms:
There is a config loading warning at tmsh similar to the following: unexpected end of arguments;expected argument spec:PORT.

Conditions:
Tcl variable is used for the IP tuple instead of a plain value.

Impact:
iRule LB::reselect command may not recognize an IP tuple when it is a variable. tmsh warning shows.

Note: There is no warning in the GUI.

Workaround:
Use plain value instead of variable.


738330-3 : /mgmt/toc endpoint broken after configuring remote authentication

Component: TMOS

Symptoms:
'Invalid username or password.' error on the /mgmt/toc page after configuring remote authentication.

Conditions:
When remote auth is configured.

Impact:
Cannot configure remote authentication.

Workaround:
None.


738046-1 : SERVER_CONNECTED fires at wrong time for FastL4 mirrored connections on standby

Component: Local Traffic Manager

Symptoms:
For FastL4 connections, SERVER_CONNECTED currently doesn't fire on the standby device. If the standby device then becomes active, the first packet from the server on an existing FastL4 connection causes SERVER_CONNECTED to fire. Depending on what the iRule does in SERVER_CONNECTED, a variety of results can occur, including TMM coring due to commands being executed in unexpected states.

Conditions:
-- High availability configuration.
-- Mirrored FastL4 virtual server.
-- Attached iRule contains a SERVER_CONNECTED event.

Impact:
SERVER_CONNECTED does not fire when expected on standby device. When the standby device becomes active, the SERVER_CONNECTED iRule may cause TMM to core with traffic being disrupted while TMM restarts.

Workaround:
None.


738045-5 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
 
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
        log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.


737739-1 : bash shell still accessible for admin even if disabled

Component: TMOS

Symptoms:
With the administrator role, you have an option in TMUI to disable or restrict terminal access. If you disable or restrict access, the corresponding REST endpoint is neither disabled nor restricted.

Conditions:
Use TMUI as the admin, or as a user with the administrator role, and either of the following:
-- Disable terminal access.
-- Restrict access to TMSH.

Impact:
Users with the Administrator role can obtain shell access via REST.

With terminal access disabled:
-- If you attempt to login using SSH, you will not be to do so.
-- If you make a POST request to the /mgmt/tm/util/bash endpoint with a body that includes a command to run, that command will be run.

With access to TMSH restricted:
-- A POST request to the /mgmt/tm/util/bash endpoint that includes a body with a command to run will be run.

Workaround:
None.


737692 : Handle x520 PF DOWN/UP sequence automatically by VE

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that is passed to the BIG-IP-VE). If an x520 device's PF is set down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.


737397-1 : User with Certificate Manager role is unable to archive certificates using GUI and iControlSOAP

Component: TMOS

Symptoms:
Unable to archive certificates or keys using GUI and iControlSOAP.

Conditions:
When the user is in Certificate Manager role.

Impact:
Unable to backup certificates or keys.

Workaround:
The user in Certificate Manager role is still be able to export the key and see its PEM string. So you can manually create an archive file by copying the PEM string into a file.


737346-1 : After entering username and before password, the logging on user's failure count is incremented.

Component: TMOS

Symptoms:
Listing login failures (i.e., using the following command: 'tmsh show auth login-failures') shows a failed login for the user who is currently logging in via console or SSH.

Conditions:
-- A user is logging in via console or SSH.
-- Between the time the system presents the password prompt and the user enters the password.

Note: This does not apply to GUI or iControl REST logins.

Impact:
If many logins for the same user get to this state simultaneously, it may be enough to exceed a specified lockout threshold, locking the user out.

Workaround:
There is no workaround other than using the GUI or iControl REST to log in to the system.


734846-1 : Redirection to logon summary page does not occur after session timeout

Component: TMOS

Symptoms:
After a BIG-IP Administrator user session times out, the user is not automatically redirected to the logon summary page, despite being configured to do so.

Conditions:
-- The BIG-IP system is configured to redirect to the logon summary page immediately after logging in, using the following db variable:
ui.users.redirectsuperuserstoauthsummary = true

-- The BIG-IP Administrator users' session automatically times out.

Impact:
The system does not comply with government security requirements that BIG-IP Administrator users be sent automatically to the logon summary. BIG-IP Administrator users must manually navigate to the logon summary page

Workaround:
Manually navigate to the logon summary page.


734276-1 : TMM may leak memory when SSL certificates with VDI or EAM in use

Component: Local Traffic Manager

Symptoms:
TMM 'method' memory usage grows over time when VDI and serverssl *or* EAM and clientssl are configured on the same VIP.

Conditions:
One or both of the following:

-- VDI and serverssl are configured on the same VIP
-- EAM and clientssl are configured on the same VIP

Impact:
TMM memory usage grows over time leading to eventual performance degradation and potential traffic outage if TMM cores.

Workaround:
No workaround short of not using these combinations of features.


727297-1 : GUI TACACS+ remote server list should accept hostname

Component: TMOS

Symptoms:
Cannot add hostnames to the Remote - TACACS+ server list in the GUI.

Conditions:
-- On the System :: Users : Authentication page with Remote - TACACS+ specified.
-- Add hostname to the server list.

Impact:
Validation does not accept a hostname. Cannot add hostname as a server.

Workaround:
Use tmsh to add a hostname.


