Supplemental Document : BIG-IP 15.1.0.1 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.0

BIG-IP APM

  • 15.1.0

BIG-IP Link Controller

  • 15.1.0

BIG-IP Analytics

  • 15.1.0

BIG-IP LTM

  • 15.1.0

BIG-IP AFM

  • 15.1.0

BIG-IP PEM

  • 15.1.0

BIG-IP FPS

  • 15.1.0

BIG-IP DNS

  • 15.1.0

BIG-IP ASM

  • 15.1.0
Original Publication Date: 12/11/2019 Updated Date: 05/28/2022

BIG-IP Release Information

Version: 15.1.0.1
Build: 4.0

Known Issues in BIG-IP v15.1.x

Functional Change Fixes

None


TMOS Fixes

ID Number Severity Solution Article(s) Description
834853 3-Major   Azure walinuxagent has been updated to v2.2.42


Local Traffic Manager Fixes

ID Number Severity Solution Article(s) Description
862557-1 3-Major   Client-ssl profiles derived from clientssl-quic fail validation

 

Cumulative fix details for BIG-IP v15.1.0.1 that are included in this release

862557-1 : Client-ssl profiles derived from clientssl-quic fail validation

Component: Local Traffic Manager

Symptoms:
After configuring a clientssl-quic profile, you get a validation error:

01b40001:3: A cipher group must be configured when TLS 1.3 is enabled (validation failed for profile /Common/clientssl-f5quic-udp).

Conditions:
This can occur when using the clientssl-quic built-in profile to build a profile that can serve HTTP/3 over QUIC.

Impact:
You are unable to configure a clientssl profile to work with HTTP/3 + QUIC that is also customized to serve the right certificate, etc.

Workaround:
Modify the clientssl-quic profile to have the following properties:
    cipher-group quic
    ciphers none
This requires the following additional config objects:
ltm cipher group quic {
    allow {
        quic { }
    }
}
ltm cipher rule quic {
    cipher TLS13-AES128-GCM-SHA256,TLS13-AES256-GCM-SHA384
    description "Ciphers usable by QUIC"
}

Fix:
Update the built-in configuration to pass validation.


834853 : Azure walinuxagent has been updated to v2.2.42

Component: TMOS

Symptoms:
Some onboarding features are not available in the current version of walinuxagent.

Conditions:
Attempting to use a feature that is not available in the current version of the Azure walinuxagent that is included in the BIG-IP release.

Impact:
Cannot use new features in the Azure walinuxagent until the Azure walinuxagent is updated.

Workaround:
None.

Fix:
The Azure walinuxagent has been updated to v2.2.42



Known Issues in BIG-IP v15.1.x


TMOS Issues

ID Number Severity Solution Article(s) Description
864513-1 1-Blocking   ASM policies didn't load immediately after upgrade to v14.1.0.1
865329-1 2-Critical   WCCP crashes on "ServiceGroup size exceeded" exception
860517-1 2-Critical   MCPD may crash on startup with many thousands of monitors on a system with many CPUs.
856713-3 2-Critical   IPsec crash during rekey
854493-5 2-Critical   Kernel page allocation failures messages in kern.log
849405-2 2-Critical   LTM v14.1.2.1 no log after upgrade
841953-7 2-Critical   A tunnel can be expired when going offline, causing tmm crash
841333-7 2-Critical   TMM may crash when tunnel used after returning from offline
840769-2 2-Critical   Having more than one IKE-Peer version value results in upgrade failure
837637-1 2-Critical   Orphaned bigip_gtm.conf can cause config load failure after upgrading
831821-1 2-Critical   Corrupted DAG packets causes bcm56xxd core on VCMP host
829677-2 2-Critical   .tmp files in /var/config/rest/ may cause /var directory exhaustion
817709-3 2-Critical   IPsec: TMM cored with SIGFPE in racoon2
816233-1 2-Critical   Session and authentication cookies should use larger character set
811701-3 2-Critical   AWS instance using xnet driver not receiving packets on an interface.
811149-2 2-Critical   Remote users are unable to authenticate via serial console.
796601-2 2-Critical   Invalid parameter in errdefsd while processing hostname db_variable
780437-6 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
776393-3 2-Critical   Memory leak in restjavad causing restjavad to restart frequently with OOM
750588-3 2-Critical   While loading large configurations on BIG-IP systems, some daemons may core intermittently.
737322-3 2-Critical   tmm may crash at startup if the configuration load fails
593536-9 2-Critical K64445052 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations
867253-3 3-Major   Systemd not deleting user journals
867181-1 3-Major   ixlv: double tagging is not working
867177-3 3-Major   Outbound TFTP and Active FTP no longer work by default
867013-2 3-Major   Fetching asm policy list from GUI (in LTM policy rule creation) occasionally causes REST timeout
860317-3 3-Major   JavaScript Obfuscator can hang indefinitely
860181-1 3-Major   After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error
858769-6 3-Major   Net-snmp library must be upgraded to 5.8 in order to support SHA-2
858197-2 3-Major   Merged crash when memory exhausted
856953-4 3-Major   IPsec: TMM cored after ike-peer switched version from IKEv2 to IKEv1
853617-1 3-Major   Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles
852565-5 3-Major   On Device Management::Overview GUI page, device order changes
852265-1 3-Major   Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width
851789-2 3-Major   SSL monitors flap with client certs with private key stored in FIPS
851785-3 3-Major   BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver
851021-1 3-Major   Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error
850997-1 3-Major   'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page
846141-1 3-Major   Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.
843661-1 3-Major   TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command
843597-1 3-Major   Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle
842901-1 3-Major   Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.
842669-3 3-Major   Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
841721-2 3-Major   BWC::policy detach appears to run, but BWC control is still enabled
841649-4 3-Major   Hardware accelerated connection mismatch resulting in tmm core
841277-7 3-Major   C4800 LCD fails to load after annunciator hot-swap
838901-4 3-Major   TMM receives invalid rx descriptor from HSB hardware
838337-1 3-Major   The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.
838297-2 3-Major   Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication
837481-7 3-Major   SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID
829821-1 3-Major   Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured
829317-5 3-Major   Memory leak observed when running ICRD child
829193-4 3-Major   REST system unavailable due to disk corruption
828873-3 3-Major   Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor
828789-1 3-Major   Certificate Subject Alternative Name (SAN) limited to 1023 characters
827209-4 3-Major   HSB transmit lockup on i4600
827021-7 3-Major   MCP update message may be lost when primary blade changes in chassis
826313-6 3-Major   Error: Media type is incompatible with other trunk members
821309-1 3-Major   After an initial boot, mcpd has a defunct child "systemctl" process
820213-4 3-Major   'Application Service List' empty after UCS restore
819457-1 3-Major   LTM high availability (HA) sync should not sync GTM zone configuration
818505-1 3-Major   Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
817089-3 3-Major   Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing
814585-1 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
814353-6 3-Major   Pool member silently changed to user-disabled from monitor-disabled
814273-1 3-Major   Multicast route entries are not populating to tmm after failover
812981-6 3-Major   MCPD: memory leak on standby BIG-IP device
812493-4 3-Major   When engineID is reconfigured, snmp and alert daemons must be restarted
811041-7 3-Major   Out of shmem, increment amount in /etc/ha_table/ha_table.conf
810381-2 3-Major   The SNMP max message size check is being incorrectly applied.
807945-3 3-Major   Loading UCS file for the first time not updating MCP DB
807337-5 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
807005-5 3-Major   Save-on-auto-sync is not working as expected with large configuration objects
806073-1 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
803237-2 3-Major   PVA does not validate interface MTU when setting MSS
803157-3 3-Major   LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots
802685-2 3-Major   Unable to configure performance HTTP virtual server via GUI
802281-3 3-Major   Gossip shows active even when devices are missing
799001-1 3-Major   Sflow agent does not handle disconnect from SNMPD manager correctly
798885-4 3-Major   SNMP response times may be long due to processing burden of requests
793121-5 3-Major   Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication
785741-3 3-Major   Unable to login using LDAP with 'user-template' configuration
784733-6 3-Major   GUI LTM Stats page freezes for large number of pools
778513-1 3-Major   APM intermittently drops log messages for per-request policies
767341-1 3-Major   If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.
758781 3-Major   iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates
746758-1 3-Major   Qkview produces core file if interrupted while exiting
730852-1 3-Major   The tmrouted repeatedly crashes and produces core when new peer device is added
719555-3 3-Major   Interface listed as 'disable' after SFP insertion and enable
714216-4 3-Major   Folder in a partition may result in load sys config error
688231-3 3-Major   Unable to set VET, AZOT, and AZOST timezones
654635-1 3-Major K34003145 FTP virtual server connections may rapidly reuse ephemeral ports
615329-1 3-Major   Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces
605675-6 3-Major   Sync requests can be generated faster than they can be handled
587821-10 3-Major   vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.
486997-4 3-Major   The vCMP guest lost watchdog heartbeat, and the host restarted it.
857045-1 4-Minor   LDAP system authentication may stop working
853101-2 4-Minor   ERROR: syntax error at or near 'FROM' at character 17
851393-1 4-Minor   tmipsecd leaves a zombie rm process running after starting up
848681-7 4-Minor   Disabling the LCD on a VIPRION causes blade status lights to turn amber
846521-7 4-Minor   Config script does not refresh management address entry properly when alternating between dynamic and static
838925-7 4-Minor   Rewrite URI translation profile can cause connection reset while processing malformed CSS content
832665-1 4-Minor   The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5
831293-5 4-Minor   SNMP get requests slow to respond.
828625-3 4-Minor   User shouldn't be able to configure two identical traffic selectors
826189-3 4-Minor   The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.
824205-3 4-Minor   GUI displays error when a virtual server is modified if it is using an address-list
822253-1 4-Minor   After starting up, mcpd may have defunct child "run" and "xargs" processes
818737-3 4-Minor   Improve error message if user did not select a address-list or port list in the GUI
818297-3 4-Minor   OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure
816353-3 4-Minor   Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1
757167-3 4-Minor   TMM logs 'MSIX is not supported' error on vCMP guests
722230-1 4-Minor   Cannot delete FQDN template node if another FQDN node resolves to same IP address
706685-1 4-Minor   The web UI becomes unresponsive after certain commands
673573-1 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
832661 5-Cosmetic   Default provisioning for all instances is LTM nominal
818777-2 5-Cosmetic   MCPD error - Trouble allocating MAC address for VLAN object
353607-1 5-Cosmetic   cli global-settings { service number } appears to have no effect


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
860881-3 2-Critical   TMM can crash when handling a compressed response from HTTP server
858429-3 2-Critical   BIG-IP system sending ICMP packets on both virtual wire interface
853329-2 2-Critical   HTTP explicit proxy can crash TMM when used with classification profile
842937-6 2-Critical   TMM crash due to failed assertion 'valid node'
841469-6 2-Critical   Application traffic may fail after an internal interface failure on a VIPRION system.
839401-1 2-Critical   Moving a virtual-address from one floating traffic-group to another does not send GARPs out.
837617-1 2-Critical   Tmm may crash while processing a compression context
835505-1 2-Critical   Tmsh crash possibly related to NGFIPS SDK
824437-7 2-Critical   Chaining a standard virtual server and an ipother virtual server together can crash TMM.
798893-1 2-Critical   Changes to a webacceleration profile are not instantly applied to virtual servers using the profile
726518-1 2-Critical   Tmsh show command terminated with CTRL-C can cause TMM to crash.
552937-6 2-Critical   HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.
868209-3 3-Major   Transparent vlan-group with standard virtual-server and PAT does not translate a destination port.
868033-1 3-Major   SSL option "passive-close" option is unused and should be removed
863401-1 3-Major   QUIC congestion window sometimes increases inappropriately
863165-3 3-Major   Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.
862597-7 3-Major   Improve MPTCP's SYN/ACK retransmission handling
862069-1 3-Major   Using non-standard HTTPS and SSH ports will fail under certain conditions
860277-4 3-Major   Default value of TCP Profile Proxy Buffer High Low changed in 14.1
860005-1 3-Major   Ephemeral nodes/pool members may be created for wrong FQDN name
858701-1 3-Major   Running config and saved config are having different route-advertisement values after upgrading from v12.1.x
853613-4 3-Major   Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp
853145-1 3-Major   TMM cores in certain scenarios with SSL Forward Proxy Bypass
852953-1 3-Major   Accept Client Hello spread over multiple QUIC packets
852873-2 3-Major   Proprietary Multicast PVST+ packets are forwarded instead of dropped
852861-1 3-Major   TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario
852325-1 3-Major   HTTP2 does not support Global SNAT
851477-1 3-Major   Memory allocation failures during proxy initialization are ignored leading to TMM cores
851445-1 3-Major   QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams
851353-1 3-Major   Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request
851101-4 3-Major   Unable to establish active FTP connection with custom FTP filter
851045-1 3-Major   LTM database monitor may hang when monitored DB server goes down
850973-1 3-Major   Improve QUIC goodput for lossy links
850933-1 3-Major   Improve QUIC rate pacing functionality
850873-3 3-Major   LTM global SNAT sets TTL to 255 on egress.
850145-1 3-Major   Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed
848777-3 3-Major   Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.
847325-3 3-Major   Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.
846977-1 3-Major   TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
846873-4 3-Major   Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure
846441-2 3-Major   Flow-control is reset to default for secondary blade's interface
845333-6 3-Major   An iRule with a proc referencing a datagroup cannot be assigned to Transport Config
844085-1 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
843317-3 3-Major   The iRules LX workspace imported with incorrect SELinux contexts
842517-2 3-Major   CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails
842425-1 3-Major   Mirrored connections on standby are never removed in certain configurations
841369-3 3-Major   HTTP monitor GUI displays incorrect green status information
841341-6 3-Major   IP forwarding virtual server does not pick up any traffic if destination address is shared.
840785-1 3-Major   Update documented examples for REST::send to use valid REST endpoints
838353-1 3-Major   MQTT monitor is not working in route domain.
836661-2 3-Major   Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.
832133-1 3-Major   In-TMM monitors fail to match certain binary data in the response from the server.
830797-3 3-Major   Standby high availability (HA) device passes traffic through virtual wire
828601-1 3-Major   IPv6 Management route is preferred over IPv6 tmm route
825245-4 3-Major   SSL::enable does not work for server side ssl
824433-3 3-Major   Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile
823825-7 3-Major   Renaming high availability (HA) VLAN can disrupt state-mirror connection
820333-1 3-Major   LACP working member state may be inconsistent when blade is forced offline
818853-1 3-Major   Duplicate MAC entries in FDB
818833-1 3-Major   TCP re-transmission during SYN Cookie activation results in high latency
818789-7 3-Major   Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile
813701-6 3-Major   Proxy ARP failure
810821-3 3-Major   Management interface flaps after rebooting the device
810533-2 3-Major   SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile
809597-5 3-Major   Memory leak observed when running ICRD child
803629-7 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803233-1 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
803109-3 3-Major   Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows
801549-1 3-Major   Tmm memory utilization growth.
801497-3 3-Major   Virtual wire with LACP pinning to one link in trunk.
790845-4 3-Major   An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default
788753-2 3-Major   GATEWAY_ICMP monitor marks node down with wrong error code
787973-1 3-Major   Potential memory leak when software crypto request is canceled.
786517-5 3-Major   Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address
760406-1 3-Major   HA connection might stall on Active device when the SSL session cache becomes out-of-sync
758599-3 3-Major   IPv6 Management route is preferred over IPv6 tmm route
756313-6 3-Major   SSL monitor continues to mark pool member down after restoring services
720440-6 3-Major   Radius monitor marks pool members down after 6 seconds
714372-5 3-Major   Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari
705112-6 3-Major   DHCP server flows are not re-established after expiration
554506-1 3-Major K47835034 PMTU discovery from management does not work
512490-11 3-Major   Increased latency during connection setup when using FastL4 profile and connection mirroring.
859113-1 4-Minor   Using "reject" iRules command inside "after" may causes core
858309-4 4-Minor   Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart
851757-1 4-Minor   Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION
851425-1 4-Minor   Update QLOG to draft-01
845545 4-Minor   Potential name collision for client-ssl profile named 'clientssl-quic'
844337-4 4-Minor   Tcl error log improvement for node command
839245-3 4-Minor   IPother profile with SNAT sets egress TTL to 255
838405-3 4-Minor   Listener traffic-group may not be updated properly when spanning is in use.
838305-7 4-Minor   BIG-IP may create multiple connections for packets that should belong to a single flow.
834217-7 4-Minor   Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.
832233-1 4-Minor   The iRule regexp command issues an incorrect warning
824365-5 4-Minor   Need informative messages for HTTP iRule runtime validation errors
822025 4-Minor   HTTP response not forwarded to client during an early response
818721-3 4-Minor   Virtual address can be deleted while it is in use by an address-list.
814037-6 4-Minor   No virtual server name in Hardware Syncookie activation logs.
714502-3 4-Minor   bigd restarts after loading a UCS for the first time


Performance Issues

ID Number Severity Solution Article(s) Description
850193-4 3-Major   Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
846713-1 2-Critical   Gtm_add does not restart named
858973-1 3-Major   DNS request matches less specific WideIP when adding new wildcard wideips
852101-1 3-Major   Monitor fails.
844689-1 3-Major   Possible temporary CPU usage increase with unusually large named.conf file
835209-3 3-Major   External monitors mark objects down
813221-5 3-Major   Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync
760471-1 3-Major   GTM iQuery connections may be reset during SSL key renegotiation.
746348-4 3-Major   On rare occasions, gtmd fails to process probe responses originating from the same system.
839361-6 4-Minor   iRule 'drop' command does not drop packets when used in DNS_RESPONSE
774257-4 5-Cosmetic   tmsh show gtm pool and tmsh show gtm wideip print duplicate object types


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
868641-3 2-Critical   Possible TMM crash when disabling bot profile for the entire connection
865981-1 2-Critical   ASM GUI and REST become unresponsive upon license change
865461-1 2-Critical   BD crash on specific scenario
865289-1 2-Critical   TMM crash following DNS resolve with Bot Defense profile
852437-3 2-Critical   Overly aggressive file cleanup causes failed ASU installation
846073-1 2-Critical   Installation of browser challenges fails through Live Update
843801-2 2-Critical   Like-named previous Signature Update installations block Live Update usage after upgrade
825413-4 2-Critical   /var/lib/mysql disk is full
868721-1 3-Major   Transactions are held for a long time on specific server related conditions
867825-4 3-Major   Export/Import on a parent policy leaves children in an inconsistent state
862413-1 3-Major   Broken layout in Threat Campaigns and Brute Force Attacks pages
854177-5 3-Major   ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality
853989-1 3-Major   DOSL7 Logs breaks CEF connector by populating strings into numeric fields
850677-4 3-Major   Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy
850673-1 3-Major   BD sends bad acks to the bd_agent for configuration
849349-5 3-Major   Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db
846181-3 3-Major   Request samples for some of the learning suggestions are not visible
846057-3 3-Major   UCS backup archive may include unnecessary files
844373-1 3-Major   Learning suggestion details layout broken in some browsers
839509-1 3-Major   Incorrect inheritance treatment in Response and Blocking Pages page
839141-1 3-Major   Issue with 'Multiple of' validation of numeric values
837341-1 3-Major   Response and Blocking Pages page: Deception Response pages should not be shown in parent policy
833685-5 3-Major   Idle async handlers can remain loaded for a long time doing nothing
829029-1 3-Major   Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error
793017-3 3-Major   Files left behind by failed Attack Signature updates are not cleaned
742549-3 3-Major   Cannot create non-ASCII entities in non-UTF ASM policy using REST
739618-3 3-Major   When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy
640842-5 3-Major   ASM end user using mobile might be blocked when CSRF is enabled
842265-1 4-Minor   Create policy: trusted IP addresses from template are not shown
841985-5 4-Minor   TSUI GUI stuck for the same session during long actions


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
838709-4 2-Critical   Enabling DoS stats also enables page-load-time
863161-1 3-Major   Scheduled reports are sent via TLS even if configured as non encrypted
830073-2 3-Major   AVRD may core when restarting due to data collection device connection timeout
787677-5 3-Major   AVRD stays at 100% CPU constantly on some systems
863069-1 4-Minor   Avrmail timeout is too small


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
579219-5 2-Critical   Access keys missing from SessionDB after multi-blade reboot.
853325-1 3-Major   TMM Crash while parsing form parameters by SSO.
852313-4 3-Major   VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured
850277-1 3-Major   Memory leak when using OAuth
844781-3 3-Major   [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection
844573-1 3-Major   Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.
844281-3 3-Major   [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.
831781-4 3-Major   AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode
824121-2 3-Major   Using the Websocket profile prevents mouse wheel scroll function
744407-1 3-Major   While the client has been closed, iRule function should not try to check on a closed session
685593-5 3-Major   Access session iRules can fail with error 'Illegal argument'
819233-3 4-Minor   Ldbutil utility ignores '--instance' option if '--list' option is specified


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
833213-1 3-Major   Conditional requests are served incorrectly with AAM policy in webacceleration profile


Service Provider Issues

ID Number Severity Solution Article(s) Description
839389-1 2-Critical   TMM can crash when connecting to IVS under extreme overload
866021-1 3-Major   Diameter Mirror connection lost on the standby due to "process ingress error"
853545-1 3-Major   MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event
842625-5 3-Major   SIP message routing remembers a 'no connection' failure state forever
840821-1 3-Major   SCTP Multihoming not working within MRF Transport-config connections
825013-1 3-Major   GENERICMESSAGE::message's src and dst may get cleared in certain scenarios
803809-4 3-Major   SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.
696348-5 3-Major   "GTP::ie insert" and "GTP::ie append" do not work without "-message" option
859721-1 4-Minor   Using GENERICMESSAGE create together with reject inside periodic after may cause core
836357-5 4-Minor   SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2
793005-1 5-Cosmetic   'Current Sessions' statistic of MRF/Diameter pool may be incorrect


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
802421-6 2-Critical   The /var partition may become 100% full requiring manual intervention to clear space
844597-4 3-Major   AVR analytics is reporting null domain name for a dns query
837233-3 3-Major   "Application Security Administrator" user role cannot manage Dos Profile GUI
813969-5 3-Major   Network DoS reporting events as 'not dropped' while in fact, events are dropped


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
845313-3 2-Critical   Tmm crash under heavy load


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
812705-3 3-Major   'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
767045-4 4-Minor   TMM cores while applying policy


Device Management Issues

ID Number Severity Solution Article(s) Description
718796-5 2-Critical   IControl REST token issue after upgrade
710809-5 2-Critical   Restjavad hangs and causes GUI page timeouts
835517-1 3-Major   After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED"


iApp Technology Issues

ID Number Severity Solution Article(s) Description
842193-1 3-Major   Scriptd coring while running f5.automated_backup script


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
825501-3 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

 

Known Issue details for BIG-IP v15.1.x

868721-1 : Transactions are held for a long time on specific server related conditions

Component: Application Security Manager

Symptoms:
Long request buffers are kept around for a long time in bd.