727191-1 : Invalid arguments to run sys failover do not return an error

Component: TMOS

Symptoms:
If an invalid device name is used in the sys failover command, the device name reject is logged in /var/log/ltm and failover does not occur. No error or failure message is displayed on the command line.

Note: In prior versions, the system incorrectly performed a force-to-standby operation (no 'device' specified), rather than a directed failover operation (failover to specified 'device'). Although this resulted in the active device becoming standby, it did not cause the system to choose the (nonexistent) device specified.

Conditions:
Run a tmsh command similar to the following:
sys failover standby traffic-group traffic-group-1 device invalid_name

Impact:
Since no failover occurs and no error/warning is returned, this may result in some confusion.

Workaround:
There is no workaround.


726900-1 : Switching from FastL4 or TCP profiles to an ipother profile may leave a virtual server with stale TCP syncookie parameters

Component: Local Traffic Manager

Symptoms:
Virtual server may attempt to use syncookies on first SYN packet rather than allowing the connection to pass through to the real server.

Conditions:
Modifying a virtual server (CLI/iControl/GUI) to switch from FastL4 or TCP profiles to an 'ip-other' profile.

Impact:
The configured 'ip-other' virtual server will fail to accept all traffic. For example, a TCP or a UDP flow which should have been accepted and processed by the 'ip-other' virtual server will be dropped incorrectly, trying to enforce 'Syn Cookie' validation.

Workaround:
When switching a virtual server profile from FastL4/TCP to the 'ip-other' profile, delete the virtual server and then re-add it with the 'ip-other' profile.


726487-4 : MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change.

Component: TMOS

Symptoms:
The MCPD daemon on secondary VIPRION or vCMP blades exits and restarts, logging errors similar to the following:

-- err mcpd[11869]: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5.

-- err mcpd[11869]: 01070734:3: Configuration error: Configuration from primary failed validation: 01070734:3: Configuration error: Node name /group1/5.5.5.5 encodes IP address 5.5.5.5%18 which differs from supplied address field 5.5.5.5... failed validation with error 17237812.

Or:

--- err mcpd[8320]: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).

--- err mcpd[8320]: 01070734:3: Configuration error: Configuration from primary failed validation: 0107003b:3: Pool member IP address (5.5.5.5%999) cannot be assigned to node (/group1/node1). The node already has IP address (5.5.5.5).... failed validation with error 17236027.

Conditions:
This issue occurs when all of the following conditions are met:

-- VIPRION or vCMP platform with more than one blade.
-- A partition with a non-default route domain.
-- Creating a pool member in the aforementioned partition while a configuration save is taking place at the same time (either system or user initiated).

Impact:
If the system is Active, traffic will be disrupted as the secondary blades restart. The capacity of the system will be reduced until all blades are on-line again. Additionally, depending on the system configuration, the system may fail over to its peer (if one exists).

Workaround:
There is no workaround other than not to create pool members from a different client while saving configuration changes in another client. However, this does not help if the configuration save operation was system-initiated.


726317-6 : Improved debugging output for mcpd

Component: TMOS

Symptoms:
In some cases, mcpd debugging output is insufficient for diagnosing a problem.

Conditions:
Using debugging in mcpd, specifically, setting log.mcpd.level to debug.

Impact:
None. Has no effect without log.mcpd.level set to debug.

Workaround:
None.


726240-1 : Cannot find disk information.

Component: TMOS

Symptoms:
When running the configuration utility in the GUI, after clicking Next on the License screen the GUI reports an error and you are unable to proceed: Cannot find disk information.

Conditions:
The conditions that trigger this are unknown; in one scenario, it was observed after running 'tmsh load sys config default', suspending the VE, and then restarting it and running the configuration utility.

Impact:
You are unable to proceed through the configuration utility.

Workaround:
If this occurs, reboot the machine and the error will fix itself.


726011-4 : PEM transaction-enabled policy action lookup optimization to be controlled by a sys db

Component: Policy Enforcement Manager

Symptoms:
There is no way to disable optimization if time-based actions are enabled in the PEM policy and a statistical transaction-based action enforcement is desired.

Conditions:
If the PEM classification tokens do not change.

Impact:
Time-based actions such as insert content may not get applied to such flows.

Workaround:
None.


725791-6 : Potential HW/HSB issue detected

Component: TMOS

Symptoms:
There are a number of High-Speed Bridge (HSB) stats registers that monitor the errors in HSB SRAM that are critical for passing traffic, for example, RQM_CRC_ERROR Count 0, RQM_CRC_ERROR count 1, RQM_CRC_ERROR Count 2, etc. Any errors in any of these registers may indicate a hardware error in the HSB SRAM that impedes traffic through embedded Packet Velocity Acceleration (ePVA). In that case, ePVA-accelerated flow might fail.

With a burst of CRC errors in the SRAM for ePVA transformation cache, it won't trigger a failover and causes a silent traffic outage on the FastL4 VIP with hardware traffic acceleration. This is because the health check watchdog packets are still functioning correctly, and the current TMOS software primarily monitors watchdog packets tx/rx failures to trigger failover.

In these cases, there might be the following messages in /var/log/tmm*:

  Device error: hsb_lbb* tre2_crc_errs count *

Conditions:
Traffic is offloaded to HSB hardware for acceleration.

Impact:
Hardware accelerated traffic drop.

Workaround:
Switch traffic to software acceleration.


725505-1 : SNAT settings in network resource are not applied after FastL4 profile is updated

Component: Access Policy Manager

Symptoms:
When the admin updates a FastL4 profile, the iRule associated with the internal virtual server (the APM forward virtual server) is removed.

This iRule sets up the SNAT setting, however, since the iRule is removed, the SNAT setting is not applied to new network access connections.

Conditions:
-- Using network access.
-- FastL4 profile is updated.

Impact:
When accessing the backend resource, the BIG-IP system uses the self IP address as the source IP address instead of the IP address configured under the network access resource. Traffic disrupted while tmm restarts.

Workaround:
Restart tmm.

Restarting tmm re-creates the forward virtual servers and attach the relevant iRule.


723790-3 : Idle asm_config_server handlers consumes a lot of memory

Component: Application Security Manager

Symptoms:
Idle asm_config_server handlers needlessly uses a large amount of memory.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. Relevant asm_config_server handler process increases its memory consumption and stays that way, holding on to the memory until it is released with a restart.

Impact:
Unnecessary memory consumption.

Workaround:
1) Lower the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server:
---------------
# perl -pi.bak -e 's/MaxMemorySize=471859200/MaxMemorySize=262144000/' /etc/ts/tools/asm_config_server.cfg
---------------

2) Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------

Notes:
-- The provided workaround does not permanently fix the issue. Instead it alleviates the symptoms of memory pressure, by (1) lowering the MaxMemorySize threshold from 450 MB to 250 MB, per process of asm_config_server, and (2) freeing up all the memory that is currently taken by all asm_config_server processes.
-- This workaround does not cause any down time; the asm_config_server processes automatically start within ~30 seconds.


723306-1 : Error in creating internal virtual servers, when address 0.0.0.0 exists on different partition

Component: Local Traffic Manager

Symptoms:
Loading correct configuration with 'tmsh load /sys config' fails. The error message appears similar to the following:

    01070726:3: Virtual Address /test/0.0.0.0 in partition test cannot be referenced by Virtual Server /Common/test-internal in partition Common.
Unexpected Error: Loading configuration process failed.

Conditions:
Creating internal virtual server, when 0.0.0.0 address exists on another partition.

Impact:
Inability to load config, with created internal virtual server.

Workaround:
Create internal virtual server first; then create the 0.0.0.0 address on different partition.


723288-4 : DNS cache replication between TMMs does not always work for net dns-resolver

Component: Global Traffic Manager (DNS)

Symptoms:
System DNS resolvers (net dns-resolver objects) do not share DNS reply information between the dns resolver instances across TMMs, which can result in separate TMMs performing seemingly-unnecessary DNS lookups.

Conditions:
There are no LTM DNS *cache* objects present in the BIG-IP configuration.

Impact:
A performance impact resulting from each TMM having to perform unnecessary DNS lookups.

Workaround:
Use tmsh to create a placeholder LTM DNS cache resolver object. The object does not need to be used anywhere, just present in the config.

Note: This workaround is effective even without a DNS license (although in that case, the placeholder object must be created using tmsh, as the GUI menu would not be available without a DNS license.)


722741-1 : Damaged tmm dns db file causes zxfrd/tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
zxfrd/tmm cores on startup.

Conditions:
Damaged tmm dns db file.

Impact:
System remains in a tmm-restart loop caused by tmm opening a corrupted tmmdns.bin on startup and segfaulting. Traffic disrupted while tmm restarts.

Workaround:
Delete the damaged db files.


722707-2 : mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall

Component: Local Traffic Manager

Symptoms:
The 'debug' log for a 'mysql' monitor may incorrectly report data being received from the database when network routing is configured to drop packets from that database, causing confusion when diagnosing packet traffic. This might be stimulated by configuring the firewall to enable traffic to/from the 'mysql' database, and then (after the 'mysql' monitor successfully connecting with the database) changing firewall rules to drop packets returned *from* the database.

Conditions:
-- A 'mysql' monitor successfully connects to the 'MySql' database.
2. Once connection is established, firewall rules are changed to 'DROP' packets returned from the 'MySQL' database, resulting in several entries in the 'mysql' monitor 'debug' log that incorrectly suggest packets were received from the 'MySQL' database.

Impact:
Several log entries may be made in the 'mysql' debug log suggesting packets were received from the 'MySQL' database (after a previous successful database probe connection), when in fact those packets were dropped due to changes in the firewall rules. These log entries may confuse debugging scenarios, but will typically self-correct (such as after three log message entries).

Workaround:
When configuring network traffic for 'MySQL' database resources, ensure symmetry for traffic handling (either bi-directional packet routing between 'bigd' and the 'MySQL' database is supported, or neither 'send' nor 'receive' packet routing to the 'MySQL' database is supported).


722534-1 : load sys config merge not supported for iRulesLX

Component: Local Traffic Manager

Symptoms:
iRulesLX configurations are (for the most part) contained in the file system, rather than the 'traditional' BIG-IP config files. An attempt to merge configurations containing iRulesLX using the tmsh command 'load sys config merge' options fails with an error similar to the following:

# load sys config merge from-terminal
Enter configuration. Press CTRL-D to submit or CTRL-C to cancel.
ilx plugin test-plugin {
  from-workspace test-ws
}
Validating configuration...
Unexpected Error: "basic_string::at"

Conditions:
The configuration being merged contains iRulesLX.