Conditions:
-- The answer_100_continue internal parameter is turned off (non default) or the version is pre 15.1
-- The server closes the connection while request packets are accumulated.

Impact:
The long request buffers are consumed. You may see a "Too many concurrent long requests" log message and requests with large content lengths will get reset.

Workaround:
There is no workaround that can be done from ASM configuration.
If possible, change the server application settings to wait longer for the request payload in 100-continue request or change the client side application to not work with 100-continue.


868641-3 : Possible TMM crash when disabling bot profile for the entire connection

Component: Application Security Manager

Symptoms:
When using an iRule to disable bot profile, and causing it to be disabled (for the entire connection) during a CAPTCHA challenge -- TMM will crash.

Conditions:
-- Bot Defense profile is attached to the Virtual Server, with a CAPTCHA mitigation.
-- An iRule is attached to the virtual server, which disables bot profile.
-- Sending a request that is responded with a CAPTCHA, then sending (in the same connection), a request that disable the bot profile, and then answering the CAPTCHA.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When using an iRule to disable bot defense profile on certain conditions, add an "else" clause for re-enabling the profile, taking note that all ::disable iRule commands are effective for the entire connection, and not just the transaction.


868209-3 : Transparent vlan-group with standard virtual-server and PAT does not translate a destination port.

Component: Local Traffic Manager

Symptoms:
When BIG-IP is configured with transparent vlan-group, virtual server which does port-translation and traffic hitting BIG-IP does not have a destination MAC address that belongs to BIG-IP - there will be no destination port translation performed on the server-side.

Conditions:
All conditions must be met:
- Transparent vlan-group.
- Virtual server with port translation.
- Traffic has a destination MAC address that does not belong to BIG-IP.

Impact:
Server-side connections will fail.

Workaround:
Use opaque vlan-group instead.


868033-1 : SSL option "passive-close" option is unused and should be removed

Component: Local Traffic Manager

Symptoms:
The SSL profile "passive-close" option is available in TMSH (but not the GUI), but is not actually used.

A side-effect of this issue is: when the "passive-close" option is configured in TMSH, if the profile is later modified in the GUI, the "passive-close" option will be removed from the profile.

Conditions:
-- Modifying a client or server SSL profile in TMSH.

Impact:
The "passive-close" option is not actually used.

Workaround:
Do not use the "passive-close" option.


867825-4 : Export/Import on a parent policy leaves children in an inconsistent state

Component: Application Security Manager

Symptoms:
When overwriting a parent policy with import/replace, elements from the parent policy that were deleted remain in the child policies.

Conditions:
-- A parent policy exists with a child policy that inherits a section in which new configuration elements can be created in the parent policy (like ip address exceptions).
-- An element is deleted from the parent policy, and then the parent policy is exported.
-- The parent policy is then imported to replace a parent policy on a different device to perform the same changes on its children.

Impact:
The children on the different devices are left unexpectedly in different states.


867253-3 : Systemd not deleting user journals

Component: TMOS

Symptoms:
When setting "SystemMaxUse" to any value, systemd does not get honored and the specified size is exceeded

Conditions:
-- Using a Non-TMOS user account with external authentication permission.
-- Systemd-journald is configured to create a user journal for every user that logs into the BIG-IP system.

Impact:
Journald filling up file system size. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Remove journal logs manually.


867181-1 : ixlv: double tagging is not working

Component: TMOS

Symptoms:
If a VLAN tag is configured on the Virtual Function in the host, and the BIG-IP guest is configured to use a tagged VLAN, packets that egress the host on this VLAN contain only the VLAN tag configured on the host (i.e. the BIG-IP's VLAN tag is lost).

Conditions:
- Using a BIG-IP VE.
- A VLAN tag is configured on both the host VF and on the BIG-IP.

Impact:
The BIG-IP's VLAN tag is lost.


867177-3 : Outbound TFTP and Active FTP no longer work by default

Component: TMOS

Symptoms:
When attempting to use TFTP or Active FTP at the BIG-IP command line to transfer files to a remote system, the connection eventually times out and the file is not transferred.

This is expected behavior resulting from the enhancement made in BIG-IP v14.1.0:
"Support for network firewall rules on the management port" :: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote-bigip-14-1-0.html#rn_ltm-tmos_1410_new.

Conditions:
- BIG-IP v14.1.0 or greater.
- Attempt to initiate TFTP or Active FTP from the BIG-IP command line.

Impact:
Unable to use TFTP or Active FTP to transfer files to/from the BIG-IP system.

Workaround:
Important: These legacy protocols do not support secure transport. Sensitive data, including passwords, may be exposed. Better alternatives (sftp, scp, etc.) using encrypted transport should be considered instead.

If you require the use of the disabled, insecure, and/or cleartext-authenticated protocols, you can place the following lines in /config/startup and reboot to enable them.

modprobe nf_conntrack_tftp
modprobe nf_conntrack_ftp

Note: This change is not synced by ConfigSync, and must be applied individually to all devices.


867013-2 : Fetching asm policy list from GUI (in LTM policy rule creation) occasionally causes REST timeout

Component: TMOS

Symptoms:
You are unable to associate new ASM policies to LTM policies, due to REST timeout.

Conditions:
This can be encountered when there is a large number of policies configured in ASM.

Impact:
Unable to associate new ASM policies to LTM policies, due to rest timeout.


866021-1 : Diameter Mirror connection lost on the standby due to "process ingress error"

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, mirrored connections on the standby may be lost when the "process ingress error" log is observed only on the standby, and there is no matching log on the active.

Conditions:
This can happen when there is a large amount of mirror traffic, this includes the traffic processed by the active that requires mirroring and the high availability (HA) context synchronization such as persistence information, message state, etc.

Impact:
Diameter mirror connections are lost on the standby. When failover occurs, these connections may need to reconnect.


865981-1 : ASM GUI and REST become unresponsive upon license change

Component: Application Security Manager

Symptoms:
When there is a license change at the same time as a security update (ex. Threat Campaigns or Attack Signatures), the system can reach a deadlock which blocks some operations, eventually leading to all the REST threads becoming blocked and unresponsive.

Conditions:
A license change occurs at the same time as a security update (ex. Threat Campaigns or Attack Signatures).

Impact:
ASM user interfaces are unresponsive.

Workaround:
Kill asm_config_server.pl or restart ASM


865461-1 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crash on specific scenario

Conditions:
A brute force attack mitigation using captcha or client side challenge.

Impact:
BD crash, failover.

Workaround:
Add an iRule that removes the query string from the referrer header only for the login page POSTs.


865329-1 : WCCP crashes on "ServiceGroup size exceeded" exception

Component: TMOS

Symptoms:
Under general usage; WCCP crashes with a "ServiceGroup size exceeded" exception.

Conditions:
Have WCCP service groups configured.

Impact:
WCCP throws an exception and crashes.

Workaround:
None.


865289-1 : TMM crash following DNS resolve with Bot Defense profile

Component: Application Security Manager

Symptoms:
TMM may crash when Bot Defense is enabled and network DNS is configured.

Conditions:
This can occur when is Bot Defense enabled and network DNS is configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
N/A


864513-1 : ASM policies didn't load immediately after upgrade to v14.1.0.1

Component: TMOS

Symptoms:
ASM policies didn't load immediately after upgrade to v14.1.0.1 or later version because selinux policy was incorrect for some files after up-gradation.This is selinux issue.

Conditions:
1) Install and configure ASM including a number of active policies on virtual servers on version 13.1
2) Upgrade to version 14.1 or 15.x

Impact:
Traffic will start failing due to ASM policies not loading after upgrade.

Workaround:
Remove policy from the ASM profiles from the virtual servers and do the upgrade.
Apply policy after upgrade.


863401-1 : QUIC congestion window sometimes increases inappropriately

Component: Local Traffic Manager

Symptoms:
When QUIC is discovering the link bandwidth, it sometimes increases the congestion window when there is not enough available data to use the existing congestion window.

Conditions:
When the application is not generating enough data, or any streams with data are stream flow control limited.

Impact:
In some cases, the congestion window can be too large for the path and cause packet losses if it is later fully utilized.

Workaround:
None


863165-3 : Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members.

Component: Local Traffic Manager

Symptoms:
For the i4x00 and 4000 platforms, egress trunk distribution will be unbalanced if the number of trunk members is not a power of 2.

Conditions:
A trunk is configured with an odd number of trunk interfaces or a trunk member goes down such that the number of working members is odd.

Impact:
Uneven traffic distribution. Some interfaces will see more traffic than others.

Workaround:
Insure the number of trunk interfaces is a power of 2: 2, 4, or 8.


863161-1 : Scheduled reports are sent via TLS even if configured as non encrypted

Component: Application Visibility and Reporting

Symptoms:
The scheduled report email is sent from BIG-IP using TLS even if configured to not use encryption. When the mail server TLS is outdated it may lead to failure of the mail delivery.

Conditions:
The scheduled reports are enabled and configured to use a mail server which reports TLS capability.

Impact:
The minor impact is unexpected behaviour. In rare cases it may lead to malfunction of the scheduled reports.


863069-1 : Avrmail timeout is too small

Component: Application Visibility and Reporting

Symptoms:
AVR report mailer times out prematurely and reports errors:

AVRExpMail|ERROR|2019-11-26 21:01:08 ECT|avrmail.php:325| PHPMailer exception while trying to send the report: SMTP Error: data not accepted.

Conditions:
Configure reports, which will be sent to e-mail

Impact:
Error response from SMTP server, and the report is not sent

Workaround:
Increase timeout in avrmail.php via bash commands


862597-7 : Improve MPTCP's SYN/ACK retransmission handling

Component: Local Traffic Manager

Symptoms:
- MPTCP enabled TCP connection is in SYN_RECEIVED state.
- TMM cores.

Conditions:
- MPTCP is enabled.
- SYN/ACK (with MP_JOIN or MP_CAPABLE) sent by the BIG-IP is not ACKed and needs to be retransmitted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable MPTCP option in the TCP profile.


862413-1 : Broken layout in Threat Campaigns and Brute Force Attacks pages

Component: Application Security Manager

Symptoms:
Horizontal scroll added to the page unnecessarily.

Conditions:
This occurs when viewing the Threat Campaigns or Brute Force Attacks page in any browser

Impact:
The horizontal scroll bar breaks the intended page layout.

Workaround:
N/A


862069-1 : Using non-standard HTTPS and SSH ports will fail under certain conditions

Component: Local Traffic Manager

Symptoms:
On all versions 12.1.0 or above, if you try to change the HTTPS port (e.g. to 8443) and then expose the management UI via a self IP in a non-zero route domain, it won't work.

In versions 14.1.0 and above on VEs, attempting to manage a BIG-IP over a self IP can fail if all these conditions are met:
   - Non-standard HTTPS port used.
   - No TMM default route configured.
      - No route to the client IP configured.

Conditions:
-- Modify the default HTTPS and/or default SSH ports.

And either:

On 12.1.0 and above:
-- Expose the management UI and/or CLI via a self IP in a non-zero route domain.

... or:

On 14.1.0 and above:
-- No TMM default route configured.
-- No route to the client IP configured.

Impact:
Unable to access BIG-IP GUI on non-standard HTTPS port, and/or unable to access BIG_IP CLI on non-standard SSH port.


860881-3 : TMM can crash when handling a compressed response from HTTP server

Component: Local Traffic Manager

Symptoms:
TMM crashes while handling HTTP response

Conditions:
HTTP virtual server performing decompression of response data from a server, e.g. because a rewrite profile is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable compression on the server.


860517-1 : MCPD may crash on startup with many thousands of monitors on a system with many CPUs.

Component: TMOS

Symptoms:
MCPD can crash with out of memory when there are many bigd processes (systems with many CPU cores) and many pool members/nodes/monitors.

As a guideline, approximately 100,000 pool members, nodes, and monitors can crash a system that has 10 bigd processes (BIG-IP i11800 platforms). tmm crash

Conditions:
-- Tens of thousands of pool members, nodes, and/or monitors.
-- Multiple (generally 6 or more) bigd processes.
-- System startup or bigstart restart.

Impact:
The mcpd process crashes. Traffic disrupted while mcpd restarts.

Workaround:
Set the db variable bigd.numprocs to a number smaller than the number of bigd processes currently being started.


860317-3 : JavaScript Obfuscator can hang indefinitely

Component: TMOS

Symptoms:
High CPU usage by obfuscator for an extended period of time.

Conditions:
Occurs very rarely, when FPS or L7 DDoS protection are enabled.

Impact:
High CPU Usage.

Workaround:
Kill the obfuscator process


860277-4 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1

Component: Local Traffic Manager

Symptoms:
Version: 13.1.3.1

# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 49152
    proxy-buffer-low 32768
}

       proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 49152.

       proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 32768.

Version: 14.1.2.2

# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 65535
    proxy-buffer-low 32768
}


proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 131072.

proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 98304.

Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh

Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.


860181-1 : After sync failure due to lack of local self-IP on the peer, adding in the self-IP does not resolve the sync error

Component: TMOS

Symptoms:
If you have BIG-IPs in a Device Service Cluster, and you attempt to sync a new floating self-IP over to a standby on a VLAN that the standby does not currently have a non-floating self-IP on, you will get an error and the sync will fail. This is the correct behavior. The issue, though, is that if you subsequently create a non-floating self-IP on the standby in order to rectify this issue, the sync will still fail.

Conditions:
-- BIG-IPs configured in a Device Service Cluster.
-- Device group is configured to use Automatic Sync or Manual with Incremental sync.
-- Attempting to sync a floating self-IP to a system that does not have a non-floating self-IP on the same VLAN.

Impact:
You are unable to sync BIG-IPs. Both devices will be out of sync and you will see an error displayed:

01070355:3: Self IP <address> is declared as a floating address but there is no non-floating address defined for this network

Even after you add a non-floating self-IP on the affected device, a subsequent config sync does not fix the error.

Workaround:
If you make any other configuration change that generates a config sync, this will correct itself after the other device has added a non-floating Self-IP.

Otherwise, this can be corrected by doing a full config sync, and can be done via the GUI or via tmsh.

In the GUI, change the Sync Type for the device group to Manual with Full Sync, and then do a config sync.

In tmsh, the command is:
run cm config-sync force-full-load-push to-group <affected_device_group>


860005-1 : Ephemeral nodes/pool members may be created for wrong FQDN name

Component: Local Traffic Manager

Symptoms:
Under rare timing conditions, one or more ephemeral nodes and pool members may be created for the wrong FQDN name, resulting in one or more ephemeral pool members being created incorrectly for a given pool.

Conditions:
This problem occurs when a DNS Request is sent to resolve a particular FQDN name with the same DNS Transaction ID (TXID) as another DNS Request currently pending with the same DNS name server. When this occurs, the IP addresses returned in the first DNS Response received with that TXID may be incorrectly associated with a pending DNS Request with the same TXID, but for a different FQDN name which does not actually resolve to those IP addresses.

The timing conditions that produce such duplicate TXIDs may be produced by one or more of the following factors:
1. Many FQDN names to be resolved.
2. Short DNS query interval values configured for the FQDN template nodes (or short TTL values returned by the DNS name server with the query interval configured as 'ttl').
3. Delayed responses from the DNS name server causing DNS queries to remain pending for several seconds.

Impact:
When this issue occurs, traffic may be load-balanced to the wrong members for a given pool.

Workaround:
It may be possible to mitigate this issue by one or more of the following actions:

-- Ensuring that the DNS servers used to resolve FQDN node names have sufficient resources to respond quickly to DNS requests.

-- Reducing the number of FQDN template nodes (FQDN names to be resolved).

-- Reducing the frequency of DNS queries to resolve FQDN node names (FQDN names) by either increasing the 'interval' value configured for FQDN template nodes, or by increasing the TTL values for DNS zone records for FQDN names for FQDN nodes configured with an 'interval' value of 'ttl'.


859721-1 : Using GENERICMESSAGE create together with reject inside periodic after may cause core

Component: Service Provider

Symptoms:
In iRules, when "GENERICMESSAGE::message create" is called after "reject" command inside "after -periodic", it may cause core. Below is an example iRules.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859113.

Conditions:
GENERICMESSAGE::message create" is called after "reject" inside "after -periodic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event


859113-1 : Using "reject" iRules command inside "after" may causes core

Component: Local Traffic Manager

Symptoms:
In iRules, when "reject" is used inside "after -periodic" and it is followed by "GENERICMESSAGE::message create". It may trigger a tmm core. Below is an example iRule.

when CLIENT_ACCEPTED {
    ... omitted ...
    after 1000 -periodic {
        ... omitted ...
        reject
        GENERICMESSAGE::message create "test"
    }
}

This relates to ID 859721

Conditions:
- "reject" is used inside "after -periodic"
- it is followed by "GENERICMESSAGE::message create"

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There are 2 possible work-arounds
- use "return" command after "reject" to exit after script immediately after "reject" command is invoked
- add routine to cancel the after in CLIENT_CLOSED event


858973-1 : DNS request matches less specific WideIP when adding new wildcard wideips

Component: Global Traffic Manager (DNS)

Symptoms:
After adding a new wildcard wideip, DNS requests start matching the wildcard even if a more specific wildcard wideip should match.

Conditions:
New less specific Wildcard WideIPs are created.

Impact:
DNS request matches less specific WideIP.

Workaround:
# tmsh load sys config gtm-only
or
restart tmm


858769-6 : Net-snmp library must be upgraded to 5.8 in order to support SHA-2

Component: TMOS

Symptoms:
The net-snmp 5.7.2 library does not support extended key lengths for SHA and AES protocols used for SNMPv3 authentication and privacy protocols.

Conditions:
When the BIG-IP net-snmp libraries are version 5.7.2, or earlier, than only SHA and AES are available for configuring trap sessions and users in SNMPv3.

Impact:
The longer keys lengths for SNMPv3 cannot be used.


858701-1 : Running config and saved config are having different route-advertisement values after upgrading from v12.1.x

Component: Local Traffic Manager

Symptoms:
If you upgrade a 12.1.x device with route advertisement enabled, there will be a difference between the running configuration and the saved configuration post upgrade.

-- In the running configuration, the word 'enabled' changes to 'selective'.
-- In bigip.conf, the setting is still set to 'enabled'.

Conditions:
-- Upgrading a v12.1.x device with route advertisement enabled.
-- After saving config both the running-config and bigip.conf are having same value i.e., 'selective'.
-- Load the configuration (tmsh load sys config).

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
After the running config is set to the 'diabled' value, reload the configuration again using the following command to set the running config and saved config to to 'selective':

tmsh load sys config


858429-3 : BIG-IP system sending ICMP packets on both virtual wire interface

Component: Local Traffic Manager

Symptoms:
ICMP packets are forwarded to both virtual wire interface, which causes MAC-Flip on the connected switches.

Conditions:
-- Ingress ICMP packet is on one TMM.
-- Egress is on another TMM.

Impact:
Traffic is disrupted in the network.

Workaround:
None.


858309-4 : Setting a self IP with an IPv6 Address with an embedded IPv4 address causes tmm to continually restart

Component: Local Traffic Manager

Symptoms:
TMM keeps restarting after setting a self IP to an IPv6 address with an embedded IPv4 address in TMSH.

Conditions:
Set self IP to an IPv6 address with an embedded Ipv4 address using tmsh.

Impact:
Tmm restarts repeatedly. Traffic disrupted while tmm restarts.

Workaround:
Set self IP to IPv4 address.


858197-2 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system


857045-1 : LDAP system authentication may stop working

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

tmsh start sys service nslcd


856953-4 : IPsec: TMM cored after ike-peer switched version from IKEv2 to IKEv1

Component: TMOS

Symptoms:
TMM cores.

Conditions:
Occured when IKE peer version changed from IKEv2 to IKEv1, leading to an attempt of renegotiating IPsec tunnel.

Impact:
Traffic disrupted while tmm restarts.


856713-3 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.


854493-5 : Kernel page allocation failures messages in kern.log

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the following VIPRION blade models:

- B2250 (A112)
- B4300 (A108)
- B4340N (A110)
- B4450 (A114)

Please note the issue is known to occur regardless of whether or not the system is running in vCMP mode, and regardless of whether the system is Active or Standby.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this as follows:
-- 64 MB (65536 KB for 2250 blades)
-- 48 MB (49152 KB for B4300 blades)
-- 128 MB (131072 KB for 4450 blades)

You must do this on each blade installed in the system.

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID753650' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID753650' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades, and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


854177-5 : ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality

Component: Application Security Manager

Symptoms:
Whenever a pool IP address is modified, an update is sent to bd regardless of whether that pool is relevant to ASM. When these updates occur frequently, as can be the case for FQDN nodes that honor DNS TTL, latency can be introduced in ASM handling.

Conditions:
Pool nodes have frequent IP address updates, typically due to an FQDN node set to honor DNS TTL.

Impact:
Latency is introduced to ASM handling.

Workaround:
Set the fast changing nodes to static updates every hour.


853989-1 : DOSL7 Logs breaks CEF connector by populating strings into numeric fields

Component: Application Security Manager

Symptoms:
Dosl7 remote logger messages breaks ArcSight CEF connector when using ArcSight destination format. CEF Logs are dropped.

Conditions:
- ASM provisioned
- Dos profile attached to a virtual server
- Dos application protection enabled
- Logging profile configured with ArcSight format attached to a virtual

Impact:
ArcSight server might be broken after getting dosl7 attack detection messages from the BIG-IP.

Workaround:
BIG-IP iRule or another proxy can be used to intercept ArcSight messages and strip the a string portion from ArcSight numeric type fields.