Impact:
The merge will fail with the error: Unexpected Error: "basic_string::at". The previous configuration will continue to work.

Workaround:
There is no workaround at this time for merging iRulesLX configuration. If the iRulesLX configuration is removed from the configuration to be merged, the merge will work.


721350-1 : The size of the icrd_child process is steadily growing

Component: TMOS

Symptoms:
The resident segment size (rss) for the icrd_child process continues to increase on issuing iCR GET requests. This increase is permanent and the rss does not drop back to its original size.

Conditions:
The following is an example config under which this issue occurs. Note this is an illustrative example; the actual issue might occur for various config objects.

GET tm/ltm/virtual?expandSubcollections=true wherein the virtual has some profiles associated with it.

ltm pool p-http { }
ltm virtual novel-1000 {
...
    pool p-http
    profiles {
        analytics { }
        http { }
        tcp { }
    }
....
}


# tmctl proc_pid_stat 'proc_name=icrd_child' -s proc_name,ppid,vsize,rss

On subsequent GET requests the rss size continues to increase.

Impact:
Increase in the rss of the icrd_child process. This increase could lead to icrd_child core or swapping of processes into the rss due to limited memory left for other processes.

Workaround:
There is no workaround.


721020-1 : Changes to the master key are reverted after full sync

Component: TMOS

Symptoms:
Changing the master key on a device that is in a device cluster are reverted when performing a full sync of any device-group. The master key is reset to its previous value.

Conditions:
-- The BIG-IP system is in a device cluster.
-- You change the master key from within TMSH.

Impact:
Subsequent configuration loads fail on the device.

Workaround:
There is no workaround.


720434-3 : Multiblade Chassis iAppLX Package upgrade sync is incomplete across blades

Component: Device Management

Symptoms:
Some iAppLX package files on primary blade do not exist on secondary blades.

Conditions:
After installing an iAppLX package on a multiblade chassis the package files are synced to other blades. This process is not instantaneous and may take several minutes.

During this time if the same iAppLX package is upgraded then not all of the files will be synced across blades and an incomplete iAppLX package will exist on secondary blades.

Impact:
When a failover occurs to a blade with an incomplete iAppLX package, then parts of the iAppLX GUI may not work.

Workaround:
Run the command 'bigstart restart csyncd' to trigger a resync of files from primary to secondary blades run


719597-3 : HA between VIPRION chassis with B2250 blades might not work when running v12.1.1 and v13.1.0

Component: TMOS

Symptoms:
When two VIPRION chassis with B2250 blades try to form a high availability (HA) connection, with one running v12.1.1 and the other running v13.1.0, HA connections between TMMs on Active and TMMs on Standby might fail.

Conditions:
-- Two VIPRION chassis with B2250 blades.
-- One blade running v12.1.1 and the other running v13.1.0.
-- Try to configure HA connection.

Impact:
Fail to form HA connection.

Workaround:
There is no workaround other than installing the same software on both blades.


718790-1 : Traffic does not forward to fallback host when all pool members are marked down

Component: Local Traffic Manager

Symptoms:
Traffic does not get forwarded to fallback hosts.

Conditions:
All the pool members are marked administrative down.

Impact:
Traffic does not get forwarded.

Workaround:
Pick a monitor working properly for the pool.


718405-2 : RSA signature PAYLOAD_AUTH mismatch with certificates

Component: TMOS

Symptoms:
IPsec IKEv2 negotiation with other vendors may fail to establish tunnels when certificate authentication is configured, using either RSA signature or DSS.

The value of PAYLOAD_AUTH does not match when the BIG-IP system compares it with what the remote peer sends. The same certificate works when the BIG-IP system is the initiator, but not when another vendor is the initiator.

Conditions:
Interoperating with other vendors under IKEv2 while using certificates.

Impact:
IKEv2 tunnels fail to establish, failing the second IKE_AUTH exchange in the protocol.

Workaround:
Use pre-shared key authentication.


718033-4 : REST calls fail after installing BIG-IP software or changing admin passwords

Component: Device Management

Symptoms:
After installing the latest BIG-IP software, or changing the BIG-IP admin passwords once or twice, REST calls might fail with the following error: 400 - Bad Request.

Conditions:
The conditions under which this occurs are not well understood. The issue occurs randomly, and is likely the result of a timing issue.

Impact:
REST calls or GUI operations fail to work. Get errors on screen.

Workaround:
Run the following command on the BIG-IP system:
$ bigstart restart restjavad


717785-2 : Interface-cos shows no egress stats for CoS configurations

Component: TMOS

Symptoms:
No egress packet counts per CoS queue are reported on B21x0 and 5x00/7x00 platforms. The issue affects the egress packet statistics reporting per CoS queue only. The operation of the CoS feature is not affected and the egress packets statistics reporting per external interface is also not affected.

Conditions:
-- Valid 8 HW CoS feature configuration has been enabled and passing traffic.
-- BIG-IP 5x00/7x00 platforms and VIPRION 21x0 blades.
-- Running the show net interface-cos command.

Impact:
Egress packet statistics reported per CoS queue shows no counts.

Workaround:
None.


715379-3 : IKEv2 accepts asn1dn for peers-id only as file path of certificate file

Component: TMOS

Symptoms:
IKEv2 only has a very inconvenient way to specify ID for an ike-peer when using peers-id-type asn1dn. The string value of peers-id-value was understood only as a file path, and not as a representation of the asn1dn value itself. The file had to be a certificate, whose subject happened to be the ID of the remote peer as a distinguished name (DN), so this could be extracted as binary DER for asn1dn. This was both awkward and error prone, requiring what amounts to a copy of a peer's certificate before it is sent during negotiation.

Conditions:
-- Using certificate based authentication in IPsec IKEv2.
-- Configuring an ike-peer with peers-id-type as asn1dn.

Impact:
Very difficult to use asn1dn as the ID of a peer, impeding inter-operation with other vendors.

Workaround:
If you can install a local copy of the peer's certificate, with an asn1dn value inside matching what that peer will actually send in an IKE_AUTH exchange, IKEv2 can extract the asn1dn provided the value of peers-id-value is an absolute file system path to this local certificate copy.


714372 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.


712534 : DNSSEC keys are not generated when configured to use an external FIPS device

Component: Local Traffic Manager

Symptoms:
DNSSEC keys that use an external FIPS device are not generated, and an SELinux denial is reported in /var/log/auditd/audit.log. The logged permission denial should indicate that a process running under the 'mcpd_t' SELinux context was denied the 'execmem' permission.

Conditions:
-- A device is configured with one or more DNSSEC keys that are configured to be generated by an external FIPS device (indicated by the 'use-fips' option being set to 'external').
-- An unpatched version of the Thales client software be in use on the device.

Impact:
DNSSEC keys will not be generated when configured to use the external FIPS device.

Workaround:
Update the version of the Thales client software that is in use on the device.


712335-3 : GTMD may intermittently crash under unusual conditions.

Component: Global Traffic Manager (DNS)

Symptoms:
GTMD may intermittently crash when an unexpected error occurs while creating a statistics row for a resource added to the configuration.

Conditions:
When a pool member is added to the system and there is an unexpected failure to create the associated statistics row.

Impact:
GTMD restarts.

Workaround:
There is no workaround at this time.


711056-1 : License check VPE expression fails when access profile name contains dots

Component: Access Policy Manager

Symptoms:
License Check Agent always flows down fallback branch. Logs show the following pattern:
Mar 1 11:25:18 BIG-IP err apmd[13738]: 01490190:3: /Common/my.profile.name:Common:2a392ccd: Key 'tmm.profilelicense./Common/my.profile.name#' was not found in MEMCACHED.
Mar 1 11:25:18 BIG-IP err apmd[13738]: 01490086:3: /Common/my.profile.name:Common:2a392ccd: Rule evaluation failed with error: can't use empty string as operand of "-"

Conditions:
Access profile contains dots in its name and License Check agent is used in the VPE to check against profile license.

Impact:
License check always fails, resulting in denied logon.

Workaround:
Use a different policy name without '.' character.


710930-3 : Enabling BigDB key bigd.tmm may cause SSL monitors to fail

Component: Local Traffic Manager

Symptoms:
When bigd.tmm is enabled, SSL monitors may begin to fail.

Conditions:
-- The in-tmm monitoring feature is enabled via the bigd.tmm db variable (it is disabled by default)
-- The cipher string of the attached SSL profile uses keywords that are invalid with TMM.

Impact:
The cipher string will no longer be valid when bigd.tmm is enabled and the keywords will need to be modified or removed. SSL monitors begin to fail after modifying bigd.tmm.

Workaround:
Modify or remove incompatible keywords from the ciphers string; the in-tmm monitoring feature only allows ciphers that are allowed by SSL profiles.


701341-4 : If /config/BigDB.dat is empty, mcpd continuously restarts

Solution Article: K52941103

Component: TMOS

Symptoms:
If another issue causes /config/BigDB.dat to be empty, mcpd will fail to start up.

Conditions:
The event causing BigDB.dat to be truncated is unknown at this time.

Impact:
The system will fail to start up, and mcpd will continually restart.

Workaround:
Remove this empty file. (If BigDB.dat is nonexistent, the issue will not occur.)


698933-6 : Setting metric-type via ospf redistribute command may not work correctly

Component: TMOS

Symptoms:
When using a dynamic routing configuration, where an OSPF process redistributes routes setting a metric-type from another OSPF process the metric type is not changed.

Conditions:
Dynamic routing configuration with 2 or more OSPF processes redistributing routes using the "redistribute ospf <other process number> metric-type <type>"

Impact:
Metric type is not changed.

Workaround:
Change metric-type using a route-map applied to the redistribute command.


696755-3 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP provides a client side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached in BIG-IP with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag causing the client to ignore the rest of the response body.

Conditions:
BIG-IP has a virtual where HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}


695985-4 : Access HUD filter has URL length limit (4096 bytes)

Component: Access Policy Manager

Symptoms:
Access HUD filter cannot process a URL if it is longer than 4096 bytes.

Conditions:
Any URL with a request consisting of more than 4096 bytes.

Impact:
The URL cannot be processed, and client gets a RST.

Workaround:
None.


689361-4 : Overwrite configsync can change the status of a pool member from 'unchecked' to 'up' (gateway_icmp monitor)

Component: Local Traffic Manager

Symptoms:
It is possible for an overwrite-configsync to change an 'unchecked' monitor to 'up', when that unchecked monitor references a node that does not respond to ICMP requests. This may occur when a node does not respond to ICMP requests for exactly one of two paired devices, but a configuration change made to one device causes the 'up' status to be propagated to the 'unchecked' device.