853617-1 : Validation does not prevent virtual server with UDP, HTTP, SSL, (and OneConnect) profiles

Component: TMOS

Symptoms:
Validation does not prevent specific configuration, but reports errors. In newer versions:

-- err tmm1[7019]: 01010008:3: Proxy initialization failed for /Common/vs_test. Defaulting to DENY.
-- err tmm1[7019]: 01010008:3: Listener config update failed for /Common/vs_test: ERR:ERR_ARG

In older versions:

-- err tmm[23118]: 01010007:3: Config error: virtual_server_profile no suitable hudchain
-- err tmm[23118]: 01010007:3: Config error: add virtual server profile error

Conditions:
Creating a virtual server with UDP, HTTP, SSL, (and OneConnect) profiles.

Impact:
Virtual server is defined and in configuration, but does not pass traffic.

On v12.1.x and v13.0.0, attempts to recover from this configuration can leave TMM in a bad state, which can then result in a TMM crash.

Workaround:
None.


853613-4 : Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp

Component: Local Traffic Manager

Symptoms:
A TCP connection hangs occasionally.

Conditions:
-- The TCP connection is on the clientside.
-- sys db tm.tcpsendrandomtimestamp is enabled (default is disabled).
-- A virtual server's TCP's Verified Accept and Timestamps are both enabled.

Impact:
TCP connections hangs, and data transfer cannot be completed.

Workaround:
You can use either of the following workarounds:
-- Disable tm.tcpsendrandomtimestamp.
-- Disable either the TCP's Verified Accept or Timestamps option.


853545-1 : MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event

Component: Service Provider

Symptoms:
For each message dropped during GENERICMESSAGE_INGRESS, memory is leaked.

Conditions:
Usage of GENERICMESSAGE::message drop iRule command during GENERICMESSAGE_INGRESS event will leak memory.

Impact:
As more memory is leaked, less memory is available for message processing, eventually leading to a core.

Workaround:
Use MR::message drop during MR_INGRESS event instead to drop a message.


853329-2 : HTTP explicit proxy can crash TMM when used with classification profile

Component: Local Traffic Manager

Symptoms:
The BIG-IP system may serve HTTP traffic as forward proxy and use DNS resolver objects to provide a server to connect to for request processing. When a classification profile is attached to the virtual server, it may result in a TMM crash with regards to some HTTP requests.

Conditions:
-- PEM is provisioned.
-- HTTP explicit proxy is configured on a virtual server.
-- A classification profile attached to the virtual server.

Impact:
TMM crashes, causing failover. Traffic disrupted while tmm restarts.

Workaround:
None.


853325-1 : TMM Crash while parsing form parameters by SSO.

Component: Access Policy Manager

Symptoms:
When a form is received in the response, TMM crashes when SSO identifies the form parameter, and logs the Form parameter value and type in SSOv2 form-based passthrough log.

Conditions:
-- When any of the form parameters that SSO receives in the response does not have a value.
-- Passthrough mode is enabled in SSO.

Impact:
TMM crash when Passthrough mode is enabled in SSO. Traffic disrupted while tmm restarts.

Workaround:
Do not use Passthrough mode with SSO.


853145-1 : TMM cores in certain scenarios with SSL Forward Proxy Bypass

Component: Local Traffic Manager

Symptoms:
TMM cores in certain scenarios with SSL Forward Proxy Bypass.

Conditions:
-- Virtual server with SSL profiles.
-- SSL Forward proxy is enabled.
-- SSL Forward proxy bypass is enabled.

Impact:
TMM cores. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


853101-2 : ERROR: syntax error at or near 'FROM' at character 17

Component: TMOS

Symptoms:
After clicking UI Security :: Network Firewall : Active Rules, /var/log/ltm reports the following error message:
--warning postgres ERROR: syntax error at or near 'FROM' at character 17.

Conditions:
Enabled turboflex-security and AFM module.

Impact:
-- Possible leak of postgres database connections.
-- A warning log message is created, but the system continues to function normally.

Workaround:
None.


852953-1 : Accept Client Hello spread over multiple QUIC packets

Component: Local Traffic Manager

Symptoms:
A QUIC connection does not complete the handshake successfully when the Client Hello spans multiple initial packets.

Conditions:
-- QUIC is in use.
-- A Client Hello is received that spans multiple packets.

Impact:
QUIC is unable to process a Client Hello that spans multiple packets.

Workaround:
None.


852873-2 : Proprietary Multicast PVST+ packets are forwarded instead of dropped

Component: Local Traffic Manager

Symptoms:
Since BIG-IP does not recognize proprietary multicast MACs like PVST+ (01:00:0c:cc:cc:cd) when STP is disabled it won't be able to drop those frames. Instead it would treat those as L2 multicast frames and forward between 2 interfaces.

Conditions:
STP disabled
All platforms except 2000 series, 4000 series, i2000 series, i4000 series and i850

Impact:
PVST+ (01:00:0c:cc:cc:cd), a proprietary multicast MAC will be forwarded instead of discarded even though when STP is disabled

Workaround:
Not available


852861-1 : TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario

Component: Local Traffic Manager

Symptoms:
TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL and httprouter profiles.
-- 0-RTT connection resumption in progress.

Impact:
TMM cores intermittently.

Workaround:
No workaround.


852565-5 : On Device Management::Overview GUI page, device order changes

Component: TMOS

Symptoms:
When manual device group sync is enabled, the device with the most recent change will be displayed at the top of the Device Management::Overview GUI page.

Conditions:
-- Multiple devices in a device group
-- Device group has manual config sync enabled
-- A change is made on a device

Impact:
When the list loads, the device with the most recent changes is displayed at the top. This can make the device order appear to be inconsistent, and can create confusion when doing manual config sync if you are expecting the order to be always consistent.


852437-3 : Overly aggressive file cleanup causes failed ASU installation

Component: Application Security Manager

Symptoms:
Directory cleanup for for failed Attack Signature Updates was too aggressive and may delete needed files in the middle of the installation itself and cause it to fail.

Conditions:
An Attack Signature Update runs at the same time as the file cleanup task.

Impact:
The Attack Signature Update fails to complete successfully.

Workaround:
The Attack Signature Update can be retried.


852325-1 : HTTP2 does not support Global SNAT

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.


852313-4 : VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured

Component: Access Policy Manager

Symptoms:
VMware Horizon clients cannot ,connect to APM and /var/log/apm contains hte following error:
... err tmm3[12345]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_BOUNDS. File: ../modules/hudfilter/access/access.c, Function: access_do_internal_retry, Line: 16431

Conditions:
-- Access Policy has 'VMware View Logon Page' agent configured with 'Kerberos Authentication'.
-- The policy has been in use for some time.

Impact:
VMware Horizon client cannot connect to APM after some time.

Workaround:
None.


852265-1 : Virtual Server Client and Server SSL profile list boxes no longer automatically scale for width

Component: TMOS

Symptoms:
The 'SSL Profile (Client)' and 'SSL Profile (Server)' listboxes (both 'Selected' and 'Available') now have a fixed width when viewing Virtual Server settings.

Conditions:
-- An SSL profile (client or server) with a long name.
-- Accessing the Virtual Server settings page in the GUI.

Impact:
If many SSL profiles start with the same several letters, it may be impossible to detect which one is the desired profile.

Workaround:
None.


852101-1 : Monitor fails.

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d fails external monitor SIP_monitor because GTM SIP Monitors need to be running as privileged.

Conditions:
TLS SIP monitor on pool member requiring client auth.

Impact:
Big3d fails external monitor SIP_monitor.

Workaround:
The only workaround is to allow world reading of key files in the filestore, however, this is not ideal as it exposes potentially sensitive data.


851789-2 : SSL monitors flap with client certs with private key stored in FIPS

Component: TMOS

Symptoms:
Bigd reporting 'overload' or 'overloaded' in /var/log/ltm.
SSL monitors flapping while the servers are available.

Conditions:
-- FIPS-enabled platform.
-- HTTPS monitors using client-cert authentication where the key is stored in FIPS HSM.
-- Large number of monitors or low interval.

Impact:
Periodic service interruption depending on which monitors are flapping. Reduced number of available servers.

Workaround:
-- Increase the interval on the monitors.
-- Switch the monitors to use software keys.


851785-3 : BIG-IP 10350V-F platform reported page allocation failures in N3FIPS driver

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system logs kernel page allocation failures to the /var/log/kern.log file. The first line of the output appears similar to the following example:

swapper/13: page allocation failure: order:2, mode:0x204020

After that, a stack trace follows. The process name in the line ('swapper/16', in this example). You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This issue is known to occur on the appliance 10350V-F D112.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You can work around this issue by increasing the value of the min_free_kbytes kernel parameter. This controls the amount of memory that is kept free for use by special reserves.

It is recommend to increase this to 128 MB (131072 KB).

When instantiating this workaround, you must consider whether you want the workaround to survive only reboots, or to survive reboots, upgrades, RMAs, etc. This is an important consideration to make, as you should stop using this workaround when this issue is fixed in a future version of BIG-IP software. So consider the pros and cons of each approach before choosing one.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID 851785' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID851785' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on the BIG-IP appliance and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the BIG-IP appliance and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"


851757-1 : Receiving a TLS END_OF_EARLY_DATA message in QUIC is a PROTOCOL_VIOLATION

Component: Local Traffic Manager

Symptoms:
When a TLS END_OF_EARLY_DATA message is received by QUIC, a CONNECTION_CLOSE frame with a CRYPTO_ERROR is produced. However, the error should be a PROTOCOL_VIOLATION.

Conditions:
-- QUIC is in use.
-- A TLS END_OF_EARLY_DATA message is received.

Impact:
A CRYPTO_ERROR is produced, however, the error should be PROTOCOL_VIOLATION.

Workaround:
None.


851477-1 : Memory allocation failures during proxy initialization are ignored leading to TMM cores

Component: Local Traffic Manager

Symptoms:
Memory allocation failures during proxy initialization are ignored. TMM cores when trying to access uninitialized memory.

Conditions:
-- HTTP or HTTP/2 virtual server with httprouter profile.
-- Low memory or fragmented memory on the system when configuration is being loaded.

Impact:
TMM cores when accessing uninitialized memory.

Workaround:
No workaround.


851445-1 : QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams

Component: Local Traffic Manager

Symptoms:
QUIC profile has a field for maximum uni-streams. This represents the number of concurrent uni-streams that the peer can create. If HTTP/3 is also configured on the virtual, then the value for uni-streams should ne >=3. The peer should be able to create at least 3 uni-streams, for control, encoder and decoder.

Conditions:
QUIC, HTTP/3, SSL and httprouter profiles are configured on the virtual. QUIC client tries to establish a connection with Big-IP. HTTP/3 is negotiated in ALPN.

Impact:
If fewer than 3 max uni-streams are configured, HTTP/3 transactions will not be successful.

Workaround:
Configure correct value of max uni-streams in QUIC profile.


851425-1 : Update QLOG to draft-01

Component: Local Traffic Manager

Symptoms:
The BIG-IP QLOG implementation is currently on draft-00, and draft-01 has been released.

Conditions:
QUIC and QLOG are in use.

Impact:
Existing third-party applications might remove support for QLOG draft-00 at some point.

Workaround:
None.


851393-1 : tmipsecd leaves a zombie rm process running after starting up

Component: TMOS

Symptoms:
After booting the system, you notice zombie 'rm' processes:

$ top -b | awk '$8=="Z"'
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm
14461 root 20 0 0 0 0 Z 0.0 0.0 0:00.00 rm

Restarting tmipsecd will kill the zombied process but will start a new one.

Conditions:
IPSEC is enabled

Impact:
A zombie 'rm' process exists. There should be no other impact.


851353-1 : Connection reset with incorrect error code when invalid or malformed header is received in an HTTP/3 request

Component: Local Traffic Manager

Symptoms:
Invalid pseudo header or malformed header in an HTTP/3 request should result in resetting of the stream with error code of HTTP3_GENERAL_PROTOCOL_ERROR. Instead the connection is reset with HTTP3_UNEXPECTED_FRAME error code.

Conditions:
-- Virtual server with QUIC, HTTP/3, HTTP, SSL, and httprouter profiles.
-- HTTP/3 header frame from client with invalid or malformed header is received.

Impact:
Connection is reset with incorrect error code, instead of just the individual stream.

Workaround:
No workaround.


851101-4 : Unable to establish active FTP connection with custom FTP filter

Component: Local Traffic Manager

Symptoms:
Unable to establish active FTP connection with custom FTP filter.

Conditions:
All of the following conditions are true:
-- Virtual server using custom FTP filter.
-- FTP filter has port (port used for data channel) set to 0 (zero).
-- Virtual server has source-port set to preserve-strict.
-- Using active FTP through the virtual server.

Impact:
-- The active FTP data channel is reset.
-- Commands that require data channel in active mode fail.

Workaround:
-- Change source-port to change or preserve.
-- Set port on FTP filter to be used for data channel.
-- Use passive FTP.


851045-1 : LTM database monitor may hang when monitored DB server goes down

Component: Local Traffic Manager

Symptoms:
When multiple database servers are monitored by LTM database (MSSQL, MySQL, PostgreSQL, Oracle) monitors and one database server goes down (such by stopping the database server process), a deadlock may occur in the LTM database monitor daemon (DBDaemon) which causes an interruption in monitoring of other database servers.
When this occurs, one database server going down may cause all monitored database servers to be marked Down for several minutes until the blocking operation times out and normal monitoring can resume.

Conditions:
This may occur when:
1. Running a version of BIG-IP or an Engineering Hotfix which contains fixes for bugs ID769309 and ID775901.
2. Stopping a monitored database server process (such as by halting the database service).

Impact:
Monitoring of database servers may be interrupted for up to several minutes, causing monitored database servers to be marked Down. This may persist for several minutes until the blocking operation times out, the backlog of blocked DB monitor threads are processed to completion, and normal DB monitoring resumes.

Workaround:
You can prevent this issue from occurring by using a different LTM monitor type (such as a TCP monitor or external monitor) to monitor the database servers.


851021-1 : Under certain conditions, 'load sys config verify file /config/bigip.conf' may result in a 'folder does not exist' error

Component: TMOS

Symptoms:
TMSH error example:

Configuration error: Can't associate ASM device sync (/Common/testsync/staging.example.com) folder does not exist

Conditions:
The conditions under which this occurs are unknown.

Impact:
Load of config file fails with an error that the folder does not exist.

Workaround:
Use 'tmsh load sys config verify', without specifying a specific file.


850997-1 : 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page

Component: TMOS

Symptoms:
The SNMPD daemon no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page.

Conditions:
Viewing the page at:

System :: High Availability : Fail-safe : System

Impact:
Unable to configure the high availability (HA) settings for the snmpd high availability (HA) daemon through the GUI.

Workaround:
Use TMSH to modify the snmpd high availability (HA) settings.


850973-1 : Improve QUIC goodput for lossy links

Component: Local Traffic Manager

Symptoms:
QUIC gets lower goodput compared to TCP when tested on lossy links.

Conditions:
The tested links are lossy (e.g, 0.1% loss probability).

Impact:
QUIC completes the data transfer in longer time.

Workaround:
N/A


850933-1 : Improve QUIC rate pacing functionality

Component: Local Traffic Manager

Symptoms:
QUIC rate pacing becomes dis-functional under some conditions.

Conditions:
- QUIC rate pacing is in use.
- Packet size becomes slightly larger than available rate pacing bytes.

Impact:
QUIC rate pacing becomes noneffective which leads to sending data more bursty.

Workaround:
N/A


850873-3 : LTM global SNAT sets TTL to 255 on egress.

Component: Local Traffic Manager

Symptoms:
When using the global SNAT feature on LTM, IPv4 TTL/IPv6 Hop-Limit values may be erroneously set to 255/64 on egress.

Conditions:
Traffic is handled by global SNAT.

Impact:
TTL on egress is set to 255/; Hop-Limit on egress is set to 64.

Workaround:
None.


850677-4 : Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy

Component: Application Security Manager

Symptoms:
Non-ASCII parameter static values are garbled when created in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII parameter static values using REST.

Impact:
Parameter static values containing non-ASCII characters are garbled when created using REST.

Workaround:
Use UTF-8.


850673-1 : BD sends bad acks to the bd_agent for configuration

Component: Application Security Manager

Symptoms:
The bd_agents stops sending configuration in the middle of startup or a configuration change.
The policy maybe incomplete in the bd causing a wrong enforcement.

Conditions:
This is a rare issue and the exact conditions that trigger it are unknown.

Impact:
Bd_agent hangs or restarts which may cause a complete asm restart (and failover).
A partial policy may exist in bd causing improper enforcement.

Workaround:
Export and import the policy in case the policy is enforced incorrectly and un-assigning / re-assigning does not help.


850277-1 : Memory leak when using OAuth

Component: Access Policy Manager

Symptoms:
Tmm memory usage keeps going up when passing multiple HTTP requests through a kept-alive TCP connection carrying an OAuth token as bearer in the Authorization header.

Conditions:
-- Multiple HTTP requests through a kept-alive TCP connection.
-- Requests carry an OAuth token as bearer in the Authorization header.

Impact:
Memory leak occurs in which tmm memory usage increases.

Workaround:
None.


850193-4 : Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues

Component: Performance

Symptoms:
-- Uneven unic channel distribution and transmit errors (tx_errcnt) seen in /proc/unic.
-- Packet loss and increased retransmissions under load.

Conditions:
BIG-IP Virtual Edition (VE) in Hyper-V or Azure Cloud.

Impact:
-- Reduced throughput.
-- Packet loss and increased retransmissions under load.

Workaround:
None.


850145-1 : Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed

Component: Local Traffic Manager

Symptoms:
First HTTP request on a connection creates a connection to the server. Subsequent pipelined requests should be processed and use the established connection to the server. However, the requests were queued in the proxy and not processed resulting in connection hang.

Conditions:
- HTTP or HTTP/2 virtual server with httprouter profile.
- HTTP/1.1 connections with the client and server.
- Pipelined HTTP requests.

Impact:
Connection hangs and is eventually reset.

Workaround:
No workaround.


849405-2 : LTM v14.1.2.1 no log after upgrade

Component: TMOS

Symptoms:
After upgrading to v14.1.2.1, logs are not generated and sysstat.service is not running.

Conditions:
-- Upgrade from BIG-IP v12.1.x (which uses CentOS 6) to BIG-IP v14.1.2.1 or later (which uses CentOS 7).
-- The issue is momentary and is not always reproducible.

Impact:
Logs are not generated and sysstat.service is not running.

Workaround:
Once the BIG-IP starts up, check for failed services

systemctl list-units --failed

If results show sysstat.service as FAILED, run the following command:

restorecon -Rv /var/log/sa6 && systemctl start sysstat


849349-5 : Adding a new option to disable CSP header modification in bot defense/dosl7 via sys db

Component: Application Security Manager

Symptoms:
Web app flow might fail resulting in JavaScript errors related to CSP policy

Conditions:
-- ASM provisioned.
-- Bot-Defense or DoS Application profile assigned to a virtual server.
-- The backend server sends CSP headers.

Impact:
Web application flow might fail.

Workaround:
Attach an iRule:

when HTTP_REQUEST {
    set csp 0
}
when HTTP_RESPONSE {
    if { [HTTP::header exists Content-Security-Policy] } {
        set csp "[HTTP::header values Content-Security-Policy]"
    }
}
when HTTP_RESPONSE_RELEASE {
    if { $csp != 0 } {
        HTTP::header replace Content-Security-Policy $csp
    }
    set csp 0
}


848777-3 : Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node.

Component: Local Traffic Manager

Symptoms:
Shared object address-list in non-default partition in non-default route-domain does not sync to peer node. The system reports the following exceptions when such an issue occurs:

-- err mcpd[4941]: 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

-- err mcpd[4941]: 01071488:3: Remote transaction for device group /Common/DG1 to commit id 500 6754270728594498269 /Common/bigiptest1 0 failed with error 0107004d:3: Virtual address (/TestwithRD1/0.0.0.0%1) encodes IP address (0.0.0.0%1) which differs from supplied IP address field (0.0.0.0).

Conditions:
-- Create Custom partition.
-- Create Custom Route-domain.
-- Change custom partition.
-- Create address list in non-default route domain.
-- Create virtual server with previously created address list and any TCP port.
-- Now, try to Sync to high availability (HA) peer.

Impact:
Sync fails with error. Configuration will not sync to peer node.

Workaround:
None.


848681-7 : Disabling the LCD on a VIPRION causes blade status lights to turn amber

Component: TMOS

Symptoms:
When the LCD is disabled or turned off on a VIPRION system, the blade status lights turn amber.

Conditions:
You can cause this to occur by running the command:
tmsh modify sys db platform.chassis.lcd value disable

Impact:
Blade status lights change to amber, even if nothing is wrong with the system.

Workaround:
None.


847325-3 : Changing a virtual server that uses a oneconnect profile can trigger persistence misbehavior.

Component: Local Traffic Manager

Symptoms:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions

Conditions:
A oneconnect profile is combined with certain persist profiles on a virtual server.

The virtual server configuration is changed while there is an ongoing connection to the virtual server. Any connections that make a request after the configuration change can be affected.

The persistence types that are affected are
Source Address (but not hash-algorithm carp)
Destination Address (but not hash-algorithm carp)
Universal
Cookie (only cookie hash)
Host
SSL session
SIP
Hash (but not hash-algorithm carp)

Impact:
High tmm CPU utilization.
Stalled connection.
Incorrect persistence decisions


846977-1 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.


846873-4 : Deleting and re-adding the last virtual server that references a plugin profile in a single transaction causes traffic failure

Component: Local Traffic Manager

Symptoms:
Traffic fails to pass through a virtual server.

Conditions:
-- Virtual server is removed and a new one is added in a single transaction.
-- Virtual server references a plugin profile.

For example, create a CLI transaction:
- delete ltm virtual vs_http
- create ltm virtual vs_https destination 1.1.1.1:443 vlans-enabled profiles replace-all-with { http ntlm oneconnect }
- submit cli transaction

Impact:
Traffic failure on the new virtual server.