Conditions:
Two pool members are monitored; and one references a node not responding to ICMP requests; and a gateway_icmp monitor is on both nodes; and an overwrite-configsync is initiated from a paired device, where the node does respond to ICMP requests from that paired device.

Impact:
The overwrite-configsync causes the 'unchecked' monitor to transition to 'up', when it should remain 'unchecked' for the device to which the node does not respond to ICMP requests.

Workaround:
Ensure network configuration such that a monitored node responds to ICMP requests from both (or neither) of each paired-device. Alternatively, initiate configuration changes only from the device to which the node will not respond to ICMP requests.


686059-4 : FDB entries for existing VLANs may be flushed when creating a new VLAN.

Component: Local Traffic Manager

Symptoms:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN.

Conditions:
- Creating a new VLAN with existing VLANs using trunk members. - STP is enabled on its trunk member.

Impact:
FDB entries on existing VLAN trunk member interfaces may be flushed when creating a new VLAN. This will result in potential network saturation.

Workaround:
To avoid the FDB flushing on trunk member interfaces of existing, unrelated VLANs, ensure that STP is disabled on its trunk member.


684096-4 : stats self-link might include the oid twice

Component: TMOS

Symptoms:
The object ID might be erroneously embedded in the self-link twice.

Conditions:
query for stats such as https://<host>/mgmt/tm/ltm/pool/p1/stats

Impact:
incorrect self-link returned

Workaround:
be mindful when parsing the self-link


683135-1 : Hardware syncookies number for virtual server stats is unrealistically high

Component: TMOS

Symptoms:
In rare situations "tmsh show ltm virtual" shows unrealistically high hardware syncookie numbers.

Conditions:
Virtual server with hardware syncookie protection enabled.

Impact:
Stats issue. No impact to traffic.


679431-4 : In routing module the 'sh ipv6 interface <interface> brief' command may not show header

Component: TMOS

Symptoms:
In the BIG-IP Advanced Routing module the 'sh ipv6 interface <interface> brief' command does not show header

Conditions:
- Advanced Routing module licensed and configured
- From within imish shell, run the command 'sh ipv6 interface <interface> brief'.

Impact:
The header is not shown.

Workaround:
Run the equivalent command without indicating the interface:
sh ipv6 interface brief


679316-7 : iQuery connections reset during SSL renegotiation

Component: Global Traffic Manager (DNS)

Symptoms:
Error in /var/log/gtm:
err gtmd[14797]: 011ae0fa:3: iqmgmt_receive: SSL error: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record

Conditions:
This occurs when a system tries to send data over the iQuery connection while the two endpoints are performing SSL renegotiation.

Note: iQuery connections automatically perform SSL renegotiation every 24 hours.

Impact:
The BIG-IP system is marked 'down' until the connection is reestablished. This usually takes no longer than one second.

Note: This is a subtly different issue from the one (with a very similar error, 140940F5 vs 140940E5) described in Bug ID 477240: iQuery connection resets every 24 hours :: https://cdn.f5.com/product/bugtracker/ID477240.html (K16185: BIG-IP GTM iQuery connections may be reset during SSL key renegotiation :: https://support.f5.com/csp/article/K16185).

This issue occurs even in versions where ID477240 is fixed. There is no fix for this specific trigger of the same message.

Workaround:
There is no workaround at this time.


673357-1 : SWG puts flow in intercept mode when session is not found

Component: Access Policy Manager

Symptoms:
In SWG, flows that should be getting bypassed are placed in intercept mode.

Conditions:
This occurs when the per-request policy receives an https request and a session is not established.

Impact:
In some cases, the client sees certificate warning.

Workaround:
If the access policy is "start->allow"; following iRule can be used for workaround:

when CLIENT_ACCEPTED {
        if { [ACCESS::session exists] } {
            log local0. "Found Access Session"
            log local0. [ACCESS::session exists]
        } else {
          set sid [ACCESS::session create -lifetime 300 -timeout 300 -flow]
          log local0. "No Access Session found, creating $sid"
          ACCESS::session data set session.ui.mode "0"
          ACCESS::session data set session.policy.result "allow"
        }
}


666378-1 : A virtual server's connections per second (precision.last_value) is confusingly named.

Component: Local Traffic Manager

Symptoms:
A virtual server's current connections-per-second statistic has a confusing name. The statistic is maintained when rate limiting is configured for a virtual server. The statistic is updated when the virtual hits a rate-limiting condition, and it stays at the last value it held when the limit was hit.

Conditions:
If the rate limit is never configured then the value is 0. If the rate limit is configured and is hit, then the value is the active count when the limit was hit. The value stays at that count until the limit is hit again.

Impact:
There is no functional impact, but the statistic's meaning is confusing.

Workaround:
The MIB description should clarify the meaning of this statistic.


663946-6 : VCMP host may drop IPv4 DNS requests as DoS IPv6 atomic fragments

Component: Advanced Firewall Manager

Symptoms:
When DNS is under load greater than the AFM-configured rate limit, certain IPv4 packets are categorized as IPv6 atomic fragments and may be dropped due to rate limits.

Conditions:
-- AFM enabled.
-- DNS load greater than AFM-configured rate limit for IPv6 atomic fragments (default 10 KB).

Impact:
May result in lower than expected DNS load test results.

Workaround:
Use either of the following workarounds:
-- Disable AFM.
-- Increase detection limit for IPv6 atomic fragments under AFM.

Note: For AFM HW DoS protection, the host and vCMP guest must be the same version, disable hardware DoS checking on the vCMP guest to prevent this issue. To do so, set sys db dos.forceswdos to 'true'.


660759-1 : Cookie hash persistence sends alerts to application server.

Component: Fraud Protection Services

Symptoms:
When Persistence cookie insert is enabled with a non-default cookie name, the cookie might be overwritten after an alert is handled.

Conditions:
-- Persistence profile in their virtual server.
-- Profile relies on cookie hash persistence.
-- Non-default Cookie name used for cookie persistence.

(Default cookie naming strategy appends Pool Name, which results in two cookies set with different names and different values, leaving the application pool persistence cookie unmodified.)

Impact:
Sends alerts to application server. Traffic might be sent to wrong pool member.

Workaround:
Use an iRule similar to the following to remove persistence cookie in case of alerts:

ltm rule /Common/cookie_persist_exclude_alerts {
    when HTTP_REQUEST {
    
    #enable the usual persistence cookie profile.

    if { [HTTP::path] eq "/<alert-path>/" } {
        persist none
    }
}
}


657834-5 : Extraneous OSPF retransmissions and ospfTxRetransmit traps can be sent

Solution Article: K45005512

Component: TMOS

Symptoms:
When using OSPF with high load and network recalculation there is a possibility of a race condition that can lead to additional OSPF retransmissions being sent out. This might also cause SNMP traps to be sent, if configured on the system.

Conditions:
-- OSPF routing protocol configured.
-- System configured to send SNMP traps.
-- OSPF instability/networking flaps.

Note: The greater the number of routes flapping, the more likely to see the condition.

Impact:
There is no impact on the OSPF processing itself. The additional traffic does not cause failing adjacencies or loss of routing information.

However, this might cause many additional OSPF related traps to be sent, which might cause additional load on the external network monitoring system.

Workaround:
While this does not have a direct workaround, you may want to investigate the cause of the network/OSPF instability that causes the additional retransmissions.


653573-6 : ADMd not cleaning up child rsync processes

Component: Anomaly Detection Services

Symptoms:
ADMd daemon on device is spinning up rsync processes and not cleaning them up properly, causing tons of this zombie processes

Conditions:
If rsync process ends via exit (in the case of some trouble)

Impact:
No technical impact, but there are many zombie processes

Workaround:
Restart admd (bigstart restart admd) to remove all existing rsync zombies.


648621-6 : SCTP: Multihome connections may not expire

Component: TMOS

Symptoms:
SCTP: Multihome connections may not expire when forcibly deleted.

Conditions:
When the multi-homing connections have been forcibly deleted from tmsh command.

Impact:
The multi-homing connections won't be expired.

Workaround:
Don't manually deleted the multi-homing connections.


641450-7 : A transaction that deletes and recreates a virtual may result in an invalid configuration

Solution Article: K30053855

Component: TMOS

Symptoms:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp) may result in an invalid in-memory configuration. This may also result in traffic failing to pass, because TMM rejects the invalid configuration.

Config load error:
    01070095:3: Virtual server /Common/vs_icr_test lists incompatible profiles.

Configuration-change-time error in /var/log/ltm:
    err tmm[22370]: 01010007:3: Config error: Incomplete hud chain for listener: <name>

Conditions:
Deleting and recreating a virtual server within a transaction (via tmsh or iControl REST) and trying to modify the profiles on the virtual server (e.g., changing from fastl4 to tcp).

Impact:
Configuration fails to load in the future.
Traffic fails to pass, because TMM rejects the configuration.

Workaround:
Within tmsh, use the following command: profiles replace-all-with.
Within iControl REST, use three separate calls:
   1. Delete virtual server.
   2. Create virtual server (with an empty profile list).
   3. Modify the virtual server's profile list.


625807-1 : tmm cored in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Conditions:
It is not known exactly what triggers this, but it may be triggered when a connection is aborted in a client-side iRule iRule, this log signature may indicate that this is being triggered:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>

Impact:
Traffic disrupted while tmm restarts.


606032-5 : Network Failover-based HA in AWS may fail

Component: TMOS

Symptoms:
MCPD posts an error that network failover is not configurable:
01071ac2:3: Device-group (/Common/autoscale-group): network-failover property must be disabled in VE-1NIC.

Conditions:
Attempting to setup high availability (HA) in Amazon Web Services (AWS) with only 1 network interface.

Impact:
Configuration of HA in AWS cannot be completed.

Workaround:
The current workaround is to configure HA in AWS with at least 2 network interfaces.


600985-1 : Network access tunnel data stalls

Component: Access Policy Manager

Symptoms:
In certain scenarios, the network access tunnel stays up; however, no data transfer occurs on the tunnel. This issue occurs intermittently.

Conditions:
The cause of this issue is not yet known.

Impact:
Data stalls on the tunnel and hence wont be able to access any applications. However, Edge Client shows the VPN tunnel as 'Connected'.

Workaround:
Manually re-establish the tunnel.