Workaround:
Create a virtual server that does not accept any traffic, but keeps the NTLM MPI plugin channel alive:

tmsh create ltm virtual workaround destination 1.1.1.1:1 profiles replace-all-with { http oneconnect ntlm } vlans-enabled vlans none && tmsh save sys config


846713-1 : Gtm_add does not restart named

Component: Global Traffic Manager (DNS)

Symptoms:
Running gtm_add failed to restart the named daemon.

Conditions:
Run gtm_add to completion.

Impact:
Named is not restarted. No BIND functionality.

Workaround:
Restart named:
bigstart start named


846521-7 : Config script does not refresh management address entry properly when alternating between dynamic and static

Component: TMOS

Symptoms:
Config script does not refresh management address entry properly when alternating between dynamic (DHCP) and static configuration.

Conditions:
- Management IP assignment is changed from dynamic (DHCP) to static.
- Same IP address is configured, as previously received from DHCP server.

Impact:
Remote management access is lost after DHCP lease expires.

Workaround:
Restart BIG-IP after changing the management IP address.


846441-2 : Flow-control is reset to default for secondary blade's interface

Component: Local Traffic Manager

Symptoms:
When a secondary blade is a new blade or is booted without a binary db, the LLDP settings on the blade's interface is reset to default.

Conditions:
Plug in a new secondary blade, or reboot a blade (that comes up as secondary) without a binary db.

Impact:
The flow-control setting is reset to default (tx-rx).

Workaround:
Reload the configuration on the primary blade.


846181-3 : Request samples for some of the learning suggestions are not visible

Component: Application Security Manager

Symptoms:
Learning suggestions created from single request do not show source 'request log' in the 'Suggestion' GUI section.

Conditions:
'Learning Suggestion' created from only one 'Request Log' record.

Impact:
Learning suggestions created from single request does not show source 'request log' in the 'Suggestion' GUI section

Workaround:
None.


846141-1 : Unable to use Rest API to manage GTM pool members that have an pipe symbol '|' in the server name.

Component: TMOS

Symptoms:
Rest API returns 404 'Object not found"' error when attempting direct access to pool member that has pipe symbol '|' in the server or virtual server name.

Conditions:
An iControl/REST call to a pool member that has a virtual server on the Server whose name contains a | character in the server or virtual server name.

Impact:
The iControl/REST call cannot manage a pool member associated with a virtual server or server whose name contains a | character.

Workaround:
Rename the server or virtual server to a name that does not contains the | character.


846073-1 : Installation of browser challenges fails through Live Update

Component: Application Security Manager

Symptoms:
Live Update of Browser Challenges fails installation.

Live Update provides an interface on the F5 Downloads site to manually install or configure automatic installation of various updates to BIG-IP ASM components, including ASM Attack Signatures, Server Technologies, Browser Challenges, and others.

Conditions:
-- From the F5 Downloads side, select a software version.
-- Click BrowserChallengesUpdates.
-- Attempt to download and install Download BrowserChallenges<version_number>.im.

Note: Browser Challenges perform browser verification, device and bot identification, and proactive bot defense.

Impact:
Browser Challenges update file cannot be installed.

Workaround:
None.


846057-3 : UCS backup archive may include unnecessary files

Component: Application Security Manager

Symptoms:
UCS backup archive file size is much larger than UCS files in previous releases.

Conditions:
-- UCS backup process finishes with failure and does not clean temporary files.
-- A second UCS backup is attempted.

Impact:
Those files are included in the UCS archive, which results in an unusually large UCS backup files.

Workaround:
Before running the UCS backup process, remove directories:

/var/tmp/ts_db.save_dir_*.cstmp/


845545 : Potential name collision for client-ssl profile named 'clientssl-quic'

Component: Local Traffic Manager

Symptoms:
This release includes a new base client-ssl profile for use by QUIC virtual servers. If an existing client-ssl profile named 'clientssl-quic' exists, it will be overwritten by the new built-in profile after upgrading.

Conditions:
The system to be upgraded has an existing client-ssl profile named 'clientssl-quic'.

Impact:
The existing profile will be overwritten by the new built-in profile.

Workaround:
Rename the existing profile prior to upgrade.


845333-6 : An iRule with a proc referencing a datagroup cannot be assigned to Transport Config

Component: Local Traffic Manager

Symptoms:
If you try to assign an iRule to a Transport Config, and if the iRule has a proc that references a datagroup, the assignment fails with an error:
01070151:3: Rule [/Common/test2] error: Unable to find value_list (datagroup) referenced at line 6: [class lookup "first" datagroup]

Conditions:
-- Assign an iRule to a Transport Config.
-- The iRule has a proc.
-- The proc references a datagroup.

Impact:
Validation fails. An iRule with a proc referencing a datagroup cannot be assigned to Transport Config objects.

Workaround:
Make the datagroup a Tcl variable to bypass validation.


845313-3 : Tmm crash under heavy load

Component: Policy Enforcement Manager

Symptoms:
Tmm crashes.

Conditions:
-- BIG-IP PEM is licensed and configured.
-- Heavy traffic is received by PEM virtual server.
-- The traffic pattern goes through subscriber add/delete frequently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


844781-3 : [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection

Component: Access Policy Manager

Symptoms:
SELinux policy does not allow the rewrite plugin to create a directory and write troubleshooting data into /var/tmp/WebAppTrace.

Conditions:
Collecting Portal Access web applications traces per K13384: Performing a web applications trace (11.x - 14.x) :: https://support.f5.com/csp/article/K13384

Impact:
Cannot collect Portal Access web applications troubleshooting data as it described in in that AskF5 Article.

Workaround:
Connect via SSH using the root account and run this command:
restorecon -Rv /var/tmp/WebAppTrace/


844689-1 : Possible temporary CPU usage increase with unusually large named.conf file

Component: Global Traffic Manager (DNS)

Symptoms:
You might see occasional and temporary CPU usage increases when named.conf file is unusually large.

Conditions:
Unusually large named.conf file and zones are checked for updates (when the SOA expires).

Impact:
When a zone file is updated, a downstream effect is the ZoneRunner process to parse again the named.conf file. The parsing of an unusually large file may cause a temporary increase in CPU usage.

Workaround:
None.


844597-4 : AVR analytics is reporting null domain name for a dns query

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.


844573-1 : Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret.

Component: Access Policy Manager

Symptoms:
The log message when OAuth client or resource server fails to generate the secret is assigned an incorrect log level, and is incorrectly logged at the emergency level.

Conditions:
This is encountered when this message is logged by mcpd.

Impact:
Log message cannot be grouped with messages at the correct log level.

Workaround:
None.


844373-1 : Learning suggestion details layout broken in some browsers

Component: Application Security Manager

Symptoms:
One of the suggestion details is placed incorrectly, out of alighment.

Conditions:
This occurs when you open the details for learning suggestion, e.g., based on refinement.

Impact:
Refinement title is out of line.

Workaround:
Use a different browser, if needed.


844337-4 : Tcl error log improvement for node command

Component: Local Traffic Manager

Symptoms:
Because of the Tcl error, connection gets reset and reports an error:

err tmm[18774]: 01220001:3: TCL error: /Common/test2- bad port in node <addr> <port> cmdTCL error (line 43) (line 43) invoked from within "node 172.x.x.x IP [LB::server port]"

Conditions:
Using node command under pre-load-balancing iRule events.

Impact:
Unclear port values in Tcl error message.

Workaround:
None.


844281-3 : [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files.

Component: Access Policy Manager

Symptoms:
Java applets are not patched when accessed through APM Portal Access.

/var/log/rewrite contains error messages similar to following:
-- notice rewrite - fm_patchers/java_patcher_engine/CryptoToolsManager.cpp:568 (0x1919ab0): CryptoToolsManager :: _ReadCA() - cannot open CA file.

/var/log/auditd/audit.log contains AVC denials for rewrite on attempt to read file under /config/filestore/.

Conditions:
Java patching is enabled via rewrite profile and Portal Access resource.

Impact:
Java applets cannot be patched by APM Portal Access rewriter.

Workaround:
None.


844085-1 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: Local Traffic Manager

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name>traffic-matching-criteria<virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any


843801-2 : Like-named previous Signature Update installations block Live Update usage after upgrade

Component: Application Security Manager

Symptoms:
Signature Update installations using ASU files with the same name on versions before 14.1.0 block Live Update usage after upgrade to 14.1.0 or later.

Conditions:
The same Signature Update file is installed multiple times on the device when running a version earlier than 14.1.0.

Impact:
Signature Update cannot be installed using Live Update, and errors appear in logs.

Workaround:
1. Delete the file: /var/lib/hsqldb/live-update/live-update-import.yaml.
2. Restart tomcat:
bigstart restart tomcat

This causes pre-upgrade records for Signature Update to be lost, but does not have any other functional impact.


843661-1 : TMSH allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command

Component: TMOS

Symptoms:
TMSH currently allows you to specify the 'add-on-keys' option when running the 'revoke sys license' command, but the option is not honored and the entire license is revoked.

Conditions:
-- BIG-IP license and add-on license are installed.
-- Attempt to revoke the system license with 'add-on-keys' as an option.

Impact:
Add-on-keys option is ignored, and the entire license is revoked instead.

Workaround:
None.


843597-1 : Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle

Component: TMOS

Symptoms:
The vmxnet3 driver cannot handle MTUs larger than 9000 bytes.

Conditions:
-- Using a BIG-IP Virtual Edition (VE) with the vmxnet3 driver.
-- Passing packets larger than 9000 bytes.

Impact:
Either packets are dropped, or the hypervisor may crash on some platforms that do not handle this condition gracefully.

Workaround:
Modify the tmm_init.tcl file, adding the following line:

ndal mtu 9000 15ad:07b0


843317-3 : The iRules LX workspace imported with incorrect SELinux contexts

Component: Local Traffic Manager

Symptoms:
Files imported from iRules LX workspace may have incorrect SELinux contexts such as abrt_var_cache_t.

This can cause reloading the workspace to fail with errors:

01070079: failed to create workspace archive ... Return code {2}

Conditions:
Importing the iRules LX workspace.

Impact:
Workspace cannot be imported

Workaround:
As a workaround you can run the following command on the folders to restore the context:
restorecon -R -v


842937-6 : TMM crash due to failed assertion 'valid node'

Component: Local Traffic Manager

Symptoms:
Under undetermined load pattern TMM may crash with message: Assertion 'valid node' fail.

Conditions:
This can occur while passing traffic with the Ram Cache profile enabled on a Virtual Server. Other conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Refrain from using ramcache may mitigate the problem.


842901-1 : Improve fast failover of PIM-DM-based multicast traffic when BIG-IP is deployed as an Active/Standby HA pair.

Component: TMOS

Symptoms:
Although the effect differs for different topologies, in general, the multicast traffic is interrupted for 5-to-180 seconds after failover.

Conditions:
Fast failover of PIM-DM-based multicast traffic when the BIG-IP system is deployed as an Active/Standby high availability (HA) configuration.

Impact:
The multicast traffic is interrupted for 5-to-180 seconds after a failover event.

Workaround:
None. This is an improvement request.


842669-3 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Component: TMOS

Symptoms:
systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
The cron process tries and fails to send an email because of output about a cron script.

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first part to the appropriate file, and the other lines to /var/log/user.log.

Workaround:
No known workaround.


842625-5 : SIP message routing remembers a 'no connection' failure state forever

Component: Service Provider

Symptoms:
When SIP message routing fails to route to a pool member (Triggering a MR_FAILED, MR::message status of 'no connection'), The BIG-IP system caches the failed state and continues to return this even after the pool member becomes reachable again.

Conditions:
When BIG-IP systen fails to route messages to the peer (server) due to unavailability of route or any other issues.

Impact:
The BIG-IP system is never be able to establish connection to the peer.

Workaround:
None.


842517-2 : CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails

Component: Local Traffic Manager

Symptoms:
SSL handshake fails with error in LTM logs.pkcs11d[10407]:
err pkcs11d[10407]: 01680048:3: C_Sign: pkcs11_rv=0x00000082, CKR_OBJECT_HANDLE_INVALID

Conditions:
Key created with Safenet NetHSM is used in SSL profile for virtual server. This error is seen randomly.

Impact:
SSL handshake fails.

Workaround:
Restart the PKCS11D.


842425-1 : Mirrored connections on standby are never removed in certain configurations

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.


842265-1 : Create policy: trusted IP addresses from template are not shown

Component: Application Security Manager

Symptoms:
If there are trusted IP addresses in the selected template, they are not shown in GUI during policy creation

Conditions:
Create user-defined template from policy with trusted IP addresses.

Impact:
If you manually enter the same IP addresses that were in template, you may get an error message after policy creation

Workaround:
None.


842193-1 : Scriptd coring while running f5.automated_backup script

Component: iApp Technology

Symptoms:
When the iApp, f5.automated_backup, script is terminated due to the max-script-run-time, the script still continues and finishes, sometimes with scriptd coring and posting error messages in /var/log/ltm:

-- info logger[17173]: f5.automated_backup iApp autobackup: STARTED
-- info logger[17175]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs GENERATING

-- err scriptd[13532]: 014f0004:3: script has exceeded its time to live, terminating the script <------ after 20 secs, it continues even after the scriptd core.

-- notice sod[3235]: 01140041:5: Killing /usr/bin/scriptd pid 13532.
-- warning sod[3235]: 01140029:4: high availability (HA) daemon_heartbeat scriptd fails action is restart.
-- info logger[19370]: f5.automated_backup iApp autobackup: pem.f5lab.com_20191004.ucs SAVED LOCALLY
(/var/local/ucs)
-- info logger[19372]: f5.automated_backup iApp autobackup: FINISHED

Conditions:
Configure the iApp application with f5.automated_backup template to do auto-backup at regular intervals.

Impact:
Scriptd core.

Workaround:
None.


841985-5 : TSUI GUI stuck for the same session during long actions

Component: Application Security Manager

Symptoms:
The GUI becomes unresponsive when you perform an operation that takes a long time (e.g., Attack Signatures update).

Conditions:
Long-running task is performed, such as export/import/update signatures.

Impact:
GUI is unresponsive for that session.

Workaround:
If you need to continue working during long task is performed, you can log in via another browser.


841953-7 : A tunnel can be expired when going offline, causing tmm crash

Component: TMOS

Symptoms:
When the system transitions from active or next active (standby), e.g., to offline, the internal flow of a tunnel can be expired.

If the device returns to active or standby, and if the tunnel is modified, a double flow removal can cause a tmm crash.

Conditions:
-- System transitions from active or next active.
-- Tunnel is modified.
-- Device returns to active or next active mode.

Impact:
The tmm process restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


841721-2 : BWC::policy detach appears to run, but BWC control is still enabled

Component: TMOS

Symptoms:
The dynamic BWC policy can be attached from iRules but not detached. No error occurs when BWC::policy detach is run, but the detached policy continues to work.

Conditions:
-- Dynamic BWC policy for a HTTP request URI during session.
-- Running BWC::policy detach.

Impact:
The detached policy continues to work.


841649-4 : Hardware accelerated connection mismatch resulting in tmm core

Component: TMOS

Symptoms:
Tmm receives an update from the ePVA for a hardware accelerated connection that is matched to the wrong correction. This can result in a tmm core, which is reported as a segment fault in the tmm log files.

Conditions:
A FastL4 virtual server that has hardware acceleration enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable hardware acceleration.


841469-6 : Application traffic may fail after an internal interface failure on a VIPRION system.

Component: Local Traffic Manager

Symptoms:
Blades in a VIPRION system connect with one another over a data backplane and a management backplane.

For more information on the manner in which blades interconnect over the data backplane, please refer to K13306: Overview of the manner in which the VIPRION chassis and blades interconnect :: https://support.f5.com/csp/article/K13306.

Should an internal interface fail and thus block communication over the data backplane between two distinct blades, an unusual situation arises where different blades compute different CMP states.

For example, if on a 4-slot chassis, blades 2 and 3 become disconnected with one another, the following is TMM's computation of which slots are on-line:

slot1: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)
slot2: slots 1, 2, and 4 on-line (cmp state 0xb / 11)
slot3: slots 1, 3, and 4 on-line (cmp state 0xd / 13)
slot4: slots 1, 2, 3, and 4 on-line (cmp state 0xf / 15)

As different slots are effectively operating under different assumptions of the state of the cluster, application traffic does not flow as expected. Some connections time out or are reset.

You can run the following command to inspect the CMP state of each slot:

clsh 'tmctl -d blade -s cmp_state tmm/cmp'

All slots should report the same state, for instance:

# clsh 'tmctl -d blade -s cmp_state tmm/cmp'
=== slot 2 addr 127.3.0.2 color green ===
cmp_state
---------
       15

=== slot 3 addr 127.3.0.3 color green ===
cmp_state
---------
       15

=== slot 4 addr 127.3.0.4 color green ===
cmp_state
---------
       15

=== slot 1 addr 127.3.0.1 color green ===
cmp_state
---------
       15

When this issue occurs, logs similar to the following example can be expected in the /var/log/ltm file:

-- info bcm56xxd[4276]: 012c0015:6: Link: 2/5.3 is DOWN
-- info bcm56xxd[4296]: 012c0015:6: Link: 3/5.1 is DOWN
-- info bcm56xxd[4296]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4339]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd
-- info bcm56xxd[4214]: 012c0012:6: Trunk default member mod 13 port 0 slot 2; CMP state changed from 0xf to 0xd

And a CMP transition will be visible in the /var/log/tmm file similar to the following example:

-- notice CDP: PG 2 timed out
-- notice CDP: New pending state 0f -> 0b
-- notice Immediately transitioning dissaggregator to state 0xb
-- notice cmp state: 0xb

For more information on troubleshooting VIPRION backplane hardware issues, please refer to K14764: Troubleshooting possible hardware issues on the VIPRION backplane :: https://support.f5.com/csp/article/K14764.

Conditions:
This issue arises after a very specific type of hardware failure. The condition is very unlikely to occur and is impossible to predict in advance.

Impact:
Application traffic is impacted and fails sporadically due to a mismatch in CMP states between the blades. Failures are likely to manifest as timeouts or resets from the BIG-IP system.

Workaround:
F5 recommends the following to minimize the impact of this potential issue:

1) For all highly available configurations (e.g., A/S, A/A, A/A/S, etc.).

The BIG-IP system has functionality, in all software versions, to enact a fast failover when the conditions described occur.

To ensure this functionality will trigger, the following configuration requirements must be met:

a) The mirroring strategy must be set to 'between'.
b) A mirroring channel to the next-active unit must be up.
c) The min-up-members option must be set to the number of blades in the chassis (e.g., 4 if there are 4 blades in the chassis).

Note: It is not required to actually configure connection mirroring on any virtual server; simply choosing the aforementioned strategy and ensuring a channel is up to the next-active unit will suffice. However, note that some configurations will benefit by also configuring connection mirroring on some virtual servers, as that can greatly reduce the number of affected connections during a failover.

2) For 'regular' standalone units.

If a VIPRION system is truly standalone (no kind of redundancy whatsoever), there is no applicable failsafe action, as you will want to keep that chassis online even if some traffic is impaired. Ensure suitable monitoring of the system is in place (e.g., remote syslog servers, SNMP traps, etc.), so that a BIG-IP Administrator can react quickly in the unlikely event this issue does occur.

3) For a standalone chassis which belongs to a pool on an upstream load-balancer.

If the virtual servers of a standalone VIPRION system are pool members on an upstream load-balancer, it makes sense for the virtual servers to report unavailable (e.g., by resetting all new connection attempts) so that the upstream load-balancer can select different pool members.

An Engineering Hotfix can be provided which introduces an enhancement for this particular use-case. A new DB key is made available under the Engineering Hotfix: tmm.cdp.requirematchingstates, which takes values 'enable' and 'disable'.

The default is 'disable', which makes the VIPRION system behave as in versions without the enhancement. When set to 'enable', the VIPRION system attempts to detect this failure and, if it does, resets all new connections. This should trigger some monitor failures on the upstream load-balancer and allow it to select different pool members.

Please note you should only request the Engineering Hotfix and enable this DB key when this specific use-case applies: a standalone VIPRION system which belongs to a pool on an upstream load-balancer.

When the new feature is enabled, the following log messages in the /var/log/ltm file indicate when this begins and stops triggering:

-- crit tmm[13733]: 01010366:2: CMP state discrepancy between blades detected, forcing maintenance mode. Unable to relinquish maintenance mode until event clears or feature (tmm.cdp.requirematchingstates) is disabled.

-- crit tmm[13262]: 01010367:2: CMP state discrepancy between blades cleared or feature (tmm.cdp.requirematchingstates) disabled, relinquishing maintenance mode.


841369-3 : HTTP monitor GUI displays incorrect green status information

Component: Local Traffic Manager

Symptoms:
LTM HTTP monitor GUI displays incorrect green status when related pool is down.

TMSH shows correct information

Conditions:
LTM HTTP monitor destination port does not match with pool member port.

Impact:
LTM HTTP marks the node down, but the Instances tab of the monitor in the GUI reports the status as green

Workaround:
You can use either of the following workarounds:
-- Use TMSH to get correct info.
-- Ensure that LTM HTTP monitor destination port does match pool member port.


841341-6 : IP forwarding virtual server does not pick up any traffic if destination address is shared.

Component: Local Traffic Manager

Symptoms:
Virtual servers do not forward any traffic but the SNAT does.

Conditions:
-- Multiple wildcard IP forwarding virtual servers with the same destination address.
-- SNAT is configured.

Impact:
IP forwarding virtual server does not pick up any traffic.

Workaround:
Delete and then re-create virtual servers.


841333-7 : TMM may crash when tunnel used after returning from offline

Component: TMOS

Symptoms:
TMM may crash when a tunnel is used after the unit returns from offline status.

Conditions:
-- Tunnel is configured and active.
-- Unit is transitioned from offline to online.
-- Tunnel is used after online status is restored.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


841277-7 : C4800 LCD fails to load after annunciator hot-swap

Component: TMOS

Symptoms:
After following F5-recommended procedures for hot-swapping the left annunciator card on a C4800 chassis and replacing the top bezel, the LCD screen fails to load.

Conditions:
- C4800 chassis with 2 annunciator cards.
- Hot-swap the left annunciator card and replace the top bezel.

Impact:
-- Status light on the top bezel turns amber.
-- LCD becomes unresponsive, and continuously displays 'F5 Networks Loading...'.

Workaround:
1. Run the command:
tmsh modify sys db platform.chassis.lcd value disable

2. Wait 10 seconds.

3. Run the command:
tmsh modify sys db platform.chassis.lcd value enable.

This forces the LCD to sync back up with the VIPRION system and returns it to normal operation. The top bezel status light should turn green.


840821-1 : SCTP Multihoming not working within MRF Transport-config connections

Component: Service Provider

Symptoms:
SCTP filter fails to create outgoing connections if the peer requests multihoming. The failure may produce a tmm core.

Conditions:
Usage of SCTP multi-homing with a MRF transport-config.

Impact:
The outgoing connection is aborted or tmm may core. Traffic disrupted while tmm restarts.

Workaround:
None.


840785-1 : Update documented examples for REST::send to use valid REST endpoints

Component: Local Traffic Manager

Symptoms:
The documented examples for REST::send refers to REST endpoints that are not valid.

Conditions:
Viewing the documentation at https://clouddocs.f5.com/api/irules/REST__send.html.

Impact:
Invalid examples lead to potential confusion.

Workaround:
Use valid REST endpoints, documented at https://clouddocs.f5.com/api/icontrol-rest/APIRef.html.


840769-2 : Having more than one IKE-Peer version value results in upgrade failure

Component: TMOS

Symptoms:
When a 'net ipsec ike-peer' object has the version attribute with more than one value, upgrading to version 15.1.0 results in a failed upgrade.

Conditions:
The version attribute has two values, in this example, 'v1' and 'v2.'

net ipsec ike-peer test {
    my-cert-file default.crt
    my-cert-key-file default.key
    my-id-value 38.38.38.64
    peers-id-value 38.38.38.38
    phase1-auth-method rsa-signature
    phase1-encrypt-algorithm 3des
    phase1-hash-algorithm sha256
    prf sha256
    remote-address 38.38.38.38
    traffic-selector { /Common/homer2 }
    version { v1 v2 }
}

Impact:
Upgrading to version 15.1.0, which allows only one value for the version attribute, results in a failed upgrade/config load error.

Workaround:
Before upgrading, modify your config so that the version attribute has only one value for the version attribute.


839509-1 : Incorrect inheritance treatment in Response and Blocking Pages page

Component: Application Security Manager

Symptoms:
Deception Response Pages is not inherited, but if common response pages are inherited, you are unable to save changes.

Conditions:
-- Deception Response Pages features licensed.
-- Parent policy selected with inheritance of response pages.

Impact:
Deception Response Pages cannot be modified.

Workaround:
None.


839401-1 : Moving a virtual-address from one floating traffic-group to another does not send GARPs out.

Component: Local Traffic Manager

Symptoms:
Gratuitous ARPs (GARPs) are not sent out when moving a virtual-address from one floating traffic-group to another (e.g., from traffic-group-1 to traffic-group-2).

Conditions:
-- Moving a virtual-address from one floating traffic-group to another.
-- The traffic-groups are active on different devices.

Impact:
Application traffic does not immediately resume after the virtual-address is moved. Instead, the surrounding network devices have to ARP out for the IP address after reaching a timeout condition.

Workaround:
After moving the virtual-address, disable and then re-enable the ARP setting for the virtual-address. This forces GARPs to be sent out.


839389-1 : TMM can crash when connecting to IVS under extreme overload

Component: Service Provider

Symptoms:
TMM might crash while attempting to connect internally to an internal virtual server (IVS) and the connection setup cannot be completed due to internal factors.

Conditions:
-- Extreme overload such that TMM is out of memory, or some other internal condition that prevents connection setup.
-- Connection to an internal virtual server is attempted.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


839361-6 : iRule 'drop' command does not drop packets when used in DNS_RESPONSE

Component: Global Traffic Manager (DNS)

Symptoms:
The iRule 'drop' command may not drop a DNS response when called under DNS_RESPONSE event.

Conditions:
iRule drop is used under DNS_RESPONSE event.

Impact:
DNS response may be improperly forwarded to the client.

Workaround:
Use DNS::drop instead.


839245-3 : IPother profile with SNAT sets egress TTL to 255

Component: Local Traffic Manager

Symptoms:
BIG-IP may set TTL to 255 on forwarded packets.

Conditions:
Virtual-server with ipother profile and SNAT configured.

Impact:
Traffic leaves with egress TTL set to 255.

Workaround:
None.


839141-1 : Issue with 'Multiple of' validation of numeric values

Component: Application Security Manager

Symptoms:
'Multiple of' validation of numeric values may not be correct in some scenarios.

Conditions:
-- Create default policy from API Security template.
-- Create default decimal parameter with 'Multiple of'=5.
-- Send request to /index.php?param=0.

Impact:
'Multiple of' validation of numeric values does not block as expected.

Workaround:
None.


838925-7 : Rewrite URI translation profile can cause connection reset while processing malformed CSS content

Component: TMOS

Symptoms:
Malformed CSS where one of the style rules is missing a closing brace could cause LTM Rewrite profile to stop processing file or reset connection.

Conditions:
-- LTM Rewrite (URI translation) profile is attached to virtual server.
-- Content rewriting is enabled in Rewrite profile settings.
-- CSS file contains style rule with missing closing brace.

Impact:
URLs are not modified within affected files, starting from the missing closing brace. Intermittent connection resets occur.

Workaround:
Before rewriting, insert the missing symbol into CSS content either directly on the backend server or with an iRule.


838901-4 : TMM receives invalid rx descriptor from HSB hardware

Component: TMOS

Symptoms:
The HSB hardware returns an invalid receive (rx) descriptor to TMM. This results in a TMM core and can be seen as a SIGSEGV in the TMM logs. This also might result in continuous restarts of TMM, resulting in subsequent SIGSEGVs reported in the TMM logs until the unit is manually recovered.

Conditions:
The exact conditions under which this occurs are unknown.

Impact:
Traffic disrupted while tmm restarts. This may result in continuous TMM restarts until the BIG-IP system is rebooted.

Workaround:
None.


838709-4 : Enabling DoS stats also enables page-load-time

Component: Application Visibility and Reporting

Symptoms:
If collect-all-dos-statistic is enabled, AVR 'promises' to the client a JavaScript injection in the response by adding the expected length of the JavaScript to the Content-length header.

Conditions:
Security :: reporting : settings : collect-all-dos-statistic is enabled.

Impact:
In addition to collecting DoS statistics, JavaScript injection also occurs.

Workaround:
Can use iRules to control which pages should get the JavaScript injection.

For detailed information, see K13859: Disabling CSPM injection with iRules :: https://support.f5.com/csp/article/K13859.


838405-3 : Listener traffic-group may not be updated properly when spanning is in use.

Component: Local Traffic Manager

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group:

> modify ltm virtual-address 0.0.0.0 traffic-group none spanning enabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled


838353-1 : MQTT monitor is not working in route domain.

Component: Local Traffic Manager

Symptoms:
MQTT monitor fails when non-default route domains are used.

Conditions:
-When a non-default route domain is configured for a pool member
-mqtt monitor in use

Impact:
Mqtt monitor does not work in route domain.


838337-1 : The BIG-IP system's time zone database does not reflect recent changes implemented by Brazil in regard to DST.

Component: TMOS

Symptoms:
In 2019, Brazil cancelled DST (Daylight Saving Time) and is now on standard time indefinitely. The BIG-IP system's time zone database needs to be updated to reflect this change.

Conditions:
None.

Impact:
BIG-IP systems configured to use "America/Sao_Paul" (or other applicable Brazilian localities) will still apply DST. Hence time will spring forward and backward on previously designated dates.

This will have no impact to application traffic handled by the BIG-IP system. However, logs, alerts, reports, cron jobs, etc. will use incorrect time.

Note: You can inspect the time changes your system is due to apply by running the following command from the BIG-IP system's advanced shell (bash):

zdump -v <timezone>

For example:

zdump -v America/Sao_Paulo

Workaround:
As a workaround, you can set the BIG-IP system's time zone to that of a different country with the same UTC offset and already not observing DST.

For example, instead of using "America/Sao_Paul", you could use "America/Buenos_Aires" to obtain the same result.


838305-7 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.


838297-2 : Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication

Component: TMOS

Symptoms:
Under certain conditions, the BIG-IP system requires you to change your password on every login.

Furthermore, the login then fails, and loops endlessly asking for the password, even though the password has not expired.

Conditions:
-- BIG-IP 14.0.0 and later.
-- LDAP authentication is used for remote users.
-- Active Directory (AD) user account has shadowLastChange attribute with a value of 0 (or anything lower than the number of days since 1-1-1970).

Impact:
Remote AD BIG-IP users are unable to login to the BIG-IP system using remote LDAP authentication

Workaround:
Clear the value of shadowLastChange within AD.


837637-1 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Component: TMOS

Symptoms:
Configuration fails to load after upgrade with a message like
01420006:3: Can't find specified cli schema data for 13.1.1.4

Conditions:
Orphaned bigip_gtm.conf from an older-version.
This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade leaving behind a bigip_gtm.conf with the old schema.

Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
After deprovisioning DNS, before upgrading run
rm -f /config bigip_gtm.conf
tmsh load sys config gtm-only


837617-1 : Tmm may crash while processing a compression context

Component: Local Traffic Manager

Symptoms:
Tmm crashes on segfault.

Conditions:
Conditions are unknown.

Impact:
Traffic disrupted while tmm restarts.


837481-7 : SNMPv3 pass phrases should not be synced between high availability (HA) devices as that are based on each devices unique engineID

Component: TMOS

Symptoms:
SNMPv3 fails to read authenticated or encrypted messages to all but one of the members of a Config Sync group.

Conditions:
Using SNMPv3 to read or receive Traps from high availability (HA) pairs.

Impact:
SNMPv3 can only work for one member of a configsync group.
Configuring passwords on one device, makes that device work, but other members of the config sync group will now fail.

Workaround:
- check "Authoritative (security) engineID for SNMPv3" is not synced (mostly code released since 2019)
engineID needs to be unique per device

- Modify /defaults/config_base.conf to set sync to "no" and check that these do not sync
We must NOT sync these parameters as they need to match the individual device engineID

            display-name "Authoritative (security) engineID for SNMPv3"
            display-name "Authentication pass phrase for SNMPv3 messages"
            display-name "Privacy pass phrase used for encrypted SNMPV3 messages"
            display-name "User's passphrase"
            display-name "Privacy passphrase"

### Mount usr as rw see see K11302
mount -o remount,rw /usr
pico /defaults/config_base.conf
# use Control-w to search for the display names above
# change "configsyncd yes" to "configsyncd no" if necessary in each location
# use Control-x y to exit with saving
# Restore usr as ro
mount -o remount,ro /usr
tmsh load sys config

Then once they are not syncing over, you can create v3 on each device using the same pass phrase as your SNMPv3 manager is using

tmsh modify sys snmp users add { v3snmp { auth-protocol sha privacy-protocol aes username mikev3 auth-password password3 privacy-password password3} }
tmsh modify sys snmp users modify { v3snmp { security-level auth-privacy access rw } }

Then each device should respond OK to query for that same pass phrase

snmpwalk -v 3 localhost -a sha -x aes -A password3 -X password3 -u mikev3 -l authpriv


For more information about SNMP, see the following articles.
K15681: Customizing the SNMP v3 engineID
K6821: SNMP v3 fails if the SNMP engine ID is not unique
K3727: Configuring custom SNMP traps


837341-1 : Response and Blocking Pages page: Deception Response pages should not be shown in parent policy

Component: Application Security Manager

Symptoms:
Deception Response pages shown and editable in parent policy.

Conditions:
-- Deception Response Pages feature is licensed and enabled.
-- You are editing the parent policy.

Impact:
Deception Response pages cannot be updated from the parent policy, thus any update of response pages fails with error.

Workaround:
None.


837233-3 : "Application Security Administrator" user role cannot manage Dos Profile GUI

Component: Advanced Firewall Manager

Symptoms:
BIG-IP GUI users in "Application Security Administrator" role are not allowed to manage DoS profile page and settings.

Conditions:
This affects users logged in with the "Application Security Administrator" role

Impact:
DoS profiles cannot be edited from GUI

Workaround:
Either change user role to allow managing DoS profile or edit profiles from tmsh


836661-2 : Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet.

Component: Local Traffic Manager

Symptoms:
Packet with unexpected source MAC is seen on the adjacent node to the BIG-IP system.

Conditions:
-- The BIG-IP system is configured in an L2 transparent mode using virtual wires.
-- Traffic forwarded between client and server in an asymmetric manner across virtual wires.

Impact:
Incorrect source MAC is used. Possible impacts to services on nodes adjacent to the BIG-IP system if policy decisions on those nodes are made with the source MAC of the received packet as input.

Workaround:
None.


836357-5 : SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2

Component: Service Provider

Symptoms:
In MBLB/SIP, if the BIG-IP system attempts to send messages to the destination over a TCP connection that is in FIN-wait2 stage, instead of returning a failure and silently dropping the message, the BIG-IP system attempts to create a new TCP connection by sending a SYN. Eventually, the attempt fails and causes the connection to be aborted.

Conditions:
-- This happens on MBLB/SIP deployment with TCP.
-- There is message sent from the server to the BIG-IP system.
-- The BIG-IP system forwards the message from the server-side to client-side.
-- The destination flow (for the BIG-IP system to forward the message to) is controlled by 'node <ip> <port>' and 'snat <ip> <port>' iRules command.
-- The destination flow is in the FIN-wait2 stage.

Impact:
This causes the BIG-IP system to abort the flow that originates the message.

Workaround:
None.


835517-1 : After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED"

Component: Device Management

Symptoms:
After upgrading BIG-IP iso and resetting HA, gossip may show "UNPAIRED" and the REST endpoint /resolver/device-groups/tm-shared-all-BIG-IPs/devices/ may show only one device.

Conditions:
This has been observed during upgrade from 14.x.x to 15.x.x.

Impact:
SSLO won't work as expected

Workaround:
If gossip shows "UNPAIRED" after upgrade, you may need to do following at both devices:

1. Delete existing device information.
restcurl -X DELETE shared/resolver/device-groups/tm-shared-all-BIG-IPs/devices
 
2. Force updating.
bigstart restart restjavad
restcurl -X POST -d '{}' tm/shared/bigip-failover-state


835505-1 : Tmsh crash possibly related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
tmsh crashes

Conditions:
The conditions that trigger this are unknown, and it occurs rarely. The NGFIPS SDK may core dump as well.

Impact:
Tmsh may crash.


835209-3 : External monitors mark objects down

Component: Global Traffic Manager (DNS)

Symptoms:
Object to which the external monitor is attached is marked down.

Conditions:
Executing external monitors trying to access something without appropriate permissions.

Impact:
Object to which the external monitor is attached is marked down.

Workaround:
None.


834217-7 : Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window.

Component: Local Traffic Manager

Symptoms:
Due to a known issue BIG-IP may advertise sub-optimal window size.

Conditions:
Result of (init-rwnd * client-mss) is greater than maximum window size (65,535).

Impact:
Degraded TCP performance.

Workaround:
Do not use init-rwnd values that might result in values higher than maximum window size (65,535).

Assuming MSS of 1480, the maximum value of init-rwnd is:
65535/1480 = 44.


833685-5 : Idle async handlers can remain loaded for a long time doing nothing

Component: Application Security Manager

Symptoms:
Idle async handlers can remain loaded for a long time doing nothing becasue they do not have an idle timer. The sum of such idle async handlers can add unnecessary memory pressure.

Conditions:
This issue might result from several sets of conditions. Here is one:

Exporting a big XML ASM policy and then leaving the BIG-IP system idle. The relevant asm_config_server handler process increases its memory consumption and remains that way, holding on to the memory until it is released with a restart.

Impact:
Idle async handlers remain for a long time.

Workaround:
-- Restart asm_config_server, to free up all the memory that is currently taken by all asm_config_server processes and to impose the new MaxMemorySize threshold:
---------------
# pkill -f asm_config_server
---------------
-- Restart it periodically via cron, as idle handlers are soon created again.


833213-1 : Conditional requests are served incorrectly with AAM policy in webacceleration profile

Component: WebAccelerator

Symptoms:
HTTP 1.1 allows a conditional request with header If-Modified-Since or If-Unmodified-Since to determine whether a resource changed since a specified date and time. If AAM is provisioned and its policy is assigned to a virtual server, it may incorrectly respond with 304 Not Modified, even after the resource was updated.

Conditions:
-- AAM is provisioned and webacceleration policy is attached to a virtual server.
-- Client sends a conditional request with If-Modified-Since or If-Unmodified-Since header.
-- The BIG-IP system responds from AAM cache.

Impact:
Client does not receive an updated resource.

Workaround:
Use webacceleration profile without AAM policy for resources that require conditional checks falling back into Ramcache.


832665-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.0.5

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools will not be available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools will not be available.

Workaround:
None.


832661 : Default provisioning for all instances is LTM nominal

Component: TMOS

Symptoms:
Prior to configuring an AWS WAF (AWAF) PAYG cloud instance, you may see errors related to an unlicensed LTM module. This occurs because the default provisioning for all instances is LTM nominal. However, the license associated with an AWAF PAYG cloud instance does not enable the LTM feature. As a result, the default provisioning for an unconfigured AWAF PAYG cloud instance will be incompatible with the PAYG license.

Conditions:
-- This issue relates only to AWAF PAYG cloud instances.
-- Not using the onboarding/templates to configure/provision the instance prior to use.

Impact:
Licensing error messages may be observed before the AWAF cloud instance is configured/provisioned. The functionality works as expected, however, so you can ignore these messages.

Workaround:
The recommended workflow for all cloud instances is to use onboarding/templates to configure/provision the instance prior to use. If this workflow is followed, any provisioning errors associated with the default provisioning are cleared prior to usage.


832233-1 : The iRule regexp command issues an incorrect warning

Component: Local Traffic Manager

Symptoms:
At validation time, mcpd issues a warning similar to the following:

warning mcpd[7175]: 01071859:4: Warning generated : /Common/test1:2: warning: ["\1" has no meaning. Did you mean "\\1" or "1"?][{(test) (\1)}]

Conditions:
Use arguments such as "\1", "\2", "\3" etc., in command regexp.

Impact:
A warning is generated, "\1" has no meaning, even though it is valid.

Workaround:
Ignore the warning.


832133-1 : In-TMM monitors fail to match certain binary data in the response from the server.

Component: Local Traffic Manager

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system still marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

-- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

-- One (or more) of your TCP or HTTP monitors specifies a receive string using HEX encoding, in order to match binary data in the server's response.

-- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
You can use either of the following workarounds:

-- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

-- Do not monitor the application through a binary response (if the application allows it).


831821-1 : Corrupted DAG packets causes bcm56xxd core on VCMP host

Component: TMOS

Symptoms:
On VCMP host, bcm56xxd crashes when it receives a corrupted DAG packets.

Conditions:
Unknown.

Impact:
Device goes offline, traffic disruption.


831781-4 : AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode

Component: Access Policy Manager

Symptoms:
Both AD Query and LDAP Auth/Query fails.

Conditions:
-- AD Query Agent, LDAP Auth Agent, or LDAP Query Agent is configured in Per-Session or Per-Request Policy.
-- These agents are configured in Direct mode.
-- The AD and LDAP server address is configured as IPv6 address.

Impact:
Users may not be able to login to APM, and hence service is disrupted.

Workaround:
None.


831293-5 : SNMP get requests slow to respond.

Component: TMOS

Symptoms:
SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical are slow to respond.

Conditions:
Using SNMP get requests for ipAddr, ipAddress, ipAddressPrefix and ipNetToPhysical.

Impact:
Slow performance.

Workaround:
None.


830797-3 : Standby high availability (HA) device passes traffic through virtual wire

Component: Local Traffic Manager

Symptoms:
Virtual wire is forwarding traffic on standby resulting in traffic loops and potential network outage.

Conditions:
-- High availability (HA) configured.
-- Virtual wire configured.

Impact:
Standby device is passing traffic, which may create traffic loops and bring down the network.

Workaround:
Do not configure virtual wire on standby devices.


830073-2 : AVRD may core when restarting due to data collection device connection timeout

Component: Application Visibility and Reporting

Symptoms:
Avrd crashes, one or more core avrd files exist in /var/core

Conditions:
-- A BIG-IP system is managed by BIG-IQ via secure channel
-- Avrd is restarted.

Impact:
Avrd cores as it is shutting down. During avrd shutdown, the BIG-IQ data collection device (DCD) is unreachable for 10 minutes

Workaround:
None.


829821-1 : Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured

Component: TMOS

Symptoms:
If a very large amount of pool members are configured (tens of thousands), mcpd may miss its high availability (HA) heartbeat and be killed by sod.

Conditions:
-- A large number of pool members.
-- Pool member validation occurs (such as when loading a configuration or doing a configsync operation).

Impact:
Mcpd is killed by sod. This causes a failover (when the BIG-IP is in a DSC) or outage (if standalone).

Workaround:
None.


829677-2 : .tmp files in /var/config/rest/ may cause /var directory exhaustion

Component: TMOS

Symptoms:
The /var partition might become completely full on the disk due to tmp files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemon restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open.

This issue is happening because a VIPRION process is not available because of a REST timeout.

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Manually run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/*.tmp
bigstart start restjavad


829317-5 : Memory leak observed when running ICRD child

Component: TMOS

Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak slowly in tms and APM.

Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently

Impact:
Memory slowly leaks in tmsh and APM.


829193-4 : REST system unavailable due to disk corruption

Component: TMOS

Symptoms:
-- The iControl REST commands respond with the following:

[INFO] Text: u'{"code":200,"message":"REST system unavailable due to disk corruption! See /var/log/restjavad.*.log for errors.","restOperationId":1472895,"kind":":resterrorresponse"}'

-- The GUI indicates that iAppLX sub-system is unresponsive.

-- On the BIG-IP device, /var/config/rest/storage/LOST-STORAGE.txt exists.

Conditions:
The conditions that trigger this are unknown. It might be due to a previous catastrophic event such as power loss or out-of-memory errors.

Manually creating the file /var/config/rest/storage/LOST-STORAGE.txt can also trigger this error.

Impact:
The iControl REST system is unavailable.