591305-3 : Audit log messages with "user unknown" appear on install

Component: TMOS

Symptoms:
Multiple log entries in /var/log/audit similar to

May 4 11:37:35 localhost notice mcpd[5488]: 01070417:5: AUDIT - client Unknown, user Unknown - transaction #33-1 - object 0 - create_if { db_variable { db_variable_name "version.edition" db_variable_value "<none>" db_variable_sync_type "private_internal" db_variable_data_type "string" db_variable_display_name "Version.Edition" } } [Status=Command OK]

Conditions:
This happens on initial install, it is not yet known what triggers it.

Impact:
This is the result of a daemon on the system not properly identifying itself to mcpd. The log messages can be safely ignored.


581921-5 : Required files under /etc/ssh are not moved during a UCS restore

Solution Article: K22327083

Component: TMOS

Symptoms:
The ssh files required for ssh sign on are not transferred when performing a UCS restore operation.
files are not transferred even during upgrade

Conditions:
This can happen when performing a UCS restore operation.

Impact:
This might affect the operation of ssh.

Workaround:
Add the folder /etc/ssh to the /usr/libdata/configsync/cs.dat file


569859-5 : Password policy enforcement for root user when mcpd is not available

Component: TMOS

Symptoms:
When the mcpd configuration database is not available password policy is not enforced when changing passwords for the user "root" using the command-line utility `passwd`.

Conditions:
Advanced shell access
mcpd is not available
Change root password with the `passwd` utility

Impact:
Root password may be set to a string that does not comply with the current password policy


544958-1 : Monitors packets are sent even when pool member is 'Forced Offline'.

Component: Local Traffic Manager

Symptoms:
If you have a pool member associated with more than one virtual server and the pool member is marked Forced-Offline, the pool monitor will continue to function if the monitor is assigned to both pools.

Conditions:
-- Pools containing identical members.
-- Pool monitoring configured.
-- Pool members are Forced Offline.

Impact:
Monitors packets are sent even when pool member is 'Forced Offline'.

Workaround:
None.


534187-5 : Passphrase protected signing keys are not supported by SAML IDP/SP

Component: Access Policy Manager

Symptoms:
Signing operation may fail if the BIG-IP system is used as a SAML Identity Provider or Service Provider and is configured to use passphrase-protected signing keys.

Conditions:
Private key used to perform digital signing operations is passphrase protected.

Impact:
SAML protocol will not function properly due to inability to sign messages.

Workaround:
To work around the problem, remove the passphrase from the signing key.


504522-4 : Trailing space present after 'tmsh ltm pool members monitor' attribute value

Component: Local Traffic Manager

Symptoms:
Values returned from the tmsh command 'ltm pool pool members monitor' have a trailing space, such as returning '/Common/myhttps ' (note the trailing-space). This trailing-space is also observed for the value returned from a REST call.

Conditions:
'tmsh' or a REST call is used to return the 'monitor' for pool members.

Impact:
Scripts or custom applications processing this returned output may wish to 'trim' whitespace on the value (as a trailing space is present); or should not assume the trailing space will be present in the future (as this behavior is not guaranteed).

Workaround:
Use a script or custom applications to 'trim' trailing whitespace for returned values.


498926 : Client can fail to start a new session in multi-domain SSO.

Component: Access Policy Manager

Symptoms:
A client cannot start a new session from the session expired page if the session expires on the primary auth domain before the policy completes.

Conditions:
-- Configure multi-domain SSO.
-- Client attempts to access an application (www.site.com) and is then redirected to the auth domain (www.primaryauth.com).
-- The auth policy is allowed to expire without completing.

Impact:
The 'start a new session' prompt cannot send the client back to the application to restart the policy, since that information was lost when the session expired. The client must use the back button to return to the application to start a new session.

Workaround:
As a workaround, in Customization, modify the HREF for the Session Expired Message so that it redirects to www.site.com.

In the customization text for the Session Expired Message, replace [SESSION_RESTART_URL] with the session variable %{session.server.network.name}.


486712-5 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.


484683-2 : Certificate_summary is not created at peer when the chain certificate is synced to HA peer.

Component: TMOS

Symptoms:
The other Peer of a high-availability (HA) pair cannot show the summary of cert-chain by 'tmsh run sys crypto check-cert verbose enabled' after config-sync.

Conditions:
Conditions leading to this issue include:
1. On the command line or in the GUI, setup an HA Pair
2. Import Certificate chain to one BIG-IP system.
3. 'run config-sync' to sync the Certificate chain to the peer BIG-IP system.

Impact:
After a ConfigSync operation, the certificate chain summary is not created on other HA peers.

Workaround:
Copy the cert-chain file to a place (such as /shared/tmp/), and update the cert-chain using a command similar to the following:
modify sys file ssl-cert Cert-Chain_Browser_Serv.crt source-path file:/shared/tmp/Cert-Chain_Browser_Serv.crt_58761_1


222220-4 : Distributed application statistics

Component: Global Traffic Manager (DNS)

Symptoms:
Distributed application statistics shows only requests passed to its first wide IP.

Conditions:
Using Distributed application statistics and multiple wide-IP-members.

Impact:
The system does not include statistics for requests passed to other wide-IP-members of the distributed application.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************
Generated: Tue Feb 19 16:37:05 2019 PST
Copyright F5 Networks (2019) - All Rights Reserved