Workaround:
Run the following commands at the BIG-IP command prompt:

bigstart stop restjavad restnoded
rm -rf /var/config/rest/storage
rm -rf /var/config/rest/index
bigstart start restjavad restnoded
rm -f /var/config/rest/downloads/*.rpm
rm -f /var/config/rest/iapps/RPMS/*.rpm
tmsh restart sys service tomcat

Then, reinstall any iAppLX packages that were installed.


829029-1 : Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error

Component: Application Security Manager

Symptoms:
Adding multiple user-defined Signatures via REST in quick succession may end with duplicate key database error.

Conditions:
At least two REST calls adding Attack Signatures and/or Attack Signature Sets which are sent in quick succession to the BIG-IP system.

Impact:
REST calls after the first may not be successful, resulting in failure to modify configuration as desired.

Workaround:
Retry the subsequent REST calls.


828873-3 : Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor

Component: TMOS

Symptoms:
In the deployment of BIG-IP 15.0.0 on Nutanix AHV Hypervisor, f5-label service is failing with inappropriate input device error.

Conditions:
Deployment of BIG-IP v15.0.0 on Nutanix AHV Hypervisor.

Impact:
Deployment of BIG-IP v15.0.0 is not stable to log into GUI or terminal on Nutanix AHV Hypervisor.

Workaround:
Steps:

1. Mount the drive:
mount -o rw,remount /usr

2. Add a comment below the line in the '/usr/lib/systemd/system/f5-label.service' service file:
#StandardInput=tty

3. Reload the daemon:
systemctl daemon-reload

4. Restart the service:
systemctl restart f5-label


828789-1 : Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP


828625-3 : User shouldn't be able to configure two identical traffic selectors

Component: TMOS

Symptoms:
Config load fails by issuing "tmsh load sys config verify"
01070734:3: Configuration error: Duplicate traffic selector is not allowed
Unexpected Error: Validating configuration process failed.

Conditions:
Duplicate IP addresses on multiple traffic-selectors attached to different ipsec-policies.

Impact:
Config load will fail after a reboot

Workaround:
Delete duplicate traffic-selectors.


828601-1 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metrics than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the management interface.

Conditions:
-- Create an IPv6 management route, which is going to be a default gateway.

-- Receive another default gateway from a configured peer using any of dynamic routing protocols (BGP, OSPF, etc.)

Impact:
The incorrect routing table sends the traffic that matches the default route to the management interface.

Workaround:
None.


827209-4 : HSB transmit lockup on i4600

Component: TMOS

Symptoms:
TMM shows HSB transmit lockup message and cored.

Conditions:
-- Using an i4600 platform.
-- Other conditions under which this occurs are unknown.

Impact:
Disruption to processing traffic on the BIG-IP system.

Workaround:
None.


827021-7 : MCP update message may be lost when primary blade changes in chassis

Component: TMOS

Symptoms:
In a VIPRION chassis, when the Primary blade is disabled (intentionally or due to an unexpected loss of functionality) and a new Primary blade is selected, there is a brief window of time during which status messages forwarded from MCPD on a Secondary blade to MCPD on the Primary blade might be dropped, possibly resulting in an incorrect view of the state of configured objects.

Conditions:
This problem may occur under the following conditions:
-- The state of a blade-local object/resources (such as a network interface or trunk) changes.
-- There is a high load on MCPD (for example, due to configuration reload on the new Primary blade) which delays processing of some MCPD actions.

Impact:
This problem may result in the state of blade-local objects (such as interfaces or trunks) being seen and reported incorrectly across the blades in the chassis, or on one or more specific blades (Primary, Secondary) in the chassis.

For example, if loss of the Primary blade results in one or more interfaces in a trunk being marked down by LACPD on a specific blade, resulting changes in trunk/member status may not be propagated correctly to the Primary blade, and from there to other Secondary blades.

Workaround:
None.


826313-6 : Error: Media type is incompatible with other trunk members

Component: TMOS

Symptoms:
Loading system configuration is failing after upgrade with an error message

01070619:3: Interface 5.0 media type is incompatible with other trunk members

Conditions:
-- Trunk interface created in BIG-IP version 12.3.4.
-- Trunk interfaces have different speeds (e.g. 100Mb interfaces and 1Gb interfaces)
-- Load the configuration after upgrading from v12.1.3.4 to v12.1.3.5.

Impact:
The system configuration is failing to load.

Workaround:
If you encounter this error, manually fix all trunks to only use interfaces of the same speed, and then load the configuration.


826189-3 : The WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

Component: TMOS

Symptoms:
The input validation performed by the BIG-IP system WebUI incorrectly allows the dns64-prefix option found in DNS profiles to include a subnet mask.

The WebUI should allow users to specify only a prefix (for example, 2001:db8:0:0:0:0:0:0 or 2001:db8::); however, it incorrectly allows users to specify a subnet mask too (for example, 2001:db8:0:0:0:0:0:0/96 or 2001:db8::/96).

In contrast, the TMSH utility correctly enforces values for this option.

Conditions:
The BIG-IP Administrator creates or modifies a DNS profile using the WebUI, and specifies an IP/SM value for the dns64-prefix option.

Impact:
Upon performing DNS64, TMM returns incorrect DNS answers that do not use the specified prefix. For example, if the Administrator specifies 2001:db8:0:0:0:0:0:0/96 as the prefix, and if the IPv4 address of the requested resource is 198.51.100.1, DNS64 returns ::198.51.100.1 instead of 2001:db8::c633:6401. This prevents end-user clients from reaching the intended resource.

The impact described in this section only applies to BIG-IP versions 14.1.0 and later. Previous BIG-IP versions also had this WebUI validation issue, but despite this TMM still returned the correct DNS answer.

Workaround:
When configuring this option using the WebUI, do not specify a subnet mask.


825501-3 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.


825413-4 : /var/lib/mysql disk is full

Component: Application Security Manager

Symptoms:
PRX.BRUTE_FORCE_* db tables do not have a row_limit, so they can grow to consume all available disk space in /var/lib/mysql.

Conditions:
ASM provisioned

Impact:
/var/lib/mysql can run out of disk space

Workaround:
1. Truncate the two large tables. This clears all the row in those table and should make disk space.
   Note that existing brute force username and IPs reporting data will be lost.

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_USERNAMES"

# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "TRUNCATE TABLE PRX.BRUTE_FORCE_MITIGATED_IPS"

2. Add row_limit for the two tables to avoid the same issue in the future.

Add following lines in the bottom of this file, /etc/ts/tools/clean_db.yaml

  PRX.BRUTE_FORCE_MITIGATED_USERNAMES:
    row_limit: 100000
    order_by: brute_force_mitigated_username_id

  PRX.BRUTE_FORCE_MITIGATED_IPS:
    row_limit: 100000
    order_by: brute_force_mitigated_ip_id

Restart clean_db process (there is no impact of restarting this process)

# pkill -f clean_db

Wait 30 sec, and make sure the process came back

# ps aux | grep clean_db


825245-4 : SSL::enable does not work for server side ssl

Component: Local Traffic Manager

Symptoms:
When SSL::enable is issued in an iRule, for example in the HTTP Request event, it will not enable the server side profile if the server side profile is disabled.

Conditions:
An HTTP profile is configured on a virtual, and the server-ssl profile on the same virtual is disabled.

Impact:
The connection will close instead of completing.

Workaround:
Do not use a disabled server-ssl profile in this situation.


825013-1 : GENERICMESSAGE::message's src and dst may get cleared in certain scenarios

Component: Service Provider

Symptoms:
The "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands may not work properly if iRule processing changes to a different TMM. These commands may return an empty string rather than correct data.

Conditions:
-- Using "GENERICMESSAGE::message src" and/or "GENERICMESSAGE::message dst" iRule commands.
-- iRule processing moves from one TMM to another TMM.

Impact:
Incorrect data returned from "GENERICMESSAGE::message src" and "GENERICMESSAGE::message dst" iRule commands.


824437-7 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.


824433-3 : Added HTTP2 and HTTP3 request/response statistic fields to the HTTP profile

Component: Local Traffic Manager

Symptoms:
The HTTP/1.1 request/response statistic fields in the HTTP profile are incremented incorrectly when HTTP2 traffic is encountered.

There is not currently a way to view the HTTP2 and HTTP3 request/response stats on the HTTP profile.

Conditions:
-- Client or server sends HTTP2 request/response.
-- Using GUI, TMSH, iControl (SOAP), or SNMP.

Impact:
Incorrect HTTP/1.1 request/response statistic values are present in the HTTP profile when HTTP2 traffic is encountered.

Workaround:
None.


824365-5 : Need informative messages for HTTP iRule runtime validation errors

Component: Local Traffic Manager

Symptoms:
For HTTP iRule runtime validation errors, an ERR_NOT_SUPPORTED error message is appended (with rule name and event) to /var/log/ltm, but the message is not informative about the cause of the validation error:

err tmm1[20445]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri".

The system should post a more informative message, in this case:

err tmm[10662]: 01220001:3: TCL error: /Common/example <HTTP_REQUEST> - can't call after responding - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::uri"

Conditions:
-- HTTP filter and HTTP iRules are used by a virtual server.
-- An HTTP iRule runtime validation error happens. For example, HTTP::uri is called after HTTP::respond () which is not supported.

Impact:
With no informative error messages, it is difficult to identify the validation error.

Workaround:
There is no workaround at this time.


824205-3 : GUI displays error when a virtual server is modified if it is using an address-list

Component: TMOS

Symptoms:
When you modify a virtual server, the GUI returns an error similar to the following:

01b90011:3: Virtual Server /Common/vs2_udp's Traffic Matching Criteria /Common/vs2_udp_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1_tcp destination address, source address, service port.

Conditions:
This occurs when either of the following occur:

-- When renaming the virtual server.
-- When changing the address-list attribute.

Impact:
Cannot update virtual configuration with new value.

Workaround:
None.


824121-2 : Using the Websocket profile prevents mouse wheel scroll function

Component: Access Policy Manager

Symptoms:
Mouse wheel function does not work.

Conditions:
WebSSO and Websocket profiles are configured on a virtual server.

Impact:
Although there is no product functionality impact, it is an inconvenience to the BIG-IP administrator using the GUI.

Workaround:
To work around this issue, use an iRule that disables SSO for the Websocket request. For example, for remotespark (https://www.remotespark.com/html5.html) you can use the following iRule:

ltm rule sso_disable_ws {
  when HTTP_REQUEST {
   if {[HTTP::uri] starts_with "/RDP?" and [HTTP::header exists "Upgrade"] and [HTTP::header "Upgrade"] == "websocket" } {
    log "DISABLING WEBSSO"
    WEBSSO::disable
   }
  }
}


823825-7 : Renaming high availability (HA) VLAN can disrupt state-mirror connection

Component: Local Traffic Manager

Symptoms:
If the VLAN that services the state mirror connection between BIG-IP systems is renamed, it can cause a disruption of the state mirror connection. It can also lead to an eventual crash.

Conditions:
Renaming the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.

Impact:
System might crash eventually.

Workaround:
Do not rename the VLAN that services the state mirror connection between BIG-IP systems in an high availability (HA) configuration.


822253-1 : After starting up, mcpd may have defunct child "run" and "xargs" processes

Component: TMOS

Symptoms:
After starting up, mcpd may have defunct child "run" and "xargs" processes

Conditions:
Slow disk storage or large configuration files.

Impact:
Minimal; some zombie processes are created.


822025 : HTTP response not forwarded to client during an early response

Component: Local Traffic Manager

Symptoms:
In early server responses, the client does not receive the intended response from the HTTP::respond iRule. The client instead receives an unexpected 500 internal server error.

Conditions:
-- A slow client.
-- early server response with the HTTP::respond iRule.

Impact:
A client does not receive the redirect from the HTTP::respond iRule.

Workaround:
None.


821309-1 : After an initial boot, mcpd has a defunct child "systemctl" process

Component: TMOS

Symptoms:
Zombie "systemctl" process, as a child of mcpd.

Conditions:
Reboot of the BIG-IP.

Impact:
Minimal; a single zombie process is created.

Workaround:
To get rid of the process, you can restart mcpd.


820333-1 : LACP working member state may be inconsistent when blade is forced offline

Component: Local Traffic Manager

Symptoms:
Inconsistent (out-of-sync) LACP working member state.
Incorrect trunk high availability (HA) score.

Conditions:
LACP updates while blade is going offline.

Impact:
Incorrect high availability (HA) score may prevent the unit from automatically failing over.


820213-4 : 'Application Service List' empty after UCS restore

Component: TMOS

Symptoms:
The iApps :: Applications LX list does not display anything after restoring a UCS that was taken from a different device.

Conditions:
-- Restoring a UCS from a different device.
-- UCS includes the iAppLX package.

Impact:
Cannot see anything on 'Application Service List', and you are unable to configure the application.

Workaround:
Run the following command before restoring the UCS file:

clear-rest-storage


819457-1 : LTM high availability (HA) sync should not sync GTM zone configuration

Component: TMOS

Symptoms:
LTM high availability (HA) sync group are syncing GTM zone configuration changes.

Conditions:
1. BIG-IPs has both LTM and GTM provisioned.
2. The two BIG-IPs are inside one LTM sync group.

Impact:
GTM zone files are accidentally modified.


819233-3 : Ldbutil utility ignores '--instance' option if '--list' option is specified

Component: Access Policy Manager

Symptoms:
When running ldbutil utility, if the '--list' option is specified, then the '--instance' option has no effect. All the local users will be listed.

Conditions:
When both '--list' and '--instance' options are specified.

Impact:
The output lists all the local users and not limiting to the '--instance' option given.

Workaround:
None.


818853-1 : Duplicate MAC entries in FDB

Component: Local Traffic Manager

Symptoms:
Forwarding DataBase (FDB) not updated when a MAC moves among interfaces.

Conditions:
-- Having multiple paths to a MAC in a given configuration.

Impact:
There are duplicate MAC address entries which come from multiple interfaces.

Workaround:
None.


818833-1 : TCP re-transmission during SYN Cookie activation results in high latency

Component: Local Traffic Manager

Symptoms:
Issue is reported at the following system setup:

client <-> BIG-IP <-> concentrator <-> proxy <-> BIG-IP nat gateway <-> Internet

-- SYN Cookie got activated on F5 nat gateway.
-- Latency from 'Internet' (public host) is observed at 'Proxy' device sitting before F5 nat gw.
-- During the latency issue, SYN Cookie was active and evicting connections.
-- When SYN Cookie is enabled, it switches to l7 delayed binding as expected but it is not sending ACK for HTTP request so the client sends it again and again.

Conditions:
Haredware SYN Cookie is enabled on FastL4 profile

Impact:
High latency is observed.

Workaround:
Disable the SYN Cookie on the FastL4 profile


818789-7 : Setting ssl profile to none in https monitor, not setting Ciphers to DEFAULT as in serverssl Profile

Component: Local Traffic Manager

Symptoms:
With in-tmm monitoring enabled (or sys db bigd tmm set to enable) and with https monitor's ssl-profile set to none, the expected behavior is to send ciphers in ClientHello based on default serverssl profile as mentioned in GUI help for https monitor.

Conditions:
Configure HTTPS Monitor with ssl-profile "None".

Impact:
Ciphers are not exchanged as expected in the ClientHello Packets

Workaround:
Configure HTTPS Monitor without ssl-profile option, default serverssl profile will be used


818777-2 : MCPD error - Trouble allocating MAC address for VLAN object

Component: TMOS

Symptoms:
You see the following errors in /var/log/ltm:

err mcpd[8985]: 0107071c:3: Trouble allocating mac address for vlan object /Common/external.

Conditions:
Conditions under which this occurs are unknown.

Impact:
There is no known impact to the system as a result of this log message.

Workaround:
If this reoccurs, you can try force reloading mcpd.

For more information, see K13030: Forcing the mcpd process to reload the BIG-IP configuration, available at https://support.f5.com/csp/article/K13030.


818737-3 : Improve error message if user did not select a address-list or port list in the GUI

Component: TMOS

Symptoms:
In the GUI, the Virtual Server screen displays the available address-lists or port lists for source address, but there is no clarity on whether the options are selected or available.

Conditions:
-- Virtual server's source address section.

Impact:
If you do not make a selection and try to create the Virtual Server, an error occurs: An error has occurred while trying to process your request.

Workaround:
Click to select the address-list of port-list displayed as source address for Virtual Server.


818721-3 : Virtual address can be deleted while it is in use by an address-list.

Component: Local Traffic Manager

Symptoms:
-- The virtual-address (and virtual server) will no longer work.

-- The BIG-IP won't answer ARP requests for it.

-- Loading the config again or performing similar operations will not re-create the virtual-address.

Conditions:
-- A virtual address is deleted while it is in use by an address list and virtual server.
-- MCPD is restarted (or the unit rebooted, etc.).

Impact:
Traffic processing is disrupted


818505-1 : Modifying a virtual address with an iControl PUT command causes the netmask to always change to IPv6 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Component: TMOS

Symptoms:
Using an iControl PUT command to modify a virtual address will change that address's netmask to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff.

Conditions:
Modifying a virtual address using an iControl PUT command.

Impact:
An unintentional change to the virtual address's netmask.

Workaround:
Two options:
-- Use a PATCH command instead of a PUT command.
-- Always specify the netmask explicitly when making changes.


818297-3 : OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure

Component: TMOS

Symptoms:
OVSDB-server fails to make SSL connections when Selinux is enforced.

In /var/log/openvswitch/ovsdb-server.log:

...|00012|stream_ssl|ERR|/config/filestore/files_d/Common_d/certificate_d/:Common:myCert_2468_1: stat failed (Permission denied).

Conditions:
-- Navigate to System :: Configuration : OVSDB.
-- Add cert and keys.

Impact:
Permission denied, SSL connection failure.

Workaround:
Step 1: Check openvswitch SELinux denial:
# audit2allow -w -a
Example output:
type=AVC msg=audit(1566915298.607:32958): avc: denied { search } for pid=18966 comm="ovsdb-server" name="/" dev="dm-7" ino=2 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:f5config_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.

        You can use audit2allow to generate a loadable module to allow this access.

Step 2: Find openvswitch components that need Linux policy additions:
# audit2allow -a
Example output:
#============= openvswitch_t ==============
allow openvswitch_t f5config_t:dir search;
allow openvswitch_t f5filestore_t:dir search;
allow openvswitch_t f5filestore_t:file { getattr open read };

Step 3: Modify the policy to allow access to the component openvswitch_t:
# audit2allow -a -M openvswitch_t

Step 4: Apply the policy:
# semodule -i openvswitch_t.pp


817709-3 : IPsec: TMM cored with SIGFPE in racoon2

Component: TMOS

Symptoms:
TMM asserted and cored in racoon2 with this panic message:

panic: iked/ikev2_child.c:2858: Assertion "Invalid Child SA proposal" failed.

Conditions:
When IKEv2 Phase 2 SA has no peer proposal associated with it.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


817089-3 : Incorrect source MAC address with hardware acceleration (ePVA) and asymmetric routing

Component: TMOS

Symptoms:
Connections that are hardware accelerated and that use asymmetric routing may use the wrong MAC address for return traffic. This can be observed by looking at a packet capture.

Conditions:
Hardware acceleration is enabled (ePVA/fastL4) with asymmetric routing.

Impact:
The return traffic has the wrong source MAC address. This may affect packet forwarding depending on the configuration.

Workaround:
Disable HW acceleration.


816353-3 : Unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1

Component: TMOS

Symptoms:
During re-licensing or license reload, an unknown trap OID 1.3.6.1.2.1.47.2.0.1.0.1 may be sent.

Conditions:
Occurs during license reload or reactivation.

Impact:
After a license reload, the unknown trap can be seen like the following:

run "tcpdump -ni mgmt port 162 -vvvv &":

12:01:59.883331 IP (tos 0x0, ttl 64, id 47411, offset 0, flags [DF], proto UDP (17), length 101)
    10.248.136.179.55540 > 172.28.8.68.snmptrap: [bad udp cksum 0x486e -> 0xd7b8!] { SNMPv2c { V2Trap(58) R=1205683810 .1.3.6.1.2.1.1.3.0=1775555 .1.3.6.1.6.3.1.1.4.1.0=.1.3.6.1.2.1.47.2.0.1.0.1 } }


816233-1 : Session and authentication cookies should use larger character set

Component: TMOS

Symptoms:
The session and authentication cookies are created using a limited character set.

Conditions:
Creating session and authentication cookies.

Impact:
Cookies created with a less broad character set than they could be.

Workaround:
None.


814585-1 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


814353-6 : Pool member silently changed to user-disabled from monitor-disabled

Component: TMOS

Symptoms:
When a node (Disabled by Monitor) is updated via the member screen (no change to configuration required), the status changes from:

'Available (Disabled) pool members is available, monitor disabled'.

To:

'Available (Disabled), pool member is available, user disabled'.

Conditions:
-- A node disabled by Monitor.
-- Go to GUI LTM pool member and navigate into the monitor disabled member, then update without any configuration change.

Impact:
Pool member goes to 'user-disabled'.

Workaround:
To recover, re-enable the pool member.


814273-1 : Multicast route entries are not populating to tmm after failover

Component: TMOS

Symptoms:
Multicast route entries are not populating in tmm after failover. ZebOS has the multicast entries, but tmm does not.

Conditions:
-- High Availability (HA) configured, with multicast traffic.
-- A failover occurs.

Impact:
Multicast traffic does not pass through properly

Workaround:
Clear the multicast entries in ZebOS manually:
> clear ip mroute *
> clear ip igmp group


814037-6 : No virtual server name in Hardware Syncookie activation logs.

Component: Local Traffic Manager

Symptoms:
Missing virtual server name in Hardware Syncookie activation logs. ltm/logs contains error messages:

notice tmm2[1150]: 01010240:5: Syncookie HW mode activated, server = 0.0.0.0:0, HSB modId = 2.

Conditions:
-- More than one virtual server with same Destination IP e.g., 'x.x.x.x'.
-- Port 'y' configured.
-- Hardware Syncookie activated.

Impact:
Difficult to determine which virtual server actually got the Syncookie activated.

Workaround:
None.


813969-5 : Network DoS reporting events as 'not dropped' while in fact, events are dropped

Component: Advanced Firewall Manager

Symptoms:
Logs/Tmctl shows packet dropped whereas AVR shows Action as 'Allowed' and not 'Dropped'.

Conditions:
-- AFM configured.
-- AFM passes the message to AVR for reporting.

Impact:
The operation does not update the drop flag. It appears from AVR Reporting that packets are allowed, but actually they are dropped

Workaround:
There is no workaround at this time.


813701-6 : Proxy ARP failure

Component: Local Traffic Manager

Symptoms:
In certain configurations, and when the BIG-IP system does not have a directly connected route to the request sender, proxy ARP may fail, leading to dropped ARP replies.

Conditions:
-- Running v12.1.4.1 or 12.1.3.7 with engineering hotfix 0.89.2.
-- ARP requests and replies are processed by different TMMs.
-- A directly connected route to the request sender is not available.

Impact:
ARP replies are dropped, leading to connection failures.

Workaround:
Create a self IP in the same subnet as the ARP request senders. This creates the necessary directly connected route.


813221-5 : Autoconf continually changes a virtual IP object when virtual IP/port on LTM is not in sync

Component: Global Traffic Manager (DNS)

Symptoms:
The virtual server for an LTM redundant peer is continually updated with its IP/Port changing back and forth between two values, leading to perpetual GTM configuration syncs.

Conditions:
The destination IP:port of the virtual server on the LTM is not in sync between the LTM devices in the device-group.

Impact:
The virtual server is flapping status between "blue" and 'green', and its destination IP:port is changing between a correct value and an incorrect one. Traffic will be impacted.

Workaround:
Perform a configsync on the LTM device-group that owns the virtual server.


812981-6 : MCPD: memory leak on standby BIG-IP device

Component: TMOS

Symptoms:
MCPD memory consumption may increase on standby BIG-IP device if APM configuration is updated. Some of the allocated memory is not freed after configuration update.

Conditions:
-- BIG-IP high availability (HA) pair is installed and configured
-- APM is provisioned
-- Access Policy is configured and updated periodically

Impact:
MCPD may take a lot of memory on the standby device. Normal functionality of standby device may be stopped; reboot of the device is required.


812705-3 : 'translate-address disabled' setting for LTM virtual server does not have any effect with iRules for NAT64 traffic

Component: Carrier-Grade NAT

Symptoms:
IPv4 Packets are forwarded to server-side with destination address changed to LTM pool member address even when 'translate-address disabled' is configured on a NAT64 virtual server.

Conditions:
-- Create iRules for LTM pool selection.
-- Configure the NAT64 virtual server with 'translate-address disabled'.
-- Send IPv6 client request accessing the NAT64 virtual server.

Impact:
Server-side IPv4 packets are forwarded with destination address modified. The server-side packets do not reach the intended destination, resulting in connection failures.

Workaround:
Use normal LTM pool selection instead of iRules-based, LTM pool selection.


812493-4 : When engineID is reconfigured, snmp and alert daemons must be restarted

Component: TMOS

Symptoms:
The engineID, engineBoots, engineTime values in SNMPv3 traps are shared by both the SNMP and the Alert daemons and are included in traps raised by both daemons. When the engineID is reconfigured then both daemons must be restarted in order to resynchronize the new values.

Conditions:
Traps issued by the SNMP and Alert daemons may not have engine values that are in sync when the EngineID is first reconfigured. This can happen both with a configuration change and an upgrade.

Impact:
This may confuse the SNMP client receiving the trap.

Workaround:
Restart the snmp daemon and then the alert daemon when the engine ID is reconfigured for the first time and the first time after a software upgrade

tmsh restart sys service snmpd alertd


811701-3 : AWS instance using xnet driver not receiving packets on an interface.

Component: TMOS

Symptoms:
Packets are being sent to the AWS instance but no packets are seen on interface.

Conditions:
-- AWS instance using xnet driver.
-- Occurs when the instances are idle and then suddenly passes traffic again.
-- Other, more specific conditions are unknown at this time.

Impact:
Loss of packets in the interface, in turn, causing data loss.

Workaround:
A temporary way to avoid the problem is to configure BIG-IP Virtual Edition (VE) to use an alternative network driver in place of the default 'xnet' driver. In releases 14.1.0 and later, this would be the 'sock' driver; in releases 13.1.0 through 14.0.x, the 'unic' driver is the alternative.

Use one of the following command sequences from the BIG-IP instance's 'bash' prompt to configure the alternative driver. (Note the use of the 'greater-than' symbol.)

-- Commands for Releases 14.1.0 and later:

  # echo "device driver vendor_dev 1d0f:ec20 sock" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'sock']

  # tmctl -dblade -i tmm/device_probed


-- Commands for releases 13.1.0 through 14.0.0:

  # echo "device driver vendor_dev 1af4:1000 unic" > /config/tmm_init.tcl

[check that the file's contents are correct]

  # cat /config/tmm_init.tcl

[restart the BIG-IP's TMM processes]

  # bigstart restart tmm

[make certain that the 'driver_in_use' is 'unic']

  # tmctl -dblade -i tmm/device_probed


811149-2 : Remote users are unable to authenticate via serial console.

Component: TMOS

Symptoms:
Attempts to login to the serial console with remote user credentials (e.g., RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure system for remote authentication and attempt authentication via serial console.

Impact:
Remote authentication users are unable to login via serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can login using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to login to the serial console.


811041-7 : Out of shmem, increment amount in /etc/ha_table/ha_table.conf

Component: TMOS

Symptoms:
System logs error:
err sod[8444]: 01140003:3: Out of shmem, increment amount in /etc/ha_table/ha_table.conf.

Conditions:
-- Large number of traffic groups.
-- A number of devices in the device cluster.
-- Heavy traffic resulting in numerous configsync or config save operations.

Impact:
Memory leak. Future changes to the high availability (HA) table may fail or be ignored. This could result in HA events not being tracked correctly.

Workaround:
None.


810821-3 : Management interface flaps after rebooting the device

Component: Local Traffic Manager

Symptoms:
The Management interface flaps after rebooting the device, which causes a momentary active-active condition in a high availability (HA) configuration.

Conditions:
This can occur after rebooting the active or standby device in an HA configuration.

Impact:
Devices go active-active for a few seconds and then resume normal operation.

Workaround:
You may be able to work around this by changing the management port speed to 100/Fixed Duplex.

For more information on changing the interface, see K14107: Configuring the media speed and duplex settings for network interfaces (11.x - 13.x), available at https://support.f5.com/csp/article/K14107.


810533-2 : SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile

Component: Local Traffic Manager

Symptoms:
When the client attempts to connect, even when sending the proper SNI extension, the BIG-IP system resets the connection after the client hello.

Conditions:
-- SNI Required set to true.
-- No Server Name configured in the client SSL profile.

Impact:
SSL connections with valid SNI are closed, and the client cannot connect. With generic alerts enabled, you will see 'SSL alert number 40'. This is because the system does not read the server names from the SAN extension within the certificate.

Workaround:
Specify a valid server name in the server name field of the client SSL profile.


810381-2 : The SNMP max message size check is being incorrectly applied.

Component: TMOS

Symptoms:
If the SNMP server receives an SNMPv3 request with a small max message size then, it applies that check to all requests. This can cause SNMPv1 and SNMPv2c requests time out if they are too long or if their responses are too long, for example, large get bulk requests.

Conditions:
An SNMPv3 small max message size received while processing large SNMPv1 and SNMPv2c requests.

Impact:
Responses time out.

Workaround:
Do not send SNMPv3 requests to the BIG-IP system.


809597-5 : Memory leak observed when running ICRD child

Component: Local Traffic Manager

Symptoms:
When ICRD child process is running and users are switching rapidly, memory may leak.

Conditions:
[1] ICRD child process is running
[2] There are multiple users on the device
[3] The multiple users are fetching a web-page using curl, repeatedly and concurrently

Impact:
The memory leak is very progressive. Eventually ICRD's child process will run out of memory.


807945-3 : Loading UCS file for the first time not updating MCP DB

Component: TMOS

Symptoms:
MCP DB is not updated after loading a UCS file.

Conditions:
1. Save UCS with 'flow-control' default value 'tx-rx'.
2. Modify the value from 'rx-tx' to 'none'.
3. Save another UCS with modified value.
4. Load the UCS with default value, everything works fine here.
5. Load the UCS with the modified value.

Impact:
The 'flow-control' setting gets changed. The functionality does not work after the first UCS load as MCP DB is not getting updated.

Workaround:
Load the same UCS again.

The MCP DB gets updated properly.


807337-5 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction will attempt to 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object, such as (delete, create, modify).

Impact:
Web UI shows misleading info about pool monitor.The monitor-related object may be unchanged; or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').


807005-5 : Save-on-auto-sync is not working as expected with large configuration objects

Component: TMOS

Symptoms:
In device group has enabled 'save sys config' for all auto-sync operations using the following command:
modify cm device-group name save-on-auto-sync true

Warning: Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.

Conditions:
-- The save-on-auto-sync option is enabled.
-- Device has large configuration, such as 2,100 virtual servers and ~1100 partitions

Impact:
Configuration it not saved, which leads to out-of-sync condition.

Workaround:
You can avoid this issue by using manual sync instead of auto-sync, or by not enabling 'save-on-auto-sync'.


806073-1 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.


803809-4 : SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled.

Component: Service Provider

Symptoms:
When MRF SIP is configured in per-client mode and preserve-strict source port is enabled on a virtual server, messages may fail to forward due to port collisions when multiple clients try to use the same port (which is expected/accepted behavior with this configuration). After the port has been freed or the configuration changed, messages continue to fail for clients that had previous port collisions.

Conditions:
-- MRF SIP configured with: Per-Client connection mode and virtual server with preserve-strict source port enabled.
-- Multiple clients try to connect using the same local port.
-- Previously failed client connections attempt to connect again after the port has been freed or configuration changed.

Impact:
Calls from one or more clients are unable to be completed.

Workaround:
You can prevent this behavior using either workaround:
-- Configure a different connection mode (Per-TMM, for example).
-- Disable preserve-strict source port on the virtual server.


803629-7 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.


803237-2 : PVA does not validate interface MTU when setting MSS

Component: TMOS

Symptoms:
An incorrect MSS value might be used when hardware (HW) syncookies are used, and the MTU is smaller than the MSS.

Conditions:
-- The BIG-IP system sends TCP segments, fragmented across multiple IP packets, that exceed the size of the local interface MTU.
-- This occurs when HW Syncookies are enabled.

Impact:
TCP segments larger than the local interface MTU sent towards the client. These TCP segments are transmitted as IP fragments.

Workaround:
Increase MTU size.


803233-1 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.


803157-3 : LTM log contains shutdown sequence logs after boot_marker as logs are buffered until BIG-IP reboots

Component: TMOS

Symptoms:
In reboot case, the BIG-IP system buffers the shutdown sequence log messages and writes them to disk once the syslog service starts during the boot process. The boot_marker message is written before shutdown messages sync to disk. This leads to out-of-sequence log messages, making it difficult to determine when the service stop occurred.

Conditions:
Reboot the BIG-IP system.

Impact:
Log messages appear out of order. It is difficult to tell whether service stop happened as part of reboot, or any error during the subsequent boot process.

Workaround:
None.


803109-3 : Source-port preserve-strict configured along with OneConnect may result in zombie forwarding flows

Component: Local Traffic Manager

Symptoms:
Source-port preserve-strict and OneConnect may result in zombie forwarding flows.

Conditions:
-- Source-port is set to preserve-strict.
-- OneConnect configured.

Impact:
Zombie forwarding flows. Over time, the the current allocation count grows and does not return to its prior level when traffic stops.

Workaround:
None.


802685-2 : Unable to configure performance HTTP virtual server via GUI

Component: TMOS

Symptoms:
When creating 'performance HTTP' virtual servers via GUI, the following error is reported:
01070734:3: Configuration error: A Virtual Server(/Common/vfasthttp) cannot be associated with both fasthttp and L4 profile.

Conditions:
Use the GUI to create a virtual server of type Performance (HTTP).

Impact:
Failed to create a 'performance HTTP' virtual server.

Workaround:
Use TMSH to configure the performance HTTP virtual server:
tmsh create ltm virtual vfasthttp destination 1.1.1.1:80 ip-protocol tcp profiles add { fasthttp }


802421-6 : The /var partition may become 100% full requiring manual intervention to clear space

Component: Advanced Firewall Manager

Symptoms:
The /var partition might become completely full on the disk due to files being written to /var/config/rest. This condition may be accompanied by console error messages similar to the following:
011d0004:3: Disk partition /var (slot #) has only 0% free on secondary blade.

Additionally, there may be periodic restjavad and bigd daemons restarts related to disk space exhaustion.

Conditions:
Process traffic while DoS Dashboard is open

Impact:
The partition housing /var/config/rest may become 100% full, impacting future disk IO to the partition.

Workaround:
Important: This workaround is temporary, and may need to be periodically performed either manually or from a script.

Impact of Workaround: While these steps are performed, the BIG-IP REST API will be temporarily inaccessible, and higher disk IO may be seen.

Run the following commands, in sequence:

bigstart stop restjavad
rm -rf /var/config/rest/storage*.zip
rm -rf /var/config/rest/*.tmp
bigstart start restjavad

Manual application of these workaround steps clears the 100% utilized space condition and allows the partition to resume normal operation.


802281-3 : Gossip shows active even when devices are missing

Component: TMOS

Symptoms:
Gossip appears Active even when one or more devices go missing from device group. 'restcul shared/gossip' shows active on both devices, even when the devices are not listed in 'restcurl shared/resolver/device-groups/tm-shared-allBIG-IPs/devices'.

Conditions:
The conditions under which this issue occurs are unknown. This is an intermittent issue.

Impact:
Gossip reports that it is working when it is not.

Workaround:
-- If the missing device is the active device, run the following command on the Active DSC Device:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state

-- If the missing device is the standby device, reboot the device, make it active, and then run the following command:

restcurl -X POST -d '{}' tm/shared/bigip-failover-state


801549-1 : Tmm memory utilization growth.

Component: Local Traffic Manager

Symptoms:
Tmm memory growth with improper high availability (HA) configuration.

Conditions:
- The device mirror-ip is not configured properly, along with either of the following:
  + Persistence mirroring is configured.
  + Connection mirroring of a virtual server with a persistence profile.

Impact:
Connection limits due to memory tmm memory pressure or possible tmm out-of-memory failure.

Workaround:
- Properly configure the cm device mirror-ip and/or mirror-secondary-ip. After doing this, the memory utilization should drop.

- Disable mirroring on the persistence profiles and/or virtual servers. After doing this, the memory utilization will not drop until tmm is restarted.


801497-3 : Virtual wire with LACP pinning to one link in trunk.

Component: Local Traffic Manager

Symptoms:
A virtual-wire that uses interface trunks may use a single interface on egress.

Conditions:
Virtual-wire configured across multi-interface trunks.

Impact:
This may lead to unexpected link saturation.

Workaround:
None.


799001-1 : Sflow agent does not handle disconnect from SNMPD manager correctly

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.


798893-1 : Changes to a webacceleration profile are not instantly applied to virtual servers using the profile

Component: Local Traffic Manager

Symptoms:
Changing parameters in a webacceleration profile does not change the behavior of virtual servers already using the profile.

Conditions:
This issue is encountered after changing the settings of a webacceleration profile already in use by one or more virtual servers.

Impact:
The changes are saved correctly and are visible in the WebUI, TMSH, etc. However, virtual servers already using the profile are not affected by the changes. This may result in some confusion and in the BIG-IP Administrator unable to apply their desired changes.

Workaround:
After modifying the profile, remove the profile from all virtual servers and then re-add it.


798885-4 : SNMP response times may be long due to processing burden of requests

Component: TMOS

Symptoms:
It is possible with large configurations to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request.

Conditions:
With large configurations, it is possible to overburden MCPD and SNMPD such that client queries time out.

Impact:
SNMP clients might think the BIG-IP system has become unresponsive.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.


796601-2 : Invalid parameter in errdefsd while processing hostname db_variable

Component: TMOS

Symptoms:
Errdefsd crashes, creates a core file, and restarts.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Possible loss of some logged messages.

Workaround:
None.


793121-5 : Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication

Component: TMOS

Symptoms:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, high availability (HA) status, provisioning, and installed software information.

Conditions:
The TMUI redirect-http-to-https is enabled.

Impact:
A vCMP guest cannot access software images and hotfix ISOs from the host. The vCMP host cannot gather status information from the vCMP guest, for example, HA status, provisioning, and installed software information.

Workaround:
On the vCMP guest, disable sys httpd redirect-http-to-https.


793017-3 : Files left behind by failed Attack Signature updates are not cleaned

Component: Application Security Manager

Symptoms:
If an Attack Signature update encounters an error during installation, files that are meant to be temporary are left behind on disk and a not subject to a periodic cleanup. This can eventually lead to disk space issues.

Conditions:
Attack Signature update encounters an error during installation.

Impact:
This can eventually lead to disk space issues.

Workaround:
Old sigfile.tmp.* directories under /var/ts/var/tmp can be safely removed.


793005-1 : 'Current Sessions' statistic of MRF/Diameter pool may be incorrect

Component: Service Provider

Symptoms:
In MRF/Diameter deployment, the LTM pool 'Current Sessions' statistics may show an unusually large number, such as 18446744073709551606.

Conditions:
There is a Diameter answer that does not match a pending request, the answer message is dropped, but BIG-IP system still decrements the 'Current Sessions' counter. If the counter is already zero, it can underflow.

Impact:
'Current Sessions' statistics can be used to track number of pending requests in the queue. When it underflows, the number becomes useless, making troubleshooting more difficult.

Workaround:
None.


790845-4 : An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default

Component: Local Traffic Manager

Symptoms:
An In-TMM monitor may be marked down when the CMP-hash (Cluster Multiprocessing) is set to non-default value.

Conditions:
-- There is a configured In-TMM monitor (K11323537).
-- CMP-hash is set to non-default value.

Note: For information about In-TMM monitoring, see K11323537: Configuring In-TMM monitoring :: https://support.f5.com/csp/article/K11323537.

Impact:
An In-TMM monitor is falsely marked as down.

Workaround:
Use default settings for a CMP-hash.


788753-2 : GATEWAY_ICMP monitor marks node down with wrong error code

Component: Local Traffic Manager

Symptoms:
Pool state shows down when there is no route configured to node.

Conditions:
-- In-tmm gateway_icmp monitor configured for a node or pool member.
-- There is no route to the node or pool member.

Impact:
The pool member or node is marked down and the reason listed is 'timeout', instead of 'no route to host'.

Workaround:
None.


787973-1 : Potential memory leak when software crypto request is canceled.

Component: Local Traffic Manager

Symptoms:
Memory may occasionally leak when a software crypto request is cancelled before it has completed.

Conditions:
There are a number of reasons why a software crypto request may be canceled.

Impact:
Memory may leak.

Workaround:
No workaround.


787677-5 : AVRD stays at 100% CPU constantly on some systems

Component: Application Visibility and Reporting

Symptoms:
One thread of the avrd process spontaneously starts to consume 100% CPU.

Conditions:
The exact conditions under which this occurs are unknown, but might occur only on vCMP configurations.

Impact:
System performance degrades.

Workaround:
Restart TMM:
bigstart restart tmm


786517-5 : Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address

Component: Local Traffic Manager

Symptoms:
- Monitors are firing and are being sent to a pool-member or node address rather than a monitor's alias address.

- Running the command 'tmsh load /sys config' reports an error:
  01070038:3: Monitor /Common/a-tcp address type requires a port.

Conditions:
-- Create a monitor without an alias address.
-- Modify the monitor later in the TMUI to specify an alias address.

Impact:
Monitors are sent to an incorrect IP address.

tmsh load /sys config will fail to load the configuration.

Workaround:
There are two workarounds:
-- Delete and recreate the monitor and specify the correct alias address at creation time.

-- Fix the monitor definition using tmsh.


785741-3 : Unable to login using LDAP with 'user-template' configuration

Component: TMOS

Symptoms:
Unable to login as remote-user.

Conditions:
When the following are true:
-- LDAP remote-auth configured with user-template.
-- Remote-user configured to permit login.

Impact:
Unable to login with remote-user.

Workaround:
Use bind-dn for authentication.


784733-6 : GUI LTM Stats page freezes for large number of pools

Component: TMOS

Symptoms:
When a configuration has approximately 5400 pools and 40,000 pool members, navigating to the GUI page to look at stats for all or one pool, the GUI page may freeze indefinitely.

Conditions:
Configurations with large number of pools and pool members, e.g., 5400 pools and/or 40,000 pool members.

Impact:
Cannot view pool or pool member stats in GUI.

Workaround:
Use iControl REST or TMSH to retrieve stats for such a large number of pools or pool members.


780437-6 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


778513-1 : APM intermittently drops log messages for per-request policies

Component: TMOS

Symptoms:
APM may intermittently drop log messages, leading to missing information on policy execution or other events.

Conditions:
Using APM per-request policies, or ACCESS::log iRule commands.

Impact:
Administrator may fail to report certain logging events, hindering troubleshooting or auditing efforts.

Workaround:
No workaround is possible. When reviewing APM logs, keep in mind that during periods of high activity (greater than 100 log messages in 1-to-2 seconds) that the system may drop some log messages.


776393-3 : Memory leak in restjavad causing restjavad to restart frequently with OOM

Component: TMOS

Symptoms:
Restjavad frequently (approximately every 5 minutes) restarting due to OutOfMemory:Java heap space with no extra memory.

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory. This is two-step process.

1. Update memory allocated to the control plane using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad is 192, 352, and 592, respectively. Set this to Large.

2. Run the following two commands, in sequence:
   tmsh modify sys db restjavad.useextramb value true
   bigstart restart restjavad


774257-4 : tmsh show gtm pool and tmsh show gtm wideip print duplicate object types

Component: Global Traffic Manager (DNS)

Symptoms:
Tmsh show gtm pool and show gtm wideip commands with field-fmt will display the object type twice in the output. For example:

tmsh> show gtm pool a field-fmt
gtm pool pool emptypool:A

tmsh> show gtm wideip a field-fmt
gtm wideip wideip testwip.f5.com:A

Conditions:
This occurs when running the following tmsh commands:

tmsh show gtm pool <poolname> field-fmt
tmsh show gtm wideip <wideipname> field-fmt

Impact:
The output type is printed twice

Workaround:
None.


767341-1 : If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file.

Component: TMOS

Symptoms:
Repeated TMM service crash SIGBUS with memory copy operation at the top of stack trace.

Conditions:
TMM loads filestore file and size of this file is smaller than the size reported by mcp or if this ifile store is not present at all.

This condition is possible due to
- filesystem errors/corruption or
- BIG-IP user intervention.

Filesystem error might be due to power loss, full disk or other reasons.

Impact:
TMM crash.
The program terminated with signal SIGBUS, Bus error.

Workaround:
Manual copy of the "good" ifile store and forceload on the previously bad unit. Usually trivial, but error prone.

Another workaround is clean install, if possible/acceptable


767045-4 : TMM cores while applying policy

Component: Anomaly Detection Services

Symptoms:
TMM core and possible cores of other daemons.

Conditions:
The exact conditions are unknown.

Occurrences have been seen during specialized internal testing and while applying a copied and edited ASM policy.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


760471-1 : GTM iQuery connections may be reset during SSL key renegotiation.

Component: Global Traffic Manager (DNS)

Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.

Conditions:
This occurs occasionally during routine renegotiation.

Impact:
The affected iQuery connection is briefly marked down as the connection is marked down before the connection is immediately re-established.

Workaround:
There is no workaround.


760406-1 : HA connection might stall on Active device when the SSL session cache becomes out-of-sync

Component: Local Traffic Manager

Symptoms:
You see 'SSL handshake timeout' error messages in LTM log, and high availability (HA) system performance becomes degraded.

Conditions:
This might occur in either of the following scenarios:

Scenario 1
-- Manual sync operations are performed during while traffic is being passed.
-- SSL Connection mirroring is enabled.


Scenario 2
-- Saving configuration on an HA Standby node during while traffic is being passed.
-- SSL Connection mirroring is enabled.

Impact:
-- In Scenario 1, the sync operations causes the session cache to be out-of-sync between active and standby nodes.

-- In Scenario 2, the save operation clears the session cache on the standby node. As a result, the session cache might be out-of-sync between active and standby nodes.

In either Scenario:
-- SSL Connection mirroring fails and posts the timeout message.

-- The HA system performance becomes degraded due to SSL connection timeout.

Workaround:
-- Disable SSL session caching by setting 'Cache Size' in the client SSL profile option to 0.

-- Set device management sync type to Automatic with incremental sync.


758781 : iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates

Component: TMOS

Symptoms:
The following commands take a long time to complete when there are a large number of certificates:
get_certificate_list()
get_certificate_list_v2()
get_certificate_list_v3()

Conditions:
-- Using the get_certificate_list(), get_certificate_list_v2(), and get_certificate_list_v3() commands to get certificate information.
-- A large number of certificates (typically in the thousands) are installed on the BIG-IP system.

Impact:
Slowness might cause timeouts in applications that are calling these functions.

Workaround:
Use iControl REST API corresponding to sys/file/ssl-cert.


758599-3 : IPv6 Management route is preferred over IPv6 tmm route

Component: Local Traffic Manager

Symptoms:
The IPv6 Management route has lower metric than the static IPv6 tmm route. As a result, traffic that matches the default route goes to the mgmt interface.

Conditions:
Create an IPv6 mgmt route and a static IPv6 tmm route on the same BIG-IP system. IPv6 routes from TMM are injected at metric 1024.

Impact:
The incorrect routing table sends the traffic that matches the default route to the mgmt interface.

Workaround:
None.


757167-3 : TMM logs 'MSIX is not supported' error on vCMP guests

Component: TMOS

Symptoms:
On vCMP guests, logs of 'MSIX is not supported' messages apppear in /var/log/tmm.

Conditions:
This occurs only on vCMP guests.

Impact:
MSIX is not supported on vCMP guests, but system operation and traffic passing are not impacted otherwise.

Workaround:
None.


756313-6 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
To restore the state of the member, remove it, and add it back to the pool.


750588-3 : While loading large configurations on BIG-IP systems, some daemons may core intermittently.

Component: TMOS

Symptoms:
When manually copying a large config file and running 'tmsh load sys config' on specific hardware BIG-IP platforms, multiple cores may be observed from different daemons.

Conditions:
This has been observed on i4800 platforms when the 'management' provisioning (corresponding to the provision.extramb DB key) is set to 500 MB or less.

Impact:
The mcp daemon may core and all daemons on the BIG-IP system may be restarted.

Workaround:
Set db key 'provision.extramb' to 1024 or greater.


746758-1 : Qkview produces core file if interrupted while exiting

Component: TMOS

Symptoms:
If, during qkview operation's exit stage, it is interrupted (with Ctrl-C for example), it produces a core file.

Conditions:
-- Qkview is exiting.
-- The qkview operation receives an interrupt.

Impact:
A core file is produced.

Workaround:
When closing qkview, or if it is closing, do not interrupt it; wait for it to exit.


746348-4 : On rare occasions, gtmd fails to process probe responses originating from the same system.

Component: Global Traffic Manager (DNS)

Symptoms:
On rare occasions, some resources are marked 'unavailable', with a reason of 'big3d: timed out' because gtmd fails to process some probe responses sent by the instance of big3d that is running on the same BIG-IP system.

Conditions:
The monitor response from big3d sent to the gtmd on the same device is being lost. Monitor responses sent to other gtmds are sent without issue. The conditions under which this occurs have not been identified.

Impact:
Some resources are marked 'unavailable' on the affected BIG-IP system, while the other BIG-IP systems in the sync group mark the resource as 'available'.

Workaround:
Restart gtmd on the affected BIG-IP system.


744407-1 : While the client has been closed, iRule function should not try to check on a closed session

Component: Access Policy Manager

Symptoms:
tmm cores. System posts a message:

access::session exists is used during CLIENT_CLOSED iRule event.

Conditions:
-- Client has closed the connection.
-- iRule function tries to check on a closed session.
-- An 'access session::exists' command is used inside the iRule event CLIENT_CLOSED.

Impact:
tmm may core. Traffic disrupted while tmm restarts.

Workaround:
Do not use the iRule command 'access session::exists' inside CLIENT_CLOSED.


742549-3 : Cannot create non-ASCII entities in non-UTF ASM policy using REST

Component: Application Security Manager

Symptoms:
You cannot create non-ASCII entities (such as URLs and parameters) in a non-UTF-8 policy using REST.

Conditions:
-- The policy is configured for an encoding other than UTF-8.
-- Attempting to create non-ASCII entries using REST.

Impact:
You cannot create an entity (such as a URL or parameter) which contains non-ASCII characters using REST.

Workaround:
Use UTF-8.


739618-3 : When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy

Component: Application Security Manager

Symptoms:
When using AWAF or MSP license, you cannot use the BIG-IP Configuration Utility to set rule to control ASM in an LTM policy.

Conditions:
- AWAF or MSP license

Impact:
Admin cannot use the BIG-IP Configuration Utility create LTM policy that controls ASM, and must use TMSH.

Workaround:
Use TMSH to create the rule instead of GUI:
For example:
create ltm policy Drafts/test99 controls add { asm } requires add { http } rules add { rule1 { actions add { 0 { asm enable policy dummy2 }} ordinal 1 }}


737322-3 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


730852-1 : The tmrouted repeatedly crashes and produces core when new peer device is added

Component: TMOS

Symptoms:
There is a tmrouted crash when new peer device is added.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Core produced. Tmrouted crashes repeatedly. Dynamic routing for all route domains is temporarily disrupted.

Workaround:
Have MCP force load as described in K13030: Forcing the mcpd process to reload the BIG-IP configuration (https://support.f5.com/csp/article/K13030).


726518-1 : Tmsh show command terminated with CTRL-C can cause TMM to crash.

Component: Local Traffic Manager

Symptoms:
TMM crash when running show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name]

Conditions:
-- Running the command:
show ltm clientssl-proxy cached-certs virtual [name] clientssl-profile [name].
- The command is terminated by the client connection, aborting with CTRL-C.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not terminate tmsh show commands with CTRL-C.


722230-1 : Cannot delete FQDN template node if another FQDN node resolves to same IP address

Component: TMOS

Symptoms:
If multiple FQDN nodes and corresponding pool members are created, with FQDN names that resolve to the same (or a common) IP address, you may not be able to delete any of the affected FQDN nodes even after its corresponding FQDN pool member has been deleted.

Conditions:
This occurs under the following conditions
-- Multiple FQDN template nodes exist with FQDN names that resolve to the same (or a common) IP address.
-- FQDN pool members exist for each FQDN template node, with corresponding ephemeral pool members for each which share the same IP address.
-- One of the FQDN pool members is removed from its pool.
-- You attempt to delete the corresponding FQDN template node.

Impact:
The FQDN template node remains in the configuration and cannot be deleted, while an ephemeral node or pool member exists with an IP address corresponding to that FQDN name.

Workaround:
To work around this issue:
1. Remove all remaining conflicting FQDN pool members (with FQDN names that resolve to the shared/conflicting IP address).
2. Delete the desired FQDN node.
3. Re-create the remaining FQDN pool members to replace those removed in step 1.


720440-6 : Radius monitor marks pool members down after 6 seconds

Component: Local Traffic Manager

Symptoms:
The radius monitor marks a pool member down if it does not respond within 6 seconds, regardless of the interval or timeout settings in the monitor configuration.

Conditions:
A radius monitor is used, and the pool member takes more than 6 seconds to respond to a radius request.

Impact:
The pool member may be marked down incorrectly if the monitor interval is configured to be greater than 6 seconds.

Workaround:
There is no workaround at this time.


719555-3 : Interface listed as 'disable' after SFP insertion and enable

Component: TMOS

Symptoms:
If an unpopulated front panel interface is disabled, then an SFP inserted and the interface re-enabled, TMSH will continue to display the interface as 'disabled' in 'tmsh show net interface output' commands.

Conditions:
-- BIG-IP appliance or blade.
-- Unpopulated front panel interface is disabled.
-- SFP inserted and the interface re-enabled.
-- Running the command: tmsh show net interface output.

Impact:
Output of the command shows the interface is disabled even though it is enabled and fully operational.

Workaround:
This issue is cosmetic; the interface is functional so it may be used.

To correctly identify the enabled/disabled state of the interface, use the following command: tmsh list net interface


718796-5 : IControl REST token issue after upgrade

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.

Conditions:
-- Upgrading to version 13.1.0.x.
-- iControl REST.

Impact:
A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may loose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add repro user account using PUT:
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.


714502-3 : bigd restarts after loading a UCS for the first time

Component: Local Traffic Manager

Symptoms:
bigd restarts when loading a UCS for the first time, where the load succeeds; and no related messages are reported in /var/log/ltm; and no bigd core file is produced.

Conditions:
bigd loads a UCS file for the first time, such as after the command:
tmsh load sys ucs no-license keep-current-management-ip no-platform-check

Impact:
The UCS file is correctly reloaded, and bigd restarts with the loaded configuration. No bigd core is produced, and no related messages are found in /var/log/ltm. After restart, bigd performs all system functions as expected.

Workaround:
System runs as expected after the bigd restart, and the user need not take any action.


714372-5 : Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system has a web-acceleration which provides a number of caching and optimization options suitable for HTTP/1.1. It uses 'Connection: Keep-Alive' header on a server side, which results in appearance of 'Keep-Alive' header in a response. Such a HTTP header was adopted by the industry but not standardized. When a web-acceleration profile is configured and provides a response, Safari clients do not accept responses with a such header and reject those with a RST_STREAM message.

Conditions:
-- BIG-IP has a virtual server with HTTP/2 profile and a web-acceleration profile.
-- A pool member responds with 'Keep-Alive' header in the following format: Keep-Alive: timeout=<number>, max=<number>.

Impact:
A response to a request is rejected, which might cause incorrect rendering of HTTP page.

Workaround:
Use an iRule to remove the Keep-Alive header:

when HTTP_RESPONSE_RELEASE {
    HTTP::header remove keep-alive
}

Alternatively use an LTM Policy where this header is removed from a server's response.


714216-4 : Folder in a partition may result in load sys config error

Component: TMOS

Symptoms:
If you run the command 'tmsh load sys config current-partition' in a partition that includes a folder, the command may return an error.

Conditions:
This occurs in the following scenario:
-- Create a partition.
-- Create a folder in that partition.
-- In the newly-created partition.
-- Save the configuration with the command 'save sys conf'.
-- In the same partition, run the following command to load the configuration: 'tmsh load sys config current-partition'.

Impact:
The load configuration process fails with an error that the folder does not exist.

Workaround:
There is no workaround at this time.


710809-5 : Restjavad hangs and causes GUI page timeouts

Component: Device Management

Symptoms:
Restjavad stops responding, causing GUI page timeouts.

Conditions:
The conditions behind this issue are not known.

Impact:
restjavad is active, but all endpoints are nonresponsive.

Workaround:
Restart restjavad.


706685-1 : The web UI becomes unresponsive after certain commands

Component: TMOS

Symptoms:
The web UI becomes unresponsive after certain commands

Conditions:
Running certain commands

Impact:
The web UI becomes unresponsive

Workaround:
Reload the page


705112-6 : DHCP server flows are not re-established after expiration

Component: Local Traffic Manager

Symptoms:
DHCP relay agent does not have server flows connecting to all active DHCP servers after a while.

Conditions:
- More than one DHCP servers configured for a DHCP virtual.
- Server flows timeout in 60 seconds

Impact:
DHCP server traffic not load balanced.

Workaround:
None.


696348-5 : "GTP::ie insert" and "GTP::ie append" do not work without "-message" option

Component: Service Provider

Symptoms:
When adding "GTP::ie insert" and "GTP::ie append" without "-message" option to iRule, there is warning message:

[The following errors were not caught before. Please correct the script in order to avoid future disruption. "unexpected end of arguments;expected argument spec:VALUE"1290 38]

Conditions:
Using "GTP::ie insert" or "GTP::ie append" command without "-message" option

Impact:
The commands still be executed during runtime but the warning message may confuse user.


688231-3 : Unable to set VET, AZOT, and AZOST timezones

Component: TMOS

Symptoms:
Unable to set VET, AZOT, and AZOST timezones

Conditions:
This occurs under normal operation.

Impact:
Cannot set these timezones.

Workaround:
Use the following zones with the same offset:

The AZOT timezone is the same offset as
N – November Time Zone.

The AZOST timezone is the same offset as
Z – Zulu Time Zone,
GMT – Greenwich Mean Time,
WET – Western European Time.

The VET timezone is the same offset as
AST – Atlantic Standard Time,
CDT – Cuba Daylight Time, CLT – Chile Standard Time,
EDT – Eastern Daylight Time,
FKT – Falkland Island Time,
Q – Quebec Time Zone.


685593-5 : Access session iRules can fail with error 'Illegal argument'

Component: Access Policy Manager

Symptoms:
Certain Access iRules can cause an argument error to occur. Errors in iRule logs appear similar to the following: session ID lookup failed - Illegal argument (line 1).

Conditions:
ACCESS::session iRules are used, for example:
-- ACCESS::session sid.
-- ACCESS::session data get {session.server.landinguri}.
-- ACCESS::session data get {session.policy.result}.

Impact:
Tcl error occurs and the connection is reset. The system posts the 'Illegal argument" message in the iRules logs.

Workaround:
There is no workaround at this time.


673573-1 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.


654635-1 : FTP virtual server connections may rapidly reuse ephemeral ports

Solution Article: K34003145

Component: TMOS

Symptoms:
The BIG-IP system reuses ephemeral ports quickly, which might cause connections to fail, because those ports are in TIME-WAIT state on the server.

Conditions:
-- FTP active mode is used.
-- Virtual server source-port=change.

Impact:
FTP active mode connections might fail.

Workaround:
There is no complete workaround. However, you can mitigate the issue using the default setting source-port=preserve on the virtual server.

As alternatives, you can also try the following:
-- Switching client traffic to Passive FTP.
-- Enabling TIME_WAIT reuse on the FTP server, if the operating system supports it.


640842-5 : ASM end user using mobile might be blocked when CSRF is enabled

Component: Application Security Manager

Symptoms:
Users report their access is blocked; when you look at the error log, you see CSRF errors.

Conditions:
-- CSRF enabled on ASM.
-- ASM client is using a mobile device.

Impact:
Client is blocked.

Workaround:
None.


615329-1 : Special Virtual IP configuration required for IPv6 connectivity on some Virtual Edition interfaces

Component: TMOS

Symptoms:
IPv6 virtual servers may not be reachable on specific Virtual Edition (VE) instances, based on the interfaces used by that instance.

Conditions:
VE with IPv6 virtual servers configured. The VE instance must have SR-IOV interfaces, or KVM virtio interfaces backed by macvtap.

Impact:
Special configuration procedure is required.

Workaround:
Follow the defined configuration procedure by explicitly listing the VLANs for which this VIP is enabled. For example, in TMSH:

'modify ltm virtual <name> vlans-enabled'
'modify ltm virtual <name> vlans add { <vlans> }'


605675-6 : Sync requests can be generated faster than they can be handled

Component: TMOS

Symptoms:
Configuration changes in quick succession might generate sync change messages faster than the receiving BIG-IP system can parse them. The sending BIG-IP system's queue for its peer connection fills up, mcp fails to allocate memory, and then the system generates a core file.

Conditions:
Configuration changes in quick succession that might generate sync-change messages.

Impact:
Core file and sync operation does not complete as expected. The possibility for this occurring depends on the size and complexity of the configuration, which impacts the time required to sync, and the traffic load occurring at the time of the sync operation.

Workaround:
None.


593536-9 : Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations

Solution Article: K64445052

Component: TMOS

Symptoms:
Devices do not have matching configuration, but system reports device group as being 'In Sync'.

Conditions:
This occurs when the following conditions are met:
-- Device Service Cluster Device Group with incremental sync is enabled.
-- A ConfigSync operation occurs where a configuration transaction fails validation.
-- A subsequent (or the final) configuration transaction is successful.

Impact:
The BIG-IP system incorrectly reports that the configuration is in-sync, despite the fact that it is not in sync. You might experience various, unexpected failures or unexplained behavior or traffic impact from this.

Workaround:
Turn off incremental sync (by enabling 'Full Sync' / 'full load on sync') for affected device groups.

Once the systems are in sync, you can turn back on incremental sync, and it will work as expected.


587821-10 : vCMP Guest VLAN traffic failure after MCPD restarts on hypervisor.

Component: TMOS

Symptoms:
On the affected slot, the vCMP guest is unable to pass traffic to or from the VLANs. If the guest has multiple slots, the CMP state logged in /var/log/tmm on that slot differs from the CMP state logged by other slots of the same guest.

In the vCMP guest, 'tmsh show net interface -hidden' shows 0.x interfaces for the affected slot that differ from the 0.x interfaces shown by 'tmsh show vcmp guest all-properties' on the vCMP hypervisor for the same guest slot.

Conditions:
The MCPD daemon on one of the blades of the vCMP hypervisor crashes or restarts.

Impact:
The vCMP guests that are still running since before the MCPD daemon restarted may be unable to communicate to VLAN networks. Incoming traffic may also be affected, even though the vCMP guest has other functional slots to process traffic.

Workaround:
On the hypervisor, modify the vCMP guest configuration to not run on the affected slot. Wait to confirm the vCMP guest has stopped on the affected slot. Then modify the vCMP guest to run on the previously affected slot.

Alternatively, modify the vCMP guest to the Configured state, and wait to confirm the vCMP guest has stopped on all slots. Then return the vCMP guest to the Deployed state.


579219-5 : Access keys missing from SessionDB after multi-blade reboot.

Component: Access Policy Manager

Symptoms:
Reboot a 4-blade vCMP guest. Now, only the master key for catalog remained. All subkeys are missing.

Conditions:
This can occur intermittently during a reboot in a multi-blade vCMP guest configured with APM.

Impact:
Some Access subkeys may be missing after the reboot.

Workaround:
Reboot the primary blade.


554506-1 : PMTU discovery from management does not work

Solution Article: K47835034

Component: Local Traffic Manager

Symptoms:
You encounter connectivity issues to management interface.

Conditions:
MTU on the intermediate route is less than the management interface's MTU and the response packets have the DF flag set.

Impact:
Connectivity issues to management interface.

Workaround:
None.


552937-6 : HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the next pipelined request to fail.

Component: Local Traffic Manager

Symptoms:
An iRule that calls HTTP::respond or HTTP::redirect in a non-HTTP iRule event can cause the TMM to core on the next pipelined request.

Conditions:
HTTP::respond or HTTP::redirect used in a non-HTTP iRule event. A pipelined request follows the request that triggers the iRule response.

Impact:
TMM core.

Workaround:
Add the close header to the HTTP::response, and the connection will be automatically closed.


512490-11 : Increased latency during connection setup when using FastL4 profile and connection mirroring.

Component: Local Traffic Manager

Symptoms:
Connection setup when using FastL4 profile and connection mirroring takes longer than previous versions.

Conditions:
FastL4 profile with connection mirroring.

Impact:
Slight delay during connection setup.

Workaround:
Disable tm.fastl4_ack_mirror. Optionally, enable tm.fastl4_mirroring_taciturn for signal to noise ratio improvements. This helps resolve connection setup latency.


486997-4 : The vCMP guest lost watchdog heartbeat, and the host restarted it.

Component: TMOS

Symptoms:
The guest on one slot stops activating its watchdog for 30 seconds, and the host vcmpd restarts the guest. The host logs messages:

-- 01510014:1: vCMP guest 'guestname' heartbeat timeout at the halfway mark.
-- 01510013:1: vCMP guest mn2-jga1-smp-lb lost heartbeat.

In a multi-slot guest, the other, unaffected guest slots /var/log/ltm can report 'clusterd FAILED' and show evidence of the faulty slot going down.

Conditions:
The conditions under which this occurs are unknown. This is a rarely encountered issue.

Impact:
Guest restart on one slot.

Workaround:
This issue has no workaround at this time.

To assist in capturing potential missed messages from the guest serial console, beginning in version 12.0.0, you can enable the db variables vcmp.guest.console and vcmp.guest.console.logging to log the output to a host-side file. To activate the logging, the guest must be re-deployed.


353607-1 : cli global-settings { service number } appears to have no effect

Component: TMOS

Symptoms:
cli global-settings { service number } appears to have no effect.

Conditions:
cli global-settings { service number } command.

Impact:
Has no effect.

Workaround:
None.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************